Security Basics mailing list archives

RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?


From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Fri, 27 Jun 2003 09:22:32 -0400

According to information I received at an HTCIA meeting about 3 months ago,
as well as some reading that I have done, 31 times is now what is
recommended.  I can't locate my notes that had the speaker's name in the
piles on my desk but he was from NY State Dept. of Health I believe and in
charge of info security.  They had performed a number of tests on a number
of different wiping utilities (30 or so).  They specifically stated that
although their tests were obviously not exhaustive since there are a myriad
of tools out there, that s/w such as Maresware Declasfy and a few others
(somewhere in my notes) were the best because not only did they wipe the
drive completely, but it did the MBR's and even did past the EOF Flag at the
end of the drive.  They also spoke about shredders, magnets, etc. and the
pros and cons of each.  It was a very good training session and brought up a
lot of interesting points and dialog.   7x was the de facto standard for
DoD.  I am not sure if they have adjusted their requirements.  7x was
recommended to ensure that the full clusters and sectors were completely
overwritten.  I agree in many instances 1 wipe is sufficient depending upon
what data you are trying to conceal, i.e. confidentiality and depending upon
whether you are reissuing the drive or selling/disposing of it.  I also
agree with you that MOST tools will not recover past one wipe; however, there
have been arguments stated in this thread that it is recoverable and
theoretically it IS possible although you are correct it is generally more
difficult. I wipe mine to the original DoD specs currently, 7x.  I will be
testing FTK, Encase, R-Studio and some other generally available tools over
the next two weeks or so, as time permits.  I will be testing against a
regular format, gdisk, and BCWipe and perhaps some others.  I will post a
summary of the results when I have them.

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office:  212-806-4125
Pager: 8884238615



-----Original Message-----
From: Troy Larson [mailto:ntevidence () attbi com] 
Sent: Thursday, June 26, 2003 3:32 PM
To: Robinson, Sonja; 'NC Agent'; security-basics () securityfocus com
Subject: RE: Digital Evidence Question - What is an effective Windows hard
-disk search tool?


Sonja,

I respectfully take issue with only one statement: "A wipe to DoD specs (7
or more passes - 31 recommended now) would make data unrecoverable."  

I would say that, unless you are using special hardware tools to access the
hard drive disk platters directly, ONE pass is sufficient to make the data
unrecoverable.  That is, one pass should make data unrecoverable to any
software recovery tool (or any method that relies solely on the hard drive's
own hardware).

Please let me know if I am mistaken.

Troy

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com] 
Sent: Thursday, June 26, 2003 9:01 AM
To: 'NC Agent'; security-basics () securityfocus com
Subject: RE: Digital Evidence Question - What is an effective Windows hard
-disk search tool?


O/S could be Fat32.  We didn't have that info.  True.  Normal formats
still retain data in parts of the clusters so data is recoverable.  My
previous posts stated that.  A wipe to DoD specs (7 or more passes - 31
recommended now) would make data unrecoverable.  I'm sorry if people missed
earlier posts where I discussed un/allocated, free, swap space,
non/sequential  clusters, etc. and are only responding to this one or if I
wasn't as specific as I should have been.  I had previously stated in
other posts that, potentially, data is recoverable if it was not overwritten
(and the user potentially overwrote a number of clusters when he reinstalled
the O/S and the apps, depending on where the new install files were written
to on the hd of course). And that if the full cluster was overwritten they
would not be able to recover anything in unallocated space since it would
then be allocated. If only part of the cluster is overwritten/allocated the
data residing in the unallocated space is recoverable.  The user had asked
if he could recover files in a format readable by the original apps.  If
only parts of the files are recoverable, i.e. using hex editor or similar
tool then most likely not.  (And I will not profess to know every potential
tool that could potentially recover some in a readable format.) MS tends to
write non-contiguously and thus it is likely that a part of a file was
overwritten by one of the newly installed programs.  This of course is
affected by the age of the drive, the amount of data, where the files were
written to (the beginning of the hard drive vs. the end), the amount of files that
were "deleted" throughout the years, etc.  

Also, in another post I suggested he try a hex editor to view the data in
the clusters to see what was available for recovery.  Based on that review
you could determine what it was worth to buy a program to help recover any
data or what would be necessary to rebuild the files manually.  It appeared
that this was beyond the user's technical capabilities at the moment and
that such rebuilding would require a third party and an additional cost
which he did not seem inclined to pay. I think he specifically mentioned a
PST file and his e-mail messages which is what I was mainly focusing on.  In
all likelihood, PST would be extremely difficult to put back together so it
was readable by Outlook since all of the messages would be scattered and
some most likely lost. My main point was that in all likelihood it was going
to require him to put files back together manually and that they would most
likely not be readable by the original program.  Other files may be easier
to get in their entirety. I should have clarified this, sorry.  

In any event it is nice to share all of the potential ways to recover lost
data for varying technical capabilities.  The more avenues you have the more
chances you might have to recover something even if it is only bits and
pieces.



 
-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: Friday, June 20, 2003 10:50
To: 'Wilcox, Stephen'; 'security-basics () securityfocus com'
Subject: RE: Digital Evidence Question - What is an effective Windows hard
-disk search tool?

If you reformatted, don't waste your money on any product, your stuff is
gone and the $75 tool isn't going to help you.  Forensics tools aren't going
to help you.

I would take exception to the above comment, assuming a FAT32 system and
using the high level format the only part of the drive that will be lost is
the system area of the drive.  The data area, cluster 2 and beyond will
remain untouched.  So even if you format the data is still there, just the
system area is zeroed. Which means you may have to look for it manually, but
does not mean that it is gone and your search would be a waste of time.



Your only hope is something like Ontrack and that will cost you.  Even if
you could recover some of the information from free space or slack space, no
your files wouldn't have been readable.  IF you had not reformatted and IF
you had not reinstalled the O/S yes they would have been readable by the
original program.  You're pretty much toast dude.  Sorry.  It is possible to
reassemble files IF they are still there (99.5% chance they're hosed) but
reassembly will cost you serious $$ because it takes a lot of time to do
manually.

Actually all that you have to do is rebuild the root files and remap the
FAT, if the files were contained in contiguous clusters before the
formatting it is not that tough to do although a little time consuming.  If
however the files were in non-contiguous clusters then you are in for time
consuming recovery.

Clayton Hoskinson, CFCE
IS Auditor
State Auditor and Inspector
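Added example, not code from any of the posters: a toy FAT-style disk image in Python that makes the two points of this thread concrete. A high-level format zeroes only the system area (boot sector, FAT, root directory), so the directory listing is gone but a raw content search still finds the file data from cluster 2 onward, exactly as Clayton describes; a single full overwrite pass is what actually puts the data beyond software recovery, as Troy argues in the wipe-count exchange. The layout (16-bit FAT entries, one sector per cluster, tiny sizes) and the file names and contents are constructed for the demo and are deliberately simplified.

```python
import re

SECTOR = 512
RESERVED, FAT_SECTORS, ROOT_SECTORS, DATA_SECTORS = 1, 2, 1, 16   # constructed, tiny layout
FAT_OFFSET = RESERVED * SECTOR
ROOT_OFFSET = (RESERVED + FAT_SECTORS) * SECTOR
DATA_OFFSET = ROOT_OFFSET + ROOT_SECTORS * SECTOR   # data area; its first cluster is cluster 2
CLUSTER = SECTOR                                    # one sector per cluster, for brevity

def new_image() -> bytearray:
    """Blank image: boot sector + FAT + root directory + data area."""
    return bytearray(DATA_OFFSET + DATA_SECTORS * SECTOR)

def cluster_offset(c: int) -> int:
    return DATA_OFFSET + (c - 2) * CLUSTER

def write_file(img, name: bytes, data: bytes, first: int) -> None:
    """Store data in contiguous clusters from `first`, chain them in the FAT
    (16-bit entries, 0xFFFF = end of chain) and add a 32-byte root entry."""
    n = -(-len(data) // CLUSTER)
    for i in range(n):
        c = first + i
        chunk = data[i * CLUSTER:(i + 1) * CLUSTER].ljust(CLUSTER, b"\0")
        img[cluster_offset(c):cluster_offset(c) + CLUSTER] = chunk
        nxt = c + 1 if i < n - 1 else 0xFFFF
        img[FAT_OFFSET + 2 * c:FAT_OFFSET + 2 * c + 2] = nxt.to_bytes(2, "little")
    slot = next(o for o in range(ROOT_OFFSET, DATA_OFFSET, 32) if img[o] == 0)
    img[slot:slot + 32] = (name.ljust(11) + b"\x20" + bytes(14)
                           + first.to_bytes(2, "little") + len(data).to_bytes(4, "little"))

def list_root(img) -> list:
    """What a directory listing, or an undelete tool, can see."""
    names = []
    for o in range(ROOT_OFFSET, DATA_OFFSET, 32):
        if img[o] == 0:
            break
        names.append(bytes(img[o:o + 11]))
    return names

def carve(img, needle: bytes) -> list:
    """Raw content search of the whole image: the hex-editor / carving approach."""
    return [m.start() for m in re.finditer(re.escape(needle), bytes(img))]

def high_level_format(img) -> None:
    """Quick format as the thread describes it: only the system area is zeroed."""
    img[:DATA_OFFSET] = bytes(DATA_OFFSET)

def single_pass_wipe(img, fill: int = 0x00) -> None:
    """One full overwrite pass over every sector, data area included."""
    img[:] = bytes([fill]) * len(img)
```

Run `carve()` before and after `high_level_format()` to see the file contents survive the format with their offsets unchanged, then after `single_pass_wipe()` to see them gone.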



