File Carving from a Partially Wiped Evidence Disk

Monday, September 13, 2010

Bozidar Spirovski


On the previous article on secure information disposal, a visitor suggested that Darik's Boot and Nuke (DBAN) can be used for emergency evidence destruction. While it is quite correct, DBAN takes time to finish.

So, what evidence can be recovered from a disk on which someone interrupted the DBAN process?

Example Scenario

We created a simulation of an interrupted information destruction. Here is the scenario:

An employee has been collecting illegal material on his corporate computer.

    * The employee is accidentally notified that internal audit investigators will review his computer in several minutes

    * The employee boots to a Darik's Boot and Nuke to destroy the disk contents

    * The investigators intercepts and disconnect the power to the computer before DBAN finishes


Since DBAN will overwrite information, it can be assumed that the File Allocation Tables are destroyed, as well as some of the data.

   1. The investigator creates a DD image of the disk drive, as presented in the Tutorial - Computer Forensics Evidence Collection

   2. The DD image is loaded into the Helix investigator computer

   3. All strings are extracted from the image using the 'strings' command - tis activity creates a huge file that needs to be analyzed manually

   4. All possible files are extracted using the 'scalpel' file carving tool - this is an automated tool which can search for a lot of known file types and tries to extract them by matching the beginning and end of the file

   5. The carved files and strings are analyzed one by one. Most of the carved files are useless, since there is fragmentation on every drive so part of the files are lost, or the carving tool cannot match the other parts of the file.


    * While evidence recovery from a partially wiped drive is possible, it is both difficult and time consuming to achieve. At any rate, no investigator can guarantee successful results.

    * Also, it must be noted that after the first pass of the DBAN write, a very large percentage of information is already destroyed, so one has to be very lucky to walk in on the person while he/she is wiping the hard drive and interrupt the process on time.

Cross-posted from ShortInfosec

Possibly Related Articles:
Security Training
Post Rating I Like this!
Susan V. James Unless you can easily identify the points of demarcation between *wiped* and *not wiped* even the data that you can recover would be suspect as corrupted by DBAN, and probably not admissable as evidence.
Julian Tosh One could argue that once the file table has been wiped, any evidence collected should be considered useless because there will be no way to prove the context of the evidence - When was it written? Under which account was the file written into the file system? Etc. These would be gaping holes in anyone's legal case.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.