
Request from client to wipe certain data

(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

I have received a request from a client to wipe certain data from 3 PCs. This data is connected to infringed copyright. This creates a challenge to say the least as how you go about wiping all of the data (thumbnails etc etc) is questionable. Also, it presents liability issues as, unlike conventional evidence, we have been asked to access and wipe live data which goes against all my teachings. Previously, I have simply copied off data that the suspect is allowed back and then wiped the whole drive.
Any comments?


   
(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
 

An interesting one. All depends on what you want to do; realistically, was it the client that was using illegal software/data or was it the client's staff downloading stuff they shouldn't have been?

Secondly there are file erase tools that will erase specific files and overwrite them, but again you have the issues of identifying all files that are also associated with such files, thus makes the whole deletion harder…

And of course coming to original image/data - all depends on the case in question. Can you or do you see it going to court? If so and you are cross-examined then you could be at a loss to explain the reason the original data was accessed, and if it is examined by a third party this issue of deleted/zeroed data could be brought up if they identify files/file pointers etc that point to something that is no longer there (time stamps etc can come into play also).

I wouldn't do it myself, but sometimes we have to do what the client wants. S


   
Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

I have received a request from a client to wipe certain data from 3 PCs. This data is connected to infringed copyright. This creates a challenge to say the least as how you go about wiping all of the data (thumbnails etc etc) is questionable. Also, it presents liability issues as, unlike conventional evidence, we have been asked to access and wipe live data which goes against all my teachings. Previously, I have simply copied off data that the suspect is allowed back and then wiped the whole drive.
Any comments?

I got stuck with something similar on a CP case. The court ordered the machine returned as part of a plea bargain but excluding the contraband. What I ended up doing was wiping the files in question with WinHex, defragging the drive to move everything together and then wiping the free space.


   
BattleSpeed
(@battlespeed)
Eminent Member
Joined: 16 years ago
Posts: 36
 

Assuming you can work out the technical issues (which can be thorny if these are Windows PCs), before I did anything I would first want some assurance that I wasn't being asked to tamper with evidence in a legal matter - whether already filed or known to the client to be pending (here in the US, he might have received what you could call a "do-not-delete" demand). And I'd get it in writing.


   
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

Least expensive method for the client is to have the legitimate user files copied off of the original hard drive (documents and such). Then drill/shred the hard drive to destroy it. A new hard drive is much cheaper than editing files off a hard drive, especially if there are hundreds or thousands of files, plus the unallocated space, plus files you will miss. The computer owner can reinstall his/her system on a clean hard drive and copy their user files onto the new drive. But then again, if the client wants to pay for the time it takes to find all the files in question, wipe them, wipe the free space, defrag the computer, keyword search to ensure the files are gone AND know that you could have missed files altogether, then I guess whatever makes the client happy, makes the client happy.


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

The solution, in part, is determined by the format in which the data to be deleted is found. Obviously, you can use SDELETE or another utility to wipe free space and you can use tools such as BCWipe or WinHEX to do the same for the MFT.

But first you have to find all of the infringing materials (which means that you'll likely want to do a signature analysis to ensure that relevant data isn't being hidden in files with the wrong extension).

Basically, without knowing the format of the infringing data it is hard to say.

Also, what do you mean by "wipe live data"?


   
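A minimal sketch of the signature analysis mentioned in the post above, added here as an example and not part of the original thread: it compares each file's leading magic bytes with its extension and reports mismatches. The signature table, function names and sample files are constructed for illustration.

```python
import os
import tempfile

# (offset, magic bytes, detected type, extensions consistent with that type)
SIGNATURES = [
    (0, b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (0, b"ID3", "mp3", {".mp3"}),
    (4, b"ftyp", "mp4", {".mp4", ".m4v", ".m4a", ".mov"}),
    (0, b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (0, b"MZ", "pe", {".exe", ".dll", ".sys"}),
]

def identify(header):
    """Return (type, expected_extensions) for the first matching signature, else None."""
    for offset, magic, kind, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return kind, exts
    return None

def find_mismatches(root):
    """Walk root; list (relative_path, detected_type) where content and extension disagree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    match = identify(fh.read(16))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            ext = os.path.splitext(name)[1].lower()
            if match and ext not in match[1]:
                hits.append((os.path.relpath(path, root), match[0]))
    return sorted(hits)

def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,       # honest JPEG
        "notes.txt": b"shopping list\n",                          # no known signature
        "backup.dat": b"ID3\x03\x00" + b"\x00" * 11,             # MP3 renamed to .dat
        "report.doc": b"\x00\x00\x00\x18ftypisom" + b"\x00" * 4, # MP4 renamed to .doc
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_mismatches(root)

if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{rel}: content looks like {kind}")
```

This only covers allocated files with a recognisable header; thumbnail caches, unallocated space and formats without a fixed signature still need the separate checks discussed elsewhere in the thread.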
CFP001
(@cfp001)
Eminent Member
Joined: 16 years ago
Posts: 36
 

I like the comments by everyone ref checking the legal aspects. Always a good first step.

You have to return the PCs running in the same condition? Why wouldn't you just wipe the hard drives completely and re-install the OS? All bases covered, right? And it would be way faster and way less risk of missing anything.

Update: Actually, I could have just said ditto to Brent.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

Thanks for the feedback and I have considered all the issues covered. The PCs have been used in a family environment so there are third parties who have the right to have their data back intact. The case is over and the suspect found guilty. The court ordered that the infringing data be removed before the PCs be returned but did not go into any more detail.
I am not sure if this can actually be done.


   
(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
 

If the case is over then I would boot up the PCs and run the erase software you get online; it will erase specific files and can also erase slack space etc (can't remember the name of it but someone else might be able to chime in here). Or as others have suggested use a hex editing tool…

Do we know what the infringed data is, movies? music or software? or something a little more interesting? - the first two would be relatively easy to remove albeit time consuming… the last would be a little more awkward…


   
(@thall)
Trusted Member
Joined: 16 years ago
Posts: 53
 

Surely if he has been found guilty then there has been a forensic analysis of the machine already done with the files detailed in the report, so you should know that there are no more files hidden or it wouldn't have been a very good forensic investigation?

I don't have a lot of forensic experience; just my two cents.


   