Some new misinformation on hard disk wiping

jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

I guess that the Urban Legend will never die 😯
http://windowssecrets.com/top-story/rethinking-the-process-of-hard-drive-sanitizing/

If you need to securely erase a drive, an overwrite wipe simply isn’t enough anymore.

Mixing together the 2006 NIST recommendations with the new SSD technologies, and with the early (2010) article by Steven Swanson and Michael Wei makes no sense whatsoever.

But even this one (more recent)
http://www.cirworld.com/index.php/IJCDS/article/download/IJCDS14/pdf

Contributes to the myth

If you have information on a hard drive or flash drive that absolutely needs to be destroyed, you may choose to completely destroy the drive. Good security practices should make this unnecessary, but in the rare case that you have extremely sensitive data that needs to be totally eliminated, we are including a few tips on how to do this.
1. Run a file shredding program and wipe the entire drive. This will overwrite the data and destroy most traces of files. The more times this is done, the less the chance of data retention.
2. Run a powerful magnet over the drive, thus demagnetizing it and further distorting the contents. You can find these magnets in the hard drives of junk computers, some stereo speakers, etc.
3. Burn or smash the hard drive.
4. Take the broken parts and dispose of them in separate places, preferably putting some distance between the various parts. It is possible that, if a section is found, powerful microscopes could still access parts of files or data.
However, the above steps should make the hard drive itself difficult to find, and complicated or impossible to access if its parts are found.

One of the worst mish-mash of paranoid phears with truisms!

It is possible that, if a section is found, powerful microscopes could still access parts of files or data.

Sure, how small must the parts be to be safe?
Separating the single atoms would be enough or should we break them atoms in smaller pieces?

However, the above steps should make the hard drive itself difficult to find, and complicated or impossible to access if its parts are found.
Really?
You mean that it is not possible to read info from something that you cannot find?

jaclaz

 
Posted : 13/09/2012 4:07 pm
Wardy
(@wardy)
Posts: 149
Estimable Member
 

Are you telling me I can stop sending shredded fragments of HDD to random people in China?? lol

 
Posted : 13/09/2012 4:14 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Nuke it from orbit. It's the only way to be sure.

 
Posted : 13/09/2012 4:39 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

Are you telling me I can stop sending shredded fragments of HDD to random people in China?? lol

NO, I am saying that your random Chinese address generator is not entirely random 😯, and using some special hardware/software the Government has ways to predict all of them addresses.

Use a GOOD random generator (courtesy xkcd)

Or even easier, instead of spending long hours of work creating files that no one will ever be interested in (but that the Government will be able to read anyway) use this
http://www.bertel.de/software/rdfc/index-en.html
to produce them... (this approach has the not-so-trivial side effect that you will have more time for your family and friends and for a few good walks)

jaclaz

 
Posted : 13/09/2012 5:22 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 


We have labs all over the country with evidence piling up, unexamined. I hear case stories from LEOs where the collected digital devices are never examined, let alone presented.

Local and State prosecution can barely pay for collection, let alone a good analysis…

 
Posted : 13/09/2012 7:22 pm
(@audio)
Posts: 149
Estimable Member
 

Here is perhaps a really stupid question… Sanitizing drives before putting evidence on them has been recommended standard for a long time as far as I can tell… But why is that?

1. We know when data is overwritten, it's gone.
2. Forensic images are written to drives as a single file or a series of files.

So where is the threat of contamination if the drive isn't zeroed out before evidence is put on them? What am I missing?

 
Posted : 13/09/2012 9:05 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

Here is perhaps a really stupid question… Sanitizing drives before putting evidence on them has been recommended standard for a long time as far as I can tell… But why is that?

1. We know when data is overwritten, it's gone.
2. Forensic images are written to drives as a single file or a series of files.

So where is the threat of contamination if the drive isn't zeroed out before evidence is put on them? What am I missing?

You spend time wiping them to save time 😯, see the analysis here
http://www.forensicfocus.com/Forums/viewtopic/t=6613/postdays=0/postorder=asc/start=12/

jaclaz

 
Posted : 13/09/2012 9:45 pm
(@audio)
Posts: 149
Estimable Member
 

You spend time wiping them to save time 😯, see the analysis here
http://www.forensicfocus.com/Forums/viewtopic/t=6613/postdays=0/postorder=asc/start=12/

jaclaz

That was a good read, thanks. :)

 
Posted : 14/09/2012 12:06 am
(@larrydaniel)
Posts: 229
Reputable Member
 

Sanitizing drives is a holdover from the time when raw images were used, i.e. clones in native format. In those cases, contamination would be a real issue.

Modern forensic images like Expert Witness format or EnCase images are encapsulated and are not subject to contamination.

Why still do it? Some in these forums will tell you that it is because defense attorneys ask about it and it takes too long to explain in court.

The issue is not defense attorneys, per se, in those circumstances. It is experts who don't know the difference between a raw image and an encapsulated forensic image file.

They "advise" their attorneys to attack the evidence in this way for two possible reasons:

1. They are ignorant of forensic file formats.
2. They hope you are.

I still read about cases where the "expert" has no idea what an EnCase image is, how to open it, or how to examine the evidence. It is a sad statement about people who practice computer forensics.

 
Posted : 17/09/2012 10:10 pm
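
Added example (not part of any post in this thread): a small Python model of the difference discussed above between a raw sector-for-sector clone and an image stored as a bounded, hashed file, each written to a destination drive that was not wiped first. The in-memory "drives", the sample strings and the length-plus-SHA-256 container are constructed assumptions for illustration; this is not the Expert Witness/EnCase format itself.

```python
import hashlib

SECTOR = 512
STALE = b"OLD-CASE-0001 residue"   # constructed leftover from a previous job
SOURCE = b"CASE-0002 evidence".ljust(SECTOR, b"\x00") * 64   # constructed 64-sector source

def used_drive(sectors=128):
    """Destination drive that was NOT wiped: stale data sits in sector 100."""
    disk = bytearray(SECTOR * sectors)
    disk[100 * SECTOR:100 * SECTOR + len(STALE)] = STALE
    return disk

def clone_raw(source, dest):
    """Sector-for-sector clone; the examiner later reads the whole destination."""
    dest[:len(source)] = source
    return bytes(dest)

def store_image_file(source, dest, offset):
    """Write the image as a bounded file and record its length and hash."""
    dest[offset:offset + len(source)] = source
    return {"offset": offset, "length": len(source),
            "sha256": hashlib.sha256(source).hexdigest()}

def open_image_file(dest, entry):
    """Read back only the bytes the container describes and verify them."""
    data = bytes(dest[entry["offset"]:entry["offset"] + entry["length"]])
    if hashlib.sha256(data).hexdigest() != entry["sha256"]:
        raise ValueError("image file failed verification")
    return data

def compare():
    src_hash = hashlib.sha256(SOURCE).hexdigest()
    raw_dirty = clone_raw(SOURCE, used_drive())
    raw_clean = clone_raw(SOURCE, bytearray(SECTOR * 128))   # wiped destination
    dest = used_drive()
    contained = open_image_file(dest, store_image_file(SOURCE, dest, 8 * SECTOR))
    return {
        "raw_on_used_drive_has_stale": STALE in raw_dirty,
        "raw_on_wiped_drive_has_stale": STALE in raw_clean,
        "image_file_has_stale": STALE in contained,
        "image_file_matches_source": hashlib.sha256(contained).hexdigest() == src_hash,
        "stale_still_on_used_drive": STALE in bytes(dest),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The stale bytes remain physically present on the unwiped drive in both cases; only the raw clone pulls them into what the examiner treats as the evidence.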
jhup
(@jhup)
Posts: 1442
Noble Member
 

Are you saying that those who pre-wipe their drives before using for anything are "ignorant of forensic file formats" - or did I misread that?

Sanitizing drives is a holdover from the time when raw images were used, i.e. clones in native format. In those cases, contamination would be a real issue.

Modern forensic images like Expert Witness format or EnCase images are encapsulated and are not subject to contamination.

Why still do it? Some in these forums will tell you that it is because defense attorneys ask about it and it takes too long to explain in court.

The issue is not defense attorneys, per se, in those circumstances. It is experts who don't know the difference between a raw image and an encapsulated forensic image file.

They "advise" their attorneys to attack the evidence in this way for two possible reasons:

1. They are ignorant of forensic file formats.
2. They hope you are.

I still read about cases where the "expert" has no idea what an EnCase image is, how to open it, or how to examine the evidence. It is a sad statement about people who practice computer forensics.

 
Posted : 18/09/2012 10:52 pm