why should I wipe a drive before putting evidence on it ?  

Bobbynyc
(@bobbynyc)
New Member

It's a question I have been asked and have heard several times..

But I just can't think of a real answer to be honest..

I have sought the assistance of Google with no luck as well..

I am just wondering why should I be worried about my E01s being contaminated by data it is over writing or the slack space or unallocated space on a drive..

I would imagine the CRC check for each E01 would show something wrong when the E01s are verified and such..

I am just trying to understand some real life scenario that someone could impart as to why a drive should be wiped before putting evidence in the form of E01 or DD on it..

I can understand that someone reviewing the evidence could look at this area in question to make you look bad.. e.g. maybe there was porn on the drive in the unallocated space, for example.

But beyond this how is overwriting data on a drive especially with E01s going to contaminate my evidence..

Mind you this is not a debate on my part.. Just seeking some real wisdom on my possible short sightedness on this question.

Posted : 05/06/2015 7:01 pm
jaclaz
(@jaclaz)
Community Legend

It's a known matter of debate/doubt.

See here
http://www.forensicfocus.com/Forums/viewtopic/p=6568740/#6568740

and in a few posts starting here, the nice advice/explanation by Jhup
http://www.forensicfocus.com/Forums/viewtopic/p=6559978/#6559978
and here
http://www.forensicfocus.com/Forums/viewtopic/p=6560020/#6560020

In a nutshell you waste time (in the lab) to save time (in court).

jaclaz

Posted : 05/06/2015 7:14 pm
Bobbynyc
(@bobbynyc)
New Member

It's a known matter of debate/doubt.

In a nutshell you waste time (in the lab) to save time (in court).

jaclaz

LOL

I am going to read those links.. But I laughed out loud in the office.. I had to show the other examiners your response.. They laughed as well..

One guy responded, that is what we do pretty much with everything we do here..

Posted : 05/06/2015 7:37 pm
athulin
(@athulin)
Community Legend

I can understand that someone reviewing the evidence could look at this area in question to make you look bad.. e.g. maybe there was porn on the drive in the unallocated space, for example.

Or personal information related to one or more people related to the investigations for which you have used that disk in the past, or other sensitive information.

It's a question of risk assessment: what could happen? And if it does, can you just shrug it off, or will you, your business or your employer be damaged in some material way?

And it's not always 'wipe before use'. 'Wipe after use' is probably more common.

Those who are concerned with privacy or restricting access to sensitive information usually wipe their image disks _as soon as_ the information stored on them is not required for business anymore. Keeping information beyond that point is nothing but a business risk.

If you're working in a corporate environment where information security is an issue, you may have to classify information (usually confidentiality) when it is created or received. If that is the case, have a chat with your IS officer.

Posted : 05/06/2015 8:03 pm
jaclaz
(@jaclaz)
Community Legend

Or personal information related to one or more people related to the investigations for which you have used that disk in the past, or other sensitive information.

It's a question of risk assessment: what could happen? And if it does, can you just shrug it off, or will you, your business or your employer be damaged in some material way?

And it's not always 'wipe before use'. 'Wipe after use' is probably more common.

To be picky (as I am, BTW), your "wipe after use" is similar to "wipe before re-use".

The interesting point may become this: given that, along your own policies/processes, you surely wipe a disk after it has been used (as soon as the evidence is no longer needed, of course), and the actual disk is put in a pile labeled "wiped disks ready to be re-used", which actions do you log when you take a disk out of the pile for a new case?

I mean, do you trust blindly the fact that if a disk is in the "wiped disks" pile it has surely been wiped? Do you check that its hash corresponds to that of a fully zeroed disk? Do you wipe it (again) no matter what? Do you report the date (possibly several months earlier) on which the disk was wiped "after use" and by whom (data written on the envelope containing the disk or on a label on it?) in your "new case" report?

(and as a side-side note, do you manage the pile/stack as LIFO or FIFO?)

jaclaz

Posted : 05/06/2015 9:06 pm
athulin
(@athulin)
Community Legend

To be picky (as I am, BTW), your "wipe after use" is similar to "wipe before re-use".

But there is a distinction. 'Wipe after use' is intended to minimize the time any information is stored on the disk. 'Wipe before use' does not say anything about how long the drive has been left lying around.

'Wipe after use' ensures that a case is properly closed, and information leakage risks related to that case minimized.

'Wipe before use' addresses risks involved in starting a new case, and any risks inherent in using 'dirty' disks for that particular case.

I mean, do you trust blindly the fact that if a disk is in the "wiped disks" pile it has been surely wiped …

No.

Not erasing information as quickly as is consistent with business needs is – in my eyes – a capital offense.

Not erasing information before imaging is – again, in my eyes – a much lesser offense.

Even with both, there is a risk of information exposure. And even if I might ask for both, I can't really expect to get it – particularly not if there's a fire on. It's not that uncommon to have to buy a new disk in the field. If I have to wait while a 2TB disk is wiped prior to use while there's a three-alarm case going on, … well, that's a capital offense in the eyes of others.

So, if I can get only one of 'wipe-after-use' and 'wipe-before-use', I choose the first. I can live with those risks (in conjunction with additional SOPs).

That's what it boils down to: what risks can be accepted? What risks do we have to minimize, and at what maximum cost? There is no answer that works for everyone.

Posted : 06/06/2015 12:12 am
jaclaz
(@jaclaz)
Community Legend

Sure :) .
I was making the distinction between a "re-used" disk and a "brand new" disk.
A "re-used disk" is a "security/privacy" risk for the past case and a possible risk/point of objection for the new case.
A "brand new disk" may present a risk/point of objection for the new case only.

Additionally I introduced the new issue that unless you wipe yourself (no matter if the disk is new or re-used and already wiped) immediately before starting using (or re-using) the disk there will be an additional complication.

In practice there are IMHO three possibilities (provided that the scope is to be 100% sure that your behaviour cannot be censored or objected to in Court for the new case, and you will need to spend time to explain it):
1) you wipe the disk (anyway)
2) you hash check that it is already wiped and document this (or go to #1 if the hash for all 00's doesn't match)
3) you are bound to keep a sort of chain-of-custody for the media even after it has been wiped "after use" to "guarantee" that the disk has been previously wiped (and that no one wrote anything to it since)

I am pretty sure that you (or anyone else) will be perfectly able to justify, in case of emergency/need, the use of a non-wiped disk, or of a disk whose wiped state has not been verified. As said in the mentioned thread, there is not (for the new case) a technical/forensics reason to wipe before, but there are practical reasons why it is common and good practice.

jaclaz

Posted : 06/06/2015 12:51 am
StreetForensics
(@streetforensics)
Member

GREAT Question Bobbynyc! I have wanted to ask this very question but have been afraid of the possible replies.

I agree that if my E01 is written over old data and something goes wrong, the checks in place should alert me. Hash Values not matching, verification failing, crc errors, etc. In reading the links posted above (quick review) I get the impression the practice of wiping began prior to the E01 or other container type image formats becoming as standard as they are now. I can see how a 'clone' of a source drive can allow old case data to be left and read as belonging to the new case if a wipe had not occurred.

I also understand that the practice of wiping, while a time consuming task, takes that argument away from the defense in court. But shouldn't explaining the fact that the evidence file (E01) representing the source hard drive was verified as being a forensic copy of it also defeat the argument that there may be old case data being read by our software used to examine it?

Are there any recent cases in court in which a forensic exam was thrown out as a result of claimed or actual 'cross contamination' (don't get me wrong, I am not challenging anyone as if I don't believe it, I am just wondering out loud).

Furthermore, if the defense has a forensic expert who also conducts an exam and they are allowed to create an image from the original evidence, they should be able to duplicate all of your findings, which I would think also validates your evidence file as being a bit-by-bit copy of the original. If they are only given a copy of your E01, again, they should be able to duplicate your findings as well.

One of the links talked about the unlikely possibility of a pointer in your evidence file becoming corrupt and pointing to an area of your un-wiped disk containing leftover un-wiped data. This would obviously be bad, and I am not sure how this could happen. And the likelihood that it points to an area containing something of value to your case also seems small.

Posted : 18/06/2015 1:06 am