Exam Drive & Wiping Question

samr
Senior Member
 

Re: Exam Drive & Wiping Question

Post Posted: Nov 04, 05 21:36

I am a little confused. Do you mean a disk that contains a data copy of the original, or a disk that contains the image file? And are you talking about a full overwriting delete or just a simple delete? Sorry if the answers seem obvious.
 
  

Matt67
Newbie
 

Re: Exam Drive & Wiping Question

Post Posted: Nov 04, 05 22:50

Thanks for the info, I'll keep that in mind. Like I said, being "very new", it was only a guess.
 
  

m7esec
Senior Member
 

Re: Exam Drive & Wiping Question

Post Posted: Nov 05, 05 00:19

I believe that this gentleman is talking about wiping the examination drive (for example, the HDD that contains his forensics tools such as EnCase, FTK, etc.) with a known "clean" OS, tool installation, etc. I do not believe he is talking about the drive used to duplicate the original evidence. If this is the case, yes, this is a good practice, and it is what I do every time on my non-networked examination PC. Will it be an issue that would arise in court? Probably only if it is suspected to have a virus or other malware that can be used to modify your findings, somehow. It also shows that you are interested in "due diligence" in protecting the investigation and that no outside influences could have had any effect on your results.

Yes it is a pain, but after a while, when you have all the bugs worked out, you and your client will be glad you did.  
 
  

TMD22
Member
 

Re: Exam Drive & Wiping Question

Post Posted: Nov 05, 05 03:27

Yes m7esec, that is exactly what I am talking about: my exam drive (containing the forensic tools for each case).

I plan on doing it; having been in law enforcement for so long, it's better to always CYA.

Thanks again  
 
  

arashiryu
Senior Member
 

Re: Exam Drive & Wiping Question

Post Posted: Nov 05, 05 10:58

My recommendation:

1) Forensically wipe your forensic workstation's hard drive.
2) Install the base OS (XP, Linux, etc., your preference) and all your forensic tools. Ensure that you have all current critical OS patches, antivirus with current definitions, etc.
3) Create an image of your forensic workstation's hard drive.
4) Work on your case (#1 for example).
5) When the case is completed or closed, forensically wipe your forensic workstation's drive.
6) Restore the image created in step 3 to your forensic workstation's drive. Update critical patches, virus definitions, etc.
7) Create another image.
8) Work on the next case (#2 for example) and, when that case is completed or closed, repeat steps 5 through 7 to prepare for the next case.

So basically all you have to do is maintain a current image of your forensic workstation and restore it every time after forensically wiping your hard drive at the end of each case, so it is ready to go for the next case.
 
  

Andy
Senior Member
 

Re: Exam Drive & Wiping Question

Post Posted: Nov 05, 05 16:01

I disagree with the instruction to wipe on each occasion. If you are making a forensically sound 'image' of the suspect drive using, say, EnCase or Linux dd (to dd image files), and most practitioners use this method, then there is no point whatsoever in wiping the storage drive each case. You are wasting your time. An 'image' is an exact bit-for-bit copy of the original held in a 'container' (either dd or EnCase proprietary evidence files). Therefore, there is no chance of cross-contamination from previous cases. The image is verified with a hash value; change one single bit from a one to a zero and the hash is entirely different, and this would be spotted during the authentication procedure, as Greg rightly mentions.

Also, many practitioners now store and investigate cases on a large-capacity server, so wiping isn't feasible.

If you are copying the entire file structure directly to another disk, replacing it in the original machine and examining it in its native environment, then yes, under these circumstances I agree it would be best practice to forensically wipe the storage drive, as there may well be cross-contamination...

Andy  
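The hash check Andy describes above and the "image it, restore it next case" cycle arashiryu lays out earlier both come down to the same operation: record a baseline digest, re-hash later, and flag anything that differs. The script below is an added example, not code from this thread or any poster; it builds a SHA-256 manifest of a directory (an exam drive's tool folder or a set of dd containers), re-verifies it, and shows that a single flipped bit in a constructed stand-in image is caught. File names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream large image containers 1 MiB at a time


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so multi-GB images never have to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_manifest(root: Path, baseline: dict) -> list:
    """Return files that changed, appeared, or vanished since the baseline."""
    current = build_manifest(root)
    return sorted(f for f in set(baseline) | set(current)
                  if baseline.get(f) != current.get(f))


def demo() -> tuple:
    """Constructed demo: baseline a tool dir plus an image, flip one bit, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "imager.bin").write_bytes(b"\x00" * 4096)  # stand-in tool binary
        (root / "case1.dd").write_bytes(bytes(range(256)) * 16)      # stand-in dd image
        baseline = build_manifest(root)
        clean = verify_manifest(root, baseline)      # nothing has changed yet
        img = bytearray((root / "case1.dd").read_bytes())
        img[100] ^= 0x01                             # flip a single bit
        (root / "case1.dd").write_bytes(bytes(img))
        tampered = verify_manifest(root, baseline)   # the altered container is flagged
        return clean, tampered


if __name__ == "__main__":
    print(demo())  # ([], ['case1.dd'])
```

Keep the baseline manifest off the drive it describes (on the same media as the step-3 image, for instance), or an alteration could rewrite the manifest along with the files.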
 
  

TMD22
Member
 

Re: Exam Drive & Wiping Question

Post Posted: Nov 05, 05 17:05

Andy

Thanks for your input; however, I think you are talking about the "storage" medium that the suspect drive is copied to. I am talking about my "exam drive", the one that holds the forensic tools used to complete the exam, e.g. (Win 98 & XP).

I may be mistaken but this is how I read your post. Please elaborate.

Thanks again for your help and insight

Mark  
 

Page 2 of 3