Security Basics mailing list archives

RE: Hard Drive Forensics Question


From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Mon, 6 Oct 2008 13:00:45 +1000

Sorry to be a pedant on this:

> I assumed minimal knowledge, I figured that copying, pasting, deleting,
> and repeating would be the method that anyone could understand.

The copy/paste/delete process that you are describing still doesn't make
sense to me. Perhaps you could give an example of what the process is?
If you run something like dd then I don't really know where the copy and
paste bit comes into it. Running dd needs nothing more than knowing how to
open a terminal window and man dd (minimal knowledge). Understanding what it
does exactly and what you will be left with after a destructive command such
as
dd if=/dev/zero of=/dev/hdax
is probably a bit harder, but not much.

> Delete it so as to be able to write over it again. Multiple
> write-overs ensure that no data may be recovered.

I'd disagree with the above and say that a single overwrite is more than
enough. No need to delete (I still don't see what you would gain from deleting
something that has already been overwritten), and then repeating seems like a
waste of time and cycles. Don't take my word for it, take NIST's:
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf


Making sure the command has completed is the thing to be confident of,
however. That is my caveat here.


You could even use dcfldd (I think there is a port for OSX) if you want to
see progress etc.

>> And why do you feel that random is better?

> If it is actual files that are copied, they may be recovered.
> Depending on the nature of those files, opinions could be made either
> way. If it's random data, nothing can be retrieved and they are left
> with nothing to work with. If they are accusing him of wrong-doing
> that he is innocent of, he should leave them with as little as
> possible to work with, in my opinion.

Maybe I should have asked, "Why do you feel that random is better than
something else, e.g. 0's?"

I don't think it matters whether it's random or not. Overwrite something and
it's overwritten, which means it's unrecoverable. Some apps will overwrite
with random numbers, e.g. DBAN.
If someone sees a pattern in the hard drive after I do
dd if=/dev/zero of=/dev/hdax
because it's not random, they would be right. It's not random. However, can
they see any files I had on there before? No.


-----Original Message-----
From: Razi Shaban [mailto:razishaban () gmail com]
Sent: Monday, October 06, 2008 8:04 AM
To: Murda Mcloud
Cc: security-basics () securityfocus com
Subject: Re: Hard Drive Forensics Question

On Mon, Oct 6, 2008 at 1:23 AM, Murda Mcloud <murdamcloud () bigpond com> wrote:
> So you mean similar to writing 0s to the drive?
> Like dd if=/dev/zero of=/dev/hdax ?
> or from dev/random?

Yes.

> Just wasn't sure why you said 'copy and paste and delete', it didn't
> make sense to me.

I assumed minimal knowledge, I figured that copying, pasting,
deleting, and repeating would be the method that anyone could
understand.

> Also, what would be the point of deleting the data after you have
> randomly generated it? Surely if you have overwritten everything then
> deleting it seems superfluous.

Delete it so as to be able to write over it again. Multiple
write-overs ensure that no data may be recovered.

> And why do you feel that random is better?

If it is actual files that are copied, they may be recovered.
Depending on the nature of those files, opinions could be made either
way. If it's random data, nothing can be retrieved and they are left
with nothing to work with. If they are accusing him of wrong-doing
that he is innocent of, he should leave them with as little as
possible to work with, in my opinion.


Regards,
Razi Shaban
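The point both posters circle around is whether an overwrite actually completed and whether any of the old content is still readable afterwards. Below is an added example, not code from either message, that does a single zero-fill pass with dd and then verifies it by reading the target back. It runs against a scratch image file under $TMPDIR rather than a real block device (the path, the marker string and the image contents are all constructed for the demo); on a real disk IMG would be the device node, as in the dd command quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: a zero-fill overwrite with dd and a
# read-back verification, run against a small disk IMAGE FILE so it needs no
# root and touches no real device. On a real target IMG would be /dev/hdaX.
set -eu

IMG="${TMPDIR:-/tmp}/wipe-demo.img"   # constructed sample target, not a real disk

# Build a 256 KiB image and plant a marker string in it, standing in for the
# contents of a file that once lived on the disk.
make_sample_image() {
  dd if=/dev/zero of="$IMG" bs=1024 count=256 2>/dev/null
  printf 'CONFIDENTIAL-MARKER' | dd of="$IMG" bs=1 seek=40960 conv=notrunc 2>/dev/null
}

# How many times the marker can still be found by a plain string search.
# (grep -c exits 1 when the count is 0, hence the || true under set -e.)
marker_count() {
  grep -a -c 'CONFIDENTIAL-MARKER' "$IMG" || true
}

# Size of the target in bytes (tr strips the padding BSD wc prints).
image_size() {
  wc -c < "$IMG" | tr -d ' '
}

# Single pass of zeros over the whole image. conv=fsync (GNU dd) flushes the
# writes before dd exits, so a zero exit status means the data reached the
# medium; the caveat in the thread is exactly that the command must have
# finished before you trust the result.
wipe_image() {
  size=$(image_size)
  dd if=/dev/zero of="$IMG" bs=4096 count=$(( (size + 4095) / 4096 )) conv=fsync 2>/dev/null
}

# Verification: compare the image byte-for-byte against a zero stream of the
# same length. Succeeds only if every byte is now zero.
verify_zeroed() {
  size=$(image_size)
  head -c "$size" /dev/zero | cmp -s - "$IMG"
}

demo() {
  make_sample_image
  echo "markers before wipe: $(marker_count)"
  wipe_image
  echo "markers after wipe:  $(marker_count)"
  if verify_zeroed; then
    echo "verified: every byte of $IMG is zero"
  else
    echo "WIPE INCOMPLETE: non-zero bytes remain in $IMG" >&2
    return 1
  fi
}

demo
```

The verification step is the part worth keeping: a string search for known content is a cheap sanity check, but the byte-for-byte comparison against /dev/zero is what actually confirms the single pass covered the whole target, which is the check NIST SP 800-88 asks for after a clear operation.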

