Computer Forensics World :: View topic - Secure "erasing" - how effective IS it?
Computer Forensics World Forum Index -> General Computer Forensic Issues
spy1
Joined: May 03, 2006
Posts: 5
Posted: Fri May 05, 2006 8:14 am    Post subject: Secure "erasing" - how effective IS it?

Does a program such as "Eraser" ( heidi.ie/eraser/ ) defeat forensic programs - to such an extent as to make them useless in gathering evidence of any kind - if Eraser is used correctly (settings-wise, number-of-passes-wise) and run religiously (once on a schedule and also at the close of any given session) in conjunction with lesser "clean-up" programs such as CleanCache, CCleaner, SBS&D, Index.datSuite, NTREGOPT and PageDefrag (run in the correct order, of course)?

After seeing what was left over of my son's Internet travels after running the "lesser" programs above by using the trial version of a program called RecoverMyFiles ( recovermyfiles.com/ ), I ran an Eraser "free space" wipe (one pass) with Eraser set to over-write:

(a) Free Disk Space (and Master File Table Records)

(b) Cluster Tip Area

(c) Directory Entries

and got the result shown in the screenshot here: wilderssecurity.com/showthread.php?p=742026#post742026 .

Are all those files now truly "un-recoverable" - or not? If they are, why does that program say that the "Recovery" ability is "Very Good"?

I really have to wonder if there is any way to truly "erase" all vestiges of any file you have or d/l onto your computer (to a certainty of every single trace of it being "gone" or "un-recoverable" by any means) - especially when you get into all that geeky-sounding stuff about non-resident attributes; additional MFT records; extents that lie outside the MFT; MFT "slack"; file slack; RAM slack, etc., etc, etc.

What's the real answer here - and I'm asking it here because I would think that you all would really know. Pete

*If it helps, this is a WinXP Pro, NTFS set-up
deckard
Joined: Oct 25, 2005
Posts: 22
Posted: Fri May 05, 2006 11:03 pm

Of course it is recoverable. There IS data written there, all 0's. The erase or wipe programs don't really erase data, they overwrite with a pattern, sometimes 0's sometimes random patterns, depends on your programs and how you configure it.

This may be the simplistic answer to your questions but in essence you aren't erasing anything, just replacing the data with a pattern of new data that is meaningless.

Bill

Data Forensics and Recovery Consultants
Mooresville NC
deckard
Joined: Oct 25, 2005
Posts: 22
Posted: Fri May 05, 2006 11:06 pm

Guess I better proofread better, looks like my "y" key is not functioning properly. Hope you can "read" them in.

Bill
gralfus
Joined: Sep 30, 2004
Posts: 113
Posted: Sat May 06, 2006 1:55 am

I second deckard's conclusion. In my tests of Eraser versus forensic recovery programs (on a hard drive and on a flash card), none of the original data was recoverable after even one pass of pseudorandom data. It is possible for the FAT to retain the file names, and temp files may exist in other locations. I found that some programs keep quite a bit of information in places I didn't suspect until I found it later. This is what commonly trips up criminals during an investigation. They may be confident that they encrypted or erased information, but it is sitting there in plain sight in another location.
deckard
Joined: Oct 25, 2005
Posts: 22
Posted: Sat May 06, 2006 2:22 am

and Gralfus brings out another important part of this process.. TESTING your tools. If you don't KNOW YOURSELF they work as advertised BEFORE you get into a courtroom.
spy1
Joined: May 03, 2006
Posts: 5
Posted: Sat May 06, 2006 2:42 am

Let me describe my daily "exit sequence" - what I do before leaving the computer after any given session:

(Note that Windows is set to clear the swapfile at re-start and Page Defrag from SysInternals - sysinternals.com/Utilities/PageDefrag.html - is set to run automatically at every re-start. SystemRestore is totally dis-abled, as are RemoteRegistry and RemoteDesktop.

All browsers - IE, FireFox, Opera - are set to delete personal data/clear temp files/not remember history for longer than one day/remove d/l history upon exit, etc.)

Run CleanCache v3.2 - buttuglysoftware.com with all options set re: finding/deleting what's found - 35 single wiping passes - with no back-ups permitted. (Covers all three browsers and is actually pretty awesome in and of itself - notwithstanding the fact that it requires the .Net framework).

Run CCleaner v.1.28.277 - ccleaner.com, set likewise except for a seven-wipe max (it catches a couple of things that CC misses, mainly the jre caches and Windows Update un-install stuff).

Run Index.dat Suite - support.it-mate.co.uk/?mode=Products&p=index.datsuite - to make absolutely sure all index.dats are found and deleted. (No "back-ups" and all other cleaning functions selected in that, too, although that just "deletes", doesn't multiple-pass over-write).

Re-start computer.

Run SpyBot Search&Destroy, followed immediately by NTREGOPT and another re-start .

At that point - having deleted everything I can possibly think of - I start off a single "free-space" wipe with Eraser Version 5.7 - heidi.ie/eraser/ as I'm walking out the door.

(Eraser also does another "free-space" wipe - scheduled - nightly).

I don't know, I'm just into "un-necessary" data destruction, I guess.

Can anyone think of anything I'm missing? Maybe in regard to the .Net Framework stuff? Pete
spy1
Joined: May 03, 2006
Posts: 5
Posted: Sun May 07, 2006 3:46 am

Okay, the other thing I've been wondering about is something I can't link you to (because I've forgotten where I read it) about the fact that the MFT doesn't get destroyed even in a complete low-level hard-drive format? This doesn't jive with what I'm reading at the DBAN forum however.

Is that correct, or myth?

And - how much data do the BIOS and the printer memory retain? Pete
gralfus
Joined: Sep 30, 2004
Posts: 113
Posted: Wed May 10, 2006 1:42 am

"low-level format" refers to a factory process that users can't normally accomplish. Formatting the drive normally does not remove data, but does remove pointers to the data in the FAT or MFT, making it appear to have removed the data.

DBAN takes out everything on the hard drive, provided the whole drive is selected (not just a single partition). It has to be partitioned and formatted afterward.

BIOS doesn't retain any user data, just information about the hardware, and settings the computer will use when accessing the hardware.

Printers shouldn't retain information once it has printed. That said, I've never heard of printer memory being queried forensically, so newer printers *may* have an internal log. There can be spool files left over on the PC that describe what was printed. Print servers can also keep track of username, filename, and time of printing.
spy1
Joined: May 03, 2006
Posts: 5
Posted: Wed May 10, 2006 4:25 am

Yes, I was made aware of some of what my all-in-one was retaining in its own memory some time ago: dslreports.com/forum/remark,13664275 .

Gotta wonder why there isn't "separate memory" in the damned monitor, too. Or is there?? Pete
andocrates
Joined: Dec 25, 2005
Posts: 31
Posted: Tue Aug 22, 2006 11:52 pm

The only true safety is strong encryption and flash memory (ram drives). Eraser couldn't stop the federal government if they wanted your hard drive contents, it can however (at 35 passes) stop 99% of police, local courts, and law firms. But if you use Internet Explorer you should be aware of the bazillion places it stores stuff. I haven't used IE in at least a year, what a terrible privacy threat that thing is. Of course Netscape shares the blame for giving us JavaScript.

Hey spy1 get a search program like Agent Ransack and search for all files created in the last day. You can use Windows Explorer as well, but it's buggy and often gives you all files created AND accessed. That's too many files to deal with.
spy1
Joined: May 03, 2006
Posts: 5
Posted: Wed Aug 23, 2006 1:24 am

I'll give AgentRansack a spin (have just d/l'ed it) just to see what it's like.

Thanks.

I had a lot of fun with learning all this stuff (and still apply all of it, too).
cybercop
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA
Posted: Wed Aug 23, 2006 1:36 pm

Unless you wipe your entire drive regularly (how badly you want the data to be gone decides how often "regularly" is), data can still be recovered. By wiping it, I mean overwriting the entire drive with random characters at least 7 times. Then reinstall the OS. Then there is still a chance that something will slip between the tracks.
gralfus
Joined: Sep 30, 2004
Posts: 113
Posted: Thu Aug 24, 2006 1:57 am

I hear the multiple passes claim mentioned a lot, but haven't seen anyone back up the claim with modern equipment. As I posted in this same thread back on May 6, my own experiments show that one pass of pseudorandom data completely prevents the recovery of any data that occupied the same space. It is possible for the same data to be stored in multiple locations, or at least parts of it, so it can be difficult to remove all traces from an "in use" hard drive. But if the whole drive is overwritten, the data is gone as far as forensics programs are concerned.

My instructor said that in his research of the fabled "magnetic microscopy" approach, only 20% of the data was found. That is 20% of each byte, not 20% of useful information. The result was entirely useless to an investigation. When you think about it, that isn't surprising. If a particular location on a drive has contained elements of 20 different files over the past few years, which part of which file is being "recovered"? The whole approach presupposes that only one file was there previously. Channelscience.com did a whitepaper on this that said they had never seen whole files recovered with this method, and that it just wasn't a commercially viable process.

So I encourage all of you to experiment for yourselves and see how your tools work, what you can recover, and what you can't. Get a hard drive (as well as other storage devices) just for this purpose and do legitimate testing, and keep track of the results. This way when you take the stand to testify, you know from repeated experimentation that your words are true and verifiable.
cybercop
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA
Posted: Thu Aug 24, 2006 12:16 pm

My point was that simply zeroing unused space is almost useless since most likely there is still evidence of the files you are trying to hide in other areas on the drive. If you want to truly hide stuff, you would have to have a setup with no writing to the hard drive. For instance, boot with Knoppix, do your surfing, then restart. Since Knoppix only mounts a HD as read only and creates a ram drive for "storage", when you restart all traces are gone.
Prickaerts
Joined: Jan 03, 2006
Posts: 255
Location: The Netherlands
Posted: Thu Aug 24, 2006 4:35 pm

Most wipe applications that run under Windows do not take care of slack space, only free space. So forensic tools might still be able to recover some data. Question remains of course how probable it is that that information is relevant?

Regarding wiping; when using "normal" forensic tools such as FTK, EnCase, Sleuthkit etc, a one pass wipe should suffice. I read research that even after 7 (!) wipe passes, using a microscope data could still be recovered. And yes, only small remnants, and not often would that be relevant / usable data?

The reason you want to do more than 1 pass is that you do not control that process, how do you prevent that little piece of data from being relevant? More passes provide more security.

And in the end degaussing, shredding and then melting gives you better protection ;)
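The "Cluster Tip Area" option in the first post and Prickaerts' point about slack space come down to the same gap: a free-space wipe only touches unallocated clusters, so bytes of a deleted file can survive in the tail of a live file's last cluster. The following toy cluster-allocated volume is an added illustration written for this page (not code from the thread, from Eraser or from any poster); the volume layout, file names and contents are all constructed.

```python
import os

CLUSTER, NCLUSTERS = 16, 8   # constructed toy volume: 8 clusters of 16 bytes

class ToyVolume:
    """Raw bytes plus a directory of name -> (cluster list, byte length)."""
    def __init__(self):
        self.disk = bytearray(CLUSTER * NCLUSTERS)
        self.files = {}
    def _used(self):
        return {c for clusters, _ in self.files.values() for c in clusters}
    def write(self, name, data):
        need = -(-len(data) // CLUSTER)                          # ceiling division
        free = [c for c in range(NCLUSTERS) if c not in self._used()][:need]
        assert len(free) == need, "volume full"
        for i, c in enumerate(free):                 # only len(data) bytes are written;
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]   # the tail of the last cluster
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk   # (slack) keeps old bytes
        self.files[name] = (free, len(data))
    def read(self, name):
        clusters, size = self.files[name]
        return b"".join(self.disk[c * CLUSTER:(c + 1) * CLUSTER] for c in clusters)[:size]
    def delete(self, name):
        del self.files[name]        # like an OS delete: drop the entry, keep the bytes
    def wipe_free_space(self):
        # What a "free space" wipe does: overwrite every unallocated cluster.
        for c in set(range(NCLUSTERS)) - self._used():
            self.disk[c * CLUSTER:(c + 1) * CLUSTER] = os.urandom(CLUSTER)
    def wipe_cluster_tips(self):
        # What a "cluster tip" wipe does: overwrite each live file's bytes
        # between its end of file and the end of its last cluster.
        for clusters, size in self.files.values():
            if clusters:
                start = clusters[-1] * CLUSTER + size - (len(clusters) - 1) * CLUSTER
                end = (clusters[-1] + 1) * CLUSTER
                self.disk[start:end] = os.urandom(end - start)

def demo():
    """Constructed scenario: delete a secret, reuse its first cluster, then wipe."""
    vol = ToyVolume()
    vol.write("secret.txt", b"TOP SECRET: meet at dawn, bring the ledger")  # 3 clusters
    vol.delete("secret.txt")
    vol.write("note.txt", b"hello")                # reuses the secret's first cluster
    vol.wipe_free_space()
    survives_free_wipe = b"ECRET" in vol.disk      # fragment still in note.txt's slack
    dawn_gone = b"at dawn" not in vol.disk         # unallocated clusters were overwritten
    vol.wipe_cluster_tips()
    survives_tip_wipe = b"ECRET" in vol.disk       # slack overwritten, live data intact
    return survives_free_wipe, dawn_gone, survives_tip_wipe, vol.read("note.txt")
```

Running `demo()` returns `(True, True, False, b'hello')`: the free-space wipe removed the unallocated clusters but not the slack fragment, and the cluster-tip wipe removed that fragment without damaging the live file.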
Page 1 of 3