Hoping someone can explain this. I have 2 external USB drives which I have used for previous cases, case references 0073 and 0074
I used DBAN (2.2.6) to wipe both drives overnight last night, both apparently succeeded although there was an error message listed AFTER the success messages.
I went to use the one from 0073 for a new case (0076), initialised it and quick formatted it, but when I went to select it as the destination drive in TIM on an XP SP2 box, some data and folders from a completely unrelated case (0065) appear in the dialogue box. Thought "strange" - deleted the files/folders, tried again - 0065 stuff still there.
OK, went into Disk Management, deleted the partition and Quick Formatted, then back to TIM, 0065 stuff still there. Hmmm. Shut down and re-started - 0065 stuff still there in TIM
OK, deleted the partition, did a full format - 0065 stuff still there in TIM.
Gave the drive to a colleague who has nothing to do with forensics and wouldn't have had any of my drives connected to her system - 0065 stuff still there in plain view in Windows Explorer.
Hmmmmmm. Decided to give DBAN another shot but in the meantime tried the drive from 0074 - and the 0065 stuff is on it as well!! But not exactly the same stuff. I used FTK Imager to take hashes and directory listings and they're not the same - close, but definitely not the same.
At no stage have either of these USB drives (0073 and 0074) been used in connection with 0065.
Has anyone got any clue what might be going on here? Am I missing something blindingly obvious?
Cheers
Some more info - where filenames (including full path info) on the two wonky drives (0073 and 0074) match, hashes don't always match. Both MD5 and SHA1.
HTH x
Greetings,
Why are you assuming the problem is with DBAN? It doesn't maintain state information across reboots if you're running it from a thumb drive, and probably not in other cases. And you don't mention connecting the 0065 drive to the DBAN system. Or are you running DBAN on the system that you're using for TIM?
What about the TIM system? Has 0065 been attached to it?
Did you look at the 007x drives prior to wiping them? After doing so but before TIM? With a hex editor now?
Have you tried rewiping the 007x drives? Wiping another drive and connecting it to the TIM system to see if 0065 data shows up?
I could go on ….
-David
Hi David, wasn't assuming the problem is with DBAN, I've just never come across this before.
For clarification, am running DBAN from boot CD on one system, all other work (incl TIM) is on a different system.
Haven't connected 0065 to the DBAN system, but have to the TIM one although several days intervened (am not in the office now so would have to go back and check) and BTW I had to roll back to a Restore Point yesterday on the TIM system.
The 007x drives prior to wiping - yes I collected some data files yesterday that the business wanted to retain and put them on CD/DVD. Prior to TIM and after initialisation, no didn't look at them but I'm guessing that the fact that Windows wanted to initialise them implies they were pretty well wiped? Have looked at both drives in FTKI, and in Explorer view can see all that 0065 stuff. I'll have a look in WinHex tomorrow but frankly am at a loss to know what to look for.
Haven't tried re-wiping yet as I only have one system for wiping and it's running overnight, but will try the drive tomorrow. And after initialisation will assign it something other than drive F (which is what both the others were).
Can you share any ideas you might have as to how this scenario might have arisen? To me it looks as if the 0065 stuff has mysteriously transferred from somewhere across to the wiped drives but (a) I have no idea where it came from (it isn't on the TIM system as far as I can see - done a search for filenames), (b) why is the data on the two drives different if it's the same thing that's triggering it, (c) even if the 0065 was on the TIM system, what would have triggered the transfer?
Regards
Greetings,
I really have no idea, sorry.
Given that you're running DBAN from a CD I'm pretty certain that your problem isn't with DBAN.
I'd run another drive through the same process and examine it at each step to see when the 0065 data appears. I'd also look at the TIM system to see if the 0065 data is on there, and if so, where.
When you connected the 007x drives to the TIM system, did you run anything other than TIM that would write to a drive? If not, then TIM is your likely culprit.
-David
David, immediate problem solved. After much to-ing and fro-ing with the same result, I deleted all items in the TIM Acquisition Queue (basically a history log) and hey presto problem disappeared.
As to WHY the problem arose, goodness only knows. I had used one USB drive for several images for one case (0065)
4 x USB sticks (max 2GB each) - ref USB01, USB02 etc
1 x Toshiba external 500GB drive
The Toshiba turned out to be a flaky drive which I didn't have time to complete imaging (User going to USA from UK) so I cancelled that specific job. But cancelling shouldn't give TIM a problem like this.
The only thing I can think of is that whatever problem I encountered last week which forced me to roll back to an earlier RP also caused some kind of corruption in TIM (I don't think TIM was running at the time but couldn't be 100% sure).
I tried creating a new RP yesterday, and rolled back to the same one from last week in the hope that I might have got something back, but no - TIM Acquisition Queue was empty.
Have now restored yesterday's RP and everything looks rosy from now on in. I've logged it with Tableau, will report back on anything they come up with.
Cheers
Hi folks, answer on this problem from Tableau (aka Guidance) via a UK vendor, paraphrased
This is a known "bug" which was reported last year
Given that Guidance now own Tableau, one wonders how much effort will go into bug fixing - anyone else feel a rival for FTK Imager being spawned?
Cheers everyone
anyone else feel a rival for FTK Imager being spawned
What, EnCase?
Yup - saw this before
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=5801
It's annoying. At the EnCase 7 preview in NYC I specifically asked about TIM and future development and I was led to believe that it will continue and GSI might move in the direction of a stand alone imager as well.
Greetings,
If GSI releases a standalone imager, they're just continuing the pissing contest with AD. Both companies need to grow up a bit, focus more on improving their own core products, and spend less time taking chunks out of each other. Pretty soon, it will not be the other party they need to worry about, but a third party, possibly a new player in the field, who starts eating their lunch.
FTK Imager works well. And it is free. Why spend valuable engineering resources competing with "good" and "free" when your customers are hammering on you to fix bugs and add features to your existing products that they're already paying good money for, and are getting frustrated with?
-David