
Thread: Anyone think that Evidence Eliminator is not working

  1. #11
    Junior Member
    Join Date
    Sep 2005
    Posts
    1

    testing erasers

    Not many of us have a clean room complete with ££££'s of VOGON forensics kit. However basic tests on secure erasure can be easily performed with PC Inspector file recovery:

    http://www.pcinspector.de/file_recovery/UK/welcome.htm

    Personally I use Cyberscrub; it's much more professional and you can create your own algorithms. Gutmann wipe is slow but effective.
    Your Network is only as secure as the dumbest user.

  2. #12
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    I think for most people (unless you're being pursued by mysterious black helicopters) it would be sufficient to use Linux and dd if=/dev/random of=/dev/hda, a few times, maybe overwrite with zeros every other time. 5-10 times should pretty much fsck anything underneath.


    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  3. #13
    Banned
    Join Date
    Jul 2005
    Posts
    511
    And how about those flash devices? Those pen devices or Compact Flash memory cards... For EUR 100 you can already buy one with a 1 GB size. So, if you would use them to store sensitive data, then format them, are they clean enough? Or is forensics even able to read data from these devices?
    And how about rewritable CD/DVD disks? After formatting the sensitive data from those disks, is there still a way to retrieve the data again or won't even the most advanced forensics lab be able to retrieve anything from it?

    Just curious.

  4. #14
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    You can recover from flash devices from slackspace anyway. I suppose due to the nature of the technology the data will persist until it is overwritten.

    Low level formatting and rewriting should take the flash devices beyond reasonable recovery. I don't know if it's possible (even in theory) to recover overwritten data from flash.

    CD/DVD considering the cost of disks, if you want the data gone shred them physically or scratch the top surface down to the dye. I wouldn't mess about with formatting.

    I suppose it could be possible to detect subtleties in the dyes of CD/DVD after formatting. Black helicopter time there though.

  5. #15
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    A quick question (not to hijack the thread) that I thought would fit into this thread.

    You have a file server set up. The clients connect to the file server and copy a file to their machine. On the client machine, the file is saved to a temporary location and then written to disk. So, there are two places one might find a file. The temporary location (normally RAM?) and on the disk.

    Does the server put the file in a temporary location (either in RAM or a temporary folder) and then transmit it?

    I just recently picked up one of my forensics books again today doing some review. However, I never remember seeing that mentioned. I suppose it would be an easy test using filemon...
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #16
    Junior Member
    Join Date
    Feb 2006
    Posts
    12
    Use TrueCrypt with a good algorithm and a long complex password and only store your incriminating information on there.

    Now and then securely remove caches and such. I use FireFox Portable and Miranda-IM so I know where all of that is stored, the only thing left is the swap file.

    To erase a hard drive so that it is completely unrecoverable, or unrecoverable to the point that anything recovered would be inadmissible, just load your favorite Linux live and do:

    dd if=/dev/random of=/dev/hda1

    I guarantee, all of this is more than sufficient to protect yourself from an FBI/CIB investigation. As long as you don't leave any loose ends lying around. :-)
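
Added example (not part of any post in this thread): the recovery-tool test from post #11 and the dd overwrite from posts #12 and #16, reduced to a canary check. A regular file stands in for the device, and the marker string, function names and /dev/urandom source are assumptions of this example; the half-size pass shows what the check reports when an overwrite covers only part of the medium.

```shell
#!/bin/sh
# Canary-based verification of an overwrite pass.
# A temp file stands in for the device; nothing here touches a real disk.

CANARY='WIPE-TEST-CANARY-7f3a'   # constructed marker (assumption)

# make_image FILE KIB: zero-filled image with the canary planted at the
# start, at the midpoint and in the final bytes.
make_image() {
    img=$1; kib=$2
    dd if=/dev/zero of="$img" bs=1024 count="$kib" 2>/dev/null
    size=$((kib * 1024))
    for off in 0 $((size / 2)) $((size - ${#CANARY})); do
        printf '%s' "$CANARY" |
            dd of="$img" bs=1 seek="$off" conv=notrunc 2>/dev/null
    done
}

# count_canaries FILE: canary occurrences still present in the raw bytes.
count_canaries() {
    LC_ALL=C grep -a -o -F "$CANARY" "$1" | wc -l | tr -d ' '
}

# wipe_pass FILE SRC [KIB]: one in-place overwrite pass from SRC.
# Without KIB the pass covers the whole file.
wipe_pass() {
    img=$1; src=$2; kib=$3
    [ -n "$kib" ] || kib=$(( $(wc -c < "$img") / 1024 ))
    dd if="$src" of="$img" bs=1024 count="$kib" conv=notrunc 2>/dev/null
}

# wipe_demo: prints "<before> <after partial pass> <after full pass>".
wipe_demo() {
    img=$(mktemp) || return 1
    make_image "$img" 64
    before=$(count_canaries "$img")
    wipe_pass "$img" /dev/urandom 32   # covers only the first half
    partial=$(count_canaries "$img")
    wipe_pass "$img" /dev/urandom      # covers the whole image
    full=$(count_canaries "$img")
    rm -f "$img"
    echo "$before $partial $full"
}

wipe_demo
```

A non-zero count after a pass means some region was never written, which is the condition a recovery tool would then find.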

  7. #17
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    Well, since the thread is back, I guess I might as well ask: if you turn Windows page file usage to 0, will it still use page files? At all? I know that it shouldn't, but considering Windows' track record on things like that, I gotta ask.
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

  8. #18
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi dmorgan

    I don't think that you can do that, there is a "minimum allowed" value these days. It is 2Mb on this Win 2000 box.


  9. #19
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    BC Wipe will wipe file slacks, and it also can encrypt your swap file.

    Maybe he was running an older version of EE and it missed some of the cache? Maybe he p.o.'ed someone and got set up? Maybe his computer was "0wn3d"? There was a case in KY a couple of years back where the guy used that defense. He claimed his computer was hacked and used as a server. I've seen similar cracks firsthand.

    No telling from the article what really happened but Katja's right: pretty dumb doing that at work.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
