Security Basics mailing list archives

RE: Advice regarding servers and Wiping Drives after testing


From: "dave kleiman" <dave () davekleiman com>
Date: Wed, 12 Sep 2007 13:53:21 -0400

Bill,

Go to http://www.DaveKleiman.com/Files; all of my labs are available there.


How interesting you state "...and supposedly recovered a file in the lab (the
recovery process was not shown)".

To have a better perspective on all of this information, you may want to
read:

Can Intelligence Agencies Read Overwritten Data: http://tinyurl.com/8zblp 

Secure Deletion of Data from Magnetic and Solid-State Memory:
http://tinyurl.com/iqx3  (pay special attention to the "Epilogue") 

Secure File Deletion: Fact or Fiction?:  http://tinyurl.com/yuqoqj


Dave


      -----Original Message-----
      From: William Holmberg [mailto:wholmberg () amdpi com]
      Sent: Wednesday, September 12, 2007 12:19
      To: dave kleiman; security-basics () securityfocus com
      Subject: RE: Advice regarding servers and Wiping Drives after testing
      
      Dave,
      <Note: the links from your page on Infragard "Zip | PPT | Handout PDF |
      CD Active Links PDF" do not work, although Mr. Bejtlich's links do. I'd
      like to get your data for future classes.>
      
      I looked up my notes on that day, to verify my memories of the
      presentation, and to answer your question...
      
      Well, yes and no...
      The first example: the instructor clearly stated that the drive had
      been overwritten with 0's, and supposedly recovered a file in the lab
      (the recovery process was not shown), in this case a .jpg which was
      partially (3/4's) viewable. He remarked the technique would remain
      undisclosed, but that it was time intensive and expensive, yet still
      used regularly. He did not say it wasn't ESM either, so perhaps that is
      what it was. I paraphrase him by the quote "Even when the drive has been
      overwritten with 1's and zeroes we can often get evidence with this new
      procedure". Frankly, I remember him saying it had something to do with
      magnetic signatures, differentiation and time (age) of magnetic
      signatures, if that makes sense.
      
      In the second example the drive was formatted and partitions deleted,
      and data was recovered successfully on that example, but there was a
      third demonstration where some files were overwritten with another type
      of file, and it was presented to us (understand, we were viewing the
      process remotely, and there was no way for me personally to verify
      exactly what was really occurring on the other end, but we had no
      reason to doubt the veracity of the claims) that the overwritten files
      were recovered immediately after the overwrite. I do remember that I
      had questions about that particular procedure because in that case the
      computer had not been restarted, but was still running. I had thought
      perhaps some NVRAM or swap file was involved in the recovery, but time
      did not permit us to ask all the questions I and the attendees had for
      the team presenting. The examiners referred to the user's method as a
      virtual "flashpaper" technique where a small directory was overwritten
      with other innocuous files by the suspect through a software package
      which responded to a hotkey.
      
      We were also given the impression that the third recovery technique was
      quite new, perhaps even experimental, and that the types of files
      recovered were limited by both their type as well as the types of files
      replacing/overwriting the existing files. I was told it had something
      to do with the way the files were altered which allowed restructuring
      of what had changed, but there were no technical specifics given.
      
      I'm sorry I don't have more on it. If we are successful in getting more
      funding for the DOJ classes I will press the issue in the next semester
      with others involved to see if I can get some more specific info on
      those aspects.
      
      Specifically though, you are correct that in the formatted example, the
      drive had not been "shredded" and completely overwritten with a program
      intended to subvert any recovery, although the examiner did allude to
      it being "extremely more difficult" once that was done, though the
      implication was that it was not impossible. He also did show how to
      tell that certain programs had been used (on another drive) to totally
      remove potential evidence, which was also interesting, and sounds like
      it is similar to what your class accomplished in San Diego.
      
      So, specifically, Ansgar is likely quite correct that in a case where
      the drive has been shredded by overwriting in that manner no data can
      be recovered easily, but we were given the impression that it had just
      been done, though it was possible that was a limited ESM method.
      
      I do not claim personal expertise in this area, as I mentioned, but I
      do believe that most people in the class came away with the impression
      that it could be done, but there was mention of a cost to benefit
      ratio, and even admissibility of the evidence. For instance, if the
      drive was purchased as a refurbished drive from any vendor, it is
      likely the agencies would rarely try to ESM for evidence because no
      matter how successful they may be, a shrewd lawyer could quite easily
      get a jury to have reasonable doubts about where the data recovered
      actually came from.
      
      I will ask our director to reschedule this presentation again and be
      sure to ask some more pertinent questions next time to see where
      exactly the parameters of the presentation begin and end. If there are
      other definitive articles, etc. you all know of, please let me know as
      I would love to expand on this topic in the classes. Perhaps we could
      even set up a remote presentation with some of you, though I warn you
      the class pays poorly!
      :0)
      All the best,
      Bill
      
      -----Original Message-----
      From: dave kleiman [mailto:dave () davekleiman com]
      Sent: Wednesday, September 12, 2007 9:08 AM
      To: security-basics () securityfocus com
      Subject: RE: Advice regarding servers and Wiping Drives after testing
      
      Bill,
      
      I think you are mistaken.  I attend and teach labs at most of the
      forensic events yearlong including the FBI InfraGard National
      Conference ( http://tinyurl.com/24vuj8 ).  As a matter of fact, last
      month at the HTCIA International conference in San Diego, part of my
      class demonstrated how to identify the traces of different types of
      erasure programs. These were single random and/or zero passes.
      You can download it here:  http://tinyurl.com/35mbc9 .  I have NEVER
      seen or heard of a demonstration or tool, outside of an ESM Electron
      Scanning Microscope, that would recover the data after being "wiped".
      Perhaps you are thinking of after deleting partitions and/or
      formatting several passes??
      
      Dave
      Respectfully,
      
      Dave Kleiman - http://www.davekleiman.com
      4371 Northlake Blvd
      Suite 314
      Palm Beach Gardens, FL 33410
      561.310.8801
            -----Original Message-----
            From: listbounce () securityfocus com
            [mailto:listbounce () securityfocus com] On Behalf Of William Holmberg
            Sent: Tuesday, September 11, 2007 17:36
            To: Ansgar -59cobalt- Wiechers; security-basics () securityfocus com
            Subject: RE: Advice regarding servers and Wiping Drives after testing

            -----Original Message-----
            From: listbounce () securityfocus com
            [mailto:listbounce () securityfocus com] On Behalf Of Ansgar -59cobalt- Wiechers
            Sent: Tuesday, September 04, 2007 1:03 PM
            To: security-basics () securityfocus com
            Subject: Re: Advice regarding servers and Wiping Drives after testing
      
            On 2007-09-01 gjgowey () tmo blackberry net wrote:
            > A single pass with all zeros really won't protect your data from
            > being recovered by more advanced data recovery software let alone
            > hardware.

            I'd like to see a single case where someone was able to recover
            data from an overwritten harddisk, even after a single pass with
            zeroes.
      
            *********************
            Hi,
            No doubt you are an intelligent and well educated person in these
            fields, and probably have many areas of expertise more proficient
            than mine. I do have to state however, and nearly any Infragard
            member can tell you, the FBI uses tools that accomplish this on a
            regular basis. I have no doubt other agencies do as well. We have
            had demonstrations of it remotely in a class I help instruct, SAFE
            computing for Law Enforcement and Non-Profits (SAFE is Security
            And Forensic Education) at Metro State University of Minnesota,
            MCTC campus.

            My .02...
            -Bill
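Two points in the thread above turn on the same practical check: Dave's remark that the traces of single random or zero passes can be identified after the fact, and Ansgar's challenge about a single zero pass. The defender's version of that check is to read the medium back after a wipe and confirm that no structured content survives. The script below is an added example written for this archive page; it is not code from any poster and not Dave Kleiman's lab material. It walks a disk image in 512-byte sectors (an assumed sector size) and labels each one as all-zero, all-0xFF, a fixed byte pattern, random-looking (Shannon entropy at or above an assumed cut-off of 6.5 bits per byte), or residual data that the wipe missed, then reports the LBAs of the residual sectors. The ten-sector image it runs on is constructed inline and models a wipe that stopped two sectors short.

```python
"""Post-wipe verification: survey a disk image sector by sector.

Added example (not from the thread or from Dave Kleiman's lab material).
Assumptions: 512-byte sectors and a 6.5 bits/byte entropy floor for
"random-looking" data; both are constructed choices, not standards.
"""
import io
import math
import random
import sys
from collections import Counter

SECTOR = 512                 # assumed sector size
RANDOM_ENTROPY_FLOOR = 6.5   # assumed cut-off; 512 random bytes score ~7.4


def sector_entropy(data: bytes) -> float:
    """Shannon entropy of the bytes in `data`, in bits per byte."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_sector(sector: bytes) -> str:
    """Label one sector by the fill pattern an erasure tool would leave behind.

    zero     - all 0x00 (single zero pass)
    ones     - all 0xFF (single ones pass)
    fixed    - any other single repeated byte (fixed-pattern pass)
    random   - high entropy, consistent with a random pass
    residual - structured content still present: the wipe missed it
    """
    distinct = set(sector)
    if distinct == {0x00}:
        return "zero"
    if distinct == {0xFF}:
        return "ones"
    if len(distinct) == 1:
        return "fixed"
    if sector_entropy(sector) >= RANDOM_ENTROPY_FLOOR:
        return "random"
    return "residual"


def survey_image(stream, sector_size: int = SECTOR) -> dict:
    """Read `stream` in sector-sized chunks and tally the classes.

    Returns the sector count, per-class counts, and the LBAs of every
    sector that still holds residual data, so they can be re-examined.
    """
    counts = Counter()
    residual_lbas = []
    lba = 0
    while True:
        chunk = stream.read(sector_size)
        if not chunk:
            break
        kind = classify_sector(chunk)
        counts[kind] += 1
        if kind == "residual":
            residual_lbas.append(lba)
        lba += 1
    return {"sectors": lba, "counts": dict(counts), "residual_lbas": residual_lbas}


def survey_bytes(image: bytes, sector_size: int = SECTOR) -> dict:
    """Convenience wrapper for an in-memory image."""
    return survey_image(io.BytesIO(image), sector_size)


def wipe_verified(report: dict) -> bool:
    """A wipe passes only when no sector is classified as residual."""
    return report["counts"].get("residual", 0) == 0


def build_sample_image() -> bytes:
    """Constructed 10-sector image: a wipe that stopped two sectors short."""
    rng = random.Random(2007)              # seeded so the example is repeatable
    text = (b"Q3 figures, do not distribute. " * 32)[:SECTOR]
    return b"".join([
        bytes(SECTOR) * 4,                 # LBA 0-3: zero pass
        b"\xff" * SECTOR * 2,              # LBA 4-5: ones pass
        rng.randbytes(SECTOR),             # LBA 6: random pass
        rng.randbytes(SECTOR),             # LBA 7: random pass
        text,                              # LBA 8: untouched user data
        bytes(SECTOR // 2) + text[:SECTOR // 2],  # LBA 9: half-overwritten
    ])


if __name__ == "__main__":
    # Usage: python verify_wipe.py [image-file]; without a path, use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report = survey_image(fh)
    else:
        report = survey_bytes(build_sample_image())
    print(report["counts"])
    print("wipe verified:", wipe_verified(report),
          "residual LBAs:", report["residual_lbas"][:20])
```

Run against a raw image (or a block device opened read-only) the survey tells you which pass pattern the drive carries and, more importantly, whether any sector escaped it; on the constructed sample it flags LBAs 8 and 9, which is exactly the kind of partial overwrite that leaves recoverable content regardless of what any microscope can or cannot do. The entropy floor separates a random pass from leftover file data, but it is a heuristic: compressed or encrypted user data also scores high, so a "random" verdict on a drive that was supposed to get a zero pass is itself worth a second look.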
