Security Basics mailing list archives
Re: Hard Drive Forensics Question
From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 8 Oct 2008 12:27:24 -0500
On Wed, 08 Oct 2008, Ansgar Wiechers wrote:
> Of course if you'd want to avoid any risk, you'd feed the disk to a
> furnace and get rid of the problem once and for all.
>
> Regards
> Ansgar Wiechers
And that would do?

http://www.ontrackdatarecovery.co.uk/columbia-drive-recovery/

Appropriately a degausser would solve the problem, but it would also make the drive useless. I won't get into counterforensics, but most so-called wiping tools aren't worth the programming it took to make them.

http://www.first.org/conference/2006/papers/geiger-matthew-papers.pdf

There are plenty of ways to securely wipe data, but from my perspective, it involves creativity and a very good understanding of the system going right down to the metadata levels. This includes pre-fetch info, etc., etc. However, at the same time, more and more forensics experts could recoup evidence of counterforensics tools being used, which 1) may make it easier for us to rebuild, 2) may on its own give weight to wrongdoing.

To understand what I mean about wrongdoing, you'd have to understand scenarios...

Scenario: Defendant is on trial for stashing corporate secrets. His attorneys cry foul. Defendant was a salesman... What exactly was he doing with evidence eliminator again?

You have to understand the mechanisms of fighting a war. Just the mention of it alone, whether he had it for good reasons, is enough to raise suspicion in the eyes of ANY juror. Not to mention the idiotic names for some of these programs: "Evidence Eliminator". Why not call it "ForensicExpertsShouldCheckMeFirst" or "Hey look I potentially have something to hide 1.0"?

As for feeding it to a furnace, better be hot enough to turn it to liquid metal.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP

"Believe nothing, no matter where you read it, or who said it, no matter if I have said it, unless it agrees with your own reason and your own common sense." - Buddha

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB