Re: Hard Drive Forensics Question

[Ansgar Wiechers <bugtraq () planetcobalt net>]

On 2008-10-08 J. Oquendo wrote:
> On Wed, 08 Oct 2008, Ansgar Wiechers wrote:
> > Of course if you'd want to avoid any risk, you'd feed the disk to a
> > furnace and get rid of the problem once and for all.
>
> And that would do?
> http://www.ontrackdatarecovery.co.uk/columbia-drive-recovery/

I don't think so. How was that disk wiped?

> Appropriately a degausser would solve the problem, but it would also
> make the drive useless. I won't get into counterforensics, but most so
> called wiping tools aren't worth the programming it took to make them.
>
> http://www.first.org/conference/2006/papers/geiger-matthew-papers.pdf

Looks interesting, although the test scenario differs from what I had
outlined (single-pass wipe of the entire disk with zeroes). Too bad that
SysInternals' SDelete wasn't included in this evaluation. I'm rather
curious how it would have performed in the "free space" and "targeted
files" tests.

I only took a glimpse now, but will read it thoroughly as soon as I have
a little more time.

> There are plenty of ways to securely wipe data, but from my
> perspective, it involves creativity and a very good understanding of
> the system going right down to the metadata levels. This includes
> pre-fetch info, etc., etc.,

If we're talking about removing traces from a system that shouldn't be
touched otherwise: yes, most certainly.

> however at the same time, more and more forensics experts could
> re-coup evidence of counterforensics tools being used which 1) may
> make it easier for us to rebuild, 2) may on its own give weight to
> wrongdoing.
>
> To understand what I mean about wrongdoing, you'd have to understand
> scenarios... Scenario: Defendant is on trial for stashing corporate
> secrets. His attorneys cry foul. Defendant was a salesman... What
> exactly was he doing with evidence eliminator again?
>
> You have to understand the mechanisms of fighting a war. Just the
> mention of it alone whether he had it for good reasons is enough to
> raise suspicion in the eyes of ANY juror. Not to mention the idiotic
> names for some of these programs: "Evidence Eliminator" why not call
> it "ForensicExpertsShouldCheckMeFirst" or "Hey look I potentially have
> something to hide 1.0"

I see your point, but I'd still have to disagree. Having a counter-
forensics tool installed is no proof whatsoever that the defendant
actually did what he's charged with. Presumption of innocence is one of
the most basic principles of our legal system. And that's for a reason.

> As for feeding it to a furnance, better be hot enough to turn it to
> liquid metal.

Going well above the material's Curie point should suffice, AFAICS.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq