That seems like an odd result, were you able to determine what had gone wrong with the wiping process?
Jamie
As for myth number #1, it seems that we all pretty much agree that it is possible to get some data from laboratory attacks, when cost and time are of no consequence. Whether that data is relevant to legal proceedings is not the point. Just the fact that it is possible.
However, I do not know of any local, state or federal department that would use an electro-magnetic microscope or whatever on a regular basis.
But the sheer fact that it is possible to gather some data makes it not a myth.
As for myths 2 and 3, I never knew these were myths, just bad practice.
I dare anyone to not follow proper procedure when handling digital evidence. Then while you are explaining Computer Forensics to the Judge and Jury, who can barely turn a computer on, that the mistake or lack of a proper evidence chain is not that big of a deal.
In the US for a civil case, you can get almost anything in, Judge's discretion. In civil, a ruling is based on "preponderance of evidence". In a criminal trial, I bet it might be a little rougher.
I am more curious as to why the GFCA Instructor would volunteer these statements. From an instructing standpoint, I would stress the importance of chain of custody and proper handling that it would seem to be the only option.
That seems like an odd result, were you able to determine what had gone wrong with the wiping process?
Jamie
No, I wasn't. I did contact LSoft, and they had no explanation either.
As for myth number #1, it seems that we all pretty much agree that it is possible to get some data from laboratory attacks, when cost and time are of no consequence. Whether that data is relevant to legal proceedings is not the point. Just the fact that it is possible.
However, I do not know of any local, state or federal department that would use an electro-magnetic microscope or whatever on a regular basis.
But the sheer fact that it is possible to gather some data makes it not a myth.
But that's what I'm trying to get at - no one has ever managed to recover overwritten data in any useful or accurate manner. That myth is totally true until someone can prove otherwise.
Please note that the myth says nothing about misregistration or bad sectors.
As for myth number #1, it seems that we all pretty much agree that it is possible to get some data from laboratory attacks, when cost and time are of no consequence.
I wonder how relevant this will be when flash becomes the norm and disc drives and their moving platters sail away into the distance of history?
Whether that data is relevant to legal proceedings is not the point.
Well, yes and no.
If you are saying because Mount Everest is there let's climb it with no other desire than to prove you have climbed it… then fine. This would be analogous to you saying I am a super-duper data recovery specialist... OK, but so what?
However, I am not sure the comment "legal proceedings is not the point" sits well in forensics because the job is about producing evidence for legal proceedings. The issues being discussed are orientated towards forensics. If that wasn't the case why generally are we employing the word "forensic"?
I wonder how relevant this will be when flash becomes the norm and disc drives and their moving platters sail away into the distance of history?
Gutmann, in 2001, wrote a follow-up to his Secure Deletion of Magnetic Storage. It addresses techniques to perform forensics on Flash type storage (Semiconductors).
His website is http//
Interested in hearing anyone with electrical engineering experience's opinions on it.
I have a feeling it will go about the same.
However, I am not sure the comment "legal proceedings is not the point" sits well in forensics because the job is about producing evidence for legal proceedings. The issues being discussed are orientated towards forensics. If that wasn't the case why generally are we employing the word "forensic"?
Ok, I see your point. Allow me to trade out "relevant", a poor word choice, for "evidentiary value".
Since all data discovered is relevant (it is evidence) in a case but it may or may not have any evidentiary value.
Gutmann, in 2001, wrote a follow-up to his Secure Deletion of Magnetic Storage. It addresses techniques to perform forensics on Flash type storage (Semiconductors).
His website is http://www.cs.auckland.ac.nz/~pgut001/
Interested in hearing anyone with electrical engineering experience's opinions on it.
I have a feeling it will go about the same.
Thanks for the link….
Ok, I see your point. Allow me to trade out "relevant", a poor word choice, for "evidentiary value". Since all data discovered is relevant (it is evidence) in a case but it may or may not have any evidentiary value.
Ahhhh, ok I thought you meant something different, I wasn't being picky jansen :-)
Gutmann, in 2001, wrote a follow-up to his Secure Deletion of Magnetic Storage. It addresses techniques to perform forensics on Flash type storage (Semiconductors).
All of Gutmann's stuff is fairly old, and also only theoretical. I'd like to see something written a bit more recently than prior to 1996, as well as some actual hands-on work.
I personally feel that our job will remain exactly the same with SSDs as with normal hard drives. This is just an opinion, of course, as I've not worked on an SSD at any low-level. But I'd be very surprised if overwritten data is presented in any easier way on an SSD compared to a HDD, and by now you would all have tired of my opinions on HDDs. :)
I personally feel that our job will remain exactly the same with SSDs as with normal hard drives. This is just an opinion, of course, as I've not worked on an SSD at any low-level. But I'd be very surprised if overwritten data is presented in any easier way on an SSD compared to a HDD, and by now you would all have tired of my opinions on HDDs. :)
Chatting with my brother yesterday, he runs an IT repair centre. He says he is seeing some laptops with solid-state drives as opposed to conventional HDDs. I asked him, as solid-state has number-of-write limitations expressed in the manufacturer's spec, has he had any repairs specifically dealing with write failure. He said not yet, but he thinks it will be inevitable, given the manufacturer's spec and generally computing high write rates, that he expects to see life of SSD about 2 years between upgrades.
Chatting with my brother yesterday, he runs an IT repair centre. He says he is seeing some laptops with solid-state drives as opposed to conventional HDDs. I asked him, as solid-state has number-of-write limitations expressed in the manufacturer's spec, has he had any repairs specifically dealing with write failure. He said not yet, but he thinks it will be inevitable, given the manufacturer's spec and generally computing high write rates, that he expects to see life of SSD about 2 years between upgrades.
A quick Google search seems to tell me that newer SSDs have a write cycle time that, under normal usage, could easily be measured in decades. With wear-levelling you basically have to fill the entire SSD the number of times that you have write-cycles.
This site (http//
"I found some data from Mtron (one of the few SSD oems who do quote endurance in a way that non specialists can understand). In the data sheet for their 32G product - which incidentally has 5 million cycles write endurance - they quote the write endurance for the disk as 'greater than 85 years assuming 100G / day erase/write cycles' - which involves overwriting the disk 3 times a day."
I won't pretend to have any real experience with SSDs, and the proof will really only rear its head in a few years when we see how they actually go. But info on the web seems to show they are now a very capable replacement for HDDs.