drive wiping

fornzix
(@fornzix)
Eminent Member
Joined: 17 years ago
Posts: 35
 

That is the #1 reason why we wipe our drives - to prevent discovery of deleted forensic image data from a previous case. More importantly, to protect the confidentiality of the data for the original client.

Do you think that putting evidence files (really I mean – all files) in a Truecrypt container would solve this issue? If it's encrypted, then it's just going to be random-looking junk.

On a side note, I'd like to hear some opinions from others who are running cases, either EnCase or FTK, on Truecrypt volumes or in TC containers. Specifically, I'm looking to see if using Truecrypt or a similar variable will slow things down.


(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

That is the #1 reason why we wipe our drives - to prevent discovery of deleted forensic image data from a previous case. More importantly, to protect the confidentiality of the data for the original client.

Do you think that putting evidence files (really I mean – all files) in a Truecrypt container would solve this issue? If it's encrypted, then it's just going to be random-looking junk.

Yes, I do think that would help mitigate the issue but I would be more confident telling the clients that it was erased vs just encrypted in a TrueCrypt container and having to explain to them why it was protected. To all of us, there would be no difference, to a lay person, there would be confusion.


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Yes, I do think that would help mitigate the issue but I would be more confident telling the clients that it was erased vs just encrypted in a TrueCrypt container and having to explain to them why it was protected. To all of us, there would be no difference, to a lay person, there would be confusion.

In my contracts I include a clause that states that, unless otherwise requested by the client or directed by the court or specified by law or statute, I reserve the right to retain data in encrypted form and in a secure location for a period of time sufficient to ensure that the data will not be required for national security, litigation or law enforcement. Typically that is between six months and two years.

I have twice had cases where the initial task was data recovery, only, or a simple report on a user's activity which have, after a period of time, resulted in either a wrongful termination action or breach of contract. A third case was a wrongful death suit where my image of the victim's laptop was the only copy which had not been altered after his death.

Of course, you never really know how long to save something which might, eventually, become evidence in a legal proceeding so I use my best educated guess. Luckily, storage is cheap.


(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Ah, man! :D

Love to see that write up!

If you need a monkey, PM me. I would be happy to participate in this research.

I think taking a couple of hundred blank images, and a couple of hundred used drives and checking how the blank space looks on them could tell us if this hypothesis is true.

I was thinking of documenting this over the next few months to see if there is a discernible pattern.


(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

What do you mean by "data leakage"? Do you mean data from a previous case being intermingled with the forensic image and therefore one mistaking evidence from a previous case as being part of the current case? As long as your MD5, SHA-1 or SHA-256 hash calculates correctly, this is mathematically improbable.

Although mathematically impossible, it's the fact that it has happened that is important. The defence/prosecution will mainly try to paint you and your actions in a bad light, documentation or no documentation. Even if the file(s) found are not related to the case they'll rip you apart. I'd far rather not be placed in that position and if it means wiping the drive for 4-8 hrs before use then I'll gladly do that if it saves any embarrassment in the long term.


(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

What do you mean by "data leakage"? Do you mean data from a previous case being intermingled with the forensic image and therefore one mistaking evidence from a previous case as being part of the current case? As long as your MD5, SHA-1 or SHA-256 hash calculates correctly, this is mathematically improbable.

Although mathematically impossible, it's the fact that it has happened that is important. The defence/prosecution will mainly try to paint you and your actions in a bad light, documentation or no documentation. Even if the file(s) found are not related to the case they'll rip you apart. I'd far rather not be placed in that position and if it means wiping the drive for 4-8 hrs before use then I'll gladly do that if it saves any embarrassment in the long term.

When has it happened? I'm not referring to a drive that contains forensic images and also contains files (deleted or not) pertaining to another case. My assumption was that "data leakage" referred to a forensic image that somehow contained inside of the forensic image files from another case. If one verified the hash of the forensic image before sending it out, then it would be mathematically improbable for this to occur and I have never heard of it happening.


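To make the hash-scope point in the post above concrete, here is an added Python example (editor's illustration, not code from any poster): the acquisition hash covers exactly the image's bytes, so residue elsewhere on an un-wiped target neither changes it nor is detected by it, while any alteration inside the image extent fails verification. The target size, offsets and "previous case" bytes are constructed sample data.

```python
import hashlib

# Constructed sample data: residue from a "previous case" left on an un-wiped
# target drive, and the contents of the suspect drive being acquired now.
PREVIOUS_CASE_RESIDUE = b"prior-case-document.doc " * 64   # 1536 bytes
CURRENT_SOURCE = bytes(range(256)) * 16                    # 4 KiB suspect drive
IMAGE_OFFSET = 4096                                        # where the image lands on the target

def acquisition_hashes(source: bytes) -> dict:
    """Hash the evidence at acquisition time (MD5, SHA-1 and SHA-256, as in the thread)."""
    return {name: hashlib.new(name, source).hexdigest() for name in ("md5", "sha1", "sha256")}

def unwiped_target(size: int) -> bytearray:
    """Target drive that still holds deleted data from an earlier case, before and after the image."""
    medium = bytearray(size)
    medium[512:512 + len(PREVIOUS_CASE_RESIDUE)] = PREVIOUS_CASE_RESIDUE
    medium[size - len(PREVIOUS_CASE_RESIDUE):] = PREVIOUS_CASE_RESIDUE
    return medium

def write_image(medium: bytearray, image: bytes, offset: int) -> None:
    medium[offset:offset + len(image)] = image

def verify_image(medium: bytearray, offset: int, length: int, expected: dict) -> bool:
    """Re-read exactly the image extent and compare every recorded hash; nothing outside it is hashed."""
    data = bytes(medium[offset:offset + length])
    return all(hashlib.new(n, data).hexdigest() == h for n, h in expected.items())

def residue_outside(medium: bytearray, offset: int, length: int) -> list:
    """(start, end) runs of non-zero bytes outside the image extent: the pre-use wipe check
    that the image hash cannot substitute for."""
    runs, start = [], None
    for i, b in enumerate(medium):
        inside = offset <= i < offset + length
        if b != 0 and not inside:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, len(medium)))
    return runs

def demo() -> dict:
    expected = acquisition_hashes(CURRENT_SOURCE)
    medium = unwiped_target(16384)
    write_image(medium, CURRENT_SOURCE, IMAGE_OFFSET)
    ok_with_residue = verify_image(medium, IMAGE_OFFSET, len(CURRENT_SOURCE), expected)
    damaged = bytearray(medium)
    damaged[IMAGE_OFFSET + 100] ^= 0x01      # one flipped bit inside the image extent
    ok_after_damage = verify_image(damaged, IMAGE_OFFSET, len(CURRENT_SOURCE), expected)
    return {"verified_despite_residue": ok_with_residue,      # True
            "verified_after_damage": ok_after_damage,          # False
            "residue_runs": residue_outside(medium, IMAGE_OFFSET, len(CURRENT_SOURCE))}
```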
(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

I guess it is how you term 'data leakage'. I'd define it as data that has contaminated other data and brought into question its admissibility. I'm not aware of any particular case but have heard about a more general scenario where the 'evidence' wasn't the problem but rather the investigator's techniques. I think this thread was trying to pick up on similar issues.


(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

I guess it is how you term 'data leakage'. I'd define it as data that has contaminated other data and brought into question its admissibility.

With respect to digital evidence, how can data in one case contaminate data in another case? Let's say you have a box (hard drive) that contains a gun sealed up tight in an evidence bag (forensic evidence files). That box also contains some photos that were involved in another case.

Now yes, the presence of evidence from 2 cases in a box does constitute sloppy handling of evidence but the photos aren't contaminating the gun, are they?

Let me say that I completely agree that hard drives should be wiped before use to protect the confidentiality of the data that was previously on the drive, but I still can't understand how not wiping the old data on the drive can "contaminate" the current data on the drive.


(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I don't think anyone disagrees that technically there is no such thing as "data leakage". (actually there is - in tapes and such I experienced it, but that's a different thread :D)

But, perception is often reality, especially in court.

You mentioned "sloppiness". What does that mean?

It is irrelevant, because a jury would look at it as such too, "sloppy". Even if they themselves could not define what that means. And, because of that labeling, they would infer that something else was most likely also "sloppy".

Ergo, we are not necessarily fixing true "data leakage", but simply eliminating the perception of the possibility.


(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

Hi GK,

I guess it's all a matter of what you perceive to be the best course of action to take and your personal view on evidence handling and perception of your credibility if evidence was brought into question. My take, like yours, is to mitigate the threat and wipe every time.

Ronan


Page 3 / 4