Legality of drive wiping

[irongeek at irongeek.com (Adrian Crenshaw)]

Thanks Jason, that is my understanding as well, but I'm having problems with
finding the case law to back it up. Most of the cases I've stumbled across,
if use of a wiping tool was found, it turned out bad for the person using
the tool. However, none of those wiping were done a a matter of
course/policy.

Adrian

On Mon, Jan 11, 2010 at 12:43 PM, Jason Wood <tadaka at gmail.com> wrote:

> Disclaimer:  I AM NOT A LAWYER....
>
> I was at a forensics conference last year and similar questions were
> brought up about this.  Here is what I understood from it.
>
> If you do something routinely (and you might want to have some way of
> making clear that it is routine) you should not have problems with regular
> drive wiping etc.  However, once you have been given indication that an
> investigation is on and that you will need to preserve information, the
> wiping must stop.  Otherwise you run the risk of "destruction of evidence"
> and such.  That's my understanding from sitting in the audience during a
> panel discussion.
>
> You might want to run it past a tech savvy lawyer for better advice on it.
> I met a pretty good guy who happens to be a lawyer at the previously
> mentioned forensics conference.  His name is Joshua Gillibrand and he goes
> by @bowtielaw on Twitter.  Super nice guy and he has a load of case
> information on things like this.  You might want to touch base with him on
> it.
>
> Jason
>
>
> On Mon, Jan 11, 2010 at 9:59 AM, Adrian Crenshaw <irongeek at irongeek.com>wrote:
>
> > Hi all,
> >     I'm working on a new article that tries to answer the following
> > question:
> >
> > When is expunging data valid to keep avoid e-discovery costs or protect
> > personal privacy, and when would it be considered "destruction of evidence"?
> > Is having set policy of "records are delete every x days," or "free hard
> > drive space is wiped nightly" enough, or is more required?
> >
> >     The above question is phrased from the stand point of a business, but
> > I must admit I?m more interested in the answer from an individual
> > standpoint.  For those not in the know, wiping a drive after an
> > investigation had begun (or if you have a reasonable expectation to believe
> > a legal investigation it about to begin) is considered ?Destruction of
> > evidence? or ?Spoliation of evidence?. Once an investigation is likely to
> > begin, you have what is known as a ?duty to preserve?. Two likely outcomes
> > if you are found to have caused spoliation of evidence are: 1. Prosecution
> > under criminal statues concerning destruction of evidence (check with a
> > layer in your jurisdiction). 2. The judge may slap you with a
> > ?spoliation-based adverse inference?, which basically means a statement
> > saying that since you destroyed evidence, it is likely there was something
> > incriminating there, and the court should assume it would have help your
> > adversary?s case. Now all that said there are exceptions made for data that
> > has been removed because of normal, routine processes.
> >
> >    I can think of many valid reasons for wiping a drives freespace
> > routinely:
> >
> > 1. Protect privacy from others with physical access.
> > 2. Fear that the machine might be stolen.
> > 3. Donating the machine.
> > 4. Reallocating the machine to someone of a different security level.
> >
> > But would that hold up in a court case? I'm having problems finding case
> > law. I'd imagine no matter what your reasons, prosecuters will try to get a
> > ?spoliation-based adverse inference? judgment against you if any drive
> > wiping had been detected. Anyone have experience with this, or know a case
> > where someone did drive wiping for privacy reasons, but the prosecution
> > tried to make it seem like destruction of evidence that may never have been
> > there in the first place?
> >
> >
> > Adrian
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
>
> --
>
> irc: Tadaka
> Twitter:  Jason_Wood
> jwnetworkconsulting.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100111/e4eedf5a/attachment.htm