MAC FORNESICS- Evidence of Wiping

Encase has an option under in the case processor to look for consecutive sectors filled with the same character which is helpful for identifying wiped sectors.

Greetings,

I'd call Blackbag Tech (http//www.blackbagtech.com/) and see what they've got. If it isn't in their tool kit, they should add it.

-David

Greetings,

I'd call Blackbag Tech (http//www.blackbagtech.com/) and see what they've got. If it isn't in their tool kit, they should add it.

-David

A company's going to modify their software because one person calls up and has a need to "scan" for evidence of a wiping product?

Encase has an option under in the case processor to look for consecutive sectors filled with the same character which is helpful for identifying wiped sectors.

That is not going to help if they wipe with a utility that replaces them with random values.

Greetings,

I'd call Blackbag Tech (http//www.blackbagtech.com/) and see what they've got. If it isn't in their tool kit, they should add it.

-David

A company's going to modify their software because one person calls up and has a need to "scan" for evidence of a wiping product?

We just purchased the Blackbag suite for some other aspects of our investigation, we are still waiting for it to arrive though . I'm not sure it provides support for this issue though.

Greetings,

a) They might already have that capability in the product.
b) If multiple people need it, they should add it.
c) If it is in competing products, Encase, they should consider adding it.

But I was mostly thinking about point a.

-David

I agree if multiple people are in demand for that feature, the market will provide it. This isn't an easy task to accomplish though. Some utilities leave little or no trace. Some you wouldn't even know existed, but you got lucky and found a wiping log that the user didn't know existed.

We are in the process of reviewing the consecutive sectors as Earn suggested. We have utilties, such as Gargoyle, that will search for this type of evidence on the Windows side, the issue is that most of these are signature based and on the MAC side, the signatures are different.

Encase has an option under in the case processor to look for consecutive sectors filled with the same character which is helpful for identifying wiped sectors.

That is not going to help if they wipe with a utility that replaces them with random values.

Agreed but that's the only way I can think of that will help you to find evidence of wiping. If it is random characters like you suggested, and theres no evidence of the program being installed, it will be impossible to prove. Unless you can find a log some place on the machine you will likely find no traces. The wiping programs I've played around with usually have an option if you want to create a log. If you are trying to hide something chances are you wont want a log of what you've done.

What kind of scan do you have in mind if it's not for consecutive sectors?

Encase has an option under in the case processor to look for consecutive sectors filled with the same character which is helpful for identifying wiped sectors.

That is not going to help if they wipe with a utility that replaces them with random values.

Agreed but that's the only way I can think of that will help you to find evidence of wiping. If it is random characters like you suggested, and theres no evidence of the program being installed, it will be impossible to prove. Unless you can find a log some place on the machine you will likely find no traces. The wiping programs I've played around with usually have an option if you want to create a log. If you are trying to hide something chances are you wont want a log of what you've done.

What kind of scan do you have in mind if it's not for consecutive sectors?

One that specializes in the consecutive sectors, looking for default wiping logs or evidence traces of wiping utilities, etc. As for the random wiping tools, in my opinion, there is no such thing as random. Random is only an algorithm and once you find that algorithm, you can essentially figured out if something was used or point it back to the source utility. I just didn't know if there was a product that focused that.

I think at this point, we are only going to have the consecutive sectors results to work with.