File/Drive Wiping

Occasionally there is some discussion of computer forensic examinations and how good the software and the examiners are.  A majority of computer forensic examiners are well-trained and have good experience.  The same can be said for the tools they use.  There are a variety of commercial and open source forensic tools.  Probably the best-known computer/network forensic tool is EnCase.  A single copy/license for EnCase runs over a couple thousand dollars.  This is a good tool – Bottom line. 

If you have some interest in computer forensics, here is a site to look at – Forensic Focus

The following Forensic Focus article was interesting – Is Your Client An Attorney Be Aware Of Possible Constraints On Your Investigation Part 2 

Single Pass is Good

Saying that, EnCase and other forensic tools do have limits.  In years past, I have played with (and tested) a variety of software, to include data encryption and file/drive wiping.  The following was true for all the open source wiping tools I tested on standard hard drives: WHEN PROPERLY USED, nothing was recoverable.  This was for single-pass write.  Many of the wiping tools also have multiple-pass write options.  Some up to 35 write passes!  *** Don’t try this on a large GB hard drive – It will take a LONG TIME!  I would suggest that you only use multi-passes on single files. 

Note:  With solid-state drives (SSDs), there were some previous problems with some SSDs not being wiped as expected.  If you use them, I would suggest reviewing the reports, as well as verifying wipes on them with a Disk/Hex editor.

The following links are to the “Anti-Forensics” Web site and its 2009 article stating that single-pass wiping is good enough. 

Yes, it is a bit geeky, but it provides lots of good information.  The author also addresses the common belief that even if overwritten, data can be recovered.  What this belief usually refers to is some sort of microscopic examination of the “physical” storage platters.  This process is extremely costly and time-consuming, and the chance of finding the smoking gun is doubtful at best.  
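One way to do the verification suggested in the SSD note above without paging through a hex editor, as an added example (not from the original post or any tool it mentions): scan a raw image of the wiped drive for any byte that differs from the fill value. It assumes the wipe wrote a single fixed byte (zeros here); `find_residue`, `demo`, and the sample fragment are hypothetical names and constructed data.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images fit in memory


def find_residue(path, fill=0x00, max_regions=10):
    """Return (bytes_scanned, residual_bytes, regions); regions holds the first
    max_regions (start_offset, length) runs that differ from the fill byte."""
    scanned = residual = 0
    regions, run_start = [], None
    def close_run(end):
        nonlocal run_start
        if len(regions) < max_regions:
            regions.append((run_start, end - run_start))
        run_start = None

    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            if chunk.count(fill) == len(chunk):      # fast path: clean chunk
                if run_start is not None:
                    close_run(scanned)               # run ended at the boundary
            else:
                for i, byte in enumerate(chunk):
                    if byte != fill:
                        residual += 1
                        if run_start is None:
                            run_start = scanned + i
                    elif run_start is not None:
                        close_run(scanned + i)
            scanned += len(chunk)
    if run_start is not None:
        close_run(scanned)
    return scanned, residual, regions


def demo():
    """Constructed sample: a zero-wiped 3 MiB image with one leftover fragment."""
    with tempfile.TemporaryDirectory() as tmpdir:
        image = os.path.join(tmpdir, "wiped.img")
        with open(image, "wb") as fh:
            fh.write(bytes(3 * CHUNK))
            fh.seek(CHUNK - 4)       # make the fragment straddle a chunk boundary
            fh.write(b"invoice_2011.pdf")   # constructed residue, not real data
        return find_residue(image)


if __name__ == "__main__":
    print(demo())
```

Reading through the operating system only covers the logical blocks the drive exposes, so spare or remapped flash blocks on an SSD are not checked by this scan.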

The Problem with Wiping Files

The problem is that most operating systems keep various records, temp files, caches, file/folder pointers, and registry entries that a user doesn’t know or think about.  These residual items can show what was once on a system, even when the original data is long gone and unrecoverable.  They can paint a possible picture.  I assume that this was the case based on reading a recent Prenda case filing where there was some sort of forensic examination.  Case 2:11-CV-03072, Boy Racer v. Named Doe.

Based on the document, I believe Prenda obtained some sort of consent from the owner for the analysis.  If the examiner had found the “smoking gun” on the hard drive we would have seen the Doe settle (Dismissed with Prejudice) or it would have likely gone to trial.  As all we see in the amended complaint is the weak circumstantial evidence, I don’t believe the examiner found any movie(s), just pointers of such movies. 

26. In a recent examination of the Macintosh computer used by Defendant during the times of his infringements, an updated version of Vuze appears in the “Applications” folder.  Through further inspection of Defendant’s computer, Plaintiff’s agents found Mp4 converter, StreamMe, and ServeToMe software that could enable an individual to convert a full-length video to a mobile device-compatible format; Toast10, which allows an individual to burn DVDs on Mac computers from videos downloaded over the Internet; and OmniDiskSweeper, a Mac utility program that helps users quickly identify and delete potentially infringing videos on one’s Mac computer in furtherance of evading liability for copyright infringement. 

Just A Tool

Now I know the Trolls will say I’m telling people to use these tools to destroy evidence – I’m not.  The post is an attempt to dispel some rumors and give people accurate information.  I laugh at the suggestion that because someone has these tools, they are up to no good and guilty of being a pirate, thief, etc.  These are tools – plain and simple.  The same as a hand gun – what you do with it determines if it is used for good or bad.  If you have ever donated or sold a computer, I hope and pray you did wipe the hard drive first. 

Prime example of why you should have encryption and file/drive wiping tools: Stolen Desktop Computer Exposes Data Of Nearly 4 Million Patients – November 2011  http://www.darkreading.com/database-security/167901020/security/attacks-breaches/231903320/stolen-desktop-computer-exposes-data-of-nearly-4-million-patients.html

DieTrollDie  🙂

About DieTrollDie

I'm one of the many 'John Does' (200,000+ & growing in the US) who Copyright Trolls have threatened with a civil law suit unless they are paid off. What is a Copyright Troll? Check out the Electronic Frontier Foundation link - http://www.eff.org/issues/copyright-trolls

8 Responses to File/Drive Wiping

  1. I have read the same things regarding one pass being sufficient, and I find nothing wrong with wiping computer files, and in fact I encourage it along with the regular practice of running registry cleaners and disk cache (and temp file) cleaning tools (e.g., all done well with Piriform’s free “CCleaner” software). I even go so far as to tell people I speak to that it is wise to fully encrypt their hard drives (e.g., Truecrypt’s free encryption software does just as good a job as any) — technology is fast enough that any degradation of performance will be barely noticeable.

  2. I forgot to mention — I thought it was funny that you used the “For Dummies” book as the image for your post — Wiley & Co., the publishers for the “For Dummies” book series are one of the FIRST publishers who are suing bittorrent users for the downloading of their e-books.

  3. DieTrollDie says:

    I also like and use both CCleaner and TrueCrypt – great free programs. Yes, I also thought about Wiley & Co. when I selected the image.

  4. gofly says:

    This is more a tech question for anyone…I’m only now reading about bit torrent software and I’m trying to explain something.. A minor says “But I never downloaded that file..!!!…” (I believe my kid since spouse suggested that we pay the jackals, but child protested ..very strongly..) If you are off the hook, parents love you, don’t care as long as you were not making pipe bombs, why protest?
    Can bittorrent software be installed on a computer and set up (defaults?) so the computer is some sort of hub where the user never requests the file, but the system still participates in the swarm?

    • DieTrollDie says:

      Gofly,

      There are ways that the movie in question could have been downloaded via your “Public” IP address and never make it on your computers. If your Firewall/Router was run “Open” (no required password to access it), someone in your neighborhood could have used it to surf the Internet and download the movie via BitTorrent. Even if the Firewall/Router was secured, there is a vulnerability in Wi-Fi Protected Setup (WPS), that allows a hacker to gain access in a day or less. The hacker (neighbor) could then use your Internet without you knowing. Please see the Newbie/Noob page and start reading. Remember not to panic and don’t call the Trolls and try to explain this and reason with them. THEY DON’T CARE!!! They only want your money. Please don’t put too many details in any postings you make, as the Trolls can also read it. I will send an email.

      DieTrollDie 🙂

    • DieTrollDie says:

      You didn’t put too much info – you are fine. Nobody but me will see your IP address or email address. I don’t release that information – I just didn’t want you to add anything else.

      DTD 🙂

    • DieTrollDie says:

      As far as the BitTorrent software question, most operating systems do not come with it already installed. One notable exception can be found in the various Linux operating systems. For Windows systems, it requires someone to install it on a system.

    • CTVic says:

      DTD did a good job of answering your question – I just wanted to add a few somethings to what he’s said:
      It is also possible that your IP address was being used by other users on the internet anywhere in the world. There are hackers out there, with the knowledge and tools, to make things happen under the IP address of a totally unrelated party. They choose an IP address, and generate traffic that impersonates it. The choice of IP address could be random or targeted.
      There’s also the possibility that if your child was downloading *anything* via Bit Torrent, he could have inadvertently downloaded copyrighted material without knowing it! There are documented cases in more than one Copyright Troll case where people downloaded what they thought was innocent, legal content, then upon reviewing it found that it was copyrighted pornography. They innocently download something, see that it’s something else and delete it immediately – then a few months later get a settlement demand from a law firm. This kind of deception is rampant on file sharing networks, where some internet jokester takes illicit videos of gay porn and names it “Western Baptist Choir” before sharing it publicly. Some do it for the lulz, others do it for the profitz.
      It’s never been directly proven, but widely suspected that some tech agencies who make money tracking Bit Torrent copyright infringement have done this themselves – creating deceptive honeypots to trick people into downloading the wrong thing, then having the lawyer demand settlement.
