Post subject: Secure harddrive wipe
PostPosted: March 4th, 2014, 2:14

Joined: March 4th, 2014, 1:48
Posts: 8
Location: somewhere out there
Hi,
Is there any possibility to wipe a hard drive without the possibility of checking that the disk was wiped?

I think that the software we can use to wipe a disk always leaves some digital signature, and in the laboratory they can check that the hard drive was cleared/wiped and what program was used.

I also think that when it detects which software was used to clean/wipe the hard drive, it's more likely to recover deleted data.

I am going to make an image of the hard drive using clonezilla (the image will contain the default factory Windows 7 installation), then I would like to use MHDD 4.6 to low-level format, and after that HDD Erase 4.0 (Secure ATA erase). After all that, I would like to restore the system from the clonezilla image.

Do you think that after such operations it will be visible that the hard drive was wiped?

Matt


Post subject: Re: Secure harddrive wipe
PostPosted: March 4th, 2014, 2:56

Joined: December 4th, 2012, 1:35
Posts: 3903
Location: Adelaide, Australia
There will be other obvious evidence of the fact that Windows was running, then there will be a big obvious interruption when the cloning is done, and then normal Windows operations will resume. IMHO it will be hard to hide that from investigators. As for telling if the drive has been "secretly" wiped and then restored to look like nothing has happened, I think that would be difficult too. Windows is changing and recording thousands of things all the time, and this is a big hurdle to camouflage. For some insight listen to an interview of Corey Harrell:
Corey has a very interesting blog and tool on volume shadow copies: http://journeyintoir.blogspot.com.au/2012/01/ripping-volume-shadow-copies.html He is interviewed on cyberspeak: http://cyberspeak.libsyn.com/cyber-speak-may-7-2012-volume-shadow-copies - very good interview.
So I think hiding the wipe itself is the least of your worries.

For some more:
http://malthus.zapto.org/viewtopic.php?f=101&t=220


Post subject: Re: Secure harddrive wipe
PostPosted: March 4th, 2014, 16:42

Joined: March 4th, 2014, 1:48
Posts: 8
Location: somewhere out there
Thank you for your response.

OK, but I can delete shadow copies by disabling this service before creating the clonezilla image.

In that case it will be impossible to check system changes (because the shadow copies will be erased by the later wiping), but for me, however, it is more important whether it will be possible to determine that the hard drive was previously wiped before the image restore.

??

Matt


Post subject: Re: Secure harddrive wipe
PostPosted: March 4th, 2014, 18:28

Joined: December 4th, 2012, 1:35
Posts: 3903
Location: Adelaide, Australia
There may be traces of this activity in the logs and other parameters in the hard disk's SA and firmware. I don't have much knowledge of specifics, but I would think that such a major event as wiping would be impossible to cover up, IF you know what to look for, and IF you actually are looking. Remember the hard disk has an operating system. Operational parameters are always changing, logs are written, and I would bet that if you analyse a normal hard disk that was used for 7 straight days, and one that was cloned, wiped and re-imaged... there would either be extra data there or holes in the data where data was obviously missing or tampered with.

mattx388 wrote:
OK, but I can delete shadow copies by disabling this service before creating the clonezilla image.

Yes you can... but you would leave obvious holes, so that someone would be alerted that you have tried to cover up something and dig deeper. Did you listen to the interview and discussion around shadow copies? Particularly about the timeline aspect, a "normal" system and a suspicious one.

I think your best chance that no-one will notice, is that probably no-one would be looking.


Post subject: Re: Secure harddrive wipe
PostPosted: March 5th, 2014, 7:52

Joined: August 26th, 2012, 19:18
Posts: 293
Location: England
Hi Matt

Quote:
Is there any possibility to wipe a hard drive without the possibility of checking that the disk was wiped?


Given that you are applying erase techniques which you have little knowledge of, and no direct control over, I'd say that was a very slim chance indeed.

Second, you have little in the way of knowing what the hard drive's own system writes where, on a disk, outside the host OS control.

Quote:
I think that the software we can use to wipe a disk always leaves some digital signature, and in the laboratory they can check that the hard drive was cleared/wiped and what program was used.

In certain cases: True

Quote:
I also think that when it detects which software was used to clean/wipe the hard drive, it's more likely to recover deleted data.

Unless the data are also stored in another unwiped section of disk, I can't see how a zero written by one program has more chance of being recovered than a zero written by another.

Quote:
would like to use MHDD 4.6 to low level format and after that HDD Erase 4.0 (Secure ATA erase) after all that


MHDD: are you aware of other utils in there for HPA and maybe DCO? These are unseen by normal OS but can be accessed by other tech tools. Without this knowledge you may be only wiping part of a drive.

HDD Erase: this only detects drives on the IDE channels. If you want to try it on SATA you may have to tinker in BIOS with compatibility mode, if your system supports it.

HDD Erase also leaves its own audit trail on LBA sector 0 of the erased drive, timestamped, and if it can, will write logs, these updated for each secure erase cycle.

If you are using a "golden image" to rewrite a drive to a known state, and as HaQue alludes, what about the disparity after time, of files that have differences in date? What about subsequent system updates, AV signatures and such?

Bad sectors may also hold clues for an examiner, as the OS is unaware of any firmware remapping process.
I.e. there may be remnants of original data at a location which has been redirected to a copy on a non-damaged section of the drive. This auto reallocation can be turned off with specialist equipment. The data need not be valid or hold good info, but it does show that the drive has had prior use there.

It's also often not about what is there, but what is expected to be seen to be there but which is missing.

gl dude.

K

_________________
When you are hungry, eat everything.
Hunger is no auntie!
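
The point made in the post above about HPA and DCO (a wipe issued through the OS may cover only part of the drive) is the basis of a routine erasure-verification check. The following is an added example, not part of the original post: it assumes a raw image covering the drive's full native range and a constructed sample of `hdparm -N` output, and its function names and sample values are hypothetical.

```python
import io
import re

SECTOR = 512  # bytes per logical sector (assumed)

# Constructed sample of `hdparm -N` output: visible/native max sectors.
SAMPLE_HDPARM = "/dev/sdX:\n max sectors   = 96/128, HPA is enabled\n"


def parse_max_sectors(text):
    """Return (visible, native) sector counts from `hdparm -N` output."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if m is None:
        raise ValueError("no 'max sectors' line found")
    return int(m.group(1)), int(m.group(2))


def residual_extents(stream, pattern=0x00, chunk_sectors=64):
    """Yield (first_lba, last_lba) runs of sectors not filled with `pattern`."""
    clean = bytes([pattern]) * SECTOR
    lba, run_start = 0, None
    while True:
        buf = stream.read(SECTOR * chunk_sectors)
        if not buf:
            break
        for off in range(0, len(buf), SECTOR):
            sector = buf[off:off + SECTOR]
            dirty = sector != clean[:len(sector)]
            if dirty and run_start is None:
                run_start = lba
            elif not dirty and run_start is not None:
                yield run_start, lba - 1
                run_start = None
            lba += 1
    if run_start is not None:
        yield run_start, lba - 1


def verify_wipe(stream, visible, native, pattern=0x00):
    """Split leftover data into OS-visible LBAs and LBAs hidden behind the HPA."""
    report = {"hpa_sectors": native - visible, "visible": [], "hidden": []}
    for first, last in residual_extents(stream, pattern):
        if first < visible:
            report["visible"].append((first, min(last, visible - 1)))
        if last >= visible:
            report["hidden"].append((max(first, visible), last))
    report["complete"] = not (report["visible"] or report["hidden"])
    return report


def build_sample_image(native=128, dirty=range(100, 104)):
    """Constructed image: zero-filled except for `dirty` sectors."""
    img = bytearray(native * SECTOR)
    for lba in dirty:
        img[lba * SECTOR:(lba + 1) * SECTOR] = b"OLDDATA!" * (SECTOR // 8)
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    visible, native = parse_max_sectors(SAMPLE_HDPARM)
    print(verify_wipe(build_sample_image(native), visible, native))
```

In the constructed sample the OS-visible range is clean while sectors 100 to 103, which lie beyond the visible maximum, still hold old data, so the wipe is reported as incomplete.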


Post subject: Re: Secure harddrive wipe
PostPosted: March 5th, 2014, 8:00

Joined: December 4th, 2012, 1:35
Posts: 3903
Location: Adelaide, Australia
I wonder what is attempting to be hidden, (fade in Mission Impossible music)

I think it was Travis Goodspeed that had some research about an HDD detecting when it was being violated. Maybe have a look at what he was saying. IIRC it was that certain tools and OSes access an HDD a certain way, and you can twiddle a firmware to detect that and react differently. For example if a Windows OS is booting from a drive, I think it reads the same thing 9 times, as it has to build the directory tree after discovering what it is.

Also look at stuff by, dammit, memory blank... The Sprite, or spritesmod, or it could be Felix Domke... anyway all that research is great


Post subject: Re: Secure harddrive wipe
PostPosted: March 5th, 2014, 13:06

Joined: March 4th, 2014, 1:48
Posts: 8
Location: somewhere out there
Thx for reply.

What do you think about:

BCWipePD utility
HDAT2

Can this software hide that the HDD was wiped?
How to erase the audit log written to LBA sector 0?

Matt


Post subject: Re: Secure harddrive wipe
PostPosted: March 5th, 2014, 14:45

Joined: August 26th, 2012, 19:18
Posts: 293
Location: England
Matt,

Quote:
What do you think about BCWipePD utility, HDAT2

Yeh, both good programs if used correctly.

Quote:
Can this software hide that the HDD was wiped?

No idea, same reasons as above. You don't have any guarantee that they will cover all your bases.
You could give them a try and turn the drive over to an interested party to check.

Quote:
How to erase the audit log written to LBA sector 0?

I'd say nuke the entire device from orbit ... it's the only way to be sure

›(̠̄:̠̄c ›(̠̄:̠̄c (¦Ҝ (¦Ҝ ҉ - - - ¦̺͆¦ ▪▌

K

Post subject: Re: Secure harddrive wipe
PostPosted: March 6th, 2014, 5:53

Joined: March 4th, 2014, 1:48
Posts: 8
Location: somewhere out there
Quote:
MHDD: are you aware of other utils in there for HPA and maybe DCO? These are unseen by normal OS but can be accessed by other tech tools. Without this knowledge you may be only wiping part of a drive.


Yes, I am aware that there are places like HPA or DCO, but the question is how to delete data from these places so that you could not see that the drive has been wiped. Do you have any ideas?



Post subject: Re: Secure harddrive wipe
PostPosted: March 6th, 2014, 7:55

Joined: December 4th, 2012, 1:35
Posts: 3903
Location: Adelaide, Australia
I don't understand the process of

taking an image
wiping the drive so it is unknown it is wiped,
then re-imaging with the image that was previously taken.

unless you are going to edit the image, or use the PC hardware in the "gap time" in secret, or want to destroy deleted data I don't see what this is going to achieve. Not saying there is no good reason, there usually is..

BTW even if the NSA or whoever weren't going to think to look that deep, they are now ;)


Post subject: Re: Secure harddrive wipe
PostPosted: March 6th, 2014, 8:16

Joined: March 4th, 2014, 1:48
Posts: 8
Location: somewhere out there
I would like to prevent recovery of deleted files. Clonezilla creates a disk image that contains only existing files. Simultaneously, I would like to be sure that it is not possible to determine that the hard drive was safely erased.


Post subject: Re: Secure harddrive wipe
PostPosted: March 6th, 2014, 16:35

Joined: March 4th, 2014, 1:48
Posts: 8
Location: somewhere out there
In the NSA case - I know that big brother is watching, but my questions are related only to my education, research and hobby, because I am an IT specialist and it is very interesting for me.


Post subject: Re: Secure harddrive wipe
PostPosted: March 6th, 2014, 18:54

Joined: December 4th, 2012, 1:35
Posts: 3903
Location: Adelaide, Australia
In that case, for personal research, forum posts on the subject are the very first step.
You have been given the main opinion that yes, you will be able to notice this operation IF someone is actually looking.

Next step: buy some drives, get access to tools that DR/Law Enforcement might use, find out what techniques they would be using to look, and test, on different manufacturers' drives.

IMHO there is no information in the public domain that is going to further what you have been told already.

One of your problems is that the simple operation of researching this is going to bring it to the view of others and you will have a Streisand effect.


Post subject: Re: Secure harddrive wipe
PostPosted: March 6th, 2014, 20:46

Joined: August 26th, 2012, 19:18
Posts: 293
Location: England
This scenario is far more extensive than just removing evidence of disk erasure, which is in itself likely impossible without detailed knowledge of how each erasure tool works, and how clonezilla images.

Quote:
I would like to be sure that it is not possible to determine that the hard drive was safely erased.

By whom?

That statement, to me, rings alarm bells in that it is venturing into antiforensics, i.e. "how to cover tracks".

Disk erasure is one thing, but the amount of work and technical expertise required to reset any artifacts that both the disk internals and OS have created, from SMART to shadow copies through to registry entries, is akin to trying to unscramble an egg.

Not only that, there are other indicators beyond your control such as ancillary equipment, network logs and more, that leave evidential traces.

I'm going no further as, despite the "education" statement, it looks like this is turning into an evading detection and anti-forensics thread rather than hard drive tech and could bring the forum into disrepute.

You maybe need a "734c|-| m3 |-|0\/\/ 2 b 4 l337 |-|4><0R !" forum for that, sorry.

Post subject: Re: Secure harddrive wipe
PostPosted: March 6th, 2014, 23:32

Joined: December 4th, 2012, 1:35
Posts: 3903
Location: Adelaide, Australia
Definitely sounds like a bit far to go, but then we don't know what's being hidden.

You can't teach people to be 1337, they either are, or aren't!


Post subject: Re: Secure harddrive wipe
PostPosted: March 6th, 2014, 23:37

Joined: August 26th, 2012, 19:18
Posts: 293
Location: England
HaQz0r :
i haz to be leet.
the road behind us is actually designated B-1337 on the maps =)

Post subject: Re: Secure harddrive wipe
PostPosted: March 7th, 2014, 0:20

Joined: December 4th, 2012, 1:35
Posts: 3903
Location: Adelaide, Australia
I saw a beekeeper van a while ago that had
"All your Bees are belong to us". Sig-other couldn't understand my childish giggle.


Post subject: Re: Secure harddrive wipe
PostPosted: March 7th, 2014, 6:20

Joined: December 19th, 2013, 12:19
Posts: 18
Location: Tau Ceti V
The amount of FUD in this thread is unbelievable.

Shadow copies are stored as part of the NTFS file system. If you're wiping the drive, you're wiping the shadow copies. Only on recent versions of Windows is it even enabled by default.

What on earth do you expect to glean from SMART data that the drive has been wiped? SMART monitors internal drive parameters. It isn't concerned in the slightest as to what data is stored on the drive.

This talk of the drive storing any sort of user data in the service area is also pure conjecture. The biggest concern with regards to wiping would be reallocated sectors, but even these can be overwritten by using an ATA Extended Erase.

This thread could have simply been answered by saying "If you wipe a drive, then restore a different image, obviously it is possible to detect that the drive has been modified. Is it possible to recover the original data? No."

Plus, who cares what the OP is trying to hide? Do you really think that's any of your business?


Post subject: Re: Secure harddrive wipe
PostPosted: March 7th, 2014, 10:19

Joined: March 4th, 2014, 1:48
Posts: 8
Location: somewhere out there
No, it doesn't look like it is turning into an evading detection and anti-forensics thread rather than hard drive ....
If we are not able to ask questions like that on a forum, you need to ask yourself another question: why do forums exist.....
On the other hand, why would personal / privacy data protection be a crime?
Is the protection of your home a crime?
Is knowledge acquisition a crime?

Thx for reply.

Matt


Post subject: Re: Secure harddrive wipe
PostPosted: March 7th, 2014, 14:05

Joined: August 26th, 2012, 19:18
Posts: 293
Location: England
taffer:
Quote:
I am going to make an image of the hard drive using clonezilla (the image will contain the default factory Windows 7 installation), then I would like to use MHDD 4.6 to low-level format, and after that HDD Erase 4.0 (Secure ATA erase). After all that, I would like to restore the system from the clonezilla image.

implied to me :
install W7 -> create clonezilla image -> wipe drive -> lay clonezilla image back down
As you say: evidence of drive wipe : yes
Recovery of data : yes actually as here it is the image that was taken by clonezilla prior to wipe.
No mention of deleting anything here.

This turned into
Quote:
I would like to prevent recovery of deleted files. Clonezilla creates a disk image that contains only existing files. Simultaneously, I would like to be sure that it is not possible to determine that the hard drive was safely erased.

implied to me (rightly or wrongly) that
install W7 -> use W7 -> delete files progs or w/e -> create clonezilla image (which will not copy slack space with remnants of deleted files) -> wipe drive -> lay clonezilla image back down.
This would carry over artifacts left by previous windows activity.

SMART does have an impact: http://www.meridiandiscovery.com/articl ... forensics/
as does Shadow:
http://www.forensicexplorer.com/shadow-copy.php
given that the previous FS is laid back down possibly with changes recorded.

Quote:
Plus, who cares what the OP is trying to hide? Do you really think that's any of your business?

It wasn't until he brought it here.
If it is significant enough to be taking these sorts of measures to delete data and to cover tracks does knowledge of content even matter?

Quote:
This thread could have simply been answered by saying "If you wipe a drive, then restore a different image, obviously it is possible to detect that the drive has been modified. Is it possible to recover the original data? No."

Is it possible to recover the original data? No: uuuh yes - he is laying down the image created with clonezilla - i.e. the original data minus attempted deleted data.

mattx388:
Quote:
On the other hand, why would personal / privacy data protection be a crime?

Wiping a drive, reinstating a system and altering the system to "hide" that it was wiped is going much further than the normal "I regularly delete files on the grounds of privacy"; it implies you have "something" to hide.
If the LEA even think you have tried to "pervert the course of justice", whether it is "forgetting" your encryption key, or they find inconsistencies between what they ask and what you say compared with the system, they will act.

I tend to agree though, this should have started and ended with a yes/no type of reply or maybe even been ignored as a "teach me to hack" type of question.
