File Erasing Question

  

4n6art
Senior Member
 

Re: File Erasing Question

Post Posted: Jan 13, 08 06:45

Thanx for all the input, folks.

- I don't think the client wants the drive wiped clean after Image#1. I have a feeling they want certain files wiped ONLY. If the idea is to turf the laptop out to someone else in the company - then an image/DoD wipe/OS Install will be in order but I won't know for a few days. I don't know the O/S but I am leaning towards WinXP.

- I am not going to help him BS his way in court either (if that's where this will end up). I don't think (as of yet) that is the intention either, but he can do it without any help from me if he wants to LOL

- I am going to wait and see WHY they want certain files removed and the HD re-imaged. After all that I know and have read and given all your input reconfirming that there is no way to guarantee erasure - I do not plan to stick my neck out and say that everything relating to a file(s) will be gone.

Have a safe Week!
Arthur  
 
  

ronanmagee
Senior Member
 

Re: File Erasing Question

Post Posted: Jan 13, 08 21:36

Hi Art,

Keep us informed of your findings and your decision. Interesting to see how you deal with this dilemma :)
 
  

neddy
Senior Member
 

Re: File Erasing Question

Post Posted: Jan 14, 08 03:08

Art,

Response
1) Evidence Eliminator, BC Wipe etc however I guess the nature of the files marked for deletion is a major factor.
2) a) Sanitise a clone of the disk using a Hex Editor (could take you a long time!)
   b) You could image the disk and perform keyword searches on the image that relate to the files. The results will show your client the difficulty of erasing all traces of the files, they may then decide another course of action.


Speculation;
If your client is hoping to submit the disk as evidence in some form and wishes to avoid being embarrassed by material stored on the disk, deletions of any sort will raise suspicions that may cause more problems than the initial files may have.

If your client is recycling the computer for further use, then replace it with a new disk & OS and install the original one in a USB caddy for your client to do as he pleases with.

Let us know what your client really requires!

Ned
_________________
Neddy
Forensic Computer Analyst (LE)
BSc (Hons)
!(-.-)!~~ 
 
  

clownboy
Member
 

Re: File Erasing Question

Post Posted: Jan 15, 08 04:28

I have worked on a few jobs of this type and it isn't always that sinister a motivation that drives the client. In most cases it is an agreement between the two parties to remove an item (a file or application) as part of a pre-litigation agreement. The offending party agrees to remove the item and then work out a settlement or go to litigation at a later date.

We would come in and image the drive to preserve the evidence of the item. We delete the item(s) and wipe the free/unallocated space and other references and re-image the drive to prove it no longer has useful references to the items at issue.

I use BCWipe and Eraser for wiping, EasyCleaner to delete references in the registry and startup files. I also pack the registry and delete any past registry backups. I am sure I miss a few references but they are so minor that most people are not all that concerned. The fact that the party can no longer access the item or items is what really matters.  
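The keyword check that neddy's option 2(b) and the re-imaging step above both rely on, as an added example that is not part of any post in this thread: a Python scan of a raw image for keywords in ASCII and UTF-16LE, run here on a constructed sample image. The function names, keywords and sample bytes are assumptions made for the illustration.

```python
import io

def keyword_patterns(keywords):
    """Map each byte pattern to (keyword, encoding); keywords must be ASCII."""
    patterns = {}
    for kw in keywords:
        patterns[kw.encode("ascii")] = (kw, "ascii")
        patterns[kw.encode("utf-16-le")] = (kw, "utf-16-le")
    return patterns

def scan_image(stream, keywords, chunk_size=1 << 20):
    """Return sorted (offset, keyword, encoding) hits found in a raw image.

    The last (longest pattern - 1) bytes of each window are carried into the
    next one, so a remnant that straddles a chunk boundary is still reported.
    """
    patterns = keyword_patterns(keywords)
    overlap = max(len(p) for p in patterns) - 1
    hits, tail, base = set(), b"", 0  # base = absolute offset of window[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        lowered = window.lower()  # bytes.lower() folds ASCII letters only
        for pat, (kw, enc) in patterns.items():
            needle = pat.lower()
            pos = lowered.find(needle)
            while pos != -1:
                hits.add((base + pos, kw, enc))
                pos = lowered.find(needle, pos + 1)
        keep = min(overlap, len(window))
        tail = window[len(window) - keep:]
        base += len(window) - keep
    return sorted(hits)

def build_sample_image():
    """Constructed 4 KiB 'image': zero fill plus three planted remnants."""
    img = bytearray(4096)
    img[510:518] = b"AcmeCorp"                      # crosses a 512-byte boundary
    img[2000:2016] = "acmecorp".encode("utf-16-le")  # wide-character copy
    img[3000:3011] = b"budget.xlsx"                  # leftover file name
    return bytes(img)

if __name__ == "__main__":
    sample = io.BytesIO(build_sample_image())
    for off, kw, enc in scan_image(sample, ["AcmeCorp", "budget.xlsx"], 512):
        print(f"{off:#010x}  {enc:<9}  {kw}")
```

Running the same scan against the first image and the final re-image gives a before/after hit list to put in front of the client.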
 
  

jaclaz
Senior Member
 

Re: File Erasing Question

Post Posted: Jan 15, 08 16:28

As always, I may be completely wrong, but I think that you are making it more "difficult" than it really is.

1) create a "DIR" List of every file that needs to be permanently deleted
(including exact size in bytes)
2) create (on ANOTHER HD) one file for each one of the list with the SAME exact size in bytes, these files can be either "00" filled or "random characters" filled, see also this:
www.forensicfocus.com/...pic&t=2065
3) copy, xcopy, robocopy or whatever newly generated files overwriting the ones on the "source" hard disk
4) defrag "source" hard disk
5) delete files in list
6) defrag again hard disk

Check if you can find even a tiny bit of the original files with any forensic tool.

Otherwise use a file-based (as opposed to RAW based) backup solution, re-format AND wipe the drive, then restore from backup everything BUT the "to be deleted" files.

The "old" (and "poor man" ;) ) way to defrag a NT 4.00 Workstation in the old times (some of you might remember how NT 4.0 did not come with a built-in defragging tool) was exactly this, I had two installs of NT on two separate partitions, booted to the second (the "emergency") install, used xcopy to copy all the files from "main" partition to a third one, formatted (and optionally wiped) the first one, then xcopied back the files.
:o

jaclaz  
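Steps 1 to 3 of the procedure in the post above, as an added example that is not jaclaz's code: a Python sketch that lists the files with their exact sizes, creates same-size fillers in a separate location, and writes them over the originals. It writes into each open file rather than calling copy or xcopy, runs on constructed sample files in a temporary directory, and every name in it is an assumption; the defrag and delete steps and the final check with a forensic tool are not scripted.

```python
import os
import tempfile

CHUNK = 1 << 20  # work in 1 MiB pieces so large files do not sit in memory

def build_manifest(paths):
    """Step 1: list every file to be erased with its exact size in bytes."""
    return [(p, os.path.getsize(p)) for p in paths]

def make_fillers(manifest, filler_dir, random_fill=False):
    """Step 2: in another location, create one same-size filler per file."""
    pairs = []
    for i, (target, size) in enumerate(manifest):
        filler = os.path.join(filler_dir, f"{i:04d}.fill")
        with open(filler, "wb") as out:
            remaining = size
            while remaining:
                n = min(remaining, CHUNK)
                out.write(os.urandom(n) if random_fill else bytes(n))
                remaining -= n
        pairs.append((target, filler))
    return pairs

def overwrite_targets(pairs):
    """Step 3: write each filler over its target, opened without truncation."""
    for target, filler in pairs:
        with open(filler, "rb") as src, open(target, "r+b") as dst:
            while chunk := src.read(CHUNK):
                dst.write(chunk)
            dst.flush()
            os.fsync(dst.fileno())  # push the new bytes to the device

def demo():
    """Run steps 1-3 on constructed sample files; return (sizes, contents)."""
    samples = {"contract.doc": b"ACME confidential " * 40, "notes.txt": b"hello"}
    with tempfile.TemporaryDirectory() as root:
        source, other = os.path.join(root, "source"), os.path.join(root, "other_hd")
        os.mkdir(source)
        os.mkdir(other)
        targets = []
        for name, data in samples.items():
            path = os.path.join(source, name)
            with open(path, "wb") as fh:
                fh.write(data)
            targets.append(path)
        manifest = build_manifest(targets)
        overwrite_targets(make_fillers(manifest, other))
        contents = []
        for path in targets:
            with open(path, "rb") as fh:
                contents.append(fh.read())
        return [size for _, size in manifest], contents
```

The script can only show that the logical file contents were replaced; whether earlier copies survive elsewhere on the disk is what the check with a forensic tool in the post is for.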
 
  

steve862
Senior Member
 

Re: File Erasing Question

Post Posted: Jan 15, 08 20:19

Hi,

Regarding disk wiping. There can be a small proviso. That being one or more sectors mapped out by the disk controller prior to any wiping. At a later date those sectors are recovered using a disk utility. If those sectors contained data that should have been wiped it would now be available again.

If this is a case of wanting to sanitise a laptop before it changes hands, installing a new hard disk would make sense considering the cost of hard drives.


Steve
_________________
Forensic Computer Examiner, London, UK 
 
  

4n6art
Senior Member
 

Re: File Erasing Question

Post Posted: Jan 18, 08 11:21

Ok... here's the scoop on this weird request.

- The client supports a law office.
- The law firm has the user who is resigning from a corporation and User wants to show best effort that all information relating to that corporation that he worked for has been removed from his *PERSONAL* computers.
- The request for erasure is for his personal systems.
- The lawyers and the support company CEO (ex-lawyer) have vetted this request - there is no perception of impropriety on the user's part - he is leaving in good standing and needs to make sure his soon-to-be-ex company is comfortable that all their information is off his drives.

We are first going to image the original systems as given to us - one ExternalHD and one PC. After which:
- We have a list of files that need to be removed given to us by User.
- For the ExtHD, we will copy the remaining files to another drive, wipe ExtHD, reformat ExtHD and restore those files to the ExtHD
- For the PC, we will delete requested files, delete swap, temp areas; Ghost the HD, wipe original drive clean and reimage the drive from the Ghost Image.
- Both ExtHD and PC drive will be reimaged again.

I think that will show good-faith effort on the part of the employee.
Can anyone else think of anything I should consider?

Thank you all for your caution and suggestions!

Regards...
Arthur  
 
