PaulDotCom mailing list archives
Legality of drive wiping
From: tkrabec at gmail.com (Tim Krabec)
Date: Mon, 11 Jan 2010 13:09:23 -0500
I'd say you need to do a few things:

1. Inventory your data: see what you have, where it is, why you are keeping it, and how big it is.
2. Use the inventory & statutes to define how long each type of data must be kept for.
3. Use the above information to decide what should be kept and for how long, and when purges + wipes should be performed (don't forget about backups as well). Make sure the process can be stopped "easily" in case you are subpoenaed or, I believe, have reasonable knowledge you will be subpoenaed.
4. Follow the program, putting in some checks and balances for CYA.

On Mon, Jan 11, 2010 at 11:59 AM, Adrian Crenshaw <irongeek at irongeek.com> wrote:
Hi all,

I'm working on a new article that tries to answer the following question:

When is expunging data valid to avoid e-discovery costs or protect personal privacy, and when would it be considered "destruction of evidence"? Is having a set policy of "records are deleted every x days," or "free hard drive space is wiped nightly" enough, or is more required?

The above question is phrased from the standpoint of a business, but I must admit I'm more interested in the answer from an individual standpoint. For those not in the know, wiping a drive after an investigation has begun (or if you have a reasonable expectation to believe a legal investigation is about to begin) is considered "Destruction of evidence" or "Spoliation of evidence". Once an investigation is likely to begin, you have what is known as a "duty to preserve". Two likely outcomes if you are found to have caused spoliation of evidence are:

1. Prosecution under criminal statutes concerning destruction of evidence (check with a lawyer in your jurisdiction).
2. The judge may slap you with a "spoliation-based adverse inference", which basically means a statement saying that since you destroyed evidence, it is likely there was something incriminating there, and the court should assume it would have helped your adversary's case.

Now all that said, there are exceptions made for data that has been removed because of normal, routine processes. I can think of many valid reasons for wiping a drive's free space routinely:

1. Protect privacy from others with physical access.
2. Fear that the machine might be stolen.
3. Donating the machine.
4. Reallocating the machine to someone of a different security level.

But would that hold up in a court case? I'm having problems finding case law. I'd imagine no matter what your reasons, prosecutors will try to get a "spoliation-based adverse inference" judgment against you if any drive wiping had been detected.

Anyone have experience with this, or know a case where someone did drive wiping for privacy reasons, but the prosecution tried to make it seem like destruction of evidence that may never have been there in the first place?

Adrian
-- Tim Krabec Kracomp 772-597-2349 smbminute.com kracomp.blogspot.com www.kracomp.com