Wiping, Sanitizing, encryption, ... really?

5 Posts
4 Users
0 Reactions
442 Views
(@johnes)
New Member
Joined: 17 years ago
Posts: 2
Topic starter  

I haven't had the chance to play with encase or ftk… out of my budget, etc.

And I have read the paper PDF from Guidance Software:

Can Computer Investigations Survive Windows XP?
An examination of Microsoft Windows XP and its Effect on Computer Forensics
December 2001

While not addressing whether Encase can deal with wiped files, this paper seems to indicate worry that it cannot and mitigates that with the fact that it's hard for a user to use the built-in XP wiper tool on a regular basis.

So my question is not whether the NSA can recover your data…

In your _experience_, has encase or ftk been able to deal with a drive that
- Has had data wiped one time
- Has had data wiped >1 times
- Has been encrypted with TrueCrypt or WinMagic's SecureDoc?

John


   
iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
 

Both EnCase and FTK are just tools, but no magic can be performed with them! :D Wiping means overwriting, and it is impossible for any tool to recover info from a wiped drive.

Relating to encryption, that is a completely different issue. No matter which tool has been used to encrypt the device, you will need to get the password somehow (attacking the pwd or just having it from the custodian). Once you've got it, you should be able to analyze the disk just as if it was unencrypted.


   
(@johnes)
New Member
Joined: 17 years ago
Posts: 2
Topic starter  

I seem to find many papers that suggest that wiping isn't enough to stop data from being harvested, which is why I was trying to find out if these are the tools I should be looking at for this purpose.

OK - let me address the second point to extend the question.

If encase or whatever other tool can read deleted data, or data that has been overwritten once… if there was a drive that was previously unencrypted, then encrypted after the fact, wouldn't these tools perhaps be able to see the data as it was prior to the encryption?


   
 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

I would venture to say that papers claiming recovery of wiped data are either referring to Gutmann's work (now somewhat obsolete) or wiping done with poorly designed products. I've yet to see a credible and documented reproduction of recovery of data from a properly wiped drive. A lot of claims, but insufficient information to attempt to reproduce.

As to data that is later encrypted, again it depends on the quality of the encryption program. If it is designed to wipe the unencrypted file as it encrypts it, I'd suggest recovery is impossible. I've seen others that didn't wipe the file so the unencrypted form was recoverable.


   
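The distinction drawn in the reply above (an encryption tool that wipes the plaintext original versus one that only deletes it), as an added example that is not part of the thread. The toy disk, file table, stand-in cipher and all names are constructed for illustration; the raw keyword search ignores the file table, as a forensic tool's search over unallocated space does.

```python
import hashlib

SECTOR = 512

class ToyDisk:
    """Constructed stand-in for a raw volume: flat bytes plus a file table."""
    def __init__(self, sectors=64):
        self.raw = bytearray(SECTOR * sectors)
        self.table = {}              # name -> (first sector, sector count, length)
        self.next_free = 0

    def write(self, name, data):
        count = -(-len(data) // SECTOR)          # ceiling division
        start = self.next_free
        self.raw[start * SECTOR:start * SECTOR + len(data)] = data
        self.table[name] = (start, count, len(data))
        self.next_free += count

    def delete(self, name):
        """Ordinary delete: drop the table entry, leave the sectors untouched."""
        del self.table[name]

    def wipe(self, name):
        """Single-pass overwrite of the file's sectors with zeros, then delete."""
        start, count, _ = self.table[name]
        self.raw[start * SECTOR:(start + count) * SECTOR] = bytes(count * SECTOR)
        self.delete(name)

def toy_encrypt(data, key):
    """SHA-256 counter keystream XOR: a stand-in for a real cipher, not one."""
    blocks = -(-len(data) // 32)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_file(disk, name, key, wipe_original):
    """Write ciphertext to new sectors, then wipe or merely delete the original."""
    start, _, length = disk.table[name]
    plain = bytes(disk.raw[start * SECTOR:start * SECTOR + length])
    disk.write(name + ".enc", toy_encrypt(plain, key))
    disk.wipe(name) if wipe_original else disk.delete(name)

def residual_hits(wipe_original):
    """Count plaintext keyword hits left in the raw image after encryption."""
    disk = ToyDisk()
    disk.write("notes.txt", b"CONSTRUCTED-SECRET account=12345 " * 20)
    encrypt_file(disk, "notes.txt", b"constructed-key", wipe_original)
    return disk.raw.count(b"CONSTRUCTED-SECRET")

if __name__ == "__main__":
    print("delete only:", residual_hits(False), "| wipe:", residual_hits(True))
```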
(@steve2096)
Eminent Member
Joined: 17 years ago
Posts: 33
 

> I seem to find many papers that suggest that wiping isn't enough to stop data from being harvested, which is why I was trying to find out if these are the tools I should be looking at for this purpose.

As ddow has said, anyone suggesting that wiping isn't enough either needs to cite plausible evidence or hasn't done any research in the last 10 years.
In any case, those who actually believe you can recover data that has been overwritten generally don't also believe you can do it with software alone. After all, if this were possible we'd all be using it all the time to double the storage capacity of our drives.


   