Some new misinformation on hard disk wiping

jaclaz
(@jaclaz)
Community Legend

I guess that the Urban Legend will never die 😯
http://windowssecrets.com/top-story/rethinking-the-process-of-hard-drive-sanitizing/

If you need to securely erase a drive, an overwrite wipe simply isn’t enough anymore.

Mixing together the 2006 NIST recommendations with the new SSD technologies, and with the early (2010) article by Steven Swanson and Michael Wei makes no sense whatsoever.

But even this one (more recent)
http://www.cirworld.com/index.php/IJCDS/article/download/IJCDS14/pdf

Contributes to the myth

If you have information on a hard drive or flash drive that absolutely needs to be destroyed, you may choose to completely destroy the drive. Good security practices should make this unnecessary, but in the rare case that you have extremely sensitive data that needs to be totally eliminated, we are including a few tips on how to do this.
1. Run a file shredding program and wipe the entire drive. This will overwrite the data and destroy most traces of files. The more times this is done, the less the chance of data retention.
2. Run a powerful magnet over the drive, thus demagnetizing it and further distorting the contents. You can find these magnets in the hard drives of junk computers, some stereo speakers, etc.
3. Burn or smash the hard drive.
4. Take the broken parts and dispose of them in separate places, preferably putting some distance between the various parts. It is possible that, if a section is found, powerful microscopes could still access parts of files or data. However, the above steps should make the hard drive itself difficult to find, and complicated or impossible to access if its parts are found.

One of the worst mish-mash of paranoid phears with truisms!

It is possible that, if a section is found, powerful
microscopes could still access parts of files or data.

Sure, how small must the parts be to be safe?
Separating the single atoms would be enough or should we break them atoms in smaller pieces?

However, the above steps should make the hard drive itself difficult to find, and complicated or impossible to access if its parts are found.
Really?
You mean that it is not possible to read info from something that you cannot find?

jaclaz

Topic starter Posted : 13/09/2012 5:07 pm
Wardy
(@wardy)
Active Member

Are you telling me I can stop sending shredded fragments of HDD to random people in China?? lol

Posted : 13/09/2012 5:14 pm
Chris_Ed
(@chris_ed)
Active Member

Nuke it from orbit. It's the only way to be sure.

Posted : 13/09/2012 5:39 pm
jaclaz
(@jaclaz)
Community Legend

Are you telling me I can stop sending shredded fragments of HDD to random people in China?? lol

NO roll , I am saying that your random Chinese address generator is not entirely random 😯 , and using some special hardware/software the Government has ways to predict all of them addresses.

Use a GOOD random generator (courtesy xkcd)

Or even easier, instead of spending long hours of work creating files that no one will ever be interested in (but that the Government will be able to read anyway) use this wink
http://www.bertel.de/software/rdfc/index-en.html
to produce them…..(this approach has the not-so-trivial side effect that you will have more time for your family and friends and for a few good walks)

jaclaz

Topic starter Posted : 13/09/2012 6:22 pm
jhup
(@jhup)
Community Legend

mrgreen

We have labs all over the country with evidence piling up, unexamined. I hear case stories from LEOs where the collected digital devices are never examined, let alone presented.

Local and State prosecution can barely pay for collection, let alone a good analysis…

Posted : 13/09/2012 8:22 pm
Audio
(@audio)
Active Member

Here is perhaps a really stupid question… Sanitizing drives before putting evidence on them has been recommended standard for a long time as far as I can tell… But why is that?

1. We know when data is overwritten, it's gone.
2. Forensic images are written to drives as a single file or a series of files.

So where is the threat of contamination if the drive isn't zeroed out before evidence is put on them? What am I missing?

Posted : 13/09/2012 10:05 pm
jaclaz
(@jaclaz)
Community Legend

Here is perhaps a really stupid question… Sanitizing drives before putting evidence on them has been recommended standard for a long time as far as I can tell… But why is that?

1. We know when data is overwritten, it's gone.
2. Forensic images are written to drives as a single file or a series of files.

So where is the threat of contamination if the drive isn't zeroed out before evidence is put on them? What am I missing?

You spend time wiping them to save time 😯 , see the analysis here
http://www.forensicfocus.com/Forums/viewtopic/t=6613/postdays=0/postorder=asc/start=12/

jaclaz

Topic starter Posted : 13/09/2012 10:45 pm
Audio
(@audio)
Active Member

You spend time wiping them to save time 😯 , see the analysis here
http://www.forensicfocus.com/Forums/viewtopic/t=6613/postdays=0/postorder=asc/start=12/

jaclaz

That was a good read, thanks. :)

Posted : 14/09/2012 1:06 am
LarryDaniel
(@larrydaniel)
Active Member

Sanitizing drives is a holdover from the time when raw images were used, i.e. clones in native format. In those cases, contamination would be a real issue.

Modern forensic images like Expert Witness format or Encase images are encapsulated and are not subject to contamination.

Why still do it? Some in these forums will tell you that it is because defense attorneys ask about it and it takes too long to explain in court.

The issue is not defense attorneys, per se, in those circumstances. It is experts who don't know the difference between a raw image and an encapsulated forensic image file.

They "advise" their attorneys to attack the evidence in this way for two possible reasons;

1. They are ignorant of forensic file formats.
2. They hope you are.

I still read about cases where the "expert" has no idea what an Encase image is, how to open it, or how to examine the evidence. It is a sad statement about people who practice computer forensics.

Posted : 17/09/2012 11:10 pm
jhup
(@jhup)
Community Legend

Are you saying that those who pre-wipe their drives before using for anything are "ignorant of forensic file formats" - or did I misread that?

Sanitizing drives is a holdover from the time when raw images were used, i.e. clones in native format. In those cases, contamination would be a real issue.

Modern forensic images like Expert Witness format or Encase images are encapsulated and are not subject to contamination.

Why still do it? Some in these forums will tell you that it is because defense attorneys ask about it and it takes too long to explain in court.

The issue is not defense attorneys, per se, in those circumstances. It is experts who don't know the difference between a raw image and an encapsulated forensic image file.

They "advise" their attorneys to attack the evidence in this way for two possible reasons;

1. They are ignorant of forensic file formats.
2. They hope you are.

I still read about cases where the "expert" has no idea what an Encase image is, how to open it, or how to examine the evidence. It is a sad statement about people who practice computer forensics.

Posted : 18/09/2012 11:52 pm
marcyu
(@marcyu)
Active Member

I do it anyway. Maybe out of habit. But more because I don't know if the defense, through some crazy subpoena due to a technically-ignorant judge, will get that hard drive I've saved the image to, and find traces of other cases in unallocated space. And if you don't believe a technically-deficient judge will sign off on an unwarranted subpoena, you haven't been doing this very long.

Posted : 19/09/2012 2:19 am
Patrick4n6
(@patrick4n6)
Senior Member

Are you saying that those who pre-wipe their drives before using for anything are "ignorant of forensic file formats" - or did I misread that?

That wasn't my reading. I read Larry as saying that experts who say that not having sterilised a drive containing forensics images invalidates the results are ignorant.

Sterilization is for 2 reasons

1. For forensic cloning destination drives, to ensure that "slack" space after the size of the source drive doesn't contain data that could be improperly added to the case.

2. To prevent taking sensitive or confidential data out into the field with you.

Posted : 19/09/2012 2:38 am
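
Added example, not part of any post in this thread: a check for the first reason given above, that the space on a clone destination past the end of the source holds no leftover data. The function name, the 512-byte sector size and the in-memory sample drives are assumptions made for illustration.

```python
import hashlib
import io

SECTOR = 512
CHUNK = SECTOR * 2048  # read 1 MiB at a time


def audit_clone(dest, source_size):
    """Hash the cloned region of dest and list non-zero sectors after it."""
    if source_size % SECTOR:
        raise ValueError("source size must be a whole number of sectors")
    digest = hashlib.sha256()
    dest.seek(0)
    remaining = source_size
    while remaining:
        buf = dest.read(min(CHUNK, remaining))
        if not buf:
            raise ValueError("destination is smaller than the source")
        digest.update(buf)
        remaining -= len(buf)
    runs, pos = [], source_size  # runs of stale sectors as [first, last]
    while buf := dest.read(CHUNK):
        if buf.count(0) != len(buf):  # skip chunks that are entirely zero
            for i in range(0, len(buf), SECTOR):
                sec = buf[i:i + SECTOR]
                if sec.count(0) == len(sec):
                    continue
                lba = (pos + i) // SECTOR
                if runs and runs[-1][1] == lba - 1:
                    runs[-1][1] = lba  # extend the current run
                else:
                    runs.append([lba, lba])
        pos += len(buf)
    return {"clone_sha256": digest.hexdigest(),
            "tail_sectors": (pos - source_size) // SECTOR,
            "stale_runs": [tuple(r) for r in runs]}


# Constructed sample: a 4-sector source cloned onto two 10-sector destinations.
SOURCE = bytes(range(256)) * 8                       # 2048 bytes
STALE = b"OLD CASE FILE".ljust(SECTOR, b"\xff") * 2  # leftover from earlier use
REUSED = io.BytesIO(SOURCE + bytes(2 * SECTOR) + STALE + bytes(2 * SECTOR))
WIPED = io.BytesIO(SOURCE + bytes(6 * SECTOR))

if __name__ == "__main__":
    for name, dev in (("reused", REUSED), ("wiped", WIPED)):
        print(name, audit_clone(dev, len(SOURCE)))
```

The hash covers only the cloned region, so it can be compared with the source drive's hash even when the destination is larger; a non-empty `stale_runs` list means the destination was not sterilized before the clone was written.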
LarryDaniel
(@larrydaniel)
Active Member

Marcyu - So true. That alone is a good reason to do it.

Patrick4n6 - You read it right. It is ignorant experts who cause all of us the most problems, no matter what side we are on.

Posted : 19/09/2012 6:45 am
Audio
(@audio)
Active Member

Wow. Pretty scary someone can become an "expert" and not know what an Encase image is. Just to be clear, you're referring to some bozo who claims to be an expert, not someone who has become an expert witness. Because if it's the latter, then I'm scared. Really scared.

Posted : 19/09/2012 7:14 am
LarryDaniel
(@larrydaniel)
Active Member

You should be scared. I had a case in which the judge allowed the opposite person to qualify as an expert because he had "used data recovery software several times" and he "regularly fixed his friends' computers".

Posted : 19/09/2012 7:49 am