Legality of drive wiping

[tkrabec at gmail.com (Tim Krabec)]

I'd say you need to do a few things
1. Inventory your data see what you have, where it is, why you are keeping
it, and how big it is.
2. Use the inventory & statutes to define how long each type of data must be
kept for
3 use the above information to decide what should be kept and for how long.
and when purges + wipes should be preformed (don't forget about backups as
well) make sure the process can be stopped "easily" in case you are
subpoenaedor I believe have reasonable knowledge you will be subpoenaed
4.   Follow the program, putting in some checks and balances for CYA.

On Mon, Jan 11, 2010 at 11:59 AM, Adrian Crenshaw <irongeek at irongeek.com>wrote:

> Hi all,
>     I'm working on a new article that tries to answer the following
> question:
>
> When is expunging data valid to keep avoid e-discovery costs or protect
> personal privacy, and when would it be considered "destruction of evidence"?
> Is having set policy of "records are delete every x days," or "free hard
> drive space is wiped nightly" enough, or is more required?
>
>     The above question is phrased from the stand point of a business, but I
> must admit I?m more interested in the answer from an individual standpoint.
> For those not in the know, wiping a drive after an investigation had begun
> (or if you have a reasonable expectation to believe a legal investigation it
> about to begin) is considered ?Destruction of evidence? or ?Spoliation of
> evidence?. Once an investigation is likely to begin, you have what is known
> as a ?duty to preserve?. Two likely outcomes if you are found to have caused
> spoliation of evidence are: 1. Prosecution under criminal statues concerning
> destruction of evidence (check with a layer in your jurisdiction). 2. The
> judge may slap you with a ?spoliation-based adverse inference?, which
> basically means a statement saying that since you destroyed evidence, it is
> likely there was something incriminating there, and the court should assume
> it would have help your adversary?s case. Now all that said there are
> exceptions made for data that has been removed because of normal, routine
> processes.
>
>    I can think of many valid reasons for wiping a drives freespace
> routinely:
>
> 1. Protect privacy from others with physical access.
> 2. Fear that the machine might be stolen.
> 3. Donating the machine.
> 4. Reallocating the machine to someone of a different security level.
>
> But would that hold up in a court case? I'm having problems finding case
> law. I'd imagine no matter what your reasons, prosecuters will try to get a
> ?spoliation-based adverse inference? judgment against you if any drive
> wiping had been detected. Anyone have experience with this, or know a case
> where someone did drive wiping for privacy reasons, but the prosecution
> tried to make it seem like destruction of evidence that may never have been
> there in the first place?
>
>
> Adrian
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
Tim Krabec
Kracomp
772-597-2349
smbminute.com
kracomp.blogspot.com
www.kracomp.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100111/09f78cc5/attachment.htm