I realize that it is necessary to wipe a drive if you are making a duplicate copy of the drive, but is it also necessary to wipe a drive if you will be storing an EnCase/dd image to it?
Your only cost is the initial time to wipe it.
Your benefit is the ability to rebuff a potential challenge.
Does the cost of a few hours outweigh the benefit of the ability to use the image in a potential case?
I realize that it is necessary to wipe a drive if you are making a duplicate copy of the drive, but is it also necessary to wipe a drive if you will be storing an EnCase/dd image to it?
Who are you going to convince that the target drive contains nothing except what you wrote to it?
A technician who knows hard drives inside out?
Or perhaps a jury or a court of law who may not do so?
And how much effort are you prepared to spend in doing that? More than it takes to erase the drive?
Given that both EnCase and raw dd images are simply logical files in and of themselves, I'm curious as to why there seems to be an assumption that the drive on which it's contained needs to be wiped.
I do agree that this should be a matter of procedure, but from a technical perspective, say I have a drive image for analysis, and someone else acquired it to a USB ext HDD and provided me with a copy of the image. If the other analyst didn't clean their drive, and the drive itself contained two files…the dd *.img file and a .jpg (CP) file…and the analyst incorrectly reports that CP was found (none was found in the image), then isn't it on the analyst and their employer?
From a procedural point of view, I see the issue…however, from a technical one, I don't.
No technical reason, simply procedural.
I am sure there is a theoretical technical reason, but I do not believe it has any significant probability.
Let's hear from those that use a server to store their images. Do they only store and work on one image at a time on the server and wipe the server between cases? I doubt it. How is this different from not wiping drives?
I believe that it is a matter of the examiner to explain the method of data acquisition and preservation. Are you able to explain why you wipe every time? Why you don't? It is not only a matter of procedure, but how you stand behind that approach in a deposition or cross examination. The examiner is "under the gun" to verify the who, what, where, when and whys, not the tools or procedures in use. Be prepared to justify YOUR actions and not the actions others recommend.
Let's hear from those that use a server to store their images. Do they only store and work on one image at a time on the server and wipe the server between cases? I doubt it. How is this different from not wiping drives?
From what I hear from our guy who is managing the SAN, when I set up a sparse file (like through a TrueCrypt container), I can wipe it, and it would be a true sector wipe.
It still remains to be seen if this is true, and I am definitely open to not doing it.
My worry is that the need to multi-wipe to sanitize has merged with the "leaking into". The drum of "wipe it 4 million times" has been beaten for so long, it is now a mantra without reason.
One of the Forensic 4:cast podcasts brought up the subject of post mortem identification of the wiping tool used: do they leave an identifiable pattern?
Would anyone be interested in seeing research on the subject?
The only possible danger of not wiping a file first was that when creating an Encase (EWF) file, part of the file did not write and old data on the disk was still there.
However, this is extremely unlikely.
Even more unlikely is the fact that there are CRC checks and Hash values. As long as these are verified, there is no possible danger of this corruption being missed.
Wiping will do no harm, except waste a few hours.
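The failure mode the poster above describes (an image write that stops short, leaving whatever was on the target before) and the claim that hash verification catches it can be shown concretely. The following is an added example, not code from anyone in this thread: it models the destination drive as a file, fills it either with constructed "old case data" or with zeros, writes a constructed stand-in for a dd image over it, optionally cutting the write short, and then compares the SHA-256 of what was stored against the acquisition hash. All sizes, byte patterns and function names are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

IMAGE_SIZE = 64 * 1024  # assumed size of the "drive" and of the image written to it

# Constructed stand-ins: leftover sectors from a previous case, and a dd image.
OLD_DATA = (b"OLD_CASE_DATA_" * (IMAGE_SIZE // 14 + 1))[:IMAGE_SIZE]
IMAGE = bytes(range(256)) * (IMAGE_SIZE // 256)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream-hash a file the way a verification tool would hash a stored image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_zero_filled(path: str) -> bool:
    """Read-back check that a 'wiped' target really contains only zero bytes."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            if chunk.count(0) != len(chunk):
                return False
    return True


def prepare_target(path: str, wipe: bool) -> None:
    """Create the destination 'drive': zero-filled if wiped, else full of old data."""
    with open(path, "wb") as f:
        f.write(bytes(IMAGE_SIZE) if wipe else OLD_DATA)


def store_image(path: str, short_by: int) -> None:
    """Write the image in place; short_by > 0 models a write that stops early,
    so the last short_by bytes of the target keep whatever was there before."""
    with open(path, "r+b") as f:
        f.write(IMAGE[: IMAGE_SIZE - short_by])


def run(wipe: bool, short_by: int) -> dict:
    """Store the image on a wiped or unwiped target and verify it by hash."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "evidence.dd")
        prepare_target(target, wipe)
        wipe_verified = is_zero_filled(target)
        store_image(target, short_by)
        stored_hash = sha256_file(target)
        with open(target, "rb") as f:
            tail = f.read()[IMAGE_SIZE - short_by :] if short_by else b""
    acquisition_hash = sha256_of(IMAGE)
    return {
        "acquisition_hash": acquisition_hash,
        "stored_hash": stored_hash,
        "verified": stored_hash == acquisition_hash,   # the check that catches a short write
        "wipe_verified": wipe_verified,
        "tail_is_old_data": bool(tail) and tail == OLD_DATA[IMAGE_SIZE - short_by :],
        "tail_is_zero": bool(tail) and tail == bytes(short_by),
    }


if __name__ == "__main__":
    for wipe, short_by in ((False, 0), (False, 4096), (True, 4096)):
        r = run(wipe, short_by)
        print(f"wiped={wipe} short_by={short_by} verified={r['verified']} "
              f"tail_is_old_data={r['tail_is_old_data']} tail_is_zero={r['tail_is_zero']}")
```

In all three runs the hash comparison is what decides whether the stored image is trustworthy: a complete write verifies on either target, and a short write fails verification on either target. Wiping changes only what the residual bytes are (old case data versus zeros), which is the procedural point made earlier in the thread, not a substitute for verifying the hash.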