My question is about the examination of a harddisk by police investigators.
Scenario
The police have seized a harddisk that they suspect has incriminating evidence within, yet the harddisk has been fully wiped with a DBAN PRNG stream, between 60-70 rounds.
Now, to my knowledge, EnCase and similar programs will not be of any use, so would a microscope be used? And if so, will it be done on an exact copy of the original harddisk, or would the original harddisk have to be removed from the casing, thereby eventually destroying it?
BTW, I am learning all the time, so any input is appreciated.
Thanks
Unless it holds the location of the holy grail, the second shooter in the JFK assassination or the Da Vinci code, no one is going to go to the expense of recovering anything from a multi-wiped disk with a microscope.
😉
Look at the current thread on 'Single pass wipe sufficient'. It will answer all of your questions.
Look at the current thread on 'Single pass wipe sufficient'. It will answer all of your questions.
Will it?
You write some offending data to your hard drive. One or more of the sectors containing the material goes bad so the drive maps out those sectors and maps in new ones. All without the OS knowing. You see the Feds coming up the road and run your favourite cleaning software. The drive is clean as far as the OS is concerned but the offending data is still there.
You write some offending data to your hard drive. One or more of the sectors containing the material goes bad so the drive maps out those sectors and maps in new ones. All without the OS knowing. You see the Feds coming up the road and run your favourite cleaning software. The drive is clean as far as the OS is concerned but the offending data is still there.
This is possible, but how likely is it? What is the likelihood of just the one or two sectors that hold the incriminating data being swapped out? Even if you do recover some evidence from these sectors, you then need to make the link between the evidence and who was using the computer - this is often where a case falls down.
If you are looking at CP then even if you recover a full picture you would be unlikely to be able to say when it got on the disk or how.
If of course the evidence was say terrorist related then it may make good intel.
How likely is it? I don't know; it depends upon the scenario. If you have a drive that you use solely for your collection of contraband, you use it a great deal and the drive is getting old then not that unlikely I would guess. The swapped sectors would tend to contain your favourite data because they would take the most wear. As for who was in the driving seat, that is always a problem and not just for computer forensics, why else do we now have front-facing speed cameras?
Being very unscientific, I think the chances of getting useful data in a reallocated block must be on par with getting an accidental MD5 hash collision.
Perhaps someone could also say, when a sector 'fails' on a modern disk, how big is the block that is reallocated - is it a single 512-byte sector, or maybe 16K?
Are bad sectors not stored in the firmware? And if so, would the manufacturer access key be needed?
From what I know, the chances of recovering data stored there are highly unlikely.
Being very unscientific, I think the chances of getting useful data in a reallocated block must be on par with getting an accidental MD5 hash collision.
I would guess that the chance of them being useful is the same order of magnitude as getting useful data from file slack, and we are all quite happy to look there.
I believe that individual sectors are re-mapped (i.e. 512 data bytes).
Are bad sectors not stored in the firmware?
No, they are stored on previously unused and invisible sectors on the disk surface.
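The point made in the "Will it?" reply and in the last answer (a reallocated sector lives on the platter but is no longer reachable through any LBA, so a host-side overwrite never touches it) is easy to see in a small model. The following is an added example, not code from any poster or from DBAN: a toy drive with a firmware-managed spare pool, a remap event, a many-pass PRNG overwrite through the block interface, and a "platter view" that lists physical sectors no LBA points at any more. The class and method names are invented for illustration; the sample "evidence" string is constructed.

```python
"""Toy model of a hard drive with a firmware-managed spare-sector pool.

Constructed example. It shows why an overwrite issued by the host (dd, DBAN
and similar) cannot reach a sector that the drive has already reallocated:
the wiper only sees LBAs, and the retired physical sector has no LBA.
Names such as ToyDrive / mark_bad_and_remap are illustrative, not any
vendor's firmware interface.
"""
import os
from dataclasses import dataclass, field

SECTOR = 512


@dataclass
class ToyDrive:
    user_sectors: int                  # LBAs the host can address
    spare_sectors: int                 # hidden spare pool owned by the firmware
    surface: list = field(init=False)  # physical sectors: user area, then spares
    lba_map: dict = field(init=False)  # LBA -> physical sector index
    next_spare: int = field(init=False)
    reallocated_sector_ct: int = 0     # what SMART attribute 5 would count

    def __post_init__(self):
        total = self.user_sectors + self.spare_sectors
        self.surface = [bytes(SECTOR) for _ in range(total)]
        self.lba_map = {lba: lba for lba in range(self.user_sectors)}  # identity at first
        self.next_spare = self.user_sectors

    def write(self, lba, data):
        assert len(data) == SECTOR
        self.surface[self.lba_map[lba]] = data

    def read(self, lba):
        return self.surface[self.lba_map[lba]]

    def mark_bad_and_remap(self, lba):
        """Firmware hits an error on the physical sector behind `lba`: it copies
        the (still readable) data to a spare, repoints the LBA and retires the
        old sector. The OS is never told. Returns the retired physical index."""
        if self.next_spare >= len(self.surface):
            raise RuntimeError("spare pool exhausted")
        old, new = self.lba_map[lba], self.next_spare
        self.next_spare += 1
        self.surface[new] = self.surface[old]   # best-effort copy, old copy stays on the platter
        self.lba_map[lba] = new
        self.reallocated_sector_ct += 1
        return old

    def host_overwrite(self, rounds=1):
        """What a host-side wiper does: random data to every LBA, `rounds` times."""
        for _ in range(rounds):
            for lba in range(self.user_sectors):
                self.write(lba, os.urandom(SECTOR))

    def unaddressable_sectors_containing(self, needle):
        """Platter view: physical sectors that no LBA maps to yet still hold `needle`."""
        mapped = set(self.lba_map.values())
        return [p for p, blob in enumerate(self.surface)
                if p not in mapped and needle in blob]


def demo(rounds=70, remap=True):
    """Write a marker, optionally age the drive so that sector remaps, wipe, inspect."""
    drive = ToyDrive(user_sectors=64, spare_sectors=8)
    marker = b"CONSTRUCTED-SAMPLE-EVIDENCE"          # constructed sample data
    drive.write(10, marker.ljust(SECTOR, b"\x00"))
    retired = drive.mark_bad_and_remap(10) if remap else None
    drive.host_overwrite(rounds)                      # the many-pass PRNG wipe
    return {
        "retired_physical_sector": retired,
        "host_view_clean": marker not in drive.read(10),
        "residue_physical_sectors": drive.unaddressable_sectors_containing(marker),
        "reallocated_sector_ct": drive.reallocated_sector_ct,
    }


if __name__ == "__main__":
    print(demo())              # residue survives 70 rounds when a remap happened
    print(demo(remap=False))   # no remap, no residue
```

Run as-is and the first line reports the host view as clean while physical sector 10 still carries the marker; the second run, without a remap, leaves nothing behind. On real hardware the analogous check before trusting a host-side wipe is `smartctl -A /dev/sdX`, where attribute 5 (Reallocated_Sector_Ct) tells you whether any such sectors exist at all; the drive's own ATA Security Erase (enhanced mode) or SANITIZE command runs inside the firmware and is specified to cover reallocated sectors too, which is what closes the gap the model shows.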