So I've just finished my 2nd year at University (studying Computer Forensics) and I've taken it upon myself to do some research in my free time. So I took a memory stick, deleted all the data, then overwrote the stick with data. I then ran recovery software on it. The recovery software found approx. 1,000 files which could be recovered.
I then used wiping software to wipe the memory stick with 0's. I then ran recovery software again. And nothing. Couldn't recover a damn thing. I used FTK imager to take an image of the memory stick then used FTK to analyze the stick and all I saw was files, when viewed in hex, just contained 0's.
So now I'm left thinking; if a 'bad guy' used the techniques mentioned above, what is the next step for me, as a forensicator?
So I've just finished my 2nd year at University (studying Computer Forensics) and I've taken it upon myself to do some research in my free time. So I took a memory stick, deleted all the data, then overwrote the stick with data. I then ran recovery software on it. The recovery software found approx. 1,000 files which could be recovered.
No.
Meaning that you did NOT overwrite the WHOLE data (if you did you would only find the NEW data that you wrote to it).
I then used wiping software to wipe the memory stick with 0's. I then ran recovery software again. And nothing. Couldn't recover a damn thing. I used FTK imager to take an image of the memory stick then used FTK to analyze the stick and all I saw was files, when viewed in hex, just contained 0's.
Sure, hardly something that needs posting as "news"!
JFYI a "plain" Format under a modern NT-based OS would do as well
http://www.forensicfocus.com/Forums/viewtopic/t=9341
So now I'm left thinking; if a 'bad guy' used the techniques mentioned above, what is the next step for me, as a forensicator?
You can go and take a walk outside, be kind to some stranger, this kind of stuff.
Simply, you have nothing to retrieve, let alone to analyze. :(
Another activity you could indulge in could be that of searching the internet and the board.
You could find something of interest, like
http://www.forensicfocus.com/Forums/viewtopic/t=3542/
http://www.forensicfocus.com/Forums/viewtopic/t=9847/
In theory you may be able to find some traces in some "spare sectors", though it won't be easy
http://www.forensicfocus.com/Forums/viewtopic/t=7042/
AND, from a merely probabilistic point of view of NO actual usefulness in a case.
(unless the stick has been used for years to store huge plain text files only, the probability of getting anything that makes sense in a bunch of sectors is very near to 0.0000001%).
jaclaz
Since we are talking about Flash media, the only other thing that you might want to try is to perform a chip off of the Flash chips and dump the content to try and recover artifacts caused by wear levelling.
Flash media have a portion of Flash memory that is reserved for the controller to perform wear levelling. For example, an 80 GB SSD drive might in reality have 100 GB of Flash storage. When you perform a "standard" wipe, you only wipe the user-addressable space (80 GB of the 100 GB).
So, with chip-off you are able to access the entire memory, including the part that is reserved to the controller. If you're lucky, you might then find some artifacts.
According to NIST, the safest way to wipe Flash storage is to use "Secure Erase". If correctly implemented by the manufacturer, Secure Erase should erase all the memory cells including those reserved for the controller.
As for regular hard drives a wipe is pretty much definitive and you won't find anything. Just like encryption, wiping is a big pain in the … for forensics.
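The OP's check (viewing the image in hex and seeing only zeros) and the chip-off suggestion above both come down to the same task: walk a raw dump sector by sector and report anything that is not blank. The following script is an added example and is not code from the thread; it scans a raw image (an FTK Imager .dd or a chip-off dump), counts non-zero sectors, and lists printable-ASCII runs with their byte offsets. The sample image it builds is constructed for demonstration.

```python
import re

SECTOR = 512  # assumed sector size for the scan


def build_sample_image(path):
    """Write a constructed 8-sector image: all zeros except one
    leftover sector of plain text (stands in for a 'spare sector')."""
    with open(path, "wb") as f:
        for i in range(8):
            if i == 5:
                f.write(b"lecture notes draft 2".ljust(SECTOR, b"\x00"))
            else:
                f.write(b"\x00" * SECTOR)


def scan_image(path, sector=SECTOR, min_run=8):
    """Return a summary of non-blank sectors and printable strings.

    strings: list of (absolute_byte_offset, text) for ASCII runs of
    at least min_run characters found inside non-zero sectors.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_run)
    total = nonzero = 0
    strings = []
    with open(path, "rb") as f:
        while True:
            buf = f.read(sector)
            if not buf:
                break
            total += 1
            if buf.count(0) == len(buf):
                continue  # fully zeroed sector, nothing to see
            nonzero += 1
            base = (total - 1) * sector
            for m in pattern.finditer(buf):
                strings.append((base + m.start(), m.group().decode("ascii")))
    return {"sectors": total, "nonzero_sectors": nonzero,
            "fully_zeroed": nonzero == 0, "strings": strings}


if __name__ == "__main__":
    import tempfile, os
    tmp = os.path.join(tempfile.mkdtemp(), "sample.dd")
    build_sample_image(tmp)
    result = scan_image(tmp)
    print(result["nonzero_sectors"], "of", result["sectors"], "sectors non-zero")
    for off, text in result["strings"]:
        print("0x%08x: %s" % (off, text))
```

Run it against a real image instead of the sample by passing the image path to scan_image; a result with fully_zeroed set to True is what the OP saw after the zero-fill wipe.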
So I've just finished my 2nd year at University (studying Computer Forensics) and I've taken it upon myself to do some research in my free time. So I took a memory stick, deleted all the data, then overwrote the stick with data. I then ran recovery software on it. The recovery software found approx. 1,000 files which could be recovered.
No.
Meaning that you did NOT overwrite the WHOLE data (if you did you would only find the NEW data that you wrote to it).
jaclaz
When I say I overwrote the data, I mean I pasted 16 GB of rubbish onto the memory stick. Sorry if you didn't find this a valid test, but I'm just doing some research and it's interesting to me.
Thanks :)
So now I'm left thinking; if a 'bad guy' used the techniques mentioned above, what is the next step for me, as a forensicator?
Depends entirely on the storage device, as far as I can see. If you view the storage unit as a black box that you can't look into, you can't get further. It could be a hard drive, or a flash drive, or some kind of RAID device, or even, in theory, a cloud-connected iSCSI (or ATA-over-Ethernet) device that relays all your read/write requests to some storage server elsewhere. Or perhaps something more strange, such as a Voom Shadow 'drive'. But if you can't 'look inside', that's it: all you have is what the device interface allows you to do.
Which probably means that you should go for ATA, SCSI, USB, etc. interface and protocol specifications to *really* know what your options with that particular type of device are.
Then, it becomes a question of how the device has been implemented, i.e. what's inside the black box. Some options have already been mentioned – but they assume that you can 'pop the hood' in one way or another.
Added: and that, to some extent, is what I think a … 'forensicator', did you say? … must be able to do.
When I say I overwrote the data, I mean I pasted 16 GB of rubbish onto the memory stick. Sorry if you didn't find this a valid test, but I'm just doing some research and it's interesting to me.
Sure :), but consider (hypothetically) that you are tasked to paint with white 😯 the pages of (say) a 100 page book (or if you prefer write over them).
You cannot overwrite the first 16 pages of it (or 16 pages of it at random) and actually be surprised that after the overwriting the untouched remaining 84 pages can still be read.
On the other hand, after you have duly blanked all 100 pages you cannot be surprised that no page can be read anymore.
There is here a thread dedicated to deleting, formatting and wiping analogies that you may also find of interest
http://www.forensicfocus.com/Forums/viewtopic/t=5150/
if you don't like the book analogy, you can use the hotel one
http://www.forensicfocus.com/Forums/viewtopic/p=6536197/#6536197
but once the briefcase has gone down the chute and through the incinerator, that's it, all you can find is (maybe) some fragments.
jaclaz
I then used wiping software to wipe the memory stick with 0's. I then ran recovery software again. And nothing
Congrats - you wiped the drive and all the geniuses on this board won't be able to recover a thing.
Thanks jaclaz, I'll look at the links you provided.
I then used wiping software to wipe the memory stick with 0's. I then ran recovery software again. And nothing
Congrats - you wiped the drive and all the geniuses on this board won't be able to recover a thing.
Not sure if you're being sarcastic or you genuinely mean that.