Hi all,
I know Encase can do it, but what other tools are there that can provide quick visual verification that a drive has been wiped?
This would preferably be something that a non-"techie" could do relatively easily. i.e. attach the suspect drive to a write block, then to a forensic computer, and have some sort of visual verification that a drive has been wiped (zero'ed out or pattern, or anything except random characters)
thanks
-Nick
Not wanting to pass judgment here, but simply searching for non-random patterns isn't the best qualifier for determining if a disk has been wiped. After all, dd if=/dev/random of=/dev/hda will bypass your qualification.
Quick visual inspection
FTK imager (accessdata.com)
A hex editor
Various Linux tools like xxd and dd combinations
Maybe a dd command piped with a string would give the investigator an idea.
However, I think slightly more advanced software (FTK Imager, for example) would allow both that kind of check (whether the drive has been wiped or not) and maybe a quick preview…
Thanks for the replies.
Sorry, I failed to mention that I'm not just looking to see if it's been wiped in general, but if it has been wiped a certain way, i.e. all 0's, all 1's, something other than what could look like a full-disk-encrypted drive.
If I check a preview of the drive in EnCase I should see the disk and no partitions, and under the preview of the drive, all of the same character that was used to wipe the drive, most often 0.
Also, the work would not be performed by a computer technician, but by a PoC at a remote site.
I'm not too experienced with hex editors; oops, I've used one a long time ago to examine single files. How would I get the hex editor to view the entire attached hard drive in Windows XP? This could be a much more cost-effective solution than buying another copy of EnCase.
Would a bootable Linux CD and dd be the best option when balancing minimal cost with minimal technical expertise? This work would be performed by someone who has never strayed outside of a Windows environment. They would have some informal training on identifying IDE, SATA, SCSI drives, how to attach the write blocker and determine that it is working, and creating a case in EnCase to preview the drive.
Sorry for all the questions, just trying to get a feel for what options I have for a limited budget that will still be usable for someone without a lot of technical training.
offline,
As Linux treats everything as a file, you can just use xxd on sda (or whatever your attached suspect drive is). You could then view different areas of the physical disk.
You don't mention if you are interested in selective wiping, i.e. zeroing out unused MFT records or blocks of space on the hard drive. Is this something you might be investigating/researching?
Steve
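Putting the bootable-Linux-CD idea from Nick's follow-up and Steve's xxd suggestion together, here is an added example script (not posted by anyone in the thread) that classifies a drive or drive image as wiped with all 0x00, all 0xFF, or something else, and prints the collapsed hex view that makes a clean wipe obvious at a glance. It assumes a GNU/Linux live CD with dd, tr, wc, od and mktemp; the device name /dev/sdb in the usage line is an assumption, and the images it builds at the bottom are constructed demo data, not evidence. od is used rather than xxd only because od is in coreutils and xxd is not always on a minimal live CD.

```sh
#!/bin/sh
# Added example, not from the original thread: classify a drive (or an image
# of it) as wiped with all 0x00, all 0xFF, or "other", and show the od
# equivalent of the xxd view Steve describes. Assumes a GNU/Linux live CD
# with dd, tr, wc, od and mktemp. The device name /dev/sdb below is an
# assumption; on real evidence run it as root against the write-blocked drive:
#     sh wipecheck.sh /dev/sdb
set -u
LC_ALL=C; export LC_ALL   # make tr/od work on raw bytes, not characters

# Total size in bytes, read through once (works for files and block devices).
byte_count() {
    wc -c < "$1" | tr -d ' '
}

# Number of bytes in $1 that are NOT the byte with octal value $2 (000, 377...).
# tr -d deletes every occurrence of that byte; whatever survives is "other".
count_other_bytes() {
    tr -d "\\$2" < "$1" | wc -c | tr -d ' '
}

# Echo one of: unreadable, empty, zeros, ones, other.
# "other" covers leftover data as well as random fill or full-disk
# encryption, which is exactly what this check is meant to flag.
wipe_pattern() {
    path=$1
    [ -r "$path" ] || { echo unreadable; return 1; }
    total=$(byte_count "$path")
    if [ "$total" -eq 0 ]; then
        echo empty
    elif [ "$(count_other_bytes "$path" 000)" -eq 0 ]; then
        echo zeros
    elif [ "$(count_other_bytes "$path" 377)" -eq 0 ]; then
        echo ones
    else
        echo other
    fi
}

# Quick visual check: od collapses runs of identical 16-byte lines into a
# single "*", so a cleanly zeroed disk shows one line of 00s, a "*", and the
# final offset. Anything else stands out immediately.
preview() {
    od -A x -t x1z "$1" | head -n "${2:-12}"
}

# Look at one 512-byte sector by sector number (the "different areas of the
# physical disk" idea) without reading the whole drive.
show_sector() {
    dd if="$1" bs=512 skip="$2" count=1 2>/dev/null | od -A d -t x1z
}

# --- constructed demo images so this runs stand-alone (not real evidence) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
dd if=/dev/zero bs=512 count=8 2>/dev/null > "$demo_dir/zeros.img"
dd if=/dev/zero bs=512 count=8 2>/dev/null | tr '\000' '\377' > "$demo_dir/ones.img"
# Zeroed except for 8 leftover bytes in sector 4: the case a sampled glance misses.
{ dd if=/dev/zero bs=512 count=4 2>/dev/null
  printf 'NTFS    '
  dd if=/dev/zero bs=2040 count=1 2>/dev/null; } > "$demo_dir/leftover.img"
dd if=/dev/urandom bs=512 count=8 2>/dev/null > "$demo_dir/random.img"

if [ $# -ge 1 ]; then
    echo "$1: $(wipe_pattern "$1")"
    preview "$1"
else
    for img in zeros ones leftover random; do
        printf '%-13s %s\n' "$img.img:" "$(wipe_pattern "$demo_dir/$img.img")"
    done
    echo "--- preview of leftover.img ---"
    preview "$demo_dir/leftover.img"
    echo "--- sector 4 of leftover.img ---"
    show_sector "$demo_dir/leftover.img" 4
fi
```

Two practical caveats. The classification reads the whole drive up to three times (size, then each pattern test), so on a large disk budget for hours rather than minutes; show_sector gives the quick spot check first. And, as the earlier reply points out, a drive overwritten with random data or holding a full-disk-encrypted volume comes back as "other" just like leftover data does, which is the right answer for Nick's purpose but means "other" still needs a human to look at the preview before drawing a conclusion.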