I understand the need to forensically wipe a target drive before cloning a drive, but is there any reason to wipe the drive before writing an image file(s)? Shouldn't a quick format simply be enough?
A couple of reasons why it's good to do it:
1) You get asked by opposing counsel "can you say beyond all reasonable doubt that that file didn't come from a previous examination?" Yes, it's a long shot, but if you have wiped a drive and have a log of the wipe, that eliminates that question completely.
2) I've hot swapped a drive that decided it would die and I "lost" all of my examination data. Lucky for me there wasn't much on there, but I fired up EnCase and did a recovery and got everything back. It was overall a lot easier because the only data there was for that examination.
If you put together an old box that you can just plug drives into to wipe, you can get Linux to autoboot into a dd/dc3dd script that will auto wipe the drive, format and log everything just in case.
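As an added example (not code from anyone in this thread), here is the core of the kind of wipe-box script described above: zero the target, read it back to verify, and log the result, plus the "make sure your hashes match" check on a copied image. It assumes GNU coreutils (dd, cmp, sha256sum, stat, blockdev); the device paths are placeholders for your own setup.

```shell
#!/bin/sh
# Added example, not from the thread. TARGET may be a block device
# (e.g. /dev/sdX, run as root) or a regular file when testing the script.
# Usage: wipe_and_log /dev/sdX /var/log/wipes.log

iso_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

target_size() {
    # stat reports 0 for block devices, so ask the kernel for their size.
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# wipe_and_log TARGET LOGFILE
# Overwrites TARGET with zeros, reads it back and compares it against
# /dev/zero, then appends a timestamped line (size, result, SHA-256 of the
# wiped target). Returns 0 only if the read-back verification passed.
wipe_and_log() {
    target="$1"; log="$2"
    size=$(target_size "$target") || return 1
    head -c "$size" /dev/zero | dd of="$target" bs=1M conv=notrunc,fsync 2>/dev/null
    if cmp -s -n "$size" "$target" /dev/zero; then result=VERIFIED; rc=0
    else result=FAILED; rc=1; fi
    sum=$(sha256sum "$target" | cut -d' ' -f1)
    printf '%s wipe target=%s bytes=%s result=%s sha256=%s\n' \
        "$(iso_now)" "$target" "$size" "$result" "$sum" >> "$log"
    return $rc
}

# verify_copy SOURCE_IMAGE COPIED_IMAGE LOGFILE
# Hashes both files, logs both values, and returns 0 only when they match,
# so the log shows the image was identical before and after the copy.
verify_copy() {
    src_sum=$(sha256sum "$1" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$src_sum" = "$dst_sum" ]; then result=MATCH; rc=0
    else result=MISMATCH; rc=1; fi
    printf '%s copy src=%s dst=%s src_sha256=%s dst_sha256=%s result=%s\n' \
        "$(iso_now)" "$1" "$2" "$src_sum" "$dst_sum" "$result" >> "$3"
    return $rc
}
```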
Need? No. The image file is written all at once, and no residual data will show through, with the exception of slack space.
You, of course, can prove this by hashing the image after it's copied.
This may open up a line of attack for the defense. But I think it's minimal. As long as you can prove that the hash was the same before and after the copy, I think you'd be fine.
It was part of normal practice at our lab purely to negate the question from lawyers who will try and cast doubt on the evidence by playing on the judge and jury's lack of technical know-how.
But as my old boss used to say, "if you can't adequately explain on the stand why you don't have to do it (wipe hard drives) then you are in the wrong job".
FYI I no longer wipe drives before each job and in the many years with the Police and my time since leaving I have never once been asked if I wiped the drive prior to starting work.
For me it's not that onerous to set a few drives to wipe overnight, but I can see that if you don't have the drives to spare then it's not a necessity.
Just make sure your hashes match, haha.
The other thing is, if we make it mandatory to wipe all external/portable drives prior to writing a forensic evidence file, what will happen when the defense finds out we don't wipe the whole SAN before every image?
Whatever you do, I would advise uniformity. As I said, and others said, wiping a target for a forensic evidence file isn't necessary (for many reasons), but if you wipe one and not the other, it could open a (futile) line of attack.
I have never understood this reasoning; unless the other side can't find the same bit of evidence on their verified copy of the image, the whole argument is superfluous.
That is true, but you have to take into account that a lot of the time (I don't have specific statistics) the defense doesn't do their own examination. They only poke holes in the prosecution's examiner's report.
It should be said, this is why the malware defense persists.
This particular topic has also been discussed here (as an OT corollary to the actual topic title):
http://www.forensicfocus.com/Forums/viewtopic/t=6613/postdays=0/postorder=asc/start=7/
jaclaz