Retrieving files that have been securely deleted.

12 Posts
10 Users
0 Reactions
1,806 Views
(@abdul-i)
New Member
Joined: 15 years ago
Posts: 3
Topic starter  

Hi,

As part of an experiment I am doing I need to try and recover files that have been securely deleted. I have used the wipe feature in EnCase to do this, and after a couple seconds of wiping I have cancelled the wiping process (the first part of the experiment, the second is to let it wipe completely). I have then tried to recover the files through FTK with no luck. Windows sees the drive empty and FTK just sees free space.

I have used the Data Carving feature in FTK with no avail.

EnCase also sees an empty drive.

Is there a specific way this is done in industry?

Thank you.

(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

If the sectors have been overwritten, and do not contain next weeks lottery numbers, forget it. The data has gone.

If you are the CIA/FBI then there are possible ways to recover maybe 50% of the bits, but with newer drives, density is so high, redundancy is so low the recovery rate is probably 0.0000001%

My personal view is a single wipe is fine, various (possibly out of date) standards insist on 3, 7, or …. Life is too short to waste time on it, look for the data elsewhere.

(@abdul-i)
New Member
Joined: 15 years ago
Posts: 3
Topic starter  

Hi Mscotgrove,

Thank you for your reply, that definitely makes sense and I agree with you. But because this experiment is for my final year project I need to show that I have attempted to retrieve the data, even if it means I recover nothing; hence trying the Data Carving feature in FTK.

I need to show the steps I had taken in both the major forensics software to retrieve securely deleted files (and other forensic software).

What are the steps would you attempt to take in order to retrieve data from a securely deleted device?

Thank you.

Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

How do you imagine the steps taken would differ?

(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

You are using some very high level tools, and that might be the problem.

Have you tried looking at the disk with a hex editor or something?

You could run 'xxd -a <image or disk>' to autoskip all lines that are zeroed out.

Foremost to recover files that were after the wipe cancel maybe?

Just brainstorming based on the few details you provided.

This assumes the wipe was cancelled, if it hadn't been, I'd agree with Mscotgrove.

(@pragmatopian)
Estimable Member
Joined: 16 years ago
Posts: 154
 

As Michael has suggested, for all practical purposes you can forget anything that has actually been overwritten. Thinking laterally is an important skill in CF; depending on the scope of your assignment, here are some other potentially relevant considerations:

(1) Some wiping software is poorly implemented e.g. I've encountered MFT records of supposedly wiped files using poor quality wiping tools. However, I've yet to see a wiping tool that doesn't actually overwrite the file content.

(2) You may be able to recover fragments of partially wiped files from the device, although you may not be able to tie them conclusively or persuasively to a deliberate act of wiping.

(3) You may be able to find content from a wiped file in another location either on the same device (e.g. temp directory copy or a backup to file that the user had forgotten about) or elsewhere (e.g. backup on NAS, external disk, or online backup). Again, depending on the circumstances you may have difficulty tying the identified content conclusively or persuasively to a deliberate act of wiping.

pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

Hi,
I have used the wipe feature in EnCase to do this, and after a couple seconds of wiping I have cancelled the wiping process (the first part of the experiment, the second is to let it wipe completely). I have then tried to recover the files through FTK with no luck. Windows sees the drive empty and FTK just sees free space.

I have used the Data Carving feature in FTK with no avail.

EnCase also sees an empty drive.

Is there a specific way this is done in industry?

Thank you.

Are we talking about the first or second part of the experiment? A couple of seconds of wipe and you couldn't find anything, or a completed wipe and you couldn't find anything?

For the first, I'm very surprised you couldn't carve anything if you only ran the wipe procedure for 2 seconds.

For the second, I would be very surprised if you _could_ carve anything. A wipe is a wipe is a wipe.

(@abdul-i)
New Member
Joined: 15 years ago
Posts: 3
Topic starter  

Hi guys,

Thank you very much for your replies.

I have tried looking at the device in WinHex which also sees free space.

This is the first part of the experiment, where I have let it wipe for a few seconds; when I say a few or a couple, I do actually mean about 28 to 30 seconds, not 2 seconds.

When I asked what steps you would take to retrieve the data I meant what other tools would you use?

I think I might try the wipe for about 5 seconds and see if anything can be seen.

Thank you again.

(@roncufley)
Estimable Member
Joined: 21 years ago
Posts: 161
 

When you do the wipe, write a known pattern so that you can easily see how far your wipe has gone. Use something like WinHex and scan for NOT (whatever your pattern was). I would suggest that you don't use X'00' or X'FF' as you will find many areas of those already; I often use X'FA' or X'A5'. Don't forget that automatic re-mapping may leave sectors with data that will not be overwritten by any normal software but, by the same token, cannot be read by normal software.

Good luck with the project.

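The scan roncufley describes (and the "skip the uninteresting sectors" idea behind twjolson's xxd -a), as an added example that is not from the thread: it walks a disk image sector by sector, reports which sectors are NOT filled with the known wipe pattern, and so shows where a cancelled wipe stopped. The image, the 0xA5 fill value and the sample "user data" are constructed here; the function names are my own.

```python
"""Added example, not from the forum thread: find sectors a cancelled wipe
never reached by scanning an image for anything that is not the known fill
pattern. All inputs below are constructed for the demonstration."""

SECTOR = 512


def unwiped_ranges(image: bytes, pattern: int = 0xA5, sector_size: int = SECTOR):
    """Return [(first_sector, last_sector), ...] for contiguous runs of sectors
    that are not entirely filled with `pattern`. Runs of fully-wiped sectors are
    skipped, much like `xxd -a` autoskips repeated lines."""
    fill = bytes([pattern]) * sector_size
    ranges, start = [], None
    n_sectors = (len(image) + sector_size - 1) // sector_size
    for i in range(n_sectors):
        chunk = image[i * sector_size:(i + 1) * sector_size]
        wiped = chunk == fill[:len(chunk)]          # last sector may be short
        if not wiped and start is None:
            start = i                                # run of unwiped sectors begins
        elif wiped and start is not None:
            ranges.append((start, i - 1))            # run ends
            start = None
    if start is not None:
        ranges.append((start, n_sectors - 1))
    return ranges


def wipe_frontier(image: bytes, pattern: int = 0xA5, sector_size: int = SECTOR):
    """First sector the wipe did not reach, or None if every sector is wiped."""
    r = unwiped_ranges(image, pattern, sector_size)
    return r[0][0] if r else None


def build_sample_image(wiped_sectors: int, total_sectors: int, pattern: int = 0xA5) -> bytes:
    """Constructed image: sectors [0, wiped_sectors) carry the fill pattern, the
    sector right after is pre-existing all-zero free space (to show why 0x00 is a
    poor wipe pattern), and the remainder holds sample user data."""
    fill = bytes([pattern]) * SECTOR
    data = (b"Sample user file content -- " * 32)[:SECTOR]
    sectors = []
    for i in range(total_sectors):
        if i < wiped_sectors:
            sectors.append(fill)
        elif i == wiped_sectors:
            sectors.append(bytes(SECTOR))            # genuine empty space, all 0x00
        else:
            sectors.append(data)
    return b"".join(sectors)


if __name__ == "__main__":
    img = build_sample_image(wiped_sectors=6, total_sectors=16)
    print("wipe stopped at sector", wipe_frontier(img))   # 6
    print("unwiped sector ranges:", unwiped_ranges(img))  # [(6, 15)]
    print("same scan assuming a 0x00 wipe:", unwiped_ranges(img, pattern=0x00))
```

Scanning the same image as though the wipe pattern had been 0x00 misreports the pre-existing zero sector as "wiped" and the 0xA5 sectors as "data", which is exactly why a distinctive fill byte makes the frontier unambiguous.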
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I am trying to grasp what new discovery you may find in this experiment.

Have you read up on how EnCase "wipes" data, or sdelete, Secure Delete, DBan, eraser, autoclave, killdisk, BootNuke, etc?

Page 1 / 2