At the outset of each new case we always ensure that our destination drives for the image files are wiped using an appropriate tool. We've recently been asked to demonstrate how we verify the integrity of that process. My initial response was that one of the ways is if we use EnCase to wipe the drive we ensure the "Verify Wiped Sectors" box is ticked.
However, this got me thinking. Are there any other third party tools that could do the same verification? Not that I don't trust EnCase, I just think it would be useful to say that we've wiped the drive using one method (e.g. EnCase) and verified that it's wiped using another method (whatever that may be). Short of manually going through the drive and ensuring that each sector is 00, is anyone aware of any third party tools that will check a drive to see if it has been wiped properly?
MikeA,
Make a final wipe pass using HEX00 and then hash the drive using MD5; the value should be 0000 0000 0000 0000, indicating that the drive contains no data. Any other value would show data remains on the drive.
Alan
hash the drive using MD5 the value should be 0000 0000 0000 0000 indicating that the drive contains no data.
Unfortunately that will not work. If you have an MD5 tool that returns that hash then I would suggest it isn't functioning properly.
Even an empty file will produce an MD5 hash D4-1D-8C-D9-8F-00-B2-04-E9-80-09-98-EC-F8-42-7E.
Hashing a single null byte (0x00) will also produce a different hash 93-B8-85-AD-FE-0D-A0-89-CD-F6-34-90-4F-D5-9F-71
Adding further nulls as you would find on a wiped disk will produce different hashes again depending on the number of bytes hashed.
Mike
Are you using Encase to image as well? If so, the image is contained within a container and would negate the need to wipe the target prior to imaging?
Mike, I think a lot of folks see a solid reason to head off the opposing attorney by cleaning all media.
Good answer on the hash btw. IMHO
If you have unix or a boot CD you can issue the following command
dd if=/dev/zero of=/dev/fd0
This takes an input file i.e. the /dev/zero handle which produces a constant stream of zeros, and get it to write to the output file i.e. /dev/fd0 (in this case the floppy drive).
Once this is complete you can hash the entire drive and obtain a hash value. This should match the hash value from EnCase, provided the same hashing algorithm is used to compute the hash. If the hash doesn't match then something is different and data resides on the disk.
Oh, the dd command has many more switches such as block size if you need to specify that.
Hi rcw8892
If you wipe a drive using HEX00 (binary 00000000) on the whole drive then the hash calculation will be 00000000 which will produce a hash value as previously described. A mathematical calculation on 00 will always produce 00. I always do this using DOS applications not from a Windows environment.
Alan
If you wipe a drive using HEX00 (binary 00000000) on the whole drive then the hash calculation will be 00000000 which will produce a hash value as previously described. A mathematical calculation on 00 will always produce 00. I always do this using DOS applications not from a Windows environment.
Except md5 (as do modern hashes) start with a non-zero seed value. If you hash 0 you do not get a 0 hash. I'd go so far to say that if you hash something and get a zero, your procedure was flawed. RFC 1321 on md5 will shed some light on how md5 hash works.
Gentlemen,
I have to apologise in my answer, not paying attention I said MD5 and should have said checksum ) rcw8892 you are correct. I shall now go and hang my head in shame.
Alan
If your SOPs require that you wipe the image repository prior to use, it would seem to preclude using a file server for storing your images that you're working on. Each case, from 100GB to 2TB, will need its own standalone drives which have been wiped, correct?
We've been using eSATA enclosures with freshly wiped drives for all of our work, but as the volume picks up, and as the size of the projects increases past the limits of a single disk, the appeal of a huge file server increases dramatically.
-David
I usually will do both the wiping and verification in linux with one command.
dcfldd pattern=00 of=/dev/sdb bs=? conv=noerror,sync ; sum /dev/sdb
The first command before the ";" will wipe the device (where sdb is the device you want to wipe). The second part after the ";" will provide a checksum and count of blocks on the device.
? should be replaced with the blocksize you want.
After the command is run, you will eventually see an output of numbers.
If you wiped the drive successfully, the first set of numbers you see should all be zeros.
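Putting rcw8892's hash point and the dd/dcfldd approach above into one independent check, as an added example that is not from any poster in this thread: it streams a device or image file block by block, reports the offset of the first non-zero byte, and computes the hash that a correctly wiped device of that exact size must produce, so the value reported by EnCase or dd can be compared against an independently computed one. The 3 MiB sample images, their paths and the stray byte at offset 2000000 are constructed for the demo; reading a real block device such as /dev/sdb needs root.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 1024 * 1024  # read size only; it does not influence the resulting hash


def expected_zero_hash(n_bytes, algo="md5"):
    """Hash of n_bytes of 0x00, streamed so a multi-TB size needs no memory.
    This is what a wiped device of exactly n_bytes must hash to (never all zeros)."""
    h = hashlib.new(algo)
    zeros = bytes(BLOCK_SIZE)
    remaining = n_bytes
    while remaining > 0:
        chunk = min(remaining, BLOCK_SIZE)
        h.update(zeros[:chunk])
        remaining -= chunk
    return h.hexdigest()


def verify_wiped(path, algo="md5", block_size=BLOCK_SIZE):
    """Stream path (device or image file); hash it and locate the first non-zero byte."""
    h = hashlib.new(algo)
    total, first_bad = 0, None
    zero_block = bytes(block_size)
    with open(path, "rb", buffering=0) as f:
        while True:
            buf = f.read(block_size)
            if not buf:
                break
            h.update(buf)
            if first_bad is None and buf != zero_block[:len(buf)]:
                first_bad = total + next(i for i, b in enumerate(buf) if b != 0)
            total += len(buf)
    digest = h.hexdigest()
    return {"bytes": total, "hash": digest, "all_zero": first_bad is None,
            "first_nonzero_offset": first_bad,
            "hash_matches_expected": digest == expected_zero_hash(total, algo)}


def demo():
    # constructed sample: a 3 MiB all-zero "drive" and a copy with one stray byte
    with tempfile.TemporaryDirectory() as d:
        wiped, dirty = os.path.join(d, "wiped.img"), os.path.join(d, "dirty.img")
        with open(wiped, "wb") as f:
            f.write(bytes(3 * 1024 * 1024))
        with open(dirty, "wb") as f:
            f.write(bytes(3 * 1024 * 1024))
            f.seek(2000000)
            f.write(b"\x41")
        return verify_wiped(wiped), verify_wiped(dirty)
```

Because the expected hash depends on the byte count, the size passed to expected_zero_hash must be the exact size EnCase or dd hashed, not the nominal drive capacity.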