
List:       security-basics
Subject:    RE: Digital Evidence Question - What is an effective Windows hard
From:       "Robinson, Sonja" <SRobinson () HIPUSA ! com>
Date:       2003-06-30 13:04:12

I agree with you 100%.  As far as I know, it would be very expensive to
recover the data.  But because I deal with PHI, I have to be 100% certain.
Since I can't know 100% of the s/w tools available I don't want to say that
no s/w can retrieve or that there isn't another way to retrieve, especially
for the normal person.  

I wouldn't be surprised if we knew a lot of the same people - it was a
pretty small field a few years ago and still is.  :)

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office:  212-806-4125
Pager: 8884238615



-----Original Message-----
From: Troy Larson [mailto:ntevidence@attbi.com] 
Sent: Friday, June 27, 2003 3:42 PM
To: Robinson, Sonja; 'NC Agent'; security-basics@securityfocus.com
Subject: RE: Digital Evidence Question - What is an effective Windows hard
-disk search tool?


Sonja,

I would be very interested (actually, surprised) if any software tool could
recover any data after only one overwrite.  It is my understanding that
software is limited to the capability of the drive--and the hard drive
itself isn't going to see data once it is overwritten.  The overwritten data
is noise to filter out to prevent data corruption.  

I am familiar with the research that you mentioned (we must run with the
same crowd).  My only point was that unless you needed to worry about
someone spending money for an expensive, hardware-based data recovery, one
pass should be sufficient.  (I don't want to do 7-31 passes on a 160GB drive
unless I really, really have to.)

Thanks for the excellent points.

Troy

> -----Original Message-----
> From: Robinson, Sonja [mailto:SRobinson@HIPUSA.com]
> Sent: Friday, June 27, 2003 6:23 AM
> To: 'Troy Larson'; 'NC Agent'; security-basics@securityfocus.com
> Subject: RE: Digital Evidence Question - What is an effective 
> Windows hard -disk search tool?
> 
> 
> According to information I received at an HTCIA meeting about
> 3 months ago, as well as some reading that I have done, 31 
> times is now what is recommended.  I can't locate my notes 
> that had the speaker's name in the piles on my desk but he 
> was from NY State Dept. of Health I believe and in charge of 
> info security.  They had performed a number of tests on a 
> number of different wiping utilities (30 or so).  They 
> specifically stated that although their tests were obviously 
> not exhaustive since there are a myriad of tools out there, 
> that s/w such as Maresware Declasfy and a few others 
> (somewhere in my notes) were the best because not only did 
> they wipe the drive completely, but it did the MBR's and even 
> did past the EOF Flag at the end of the drive.  They also 
> spoke about shredders, magnets, etc. and the pros and cons of 
> each.  It was a very good training session and brought up a
> lot of interesting points and dialog.  7x was the de facto 
> standard for DoD.  I am not sure if they have adjusted their 
> requirements. 
> 7x times was recommended to ensure that the full clusters 
> and sectors were completely overwritten.  I agree in many 
> instances 1 wipe is sufficient depending upon what data you 
> are trying to conceal, i.e. confidentiality and depending 
> upon whether you are reissuing the drive or selling/disposing 
> of it.  I also agree with you that MOST tools will not 
> recover past one wipe however, there have been arguments 
> stated in this thread that it is recoverable and 
> theoretically it IS possible although you are correct it is 
> generally more difficult. I wipe mine to the original DoD 
> specs currently, 7x.  I will be testing FTK, Encase, R-Studio 
> and some other generally available tools over the next two 
> weeks or so, as time permits.  I will be testing against a 
> regular format, gdisk, and BCWipe and perhaps some others.  I 
> will post a summary of the results when I have them.
> 
> Sonja Robinson, CISA
> Network Security Analyst
> HIP Health Plans
> Office:  212-806-4125
> Pager: 8884238615

