Re: Hard Drive Forensics Question

["Razi Shaban" <razishaban () gmail com>]

On Mon, Oct 6, 2008 at 7:00 AM, Murda Mcloud <murdamcloud () bigpond com>

I won't reply to the first part, as I feel that it doesn't really need
much more elaboration.

> > > > And why do you feel that random is better?
> > >
> > > If it is actual files that are copied, they may be recovered.
> > > Depending on the nature of those files, opinions could be made either
> > > way. If it's random data, nothing can be retrieved and they are left
> > > with nothing to work with. If they are accusing him of wrong-doing
> > > that he is innocent of, he should leave them with as little as
> > > possible to work with, in my opinion.
>
> Maybe I should have asked, "Why do you feel that random is better than
> something else eg 0's?"
>
> I don't think it matters whether it's random or not-overwrite something and
> it's overwritten. Which means it's unrecoverable. Some apps will overwrite
> with random numbers. Eg DBAN
> If someone sees a pattern in the hard drive after I do
> dd if=/dev/zero of=/dev/hdax
> because it's not random they would be right. It's not random. However, can
> they see any files I had on there before? No.

Which is more likely to appear on a normal hard drive that has not
been tampered with or set up: Entire blocks of 0s, or random malformed
data?

--
Razi