Help with a dissertation idea

[andrewsco]

Hi.

I am an Msc student looking at the possibilities of a dissertation in and around computer forensics. i (think) I am interested in the physical side of actually erasing information, and then trying to find it again. I have heard that Encase is the best software to use for recovery, and there have even been a few law cases to confirm this.

What software do people recommend for erasing information? I would like people to say firstly which is best (regardless of cost) and then which is the best free tool.

Also if anyone can think up a good dissertation idea, I would be very grateful

Thanks
Andy

[XTC46]

A program called DBAN is a very good data removal tool. by default it writes over the HD 3 times but you can set it to do it as many as 14 times. the really great part is its on a bootable disk so you pop it in, reboot and let it do its thing.

[catch]

For deleting single files, there are many tools that all do basically the same thing... rewrite over the erased data X times. (at least seven is the DOD requirement for secure environments if I recall correctly)

Other tools overwrite the data once and then relabel the pointer so it looks like something not worth recovering. This has the disadvantage of being less secure on an absolute scale, but being as secure on a practical scale and has the advantage of putting less wear on the drive.

For clearing an entire drive you'll want to use a degaussing ring.

cheers,

catch

[|gridley|]

from a linux command prompt you could use

Code:

dd if=/dev/zero of=/dev/hdX bs=1k

(where X is the number of the hard drive, hda for prim. master)
This will effectively overwrite the complete hard drive (including the partition table) with zeroes.
This will prevent 'normal' users from finding anything on your drive.
If you want to be really sure you could do a

Code:

dd if=/dev/random of=/dev/hdX bs=1k

to overwrite the complete harddisk with random data.

Afterwards repartition and reinstall or physicly destruct the harddrive.

For the government standard on data destruction you would have to repeat this process a bunch of times.

[andrewsco]

Thanks for the quick reply's!

I did read somewhere that you can replace with o's etc, but also with random digits kind of like what was mentioned above. How exactly is this done on a windows machine? Do you just use the programs suggested, or can you use the command prompt and do it a bunch of times?

Second thing - How exactly can data be recovered. I know that programs such as Encase are used, but i have also read that data can be recovered, even after being re-written a number of times (I gather this has to do with the hardware?) Does anyone know any more on this, and where I could find some information?

Thanks
Andrew

[ghostmachine]

Originally posted here by andrewsco
Thanks for the quick reply's!

I did read somewhere that you can replace with o's etc, but also with random digits kind of like what was mentioned above. How exactly is this done on a windows machine? Do you just use the programs suggested, or can you use the command prompt and do it a bunch of times?

Second thing - How exactly can data be recovered. I know that programs such as Encase are used, but i have also read that data can be recovered, even after being re-written a number of times (I gather this has to do with the hardware?) Does anyone know any more on this, and where I could find some information?

Thanks
Andrew

you might need knowledge of assembly
With assembly, you can "talk" low level to the HDD..
for a start, you could search for some open source "format" or "fdisk" programs and look at how the author do it.
eg the Spinrite data recovery program was written in assembly.
cheers

[andrewsco]

Thanks again for the reply's. One thing; I tried to google on what a 'degaussing ring' is, but couldn't find any info on actually using it to wipe an entire drive...could you explain please?

Gostmachine: I will have a look into that thanks, that would be really interesting if i could put some programming into my dissertation somehow. I dont suppose there are any tutorials you know of explaining this in a bit more detail?

Andy

[i2c]

isnt a degaussing ring just a means of demagnetising something? for instance a HDD? this would destroy everything cos you should know that the HDD stores data magnetically.

Past few times ive bought HDD second hand off places such as Ebay, ive found some interesting bits and pieces. - most people dont bother to erase.

Maybe you could try this? by a bunch of HDD off ebay and see whats recoverable? youd be able to get some interesting stats this way I think, personally I'd go for SCSI disks cos they tend to be a bit more "industrial" then your home computer IDE disk so you mihgt get some more interesting information - finacial, medical, etc.... this would be good for stating your case at why this is a serious issue.

Try writing to CSEG, NCIS, and some bank companies likem KPMG, PWC, morgan and stanley and others and see what there policies are on disposal of HDD's are.

As for acessing the HDD "low level" so to speak, try using DOS debug - have a look into tutorials on bootsectors in dos debug - similar principles apply to access the main area (has it got a real name?) of a HDD

i2c

ps - as im currently doing my dissertation, if I were you, id kill urself now, there far to much hassle!

[i2c]

Forgot to mention - degausing rings (A.K.A degausing coils) are used for deguassing tellies and CRT montiors, maybe even O-scopes to.

You can buy them for under £50 I think, or make them (personnally i'd make one, but im an idiot and i enjoy messing with high voltage stuff, Its safer to buy and a lot less effort)

http://images.google.co.uk/images?q=...ff&sa=N&tab=wi

i2c

[nebulus200]

Originally posted here by i2c

Past few times ive bought HDD second hand off places such as Ebay, ive found some interesting bits and pieces. - most people dont bother to erase.

Maybe you could try this? by a bunch of HDD off ebay and see whats recoverable? youd be able to get some interesting stats this way I think, personally I'd go for SCSI disks cos they tend to be a bit more "industrial" then your home computer IDE disk so you mihgt get some more interesting information - finacial, medical, etc.... this would be good for stating your case at why this is a serious issue.

[/B]

This is an excellent idea IMHO. One of the things that Rob Lee did in the SANS Forensics track (8 if I remember) was buy some harddrives off of ebay, image them, and then provide us to them as a Forensics challenge. It was really kind of scary, found out more than I wanted to about a preacher, a raytheon employee (with tons of info), and I forget off the top of my head what was on the other. But if you were to do the analysis and then discuss research ways of clearing the data and tie that into corporate/government policies for destroying data and you could have yourself a very interesting topic

On a side note, I want to second the person talking about 'dd', between it, Autopsy, TCT, Helix, and a couple of other tools, you'd be very well covered in comparison to Encase (which is not free). I would highly recommend you looking into them.