File Erasing Question  

4n6art
(@4n6art)
Active Member

Hello all

Long time viewer first time poster - and I thank you for taking the time to post information on this forum which in turn has helped me gain a lot of knowledge.

Here's the scenario
Client wants drive imaged
Client wants certain files COMPLETELY erased from the drive
Client wants drive re-imaged.

1) Can anyone recommend a (free if possible) program that will allow me to erase the file entirely?
2) I realize that reimaging the drive after erasure does not guarantee that remnants of that file will not be available in swap, spool, temp areas, which brings up two questions:
a) Can anyone recommend a way that I can remove ALL hints of the file?
b) Can anyone help me bolster my argument to the client that a complete erasure is not guaranteed based on remnants being found in swap, spool etc.

Thank you again folks.
Arthur.

PS Harlan - nice job on the book - great information - Thank you :)

Posted : 10/01/2008 10:47 pm
verdad
(@verdad)
New Member

Sounds fishy to me. Did you ask your client why he wanted to do this? Ignorance is not always bliss, in fact ignorance sometimes means liability. As some will tell you, I always assume the worst about people. It makes my job easier.

Good luck with that.

Posted : 10/01/2008 11:18 pm
verdad
(@verdad)
New Member

Oh, and I don't mean to be rude, but if you have to ask your question, you don't have the skill to pull it off. What do you intend to say when your client blames you because someone figured this out? Tell your client to be honest instead.

Posted : 10/01/2008 11:23 pm
4n6art
(@4n6art)
Active Member

Verdad

Thanx for the reply - no offense taken.

My initial meeting with the client is next week. I do plan on asking him WHY - I have no intentions of taking on a case without knowing all the facts and history and having it documented somewhere. It did sound a little fishy to me but I will reserve judgment till I have my meeting - this could be a case of Attorney/Client privileged information they are trying to scrub.

Does ANYONE have the skill to pull this off?? I will admit I don't and I don't think anyone else does either to a level that they can guarantee that the file will disappear from the second image (without scrubbing all the unallocated space and removing the swap etc). If someone does, I would like to know how it can be done.

I am leaning towards NOT having an iron-clad guarantee on the file deletion - I am looking towards more experienced people to help me prove my case.

Appreciate the response. :)
Arthur

Posted : 10/01/2008 11:30 pm
mas66
(@mas66)
New Member

Why not just copy off the data that you do want and then wipe the drive if that is what your client wants.

Mark

Posted : 12/01/2008 2:00 am
bsd-roo
(@bsd-roo)
New Member

I think that's gonna be pretty hard; the registrys and forensics tools will be able to tell you what the client did.

If you do not want to defame your client in court, you do not want to have registries saying that you have tampered with something, nor would you give him a fresh copy of Windows with some old files trying to pass as a seasoned OS/disk, if you know what I mean.

If the client is using XP, you can back up the data that he does want, dd the whole disk with urandom and then do a fresh install of Vista. Then put the files back; that way he can say in court that he was updating his operating system.

Or you can say that he took a sudden interest in UNIX...
OPENBSD!!! Encrypt the hard drive but hand over the encryption keys as a law abiding citizen would.

does that help?

Posted : 12/01/2008 2:29 am
keydet89
(@keydet89)
Community Legend

BSD-ROO,

"i think thats gonna be pretty hard, the registrys and forensics tool will be able to tell you what the client did."

"Registrys"[sic]? What does that have to do with anything? The OP said that the scenario is as follows

"Here's the scenario
Client wants drive imaged
Client wants certain files COMPLETELY erased from the drive
Client wants drive re-imaged."

There's no mention whatsoever of the client asking that all traces of activity by a user, with respect to a specific file, be erased…just the file.

It appears that from what's been presented in this forum, the client is asking to have a file (or files) removed. Nothing in the original post by "4n6art", nor in his subsequent post, makes any reference to an issue before the courts…all that he/she said was "…this could be a case of Attorney/Client privileged…"

The fact is, there is no way to ensure that all remnants of any particular file have been completely removed from a system. First off, 4n6art never specifies the operating system in question, nor does he/she give any information about the file itself…what kind of file, how it was produced, etc.

Let's assume that this is a Windows XP system, and that we're dealing w/ a text document produced with Notepad. Now, Notepad doesn't produce temp files by default, but we don't know how many iterations there are of the file, nor if any remnants are in unallocated space.

Spool files are something of an issue, although they are deleted when the file is printed. The contents will end up in unallocated space, but if the first sector (with the file header) is overwritten, how do you know which of the remaining sectors (and how many) contain data from the original file?

Don't get me started on Word documents!

Now, you can do due diligence by imaging the system, and performing a complete search using keywords that are specific and unique to the file in question. This will tell you where files and/or remnants are located…but is it all of them? Is there a sector in unallocated space, or perhaps some data left in file slack that contains portions of the file that did not contain the keywords, or perhaps only a portion of the keyword (say, "coinc", rather than "coincidence")?

Identified, specific sectors on a drive can be completely overwritten, to the point where it may be cost prohibitive (via magnetic resonance imaging) to recover the data. But to say that the file is completely removed is more of an absolute than what I'd like to bet my reputation on.

Harlan

Posted : 12/01/2008 4:09 am
4n6art
(@4n6art)
Active Member

Thanx for all the input, folks.

- I don't think the client wants the drive wiped clean after Image#1. I have a feeling they want certain files wiped ONLY. If the idea is to turf the laptop out to someone else in the company - then an image/DoD wipe/OS install will be in order, but I won't know for a few days. I don't know the O/S but I am leaning towards WinXP.

- I am not going to help him BS his way in court either (if that's where this will end up). I don't think (as of yet) that is the intention either, but he can do it without any help from me if he wants to LOL

- I am going to wait and see WHY they want certain files removed and the HD re-imaged. After all that I know and have read and given all your input reconfirming that there is no way to guarantee erasure - I do not plan to stick my neck out and say that everything relating to a file(s) will be gone.

Have a safe Week!
Arthur

Posted : 13/01/2008 5:45 am
ronanmagee
(@ronanmagee)
Active Member

Hi Art,

Keep us informed of your findings and your decision. Interesting to see how you deal with this dilemma ;-)

Posted : 13/01/2008 8:36 pm
neddy
(@neddy)
Active Member

Art,

Response
1)
Evidence Eliminator, BC Wipe, etc. However, I guess the nature of the files marked for deletion is a major factor.
2)
a)
Sanitise a clone of the disk using a Hex Editor (could take you a long time!)
b)
You could image the disk and perform keyword searches on the image that relate to the files. The results will show your client the difficulty of erasing all traces of the files; they may then decide on another course of action.

Speculation:
If your client is hoping to submit the disk as evidence in some form and wishes to avoid being embarrassed by material stored on the disk, deletions of any sort will raise suspicions that may cause more problems than the initial files may have.

If your client is recycling the computer for further use, then replace it with a new disk & OS and install the original one in a USB caddy for your client to do as he pleases with.

Let us know what your client really requires!

Ned

Posted : 14/01/2008 2:08 am
clownboy
(@clownboy)
Junior Member

I have worked on a few jobs of this type and it isn't always that sinister a motivation that drives the client. In most cases it is an agreement between the two parties to remove an item (a file or application) as part of a pre-litigation agreement. The offending party agrees to remove the item and then work out a settlement or go to litigation at a later date.

We would come in and image the drive to preserve the evidence of the item. We delete the item(s) and wipe the free/unallocated space and other references and re-image the drive to prove it no longer has useful references to the items at issue.

I use BCWipe and Eraser for wiping, EasyCleaner to delete references in the registry and startup files. I also pack the registry and delete any past registry backups. I am sure I miss a few references but they are so minor that most people are not all that concerned. The fact that the party can no longer access the item or items is what really matters.

Posted : 15/01/2008 3:28 am
jaclaz
(@jaclaz)
Community Legend

As always, I may be completely wrong, but I think that you are making it more "difficult" than it really is.

1) create a "DIR" List of every file that needs to be permanently deleted
(including exact size in bytes)
2) create (on ANOTHER HD) one file for each one of the list with the SAME exact size in bytes, these files can be either "00" filled or "random characters" filled, see also this
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2065
3) copy, xcopy, robocopy or whatever newly generated files overwriting the ones on the "source" hard disk
4) defrag "source" hard disk
5) delete files in list
6) defrag again hard disk

Check if you can find even a tiny bit of the original files with any forensic tool.

Otherwise use a file-based (as opposed to RAW based) backup solution, re-format AND wipe the drive, then restore from backup everything BUT the "to be deleted" files.

The "old" (and "poor man" wink ) way to defrag a NT 4.00 Workstation in the old times (some of you might remember how NT 4.0 did not come with a built-in defragging tool) was exactly this, I had two installs of NT on two separate partitions, booted to the second (the "emergency") install, used xcopy to copy all the files from "main" partition to a third one, formatted (and optionally wiped) the first one, then xcopied back the files.
😯

jaclaz

Posted : 15/01/2008 3:28 pm
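As an added example (not code posted by anyone in this thread), here is a small Python check for the verification Harlan and Ned describe: image the drive, then search the image for the file's keywords, including partial fragments like "coinc" and the UTF-16LE form Windows applications often write. It builds a constructed 512-byte-sector sample image with made-up content, zeros only the file's own run (what jaclaz's same-size overwrite achieves for the allocated sectors), and shows that the unallocated copy and the slack fragment are still found.

```python
SECTOR = 512

def find_remnants(image: bytes, keywords, min_fragment=5):
    """Scan a raw image for each keyword as ASCII and UTF-16LE (Windows apps often
    write the latter) and for fragments of at least min_fragment characters, so a
    partly overwritten 'coinc' still reports. Returns (offset, sector, enc, kw, frag)."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            covered = set()  # offsets already explained by a longer fragment
            for length in range(len(kw), min_fragment - 1, -1):  # longest first
                for i in range(len(kw) - length + 1):
                    frag = kw[i:i + length]
                    needle = frag.encode(enc)
                    pos = image.find(needle)
                    while pos != -1:
                        span = range(pos, pos + len(needle))
                        if not covered.intersection(span):
                            hits.append((pos, pos // SECTOR, enc, kw, frag))
                            covered.update(span)
                        pos = image.find(needle, pos + 1)
    return sorted(hits)

def build_demo_image():
    """Constructed 40-sector image: live document at sector 4, an older UTF-16LE
    copy in unallocated space at sector 20, a fragment in slack at sector 30."""
    img = bytearray(SECTOR * 40)
    doc = b"Project coincidence: merger terms for Acme Corp."  # made-up content
    img[4 * SECTOR:4 * SECTOR + len(doc)] = doc
    old = doc.decode().encode("utf-16-le")
    img[20 * SECTOR:20 * SECTOR + len(old)] = old
    img[30 * SECTOR + 500:30 * SECTOR + 505] = b"coinc"
    return img, 4 * SECTOR, len(doc)

def wipe_run(img, offset, size):
    """Zero only the file's own run, as copying a same-size zero file over it does."""
    img[offset:offset + size] = bytes(size)

def demo(keywords=("coincidence", "Acme Corp")):
    """Return remnant hits before and after wiping only the live file's sectors."""
    img, off, size = build_demo_image()
    before = find_remnants(bytes(img), keywords)
    wipe_run(img, off, size)
    return before, find_remnants(bytes(img), keywords)

if __name__ == "__main__":
    before, after = demo()
    print(f"{len(before)} hits before the wipe, {len(after)} still present after:")
    for hit in after:
        print("  offset %d (sector %d) %s %r -> %r" % hit)
```

Against a real image, read the file in chunks and run the same search; anything reported outside the wiped run is exactly the kind of remnant the thread warns cannot be ruled out without wiping unallocated space, slack and swap.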
steve862
(@steve862)
Active Member

Hi,

Regarding disk wiping, there can be a small proviso: one or more sectors mapped out by the disk controller prior to any wiping. At a later date those sectors are recovered using a disk utility. If those sectors contained data that should have been wiped, it would now be available again.

If this is a case of wanting to sanitise a laptop before it changes hands installing a new hard disk would make sense considering the cost of hard drives.

Steve

Posted : 15/01/2008 7:19 pm
4n6art
(@4n6art)
Active Member

Ok… here's the scoop on this weird request.

- The client supports a law office.
- The law firm has the user who is resigning from a corporation and User wants to show best effort that all information relating to that corporation that he worked for has been removed from his *PERSONAL* computers.
- The request for erasure is for his personal systems.
- The lawyers and the support company CEO (ex-lawyer) have vetted this request - there is no perception of impropriety on the user's part - he is leaving in good standing and needs to make sure his soon-to-be-ex company is comfortable that all their information is off his drives.

We are first going to image the original systems as given to us - one ExternalHD and one PC. After which:
- We have a list of files that need to be removed given to us by User.
- For the ExtHD, we will copy the remaining files to another drive, wipe ExtHD, reformat ExtHD and restore those files to the ExtHD
- For the PC, we will delete requested files, delete swap, temp areas; Ghost the HD, wipe original drive clean and reimage the drive from the Ghost Image.
- Both ExtHD and PC drive will be reimaged again.

I think that will show good-faith effort on the part of the employee.
Can anyone else think of anything I should consider?

Thank you all for your caution and suggestions!

Regards…
Arthur

Posted : 18/01/2008 10:21 am