In the previous article on secure information disposal, a visitor suggested that Darik's Boot and Nuke (DBAN) can be used for emergency evidence destruction. While that is quite correct, DBAN takes time to finish.
So, what evidence can be recovered from a disk on which someone interrupted the DBAN process?
We simulated an interrupted wipe. Here is the scenario:
* An employee has been collecting illegal material on his corporate computer.
* The employee is accidentally notified that internal audit investigators will review his computer in several minutes.
* The employee boots Darik's Boot and Nuke to destroy the disk contents.
* The investigators intercept him and disconnect the power to the computer before DBAN finishes.
Since DBAN overwrites the disk contents, it can be assumed that the file allocation tables (the file system metadata) are destroyed, as well as some of the data. The investigation then proceeds as follows:
1. The investigator creates a dd image of the disk drive, as presented in the Tutorial - Computer Forensics Evidence Collection.
2. The dd image is loaded onto the Helix investigator computer.
3. All strings are extracted from the image using the 'strings' command. This produces a huge file that has to be analyzed manually.
4. All possible files are extracted using the 'scalpel' file-carving tool. This automated tool searches for a large number of known file types and tries to extract them by matching each file's header and footer.
5. The carved files and strings are analyzed one by one. Most of the carved files are useless: every drive is fragmented to some degree, so parts of the files are lost, or the carving tool cannot match the remaining pieces to the file.
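The investigation steps above, reproduced in miniature as an added example (this is not code from the original post, nor from the Helix or scalpel projects). It builds a constructed disk image in memory that stands in for the dd capture, extracts printable strings with their offsets the way `strings -t d` does, and carves by header/footer signature the way scalpel does. The wipe pattern, the sample file contents and the plaintext remnant are constructed for the example; the JPEG and PDF magic values are the standard ones.

```python
import re

# Header/footer signatures in the style of a scalpel.conf entry:
# (extension, max carve size, header, footer). These are well-known magic values.
SIGNATURES = [
    ("jpg", 200_000, b"\xff\xd8\xff", b"\xff\xd9"),
    ("pdf", 500_000, b"%PDF-", b"%%EOF"),
]


def fill(n, pattern=b"\x97\x1e"):
    """Stand-in for wiped sectors. DBAN writes PRNG output; a fixed, non-printable
    pattern keeps this constructed image deterministic."""
    return (pattern * (n // len(pattern) + 1))[:n]


def build_image():
    """Constructed disk image (not a real capture): an intact JPEG-like file, a
    PDF-like file whose second half (footer included) was overwritten when the
    wipe was interrupted, and a plaintext remnant sitting between wiped areas."""
    intact_jpg = b"\xff\xd8\xff\xe0" + fill(300) + b"\xff\xd9"
    pdf = b"%PDF-1.4\n/Title (Quarterly ledger)\n" + fill(400) + b"\n%%EOF\n"
    half = len(pdf) // 2
    wiped_pdf = pdf[:half] + fill(len(pdf) - half)
    note = b"meeting notes: transfer to offshore account\n"
    return fill(64) + intact_jpg + fill(128) + wiped_pdf + fill(32) + note + fill(64)


def extract_strings(image, min_len=4):
    """Equivalent of `strings -t d -n 4`: printable ASCII runs with decimal offsets."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, image)]


def carve(image, signatures=SIGNATURES):
    """Header/footer carving as scalpel does it: each header hit is paired with the
    nearest footer inside the maximum size. If no footer is found (overwritten, or
    sitting in a fragment elsewhere on the disk) the hit is carved at max size and
    flagged incomplete; these are usually the useless files the investigator discards."""
    found = []
    for ext, max_size, header, footer in signatures:
        start = image.find(header)
        while start != -1:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end != -1:
                found.append((ext, start, end + len(footer), True))
            else:
                found.append((ext, start, limit, False))
            start = image.find(header, start + 1)
    return found


def analyze(image):
    """Steps 3-5 in miniature: run the strings pass and the carving pass, then hand
    both results back for the manual review."""
    return carve(image), extract_strings(image)


if __name__ == "__main__":
    carved, strings = analyze(build_image())
    for ext, start, end, complete in carved:
        state = "complete" if complete else "INCOMPLETE (footer lost)"
        print(f"{ext}: offsets {start}-{end} {state}")
    for offset, text in strings:
        print(f"string @ {offset}: {text}")
```

Running it shows the point of step 5: the intact file carves cleanly, the file whose tail was overwritten is flagged incomplete (its footer is gone, so a carver can only guess at its length), and the plaintext remnant surfaces only through the strings pass. On a real image the investigator substitutes the dd capture and the real tools; the review of what comes out is still manual.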
* While evidence recovery from a partially wiped drive is possible, it is both difficult and time-consuming. In any case, no investigator can guarantee a successful result.
* It must also be noted that after the first DBAN write pass, a very large percentage of the information is already destroyed, so one has to be very lucky to walk in on the person while he/she is wiping the hard drive and interrupt the process in time.
Cross-posted from ShortInfosec