Security Basics mailing list archives
RE: Hard Drive Forensics Question
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Mon, 6 Oct 2008 13:00:45 +1000
Sorry to be a pedant on this:
> I assumed minimal knowledge, I figured that copying, pasting, deleting,
> and repeating would be the method that anyone could understand.

The copy/paste/delete process that you are describing still doesn't make sense to me. Perhaps you could give an example of what the process is? If you run something like dd then I don't really know where the copy and paste bit comes into it. Running dd needs nothing more than knowing how to open a terminal window and man dd (minimal knowledge). Understanding what it does exactly and what you will be left with after a destructive command such as dd if=/dev/zero of=/dev/hdax is probably a bit harder but not much.

> Delete it so as to be able to write over it again. Multiple write-overs
> ensure that no data may be recovered.

I'd disagree with the above and say that a single overwrite is more than enough. No need to delete (still don't see what you would gain from deleting something that has been already overwritten) and then repeating seems like a waste of time and cycles. Don't take my word for it, take NIST's: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Making sure the command has completed is the thing to be confident of, however. That is my caveat here. You could even use dcfldd (I think there is a port for OSX) if you want to see progress etc.

>> And why do you feel that random is better?

> If it is actual files that are copied, they may be recovered. Depending
> on the nature of those files, opinions could be made either way. If it's
> random data, nothing can be retrieved and they are left with nothing to
> work with. If they are accusing him of wrong-doing that he is innocent
> of, he should leave them with as little as possible to work with, in my
> opinion.

Maybe I should have asked, "Why do you feel that random is better than something else eg 0's?" I don't think it matters whether it's random or not - overwrite something and it's overwritten. Which means it's unrecoverable. Some apps will overwrite with random numbers. Eg DBAN. If someone sees a pattern in the hard drive after I do dd if=/dev/zero of=/dev/hdax because it's not random they would be right. It's not random. However, can they see any files I had on there before? No.
-----Original Message-----
From: Razi Shaban [mailto:razishaban () gmail com]
Sent: Monday, October 06, 2008 8:04 AM
To: Murda Mcloud
Cc: security-basics () securityfocus com
Subject: Re: Hard Drive Forensics Question

On Mon, Oct 6, 2008 at 1:23 AM, Murda Mcloud <murdamcloud () bigpond com> wrote:

> So you mean similar to writing 0 s to the drive? Like dd if=/dev/zero
> of=/dev/hdax ? or from dev/random?

Yes.

> Just wasn't sure why you said 'copy and paste and delete' - it didn't
> make sense to me.

I assumed minimal knowledge, I figured that copying, pasting, deleting, and repeating would be the method that anyone could understand.

> Also, what would be the point of deleting the data after you have
> randomly generated it? Surely if you have overwritten everything then
> deleting it seems superfluous.

Delete it so as to be able to write over it again. Multiple write-overs ensure that no data may be recovered.

> And why do you feel that random is better?

If it is actual files that are copied, they may be recovered. Depending on the nature of those files, opinions could be made either way. If it's random data, nothing can be retrieved and they are left with nothing to work with. If they are accusing him of wrong-doing that he is innocent of, he should leave them with as little as possible to work with, in my opinion.

Regards,
Razi Shaban
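
Added example, not part of the original thread: the message above stresses confirming that the overwrite pass actually completed, so this sketch zero-fills a target once and then reads it back, counting any bytes that survived. It runs against a constructed scratch image file standing in for a device, and the function names (make_image, wipe_zero, nonzero_bytes, verify_wiped) are hypothetical helpers defined here.

```shell
#!/bin/sh
# Added example: one-pass zero fill plus read-back verification.
# Operates on a constructed scratch image file, never on a real disk.

# make_image PATH KIB: constructed sample "disk" of KIB kibibytes of 'S' bytes.
make_image() {
    dd if=/dev/zero bs=1024 count="$2" 2>/dev/null | tr '\000' 'S' > "$1"
}

# wipe_zero TARGET [BYTES]: overwrite TARGET in place with zeros.
# BYTES defaults to the full size; a smaller value simulates an interrupted run.
wipe_zero() {
    size=$(wc -c < "$1" | tr -d ' ') || return 1
    n=${2:-$size}
    # conv=notrunc keeps the target's length; only its contents change.
    head -c "$n" /dev/zero | dd of="$1" bs=65536 conv=notrunc 2>/dev/null || return 1
    sync    # flush cached writes before anything is read back
}

# nonzero_bytes TARGET: print how many bytes of TARGET are not 0x00.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# verify_wiped TARGET: succeed only if every byte reads back as zero.
verify_wiped() {
    [ "$(nonzero_bytes "$1")" -eq 0 ]
}

demo() {
    img=$(mktemp) || return 1
    make_image "$img" 256
    echo "before wipe:      $(nonzero_bytes "$img") non-zero bytes"
    wipe_zero "$img" 131072     # constructed failure: pass stops halfway
    echo "interrupted wipe: $(nonzero_bytes "$img") non-zero bytes"
    wipe_zero "$img"            # full single pass
    verify_wiped "$img" && echo "full wipe:        verified all zeros"
    rm -f "$img"
}
demo
```
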