Occasionally there is some discussion about computer forensic examinations and how good the software and the examiners are. A majority of computer forensic examiners are well trained and have good experience. The same can be said for the tools they use. There are a variety of commercial and open source forensic tools. Probably the best known computer/network forensic tool is EnCase. A single copy/license for EnCase runs over a couple thousand dollars. This is a good tool – bottom line.
If you have some interest in computer forensics, here is a site to look at – Forensic Focus
The following Forensic Focus article was interesting – Is Your Client An Attorney Be Aware Of Possible Constraints On Your Investigation Part 2
Single Pass is Good
That said, EnCase and other forensic tools do have limits. In years past, I have played with (and tested) a variety of software, including data encryption and file/drive wiping. The following was true for all the open source wiping tools I tested on standard hard drives: WHEN PROPERLY USED, nothing was recoverable. This was for a single-pass write. Many of the wiping tools also have multiple-pass write options, some up to 35 write passes! *** Don’t try this on a large hard drive – it will take a LONG TIME! I would suggest that you only use multiple passes on single files.
Note: With Solid State Drives (SSDs), there have been some problems with some drives not being wiped as expected. If you use them, I would suggest reviewing those reports, as well as verifying wipes on them with a disk/hex editor. The following links are to the “Anti-Forensics” Web site and their 2009 article stating that single-pass wiping is good enough.
Yes, it is a bit geeky, but it provides lots of good information. The author also addresses the common belief that data can be recovered even after it has been overwritten. What this belief usually refers to is some sort of microscopic examination of the physical storage platters. This process is extremely costly and time-consuming, and the chance of finding the smoking gun is doubtful at best.
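To automate the read-back check suggested in the SSD note above, here is an added Python example (it is not from the original post or from any of the tools named here): it scans a disk image or device file in chunks and reports the first offset where anything other than the wipe pattern survives. The file names and sample contents are constructed for the demonstration; on a real drive you would point it at the device node and run it with the privileges needed to read it.

```python
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large images/devices need not fit in RAM

def verify_wipe(path, fill=0x00):
    """Scan a file, image or block device and report whether every byte equals
    the fill value a single-pass wipe should have left behind.
    Returns (clean, first_bad_offset, bad_byte_count).
    Caveat (as the post notes for SSDs): this only checks what the OS can read
    back; remapped or over-provisioned flash cells are not visible here."""
    expected = bytes([fill])
    first_bad = None
    bad = 0
    offset = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            # Fast path: a fully clean chunk compares equal to a run of the fill byte.
            if chunk != expected * len(chunk):
                for i, b in enumerate(chunk):
                    if b != fill:
                        bad += 1
                        if first_bad is None:
                            first_bad = offset + i
            offset += len(chunk)
    return (bad == 0, first_bad, bad)

def make_sample_image(size, residue=None):
    """Constructed test data (hypothetical helper, not a wiping tool): a
    zero-filled image, optionally with leftover bytes at (offset, data) standing
    in for a region the wipe never reached."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * size)
        if residue:
            off, data = residue
            f.seek(off)
            f.write(data)
        f.flush()
        os.fsync(f.fileno())
    return path

if __name__ == "__main__":
    img = make_sample_image(4096, residue=(1000, b"Contract.docx"))
    print(verify_wipe(img))  # a clean image returns (True, None, 0)
    os.remove(img)
```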
The Problem with Wiping Files
The problem is that most operating systems keep various records, temp files, caches, file/folder pointers, and registry entries that a user doesn’t know or think about. These residue items can show what was once on a system, even when the original data is long gone and unrecoverable; they can paint a possible picture. I assume this was the case based on reading a recent Prenda case filing where there was some sort of forensic examination: Case 2:11-CV-03072, Boy Racer v. Named Doe.
Based on the document, I believe Prenda obtained some sort of consent from the owner for the analysis. If the examiner had found the “smoking gun” on the hard drive, we would have seen the Doe settle (dismissed with prejudice) or it would likely have gone to trial. As all we see in the amended complaint is weak circumstantial evidence, I don’t believe the examiner found any movie(s), just pointers to such movies.
26. In a recent examination of the Macintosh computer used by Defendant during the times of his infringements, an updated version of Vuze appears in the “Applications” folder. Through further inspection of Defendant’s computer, Plaintiff’s agents found Mp4 converter, StreamMe, and ServeToMe software that could enable an individual to convert a full-length video to a mobile device-compatible format; Toast10, which allows an individual to burn DVDs on Mac computers from videos downloaded over the Internet; and OmniDiskSweeper, a Mac utility program that helps users quickly identify and delete potentially infringing videos on one’s Mac computer in furtherance of evading liability for copyright infringement.
Just A Tool
Now I know the Trolls will say I’m telling people to use these tools to destroy evidence – I’m not. This post is an attempt to dispel some rumors and give people accurate information. I laugh at the suggestion that because someone has these tools, they are up to no good and guilty of being a pirate, thief, etc. These are tools – plain and simple. The same as a handgun – what you do with it determines whether it is used for good or bad. If you have ever donated or sold a computer, I hope and pray you wiped the hard drive first.
A prime example of why you should have encryption and file/drive wiping tools – Stolen Desktop Computer Exposes Data Of Nearly 4 Million Patients (November 2011): http://www.darkreading.com/database-security/167901020/security/attacks-breaches/231903320/stolen-desktop-computer-exposes-data-of-nearly-4-million-patients.html