File Erasing Question

  

File Erasing Question

Post Posted: Thu Jan 10, 2008 12:47 pm

Hello all:

Long time viewer first time poster - and I thank you for taking the time to post information on this forum which in turn has helped me gain a lot of knowledge.

Here's the scenario:
Client wants drive imaged
Client wants certain files COMPLETELY erased from the drive
Client wants drive re-imaged.

1) Can anyone recommend a (free if possible) program that will allow me to erase the file entirely?
2) I realize that reimaging the drive after erasure does not guarantee that remnants of that file will not be available in swap, spool, temp areas, which brings up two questions:
a) Can anyone recommend a way that I can remove ALL hints of the file?
b) Can anyone help me bolster my argument to the client that a complete erasure is not guaranteed based on remnants being found in swap, spool etc.

Thank you again folks.
Arthur.


PS: Harlan - nice job on the book - great information - Thank you :)

4n6art
Senior Member
 
 
  

Re: File Erasing Question

Post Posted: Thu Jan 10, 2008 1:18 pm

Sounds fishy to me. Did you ask your client why he wanted to do this? Ignorance is not always bliss, in fact ignorance sometimes means liability. As some will tell you, I always assume the worst about people. It makes my job easier.

Good luck with that.  

verdad
Member
 
 
  

Re: File Erasing Question

Post Posted: Thu Jan 10, 2008 1:23 pm

Oh, and I don't mean to be rude, but if you have to ask your question, you don't have the skill to pull it off. What do you intend to say when your client blames you because someone figured this out? Tell your client to be honest instead.  

verdad
Member
 
 
  

Re: File Erasing Question

Post Posted: Thu Jan 10, 2008 1:30 pm

Verdad:

Thanx for the reply - no offense taken.

My initial meeting with the client is next week. I do plan on asking him WHY - I have no intentions of taking on a case without knowing all the facts and history and having it documented somewhere. It did sound a little fishy to me but I will reserve judgment till I have my meeting - this could be a case of Attorney/Client privileged information they are trying to scrub.

Does ANYONE have the skill to pull this off?? I will admit I don't and I don't think anyone else does either to a level that they can guarantee that the file will disappear from the second image (without scrubbing all the unallocated space and removing the swap etc). If someone does, I would like to know how it can be done.

I am leaning towards NOT having an iron-clad guarantee on the file deletion - I am looking towards more experienced people to help me prove my case.

Appreciate the response. :)
Arthur  

4n6art
Senior Member
 
 
  

Re: File Erasing Question

Post Posted: Fri Jan 11, 2008 4:00 pm

4n6art wrote:
Verdad:

Thanx for the reply - no offense taken.

My initial meeting with the client is next week. I do plan on asking him WHY - I have no intentions of taking on a case without knowing all the facts and history and having it documented somewhere. It did sound a little fishy to me but I will reserve judgment till I have my meeting - this could be a case of Attorney/Client privileged information they are trying to scrub.

Does ANYONE have the skill to pull this off?? I will admit I don't and I don't think anyone else does either to a level that they can guarantee that the file will disappear from the second image (without scrubbing all the unallocated space and removing the swap etc). If someone does, I would like to know how it can be done.

I am leaning towards NOT having an iron-clad guarantee on the file deletion - I am looking towards more experienced people to help me prove my case.

Appreciate the response. :)
Arthur


Why not just copy off the data that you do want and then wipe the drive if that is what your client wants?

Mark
_________________
Mark Stevens
Principal Forensic Investigator
Microsoft Ltd
Network Security Investigations & Forensics 

mas66
Member
 
 
  

Re: File Erasing Question

Post Posted: Fri Jan 11, 2008 4:29 pm

i think that's gonna be pretty hard, the registrys and forensics tool will be able to tell you what the client did.

if you do not want to defame your client in court, you do not want to have registries saying that you have tampered with something nor would you give him a fresh copy of windows with some old files trying to pass as a seasoned OS/disk if you know what i mean.

if the client is using xp, you can back up data that he does want, dd the whole disk with urandom and then do a fresh install of vista. then put the files back, that way he can say in court that he was updating his operating system.

or you can say that he took a sudden interest in UNIX
OPENBSD!!! encrypt the hard drive but hand over the encryption keys as a law abiding citizen would.

does that help?  

bsd-roo
Newbie
 
 
  

Re: File Erasing Question

Post Posted: Fri Jan 11, 2008 6:09 pm

BSD-ROO,

bsd-roo wrote:
i think that's gonna be pretty hard, the registrys and forensics tool will be able to tell you what the client did.


"Registrys"[sic]? What does that have to do with anything? The OP said that the scenario is as follows:

"Here's the scenario:
Client wants drive imaged
Client wants certain files COMPLETELY erased from the drive
Client wants drive re-imaged."

There's no mention whatsoever of the client asking that all traces of activity by a user, with respect to a specific file, be erased...just the file.

It appears that from what's been presented in this forum, the client is asking to have a file (or files) removed. Nothing in the original post by "4n6art", nor in his subsequent post, makes any reference to an issue before the courts...all that he/she said was "...this could be a case of Attorney/Client privileged..."

The fact is, there is no way to ensure that all remnants of any particular file have been completely removed from a system. First off, 4n6art never specifies the operating system in question, nor does he/she give any information about the file itself...what kind of file, how it was produced, etc.

Let's assume that this is a Windows XP system, and that we're dealing w/ a text document produced with Notepad. Now, Notepad doesn't produce temp files by default, but we don't know how many iterations there are of the file, nor if any remnants are in unallocated space.

Spool files are something of an issue, although they are deleted when the file is printed. The contents will end up in unallocated, but if the first sector (with the file header) is overwritten, how do you know which of the remaining (and how many) sectors contain data from the original file?

Don't get me started on Word documents!

Now, you can do due diligence by imaging the system, and performing a complete search using keywords that are specific and unique to the file in question. This will tell you where files and/or remnants are located...but is it all of them? Is there a sector in unallocated space, or perhaps some data left in file slack that contains portions of the file that did not contain the keywords, or perhaps only a portion of the keyword (say, "coinc", rather than "coincidence")?

Identified, specific sectors on a drive can be completely overwritten, to the point where it may be cost prohibitive (via magnetic resonance imaging) to recover the data. But to say that the file is completely removed is more of an absolute than what I'd like to bet my reputation on.

Harlan  

keydet89
Senior Member
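
The keyword sweep described in the post above, as an added example that is not part of the thread or any poster's code: it searches a raw image for a keyword in ASCII and UTF-16LE and separately flags sectors that end with only the start of the keyword (the "coinc" case). The 512-byte sector size, the function names and the four-sector sample image are assumptions constructed for illustration.

```python
SECTOR = 512  # assumed sector size for this example


def patterns(keyword):
    """The keyword as it may sit on disk: ASCII and UTF-16LE."""
    return {enc: keyword.encode(enc) for enc in ("ascii", "utf-16le")}


def full_hits(image, keyword):
    """(sector, offset in sector, encoding) for each complete match."""
    hits = []
    for enc, pat in patterns(keyword).items():
        pos = image.find(pat)
        while pos != -1:
            hits.append((pos // SECTOR, pos % SECTOR, enc))
            pos = image.find(pat, pos + 1)
    return sorted(hits)


def truncated_hits(image, keyword, min_chars=4):
    """(sector, fragment, encoding) where a sector ends with the start of
    the keyword and the following sector does not continue it."""
    hits = []
    for enc, pat in patterns(keyword).items():
        for end in range(SECTOR, len(image) + 1, SECTOR):
            for n in range(len(keyword) - 1, min_chars - 1, -1):
                pre = keyword[:n].encode(enc)
                start = end - len(pre)
                if image[start:end] == pre and image[start:start + len(pat)] != pat:
                    hits.append((end // SECTOR - 1, keyword[:n], enc))
                    break
    return sorted(hits)


def build_sample_image():
    """Constructed four-sector image (not real evidence)."""
    s0 = b"It was no coincidence that".ljust(SECTOR, b"\x00")       # live file
    s1 = "a coincidence".encode("utf-16le").ljust(SECTOR, b"\x00")  # UTF-16 copy
    s2 = b"remnant text ".ljust(SECTOR - 5, b".") + b"coinc"        # orphaned sector
    s3 = b"\x00" * SECTOR                                           # overwritten
    return s0 + s1 + s2 + s3


if __name__ == "__main__":
    img = build_sample_image()
    print("full:", full_hits(img, "coincidence"))
    print("truncated:", truncated_hits(img, "coincidence"))
```

A plain full-keyword search reports sectors 0 and 1 and misses sector 2, which only the fragment check surfaces. A sector holding file content with neither the keyword nor a fragment of it produces no hit in either pass.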
 
 

Page 1 of 2