On Thu, Aug 30, 2001 at 01:26:54PM -0700, Ed Shirley wrote:
> I have recently been working on a case where I had
> occasion to re-image a subject's machine and was
> surprised to find that most of the provocative
> material was gone without a trace this time. I used
> Encase to examine the drive. I am used to seeing the
> tracks left by wiping tools, and this appeared as
> though they never existed.

It's not that difficult. In fact, it's damn easy. Just time consuming.

On Windows, use xcopy to copy an entire drive hierarchy to another drive or
directory, then delete the old and then copy the other back into place. Then
use a utility to simply fill the disc with a single file full of zeros (or
stars or whatever), or use multiple patterns to overwrite. If you are only
worried about personal data directories, you can do this without any magic
treatment of system directories. If you have more free space than occupied
space, it's really easy.

Want to get fancy? Use *zip to back up your directories, nuke the old ones
(saving a few DOS utilities to recover), wipe the disk (to give you clean
sectors to write to and protect past your file EOFs), then unzip preserving
directories, remove the zip file, and wipe the free space again. Maybe do a
defrag just to make the disk "look" realistic without leaving any dirty
data. :-/

Time... You just need time.

When you are done, there will be no stale deleted directory entries (other
than the root directory, and those can be dealt with as well) and all the
data is toast. Do it with multiple passes to ensure you have caught
everything, and even magnetic analysis becomes increasingly difficult (and
expensive). System files and hidden files make things only "slightly" more
difficult (see Norton Utilities and/or Linux boot CDs).

> When some of the wiping utilities I have experience with were
> used, the filenames were usually intact, although the
> content of the file was overwritten. Is this because
> the filename is listed in the master file table? Is
> the size also contained in this MFT? Is MFT not the
> master file table? Other utils I have seen scramble
> or rename the files, but there are still files there
> marked as deleted.

If you copy a directory to a new directory, then delete the old one and copy
the directory back (or rename it), all the deleted entries are gone, period,
because they never existed in the directory in question (and the old
directory was overwritten by the double copy and free space returned to the
file system for overwriting).

> Anyway, this particular case has troubled me. I am
> not aware of a tool that could remove these files
> previously marked as deleted without leaving some kind
> of trace. Are there any executables that I can look
> for that would betray that some sort of scrubbing had
> been used?
>
> I take it very personally when someone attempts this
> sort of thing, because they think they are smarter
> than me. This time it looks like they might be.

Doesn't take a rocket scientist. Only someone with a little basic knowledge
of the file system structure. Basic knowledge and enough time, forewarning,
and preparation to scrub the disk.

> Ed

Mike
--
  Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
  (The Mad Wizard)       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9       |  An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
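The copy-aside, wipe-free-space, copy-back round trip Mike describes above, written out as an added example for the Linux boot-CD case he mentions rather than DOS xcopy. This is not code from the original post or from the list. It assumes GNU coreutils (cp -a, dd, find, cksum) and that the scratch directory sits on the same filesystem as the directory being relocated, since the filler only zeroes free space on the filesystem it is written to. FILL_LIMIT_MB is an assumption introduced here so the script can be tried without filling a live disk; leave it unset to run the filler to ENOSPC as the post describes.

```shell
#!/bin/sh
# Added example, not from the original post: relocate a directory tree so its
# old directory entries and data blocks become free space, then overwrite that
# free space with a single zero-filled file, twice (once after the delete and
# once after the copy back).  FILL_LIMIT_MB is an assumption of this example;
# when unset, dd runs until the filesystem is full.

set -u

# Write one zero-filled file until ENOSPC (or FILL_LIMIT_MB megabytes), sync,
# then delete it so the freed sectors now contain zeros.  $1 = a directory on
# the target filesystem.
fill_free_space() {
    dir=$1
    filler="$dir/.fill.$$"
    if [ -n "${FILL_LIMIT_MB:-}" ]; then
        dd if=/dev/zero of="$filler" bs=1M count="$FILL_LIMIT_MB" 2>/dev/null || true
    else
        dd if=/dev/zero of="$filler" bs=1M 2>/dev/null || true   # stops at ENOSPC
    fi
    sync
    rm -f "$filler"
    sync
}

# Digest of every regular file (relative path plus content) so the round trip
# can be checked for fidelity.  $1 = directory.
tree_digest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s ' "$f"
        cksum < "$f"
    done) | cksum | cut -d' ' -f1
}

# The round trip.  $1 = directory to relocate, $2 = scratch directory on the
# same filesystem.  Returns 0 if the tree came back byte-for-byte identical.
relocate_and_wipe() {
    src=$1
    scratch=$2
    before=$(tree_digest "$src")
    cp -a "$src" "$scratch/copy"      # copy aside (the xcopy step)
    rm -rf "$src"                     # old entries and blocks are now free
    fill_free_space "$scratch"        # zero what the deleted tree occupied
    cp -a "$scratch/copy" "$src"      # fresh directory, no stale entries
    rm -rf "$scratch/copy"
    fill_free_space "$scratch"        # zero what the aside copy occupied
    after=$(tree_digest "$src")
    [ "$before" = "$after" ]
}
```

Run as `relocate_and_wipe /path/to/data /path/to/scratch` from a shell that has sourced the file. Mike's point about defrag and multiple patterns is not covered here: a single zero pass is what the filler writes, and on a journaling filesystem the journal and any metadata blocks are outside what a user-space filler can reach.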
This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 09:58:08 PDT