Is it common practice to ALWAYS wipe the destination media before making an image? I ask this as someone just getting his feet wet in the field. I am curious because although wiping makes perfect sense to me (to get rid of any residual data), should it really make a difference if I've verified hashes of original media and destination image to be the same.
As a beginner I am testing software and practices at home by creating images of small second hand HDDs (2-4 GB) to an 80 GB USB drive and analyzing them using different tools. Should I be wiping this drive for every new image I create, or seeing as I am working with small test drive sizes, is it acceptable to partition the larger drive into, let's say, 5-6 volumes and wipe them individually when needed?
Thanks for any input.
Andy, current best practice guidelines are that a repository drive should be forensically wiped before being copied to. The argument for wiping each time is mainly in case of cross contamination of evidence/data.
If you are imaging directly to a file server on a network, as many are doing/starting to do (we practice this, and image directly to a large capacity RAID), then wiping that repository for each case is not feasible.
If you are not using images of drives, and perhaps simply making a direct copy of the data of one drive to another, then examining that data in its native environment, yes, wiping that repository drive should be done to ensure nothing remains in unallocated, etc.
That's what I assumed, but I don't want to be assuming too much at this point…
The prompt and informative reply is once again much appreciated.
This is an interesting topic. If you make an image of a hard drive using EnCase or practically any other forensic software, it should not make any difference whatsoever whether the target drive was wiped or not.
Since the imaging software makes an identical copy and checks, using hash algorithms, to make sure the copy is identical, there is no real need for wiping from a technical point of view.
The only reason I can see for wiping is that it is easier to explain to anyone questioning the process if you just say "Yes, I wiped the target drive seven using this approved software… Bla bla… thus I can guarantee that the image has not been affected by what may have been on the drive before imaging…".
The fact that the only thing guaranteeing the integrity of the image is the way you make the image, and that the image (using EnCase) is a file that cannot easily be manipulated, is something you ought to be able to explain, and explain in a way that even an amateur would understand (many clients, courts, lawyers etc. are amateurs when it comes to computer forensics).
Correct me if I am wrong…
And yes, I DO wipe the target drive, but just once, because there is no way anything overwritten once could affect anything written to the drive after the wiping…
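The distinction drawn in this thread (an image file verified by hash versus a direct drive-to-drive copy onto a larger, previously used repository drive) can be shown with a small simulation. This is an added example, not code from any poster or forensic tool; the source bytes, the "old case data" residue and the buffer sizes are all constructed for the demonstration.

```python
import hashlib

# Constructed evidence: 4 KiB of deterministic "source drive" content.
SOURCE = bytes(range(256)) * 16
# Constructed repository drive (8 KiB) still holding data from a previous case.
RESIDUAL = (b"old case data " * 600)[:8192]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def wipe(device: bytearray) -> None:
    """Overwrite every byte of the repository with zeros (a single pass)."""
    device[:] = bytes(len(device))


def copy_and_verify(source: bytes, device: bytearray) -> tuple[bool, bytes]:
    """Write the source onto the start of the repository drive and hash-verify it.

    Returns (verified, leftover) where `verified` says whether the copied region
    hashes identically to the source, and `leftover` is everything on the
    repository beyond the copied region (the part an image file never references,
    but a direct drive-to-drive copy leaves readable as unallocated space).
    """
    n = len(source)
    device[:n] = source
    verified = sha256(bytes(device[:n])) == sha256(source)
    return verified, bytes(device[n:])


def run(wipe_first: bool) -> tuple[bool, bytes]:
    device = bytearray(RESIDUAL)
    if wipe_first:
        wipe(device)
    return copy_and_verify(SOURCE, device)


if __name__ == "__main__":
    for wipe_first in (False, True):
        verified, leftover = run(wipe_first)
        print(f"wiped first: {wipe_first}, hash verified: {verified}, "
              f"old data still beyond the copy: {b'old case data' in leftover}")
```

The hash check passes in both runs, which is the point made above: prior contents cannot alter a verified image. Only the leftover region differs, and that region matters solely when the whole repository drive, rather than a bounded image file, is what gets examined.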
Ah… And I thought I was fast 😀
Well, Andy (both of you), the reason I wipe is just to be able to say I've done it…
When you use any kind of server storage solution this no longer works, as Andy pointed out… And where I worked before that was the case, and we never really had difficulties explaining the procedure.
Cross contamination just cannot happen using forensically sound methods.
Thanks also… this was the thought process that led to me questioning whether an image (hash verified) would be sufficient… someone cross-examining me as to wiping/disk integrity etc.
[The only reason I can see for wiping is that it is easier to explain to anyone questioning the process if you just say "Yes, I wiped the target drive seven using this approved software… Bla bla… thus I can guarantee that the image has not been affected by what may have been on the drive before imaging…". ]