Jump to content











Photo

Rewrite free disk space to avoid file recovery


  • Please log in to reply
31 replies to this topic

#26 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 18 February 2015 - 04:21 PM

Actually, you can specify a pass with nothing but zeros using the tool I mentioned.

 

However, I will likely repeat myself in saying that exists at least one reason not to adopt a single pass with zeros.

 

If you are trying to make the other partie's life as difficult as possible, I would like to see many random characters added. In fact, I would welcome that one of these tools would throw a few fake file headers in the process, just to make the resulting disk so garbled that causes the forensic efforts some frustrating hours. It is no personal attack against forensic professionals, I'm just safekeeping my data and adding some traps for the preying eyes.

 

:)



#27 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 18 February 2015 - 05:26 PM

Actually, you can specify a pass with nothing but zeros using the tool I mentioned.

Sure :), and that is the ONLY option *needed*.
 

However, I will likely repeat myself in saying that exists at least one reason not to adopt a single pass with zeros.
 
If you are trying to make the other partie's life as difficult as possible, I would like to see many random characters added. In fact, I would welcome that one of these tools would throw a few fake file headers in the process, just to make the resulting disk so garbled that causes the forensic efforts some frustrating hours. It is no personal attack against forensic professionals, I'm just safekeeping my data and adding some traps for the preying eyes.
 
:)

But then it would make much more sense to make a single pass with zeroes (or ones, or two's, should you like them better ;)) and then fill the disk with lolcats and random internet found documents, and then corrupt each and every header (but not too much).
If you use a "pre-set" the good forensic professionals will be able to recognize the "pattern" and your evil plan would be soon vanified...

I will also repeat myself, saying how the "Heavy", "Super" or "Ultra", let alone the "Custom" which may be even worse, are provisions that dhould have a BIG WARNING telling the users how they:
1) make no sense whatever
2) put without any need an added stress on the device

:duff:
Wonko



#28 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 18 February 2015 - 09:56 PM

This kind of tool for lolcats and fake headers could be an interesting thing to write one day. Would take some practice to see how the writing patterns could be realistic enough to fool snooping eyes to interpret them as meaningful data. :lol:

 

I'll write it in Java, to ensure that the java virtual machine installation already take half the disk size. This way a good part of our mission of overwriting old data gets accomplished even before running the tool. :)



#29 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 19 February 2015 - 08:02 AM

I'll write it in Java, to ensure that the java virtual machine installation already take half the disk size. This way a good part of our mission of overwriting old data gets accomplished even before running the tool.  :)

Nice approach, you could also embed the full Cygwin package into a .net 4.0 wrapper and have it run on a Linux through Wine, so that you fill the other half of the hard disk and also some space on a second hard disk, useful as pre-scrubbing ;).

 

Coincidentally I think this is just the right moment to initiate such a project, as I believe that there is at least one Java programmer that may be soon looking around for a new job in Germany :whistling::

http://www.smh.com.a...218-13hlnd.html

http://www.smh.com.a...217-13h26r.html

:w00t: :ph34r:

 

Now, more seriously, and JFYI, some "previous" art does exist:

http://www.forensicf...wtopic/t=11023/

http://www.forensicf...wtopic/t=11126/

http://articles.fore...mage-generator/

https://github.com/hannuvisti/forge

and it does have an actual use to create "test images" for training and research.

 

The project is very nice, BTW, though it is still in an early stage. 

 

:duff:

Wonko



#30 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 19 February 2015 - 08:51 AM

Looks good that prior art. :)

 

I believe that there is at least one Java programmer that may be soon looking around for a new job in Germany

 

That guy really screwed it up. That court question was easy to answer, he should have said the timestamp information regarding each IP address captured is detailed inside the file contents, not on the overall stamp of the log file that just displays the time of the last write operation.

 

I mean, a smallish company with just two technical guys and he was never curious enough on his own to know how the log file works? I'm actually looking for a Java developer in Germany but he won't be getting an email from me. :dubbio:

 

On the up side, the defense lawyer really exploited his uncertainty. These kind of companies are really pesky and their "accuracy" is buggy. A friend of mine was hustled to pay 600 EUR due to the download of German folk songs (volkslieder) from a torrent. He doesn't even like volkslieder, let alone grab them on purpose to hear in the house.. :lol:



#31 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 19 February 2015 - 02:48 PM

I'd like to add a reference to this topic, found a nifty tool for low level formatting:

We also have developed Lowvel - a free tool to erase data irreversibly from various storage devices. Lowvel overwrites data with zeroes, i.e. performs so called zero-filling of a storage device. It should be noted that after such zeroing, neither a data recovery software nor a data recovery service can recover data off the device.

http://www.lowlevelformat.info/

http://www.lowlevelf...ro-filling.aspx

 

These ones seem to know what they are doing and are probably qualified for a Wonko stamp of approval award because I don't find any of my beloved-rainbow-pattern-filling-options, just dull zero's on the whole disk.

 

Was taking a look and the company behind the tooling seems to be doing some really good quality work on data recovery, perhaps not getting enough attention when compared to some other providers: http://www.reclaime....s-recovery.aspx

 

:)



#32 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 19 February 2015 - 03:26 PM

Naah.

Meaning that though these guys are seemingly very good :), by contributing to NOT spread the myths, and in that respecting the ninth commandment
http://en.wikipedia....Computer_Ethics
unlike the previous good guys referenced earlier,  they do IMHO exceed in oversimplifying the matter and they are seemingly more oriented towards zero filling (for performance purposes) SSD's than anything else.

 

Specifically, that tool is "as" nifty "as" any other among the tens similar available tools only it is 800 Kb where most dd-like tools are smaller, like (say) pldd:

http://reboot.pro/to...uest-for-ddexe/

(which includes a /dev/zero like device).

AFAICR however some of their tools aimed to RAID recovery aren't at all shabby :thumbup:

The topic has been beaten to death, once it is agreed that writing zeroes is all that is needed, doing it NATIVELY will always be faster than through any software writes:
http://reboot.pro/to...-use-in-win7pe/
http://reboot.pro/to...in7pe/?p=153778

 

which means translated *anything* that can initiate an ATA Safe Erase will do, and do it faster:

http://reboot.pro/to...e-from-windows/

 

:duff:

Wonko






2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users