I always wipe my drives before I reuse them. I do not want to ever be questioned about it. But the only problem I have seen about not wiping a drive is that if you are reformatting the drive to a different partition type, it does not always remove the old partition information. Then your OS can get very confused about what partition type you are using. But most people who only use Windows do not have this problem. ………(insert your own joke here)
I use a Voom HardCopy to image and clone drives during acquisition and my acquisition drives have all been wiped, and I always keep wiped drives available for those times when the client wants a forensic clone. Having said that, I store my case files on a server and generally have 5 to 10 cases stored on the server at any 1 point in time. I may be working several cases at the same time. As long as I have documented the procedure, and have tested and validated it, I see no point in wiping my storage drive.
When I began doing forensics, I was using Safeback to copy the original evidence to tape and then restoring it to a drive to examine using DOS-based tools; it was paramount that the drive be wiped prior to examination. Today, not so much.
Just my 2 cents.
Wiping will do no harm, except waste a few hours.
Wiping gives confidence that no data leakage can compromise evidence. It also prevents the defence from stating that they found data elsewhere on the drive that may not relate to that case.
Although it takes some initial time to wipe I believe that in the long run, especially if the case goes to court and there is some doubt as to where the evidence came from, then the time spent during the initial wiping procedure will save many hours and $$$ when trying to explain how and where this data came from.
Ronan
One of the Forensic 4 Cast podcasts brought up the subject of post mortem identification of the wiping tool used - do they leave an identifiable pattern?
Would anyone be interested in seeing research on the subject?
Sure. There is at least one tool, Aperio, which claims to do this, but it is released to LE only (when will people figure out that most white collar crime is not investigated by LE?)
The problem, as it has been explained to me, is that publication of the fingerprints will cause the developers/vendors of these tools to change them. As a matter of practice, I'd do this anyway, however, what interests me more is how you can detect (or rule out) selective wiping on an otherwise intact file system.
So a tool such as Aperio can predict if, and which, "wiping tool" was used on a device?
I would definitely be interested because of the technology behind it.
Not so much whole devices, but Aperio is able to detect some wiping tools on the basis of signatures, artifacts, etc. There are publications describing it available from CERT at CMU.
That having been said, there are tools out there which are virtually undetectable, so the fact that Aperio doesn't identify a program is not to say that wiping did not occur.
I actually was wondering about "wiping" with random or even all 0 data.
The notion came to me after reviewing the truecrypt detection thread.
Programs and data files are rarely random. So seeing empty space with true or pseudo-random data could be an indication of wiping.
Of course this is just a hypothesis. I don't have real data on how blank drives look, nor do I have knowledge of how used drives look.
I think taking a couple of hundred blank images, and a couple of hundred used drives, and checking how the blank space looks on them could tell us if this hypothesis is true.
To prevent this, a wiping program could take random in-use sectors and "wipe" blank sectors with that data. Of course, duplicate sector data could give that away - unless some random scrambling is added to the used sectors…
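A way to put the hypothesis above on a measurable footing, as an added example that is not code from the original thread: survey the unallocated blocks of an image, bucket each as zero-filled, single-byte pattern, random-looking or structured by the Shannon entropy of its byte histogram, and at the same time hash every block so that free blocks which are byte-for-byte copies of allocated blocks (the "fill free space with in-use sectors" evasion) are flagged. Assumptions: a 4 KiB block size, an entropy cut-off of 7.5 bits/byte (4 KiB of uniform random bytes scores about 7.95, text and metadata usually well under 6), an allocation map supplied by the caller (in practice taken from the file system with a tool such as The Sleuth Kit), and a constructed 40-block sample image in place of real evidence.

```python
"""Free-space survey for a raw disk image: classify unallocated blocks as
zeroed, constant pattern, random-looking (possible wipe) or structured
(ordinary remnants), and flag free blocks that are byte-for-byte copies of
allocated ones.  Added example; not code from the original thread."""

import hashlib
import math
import random
from collections import Counter

BLOCK = 4096             # assumption: 4 KiB cluster, the usual NTFS/ext4 unit
RANDOM_THRESHOLD = 7.5   # bits/byte; 4 KiB of uniform random bytes scores ~7.95,
                         # text/code/metadata usually well under 6


def block_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram: 0.0 (constant) .. 8.0 (uniform)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(data: bytes) -> str:
    if not any(data):
        return "zeroed"
    if len(set(data)) == 1:
        return "pattern"            # 0xFF / 0x55 style single-byte fill
    return "random" if block_entropy(data) >= RANDOM_THRESHOLD else "structured"


def survey(image: bytes, allocated: set, block: int = BLOCK):
    """Return (Counter of classes over free blocks,
               {free_block: allocated_block} for free blocks identical to an
               allocated block).  `allocated` is the set of block numbers the
               file system reports as in use (assumed to come from the caller)."""
    nblocks = len(image) // block
    chunk = lambda i: image[i * block:(i + 1) * block]

    # index allocated content by hash so copies in free space can be spotted
    alloc_hash = {}
    for i in allocated:
        alloc_hash.setdefault(hashlib.sha256(chunk(i)).digest(), i)

    counts, copies = Counter(), {}
    for i in range(nblocks):
        if i in allocated:
            continue
        data = chunk(i)
        cls = classify_block(data)
        counts[cls] += 1
        if cls != "zeroed":
            src = alloc_hash.get(hashlib.sha256(data).digest())
            if src is not None:
                copies[i] = src
    return counts, copies


def build_sample_image():
    """Constructed 40-block image (not real evidence): 16 allocated text blocks,
    8 zeroed, 8 random-filled, 4 free copies of allocated blocks, 4 0xFF-filled."""
    rng = random.Random(20240601)   # seeded so the survey is reproducible
    text = lambda i: ((b"record %04d: " % i +
                       b"The quick brown fox jumps over the lazy dog. ") * 200)[:BLOCK]
    blocks = [text(i) for i in range(16)]                                   # 0-15 allocated
    blocks += [bytes(BLOCK)] * 8                                            # 16-23 zeroed
    blocks += [bytes(rng.getrandbits(8) for _ in range(BLOCK)) for _ in range(8)]  # 24-31
    blocks += [blocks[i] for i in range(4)]                                 # 32-35 copies of 0-3
    blocks += [b"\xff" * BLOCK] * 4                                         # 36-39 pattern
    return b"".join(blocks), set(range(16))


if __name__ == "__main__":
    img, alloc = build_sample_image()
    counts, copies = survey(img, alloc)
    print("free-block classes:", dict(counts))
    print("free blocks identical to allocated blocks:", copies)
```

On the sample image the survey reports 8 zeroed, 8 random, 4 pattern and 4 structured free blocks, and pairs free blocks 32-35 with allocated blocks 0-3. Two caveats for a real drive: allocated compressed or encrypted files also read as "random", which is why the survey is restricted to unallocated space (an old TrueCrypt container in free space would still show up as random); and a wiper that scrambles the copied sectors, as the post suggests, defeats the hash match, which is exactly why a baseline from a few hundred used and blank drives is needed before any of these counts can be called a wiping signature.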
Wiping gives confidence that no data leakage can compromise evidence.
What do you mean by "data leakage"? Do you mean data from a previous case being intermingled with the forensic image and therefore one mistaking evidence from a previous case as being part of the current case? As long as your MD5, SHA-1 or SHA-256 hash calculates correctly, this is mathematically improbable.
It also prevents the defence from stating that they found data elsewhere on the drive that may not relate to that case.
That is the #1 reason why we wipe our drives - to prevent discovery of deleted forensic image data from a previous case. More importantly, to protect the confidentiality of the data for the original client.
I think taking a couple of hundred blank images, and a couple of hundred used drives, and checking how the blank space looks on them could tell us if this hypothesis is true.
I was thinking of documenting this over the next few months to see if there is a discernible pattern.