File Erasing Question

4n6art
(@4n6art)
Posts: 208
Reputable Member
Topic starter
 

Hello all

Long time viewer first time poster - and I thank you for taking the time to post information on this forum which in turn has helped me gain a lot of knowledge.

Here's the scenario
Client wants drive imaged
Client wants certain files COMPLETELY erased from the drive
Client wants drive re-imaged.

1) Can anyone recommend a (free if possible) program that will allow me to erase the file entirely?
2) I realize that reimaging the drive after erasure does not guarantee that remnants of that file will not be available in swap, spool, temp areas, which brings up two questions
a) Can anyone recommend a way that I can remove ALL hints of the file?
b) Can anyone help me bolster my argument to the client that a complete erasure is not guaranteed based on remnants being found in swap, spool etc.

Thank you again folks.
Arthur.

PS Harlan - nice job on the book - great information - Thank you :)

 
Posted : 10/01/2008 10:47 pm
(@verdad)
Posts: 12
Active Member
 

Sounds fishy to me. Did you ask your client why he wanted to do this? Ignorance is not always bliss, in fact ignorance sometimes means liability. As some will tell you, I always assume the worst about people. It makes my job easier.

Good luck with that.

 
Posted : 10/01/2008 11:18 pm
(@verdad)
Posts: 12
Active Member
 

Oh, and I don't mean to be rude, but if you have to ask your question, you don't have the skill to pull it off. What do you intend to say when your client blames you because someone figured this out? Tell your client to be honest instead.

 
Posted : 10/01/2008 11:23 pm
4n6art
(@4n6art)
Posts: 208
Reputable Member
Topic starter
 

Verdad

Thanx for the reply - no offense taken.

My initial meeting with the client is next week. I do plan on asking him WHY - I have no intentions of taking on a case without knowing all the facts and history and having it documented somewhere. It did sound a little fishy to me but I will reserve judgment till I have my meeting - this could be a case of Attorney/Client privileged information they are trying to scrub.

Does ANYONE have the skill to pull this off?? I will admit I don't and I don't think anyone else does either to a level that they can guarantee that the file will disappear from the second image (without scrubbing all the unallocated space and removing the swap etc). If someone does, I would like to know how it can be done.

I am leaning towards NOT having an iron-clad guarantee on the file deletion - I am looking towards more experienced people to help me prove my case.

Appreciate the response. :)
Arthur

 
Posted : 10/01/2008 11:30 pm
(@mas66)
Posts: 21
Eminent Member
 

Why not just copy off the data that you do want and then wipe the drive if that is what your client wants.

Mark

 
Posted : 12/01/2008 2:00 am
(@bsd-roo)
Posts: 8
Active Member
 

i think that's gonna be pretty hard, the registrys and forensics tool will be able to tell you what the client did.

if you do not want to defame your client in court, you do not want to have registries saying that you have tampered with something nor would you give him a fresh copy of windows with some old files trying to pass as a seasoned OS/disk if you know what i mean.

if the client is using xp, you can back up data that he does want, dd the whole disk with urandom and then do a fresh install of vista. then put the files back, that way he can say in court that he was updating his operating system.

or you can say that he took a sudden interest in UNIX
OPENBSD!!! encrypt the hard drive but hand over the encryption keys as a law abiding citizen would.

does that help?

 
Posted : 12/01/2008 2:29 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

BSD-ROO,

"i think that's gonna be pretty hard, the registrys and forensics tool will be able to tell you what the client did."

"Registrys"[sic]? What does that have to do with anything? The OP said that the scenario is as follows:

"Here's the scenario
Client wants drive imaged
Client wants certain files COMPLETELY erased from the drive
Client wants drive re-imaged."

There's no mention whatsoever of the client asking that all traces of activity by a user, with respect to a specific file, be erased…just the file.

It appears that from what's been presented in this forum, the client is asking to have a file (or files) removed. Nothing in the original post by "4n6art", nor in his subsequent post, makes any reference to an issue before the courts…all that he/she said was "…this could be a case of Attorney/Client privileged…"

The fact is, there is no way to ensure that all remnants of any particular file have been completely removed from a system. First off, 4n6art never specifies the operating system in question, nor does he/she give any information about the file itself…what kind of file, how it was produced, etc.

Let's assume that this is a Windows XP system, and that we're dealing w/ a text document produced with Notepad. Now, Notepad doesn't produce temp files by default, but we don't know how many iterations there are of the file, nor if any remnants are in unallocated space.

Spool files are something of an issue, although they are deleted when the file is printed. The contents will end up in unallocated, but if the first sector (with the file header) is overwritten, how do you know which of the remaining (and how many) sectors contain data from the original file?

Don't get me started on Word documents!

Now, you can do due diligence by imaging the system, and performing a complete search using keywords that are specific and unique to the file in question. This will tell you where files and/or remnants are located…but is it all of them? Is there a sector in unallocated space, or perhaps some data left in file slack that contains portions of the file that did not contain the keywords, or perhaps only a portion of the keyword (say, "coinc", rather than "coincidence")?

Identified, specific sectors on a drive can be completely overwritten, to the point where it may be cost prohibitive (via magnetic resonance imaging) to recover the data. But to say that the file is completely removed is more of an absolute than what I'd like to bet my reputation on.

Harlan

 
Posted : 12/01/2008 4:09 am
4n6art
(@4n6art)
Posts: 208
Reputable Member
Topic starter
 

Thanx for all the input, folks.

- I don't think the client wants the drive wiped clean after Image#1. I have a feeling they want certain files wiped ONLY. If the idea is to turf the laptop out to someone else in the company - then an image/DoD wipe/OS Install will be in order but I won't know for a few days. I don't know the O/S but I am leaning towards WinXP.

- I am not going to help him BS his way in court either (if that's where this will end up). I don't think (as of yet) that is the intention either, but he can do it without any help from me if he wants to LOL

- I am going to wait and see WHY they want certain files removed and the HD re-imaged. After all that I know and have read and given all your input reconfirming that there is no way to guarantee erasure - I do not plan to stick my neck out and say that everything relating to a file(s) will be gone.

Have a safe Week!
Arthur

 
Posted : 13/01/2008 5:45 am
(@ronanmagee)
Posts: 145
Estimable Member
 

Hi Art,

Keep us informed of your findings and your decision. Interesting to see how you deal with this dilemma :-)

 
Posted : 13/01/2008 8:36 pm
neddy
(@neddy)
Posts: 182
Estimable Member
 

Art,

Response
1) Evidence Eliminator, BC Wipe etc., however I guess the nature of the files marked for deletion is a major factor.
2)
a) Sanitise a clone of the disk using a Hex Editor (could take you a long time!)
b) You could image the disk and perform keyword searches on the image that relate to the files. The results will show your client the difficulty of erasing all traces of the files, they may then decide another course of action.

Speculation;
If your client is hoping to submit the disk as evidence in some form and wishes to avoid being embarrassed by material stored on the disk, deletions of any sort will raise suspicions that may cause more problems than the initial files may have.

If your client is recycling the computer for further use, then replace it with a new disk & OS and install the original one in a USB caddy for your client to do as he pleases with.

Let us know what your client really requires!

Ned

 
Posted : 14/01/2008 2:08 am
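The keyword search on an image that keydet89 and neddy describe, including the partial-keyword case ("coinc" rather than "coincidence"), can be sketched as follows. This is an added example, not code from any poster in the thread; the 512-byte sector size, the function names and the four-sector sample image are assumptions constructed for illustration.

```python
SECTOR = 512  # assumed sector size of the image

def scan_image(image: bytes, keyword: str, min_len: int = 4):
    """Return (full, partial) keyword hits in a raw image.

    full:    (sector, offset, encoding) for each complete match
    partial: (sector, edge, fragment, encoding) where a sector ends with the
             start of the keyword, or begins with its end, and the adjacent
             sector does not complete the word
    """
    full, partial = [], []
    for enc in ("ascii", "utf-16-le"):     # 8-bit text and UTF-16LE text
        kw = keyword.encode(enc)
        step = len(kw) // len(keyword)     # bytes per character
        pos = image.find(kw)
        while pos != -1:
            full.append((*divmod(pos, SECTOR), enc))
            pos = image.find(kw, pos + 1)
        # Fragment lengths in bytes, longest first, never the whole keyword
        sizes = range(len(kw) - step, (min_len - 1) * step, -step)
        for s in range(len(image) // SECTOR):
            start, end = s * SECTOR, (s + 1) * SECTOR
            for n in sizes:                # keyword cut off by the sector end
                if image[end - n:end] == kw[:n] and image[end - n:end - n + len(kw)] != kw:
                    partial.append((s, "end", kw[:n].decode(enc), enc))
                    break
            for n in sizes:                # keyword tail at the sector start
                before = max(0, start + n - len(kw))
                if image[start:start + n] == kw[-n:] and image[before:start + n] != kw:
                    partial.append((s, "start", kw[-n:].decode(enc), enc))
                    break
    return full, partial

def sample_image() -> bytes:
    """Constructed 4-sector image (not real evidence)."""
    def sector(data: bytes = b"", at: int = 0) -> bytes:
        buf = bytearray(SECTOR)
        buf[at:at + len(data)] = data
        return bytes(buf)
    return (sector(b"a strange coincidence", 100)    # intact copy
            + sector(b"coinc", SECTOR - 5)           # rest of the word overwritten
            + sector()                               # overwritten sector
            + sector("idence".encode("utf-16-le")))  # orphaned UTF-16 tail

if __name__ == "__main__":
    full, partial = scan_image(sample_image(), "coincidence")
    print("full:", full)
    print("partial:", partial)
```

A search for the whole keyword finds one of the three sectors holding remnants in this sample. The partial hits only flag sectors for manual review, and a sector of the file that contains no part of the keyword is not found at all.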