Anything else worth checking for deleted data?

(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

I've attached a drive to FTK Imager. Found no data.

Had another try with EnCase. Also nothing to mention.

Are there any other tools or processes to try and find any remnants of any data left behind? Or is it safe to conclude that this is empty?

If so, is there any way to determine whether this was deliberately wiped (i.e. because someone didn't want anyone finding there was anything on there before), or indeed it's simply a factory new drive that hasn't been used?

It's a FAT32 SSD USB drive.

 
Posted : 18/05/2016 2:47 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> I've attached a drive to FTK Imager. Found no data.
>
> Had another try with EnCase. Also nothing to mention.
>
> Are there any other tools or processes to try and find any remnants of any data left behind? Or is it safe to conclude that this is empty?
>
> If so, is there any way to determine whether this was deliberately wiped (i.e. because someone didn't want anyone finding there was anything on there before), or indeed it's simply a factory new drive that hasn't been used?
>
> It's a FAT32 SSD USB drive.

Well, you found no data OR the whole disk is filled with zeroes?

Check the CRC and/or MD5 and compare it to a zero byte CRC and/or MD5 for the same EXACT size
http://www.forensicfocus.com/Forums/viewtopic/t=5077/
http://www.forensicfocus.com/Forums/viewtopic/t=5077/postdays=0/postorder=asc/start=9/
http://www.edenprime.com/tools/epAllZeroHashCalculator.htm

jaclaz

 
Posted : 18/05/2016 12:51 pm
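The zero-hash comparison described in the post above, as an added example (it is not code from the thread, nor from the linked epAllZeroHashCalculator tool): the digest of a zero-filled stream of the exact image size is computed without materialising that stream, then compared with the digest of the image. The two sample images are constructed in memory; the default algorithm (MD5) and the 1 MiB chunk size are assumptions.

```python
import hashlib
import io

# Reusable block of zero bytes, so hashing a "virtual" zero-filled image of any
# size needs no image-sized buffer.
_ZERO_BLOCK = bytes(1024 * 1024)


def zero_hash(size, algorithm="md5"):
    """Digest of exactly `size` zero bytes, streamed 1 MiB at a time."""
    h = hashlib.new(algorithm)
    remaining = size
    while remaining > 0:
        n = min(remaining, len(_ZERO_BLOCK))
        h.update(_ZERO_BLOCK if n == len(_ZERO_BLOCK) else _ZERO_BLOCK[:n])
        remaining -= n
    return h.hexdigest()


def stream_hash(stream, algorithm="md5", chunk_size=1024 * 1024):
    """Digest of a binary file-like object (an image file or a raw device),
    read in chunks. Returns (hexdigest, total_bytes_read); the size is needed
    because the zero digest is only meaningful for the same exact length."""
    h = hashlib.new(algorithm)
    total = 0
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
        total += len(block)
    return h.hexdigest(), total


def is_all_zero(stream, algorithm="md5"):
    """True if the stream hashes to the digest of a zero stream of the same
    exact length, i.e. the device is entirely zero-filled."""
    digest, size = stream_hash(stream, algorithm)
    return digest == zero_hash(size, algorithm)


def demo():
    """Constructed sample images (not real evidence): one fully zeroed, one
    identical except for a single set bit near the end."""
    blank = bytes(4096)
    almost = bytearray(blank)
    almost[4000] = 0x01  # one bit set; the hash comparison now fails
    return is_all_zero(io.BytesIO(blank)), is_all_zero(io.BytesIO(bytes(almost)))


if __name__ == "__main__":
    print(demo())  # (True, False)
    print("MD5 of one 512-byte zero sector:", zero_hash(512))
```

Because the digest depends on the exact byte count, always pair the hash with the size actually read (the function above returns both). Note that a hash comparison has to read the whole device even when the first sector already contains data; it answers "is it all zero?" exactly, but it cannot answer "what is on it?" and it tells you nothing about a wipe done with a non-zero pattern.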
(@mscotgrove)
Posts: 938
Prominent Member
 

The problem with doing a hash check of a disk drive is that it can take several hours to show that the drive is not zero - even by a single bit on a 4TB drive.

There is, in my opinion, a large chance that a disk that may be considered blank may have a few headers still on the disk.

My approach to your problem is a feature in my software that scans the disk and shows if a sector is blank, possible text, possible file start, possible compressed data. It is then displayed as a simple graphic. Using this I have often found areas of data in the middle of the disk that can then be investigated (often an old partition)

i.e. you want to look at the disk for areas of data that have been written, and areas that are blank. This can still be a problem on disks that have been initialised with a pattern, rather than zeros.

A similar approach would be to use data carving to detect possible files.

 
Posted : 18/05/2016 8:06 pm
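A sector-classification scan of the kind described in the post above, as an added example written for this thread (it is not mscotgrove's software): every 512-byte sector is labelled as zero, repeated single-byte pattern, known file header, printable text, high-entropy (compressed/encrypted/random) or other data, producing a one-character-per-sector map and the runs of "areas" worth investigating. Unlike a whole-device hash it also handles a drive initialised with a constant non-zero pattern. The sample image, the short header list, and the thresholds (95% printable for text, 7.0 bits/byte for high entropy) are constructed assumptions.

```python
import hashlib
import math

SECTOR = 512

# Assumption: a handful of common file signatures, not a complete carving
# signature database.
MAGIC = {
    b"MZ": "PE/DOS executable",
    b"PK\x03\x04": "ZIP/OOXML",
    b"%PDF": "PDF",
    b"\x89PNG": "PNG",
    b"\xff\xd8\xff": "JPEG",
    b"\x1f\x8b": "gzip",
}

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 max."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(sector):
    """One character per sector: '.' all zero, 'p' one repeated byte value,
    'H' starts with a known file header, 't' mostly printable text,
    'r' high entropy (compressed/encrypted/random), 'd' anything else."""
    if not any(sector):
        return "."
    if sector.count(sector[0]) == len(sector):
        return "p"
    if any(sector.startswith(m) for m in MAGIC):
        return "H"
    printable = sum(1 for b in sector if b in PRINTABLE)
    if printable >= 0.95 * len(sector):
        return "t"
    if entropy(sector) > 7.0:
        return "r"
    return "d"


def sector_map(image):
    """Classify every sector of a raw image (bytes) into a map string."""
    return "".join(classify(image[i:i + SECTOR]) for i in range(0, len(image), SECTOR))


def runs(smap):
    """Collapse the map into (class, first_sector, count) runs: the 'areas'
    view of where something was written and where nothing was."""
    out = []
    for i, c in enumerate(smap):
        if out and out[-1][0] == c:
            out[-1] = (c, out[-1][1], out[-1][2] + 1)
        else:
            out.append((c, i, 1))
    return out


def build_sample_image():
    """Constructed 9-sector image (not real evidence): three zero sectors, a
    0xFF-filled sector, a ZIP header, text, pseudo-random bytes, two zeros."""
    text = (b"Quarterly report draft. Do not distribute.\r\n" * 20)[:SECTOR]
    random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(SECTOR // 32))
    header = (b"PK\x03\x04" + bytes(SECTOR))[:SECTOR]
    return b"".join([bytes(SECTOR) * 3, b"\xff" * SECTOR, header, text, random_like, bytes(SECTOR) * 2])


if __name__ == "__main__":
    m = sector_map(build_sample_image())
    print(m)  # ...pHtr..
    for cls, start, count in runs(m):
        print(f"{cls} sectors {start}-{start + count - 1} ({count})")
```

On a real device, feed `sector_map` the image in chunks rather than one `bytes` object, and treat any run that is not '.' or 'p' as a candidate for a closer look (an old partition, a stray header, leftover carvable files). A 'p' run with a non-zero value is what a pattern-based wipe leaves behind, which is exactly the case the all-zero hash check misses.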
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> The problem with doing a hash check of a disk drive is that it can take several hours to show that the drive is not zero - even by a single bit on a 4TB drive.

… though maybe in this specific case this "FAT32" drive is not that big and being a SSD it is also pretty fastish to hash…

Anyway I assumed that the device had been already imaged by FTK imager (or other tool) and thus its hash was already known. oops

jaclaz

 
Posted : 18/05/2016 9:00 pm
kacos
(@kacos)
Posts: 93
Trusted Member
 

> .. is there any way to determine whether this was deliberately wiped (i.e. because someone didn't want anyone finding there was anything on there before), or indeed it's simply a factory new drive that hasn't been used?
>
> It's a FAT32 SSD USB drive.
>
> Well, you found no data OR the whole disk is filled with zeroes? ..

or it may be filled with random or custom patterns (see Eraser for example).

 
Posted : 18/05/2016 9:53 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> or it may be filled with random or custom patterns (see Eraser for example).

Yep :) , though roughly we have 256^[number of BYTES in the device] 😯 possibilities, of which we can check easily for exactly ONE condition (which excludes ALL other ones) i.e. the single case when the device is ALL zeroes.

A good question would be whether the device (new from factory) is actually ALL zeroes or not (and this may actually vary from specific device/manufacturer/model/etc.), while we know for sure that a wiped disk - by definition - is (or should be) all zeroes.

But, back to the specific case, I wonder how a supposedly new from factory OR wiped device can be categorized as being "FAT32", as a new device might well have been delivered from factory pre-(partitioned and) formatted as FAT32, but the result of an intentional wipe would be all zeroes, unless the wiping has been followed by new (partitioning and) formatting.

And still, if the device is (partitioned and) formatted with a given filesystem it is usually possible to know at least under which OS this happened and in some cases even when the operation was performed.

jaclaz

 
Posted : 18/05/2016 10:15 pm
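One way to approach the "under which OS, and when" question raised at the end of the post above for a FAT32 volume, as an added example that is not from the thread: read the BPB fields of the boot sector (OEM name, volume ID, label), locate the root directory from the BPB geometry, and decode the write date/time of the volume-label directory entry, which formatting tools write when a label is set. The OEM-name-to-formatter table is a heuristic, the sample image is constructed here, and a format time recovered this way should be corroborated with other artefacts (FAT timestamps are local time with no zone).

```python
import struct

# Heuristic: OEM names commonly written by well-known formatters (assumption,
# not an exhaustive or authoritative list).
OEM_HINTS = {
    b"MSDOS5.0": "Windows format (NT family)",
    b"MSWIN4.1": "Windows 9x format",
    b"mkfs.fat": "Linux dosfstools (mkfs.fat)",
    b"mkdosfs ": "Linux dosfstools (older mkdosfs)",
    b"BSD  4.4": "macOS / BSD newfs_msdos",
}


def fat_datetime(date, time):
    """Decode packed DOS date/time fields (2-second resolution, local time)."""
    year = 1980 + (date >> 9)
    month = (date >> 5) & 0x0F
    day = date & 0x1F
    hour = time >> 11
    minute = (time >> 5) & 0x3F
    second = (time & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def parse_fat32_boot_sector(sector):
    """Return the BPB fields relevant to 'who formatted this', or None when the
    sector is not a plausible FAT32 boot sector (e.g. an all-zero sector)."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        return None
    if sector[0x42] != 0x29 or sector[0x52:0x5A] != b"FAT32   ":
        return None
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sector, 0x0B)
    fatsz32, = struct.unpack_from("<I", sector, 0x24)
    root_cluster, = struct.unpack_from("<I", sector, 0x2C)
    vol_id, = struct.unpack_from("<I", sector, 0x43)
    oem = sector[0x03:0x0B]
    first_data_sector = reserved + nfats * fatsz32
    root_dir_sector = first_data_sector + (root_cluster - 2) * spc
    return {
        "oem_name": oem.decode("ascii", "replace"),
        "formatter_hint": OEM_HINTS.get(oem, "unknown OEM name"),
        "volume_id": f"{vol_id >> 16:04X}-{vol_id & 0xFFFF:04X}",
        "bpb_label": sector[0x47:0x52].decode("ascii", "replace").rstrip(),
        "root_dir_offset": root_dir_sector * bps,
        "bytes_per_sector": bps,
    }


def find_volume_label_entry(root_dir):
    """Scan 32-byte directory entries for the volume-label entry (attribute
    0x08; LFN entries are 0x0F and are skipped). Its write timestamp is the
    closest thing FAT32 keeps to 'when was this volume labelled/formatted'."""
    for off in range(0, len(root_dir) - 31, 32):
        entry = root_dir[off:off + 32]
        if entry[0] == 0x00:   # no further entries
            break
        if entry[0] == 0xE5:   # deleted entry
            continue
        if entry[0x0B] == 0x08:
            wrt_time, wrt_date = struct.unpack_from("<HH", entry, 0x16)
            return {"label": entry[:11].decode("ascii", "replace").rstrip(),
                    "written": fat_datetime(wrt_date, wrt_time)}
    return None


def build_sample_image():
    """Constructed minimal FAT32 layout (not a real drive): 512-byte sectors,
    32 reserved sectors, two 1-sector FATs, root directory in cluster 2."""
    bs = bytearray(512)
    bs[0:3] = b"\xeb\x58\x90"
    bs[3:11] = b"MSDOS5.0"
    struct.pack_into("<HBHB", bs, 0x0B, 512, 1, 32, 2)   # bps, spc, reserved, FATs
    struct.pack_into("<I", bs, 0x24, 1)                  # FAT size in sectors
    struct.pack_into("<I", bs, 0x2C, 2)                  # root directory cluster
    bs[0x42] = 0x29
    struct.pack_into("<I", bs, 0x43, 0x1234ABCD)         # volume ID
    bs[0x47:0x52] = b"USB DRIVE  "
    bs[0x52:0x5A] = b"FAT32   "
    bs[510:512] = b"\x55\xaa"
    image = bytearray(512 * 40)
    image[0:512] = bs
    root = 34 * 512   # sector 32 reserved + 2 FATs of 1 sector each
    image[root:root + 11] = b"USB DRIVE  "
    image[root + 0x0B] = 0x08
    # Volume label written 2016-05-18 14:30:00 (constructed value)
    struct.pack_into("<HH", image, root + 0x16, (14 << 11) | (30 << 5), (36 << 9) | (5 << 5) | 18)
    return bytes(image)


def demo():
    image = build_sample_image()
    info = parse_fat32_boot_sector(image[:512])
    if info is None:
        return None
    root = image[info["root_dir_offset"]:info["root_dir_offset"] + 512]
    info["volume_label_entry"] = find_volume_label_entry(root)
    return info


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real image, pass the first 512 bytes to `parse_fat32_boot_sector` and slice the root directory at the returned offset; a `None` result for the boot sector is itself informative, since a genuinely wiped device will not carry a valid BPB at all, whereas a factory-formatted one will.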