Computer Forensics: Examining a Wiped Drive with EnCase

What happens when a drive is wiped? Can the data be recovered? What can computer forensics find? This short video looks at a wiped hard drive with EnCase.


13 Responses to “Computer Forensics: Examining a Wiped Drive with EnCase”

  1. Great video, thanks!

    I plan on using DBAN to wipe my hard drive before using the recovery disks to reinstall the operating system. I’m doing this to give my brother a working computer, while preventing his buddies from getting hold of any of my sensitive data.

    Would you recommend this method, or do you know of a better way?

    Thanks again for your video and any advice you can give!

  2. NiGhtMarEs0nWax on May 28th, 2010 at 1:59 am

    Thanks, I thought as much when it came to recovering securely erased data.

    I'll have to give the manual a proper read because I was opening the documents themselves instead of the sector/cluster they were contained in, so I was only seeing the hex for that document.

    Thanks, I'll do a bit of reading and I'll check out your site later.

  3. NiGhtMarEs0nWax on May 28th, 2010 at 2:19 am

    Thanks, I thought as much when it came to recovering securely erased data.

    I never really got to grips with WinHex, I only gave it a quick test run. I was opening files directly instead of the sectors/clusters that contained them, so I was only seeing the hex for those particular documents. I’ll do a bit of reading on it. Cheers mate, I'll check out your site later :)

  4. whereisyourdata on May 28th, 2010 at 2:49 am

    WinHex can certainly see file slack. Remember, file slack is just data/hex we define as slack; it's just hex on a hard drive. If your editor can see the drive, it can see the file and the slack.

  5. whereisyourdata on May 28th, 2010 at 3:04 am

    There is a common myth that you can undo a complete wipe – this is simply not true. I have covered this on my site, and SANS have a very good article showing that technically, it's just not possible.

  6. NiGhtMarEs0nWax on May 28th, 2010 at 3:35 am

    Oh, and do you know any alternatives to EnCase that can analyze and possibly even edit file slack? I tried WinHex but it doesn't seem to recognise file slack.

  7. NiGhtMarEs0nWax on May 28th, 2010 at 4:00 am

    Right, thanks, so what you’re saying is it should cover the entire platter(s)?

    Just out of curiosity, I heard that this process can be reversed, is that true? It seems like a silly question considering the data written over the top is random.

  8. whereisyourdata on May 28th, 2010 at 4:48 am

    You just need to conduct one wipe of the entire physical hard drive, i.e. from the very beginning to the very end. Issues like the MFT are not relevant, because if the drive is wiped it's wiped, regardless of file system, e.g. NTFS, FAT, etc.

  9. NiGhtMarEs0nWax on May 28th, 2010 at 5:14 am

    Hey, I have a quick question about securely erasing a hard drive. I will be selling my hard drive at one point and I want to make sure that all sensitive data is destroyed, so I will be doing a secure disc erase where all data is overwritten a few times with random data. Will this also include the MFT and essentially secure delete 100% of the data on my drive? Or is there something I will be missing? Overwriting the data X amount of times is unrecoverable, right?

  10. whereisyourdata on May 28th, 2010 at 6:08 am

    If a file exists in location X and you then overwrite data at X it is destroyed. Overwriting data at X over and over again makes no difference (despite the hype). However, if you have pointers, links or references to the file, e.g. the recent documents in Windows, those are not deleted as they are not at X; they are in a different file, in a different location, and Windows stores links in numerous locations. For this reason it's very hard to remove all evidence of a file without wiping the drive.

  11. spinetinglydingly on May 28th, 2010 at 6:22 am

    Would multiple Shred Free Disk Space sessions eventually destroy those fragments, pointers and registry entries?

    If no, are there ways to destroy those fragments, pointers and registry entries manually or with another free program online?

    Thank you for answering my questions.

  12. whereisyourdata on May 28th, 2010 at 7:13 am

    Wiping a file with a file shredder or the like will destroy that file, but only the contents of that file in that location. Opening and closing a file creates pointers to the file, registry entries, and copies of the content are stored on the hard drive elsewhere (only for temporary purposes but fragments can still be recovered). These fragments, pointers and registry entries may not be wiped, and therefore evidence you had that file, and “possibly” some of the contents, can still be recovered.

  13. spinetinglydingly on May 28th, 2010 at 7:20 am

    I used program File Shredder for the first time last week. Before that I would just use Recycle Bin to get rid of unwanted files / programs.

    I used option Shred Free Disk Space and use File Shredder directly to destroy all unwanted files / programs from now on. Does that mean everything that has ever been deleted from my computer is now unrecoverable?

    Or do I literally have to have the entire hard drive wiped clean (baby out with the bathwater option) for that to happen?
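
The distinction drawn in comments 10 and 12 above (overwriting a file at location X versus wiping the whole drive), as an added example that is not part of the original post or its comments. The 16-sector image, the sample content, the file name `budget.xls` and all function names are constructed for illustration.

```python
SECTOR = 512

def build_image():
    """Constructed 16-sector 'disk': a file at location X plus traces elsewhere."""
    img = bytearray(SECTOR * 16)
    secret = b"ACCOUNT=12345678;PIN=0000"            # constructed sample content
    img[SECTOR * 4:SECTOR * 4 + len(secret)] = secret    # the file itself, at X
    img[SECTOR * 9:SECTOR * 9 + 12] = secret[:12]        # temporary-copy fragment
    link = "budget.xls".encode("utf-16-le")          # recent-documents style reference
    img[SECTOR * 13:SECTOR * 13 + len(link)] = link
    return img, secret, link

def overwrite(img, offset, length, pattern=b"\x00"):
    """One overwrite pass over [offset, offset + length)."""
    img[offset:offset + length] = pattern * length

def find_all(img, needle):
    """Sector numbers in which needle still occurs."""
    hits, pos = [], img.find(needle)
    while pos != -1:
        hits.append(pos // SECTOR)
        pos = img.find(needle, pos + 1)
    return hits

def nonzero_sectors(img):
    """Verification pass: sectors that still hold anything but the wipe pattern."""
    count = len(img) // SECTOR
    return [i for i in range(count) if any(img[i * SECTOR:(i + 1) * SECTOR])]

def demo():
    img, secret, link = build_image()
    overwrite(img, SECTOR * 4, SECTOR)        # file-level shred: location X only
    after_shred = {
        "full_content": find_all(img, secret),
        "fragment": find_all(img, secret[:12]),
        "reference": find_all(img, link),
    }
    overwrite(img, 0, len(img))               # whole drive, first sector to last
    return after_shred, nonzero_sectors(img)

if __name__ == "__main__":
    shred, wipe = demo()
    print("after file shred:", shred)
    print("non-zero sectors after full wipe:", wipe)
```

The same `nonzero_sectors` pass, pointed at a raw image of a real drive read in chunks, is how a wipe is checked after the fact: any sector it reports was not covered.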
