removing last access, last change data

General discussion about data forensics.

Postby palancar » Mon Dec 12, 2011 10:21 pm

I am very fond of your program. I have been reading and using several of your releases. This question is likely to be slightly outside of the "eraser arena" but its so closely related it might be nice to incorporate it. I use forensic software to examine how thoroughly Eraser does its job. Even something generic like Recuva reports great things after I finish using the latest eraser release!!

Being a security/privacy fanatic I have been trying to determine if it's possible for eraser, or any other product you are aware of, to change or wipe out the last access times (metadata in general) for the fat32 filesystem on removable media.

Let me give an example for where this would be practical in my world. I insert a USB with a Truecrypt virtual volume and open that volume. I only work inside the encrypted volume via the TC control panel. However, the flash itself is a fat32 filesystem based drive, which holds the volume I am using. My dilemma is that I don't know how to verify/observe what traces of usage are being left outside of the volume on the flash drive. For this example nothing is touched or accessed on the fat32 filesystem except for any "silent marks" being placed there by my OS as the drive is inserted and removed when I am finished using it.

Although unrelated, I don't want to device-encrypt my flash, as I do use the space outside of the volume on occasion.

I love the wipe free space features of eraser but I know they don't really address the question this post asks. I have been reading my a@@ off here and elsewhere. I know fat32 doesn't technically journal, but it does store times and such, hence the question this thread asks.

Any light on this? Would eraser be able to handle this if it were tweaked a bit? Just curious how eraser and/or I can get my concerns addressed.

Thanks
palancar
 
Posts: 14
Joined: Mon Dec 12, 2011 9:49 pm

Re: removing last access, last change data

Postby Joel » Tue Dec 13, 2011 3:16 am

palancar wrote: I am very fond of your program. I have been reading and using several of your releases. This question is likely to be slightly outside of the "eraser arena" but its so closely related it might be nice to incorporate it. I use forensic software to examine how thoroughly Eraser does its job. Even something generic like Recuva reports great things after I finish using the latest eraser release!!
Thank you for verifying the effectiveness of Eraser.

palancar wrote: Being a security/privacy fanatic I have been trying to determine if it's possible for eraser, or any other product you are aware of, to change or wipe out the last access times (metadata in general) for the fat32 filesystem on removable media.
As a general rule, all file times are erased together with the file. In the specific case of FAT32, the directory entries containing old entries are also erased and compacted as part of the free space erase process.

palancar wrote: Let me give an example for where this would be practical in my world. I insert a USB with a Truecrypt virtual volume and open that volume. I only work inside the encrypted volume via the TC control panel. However, the flash itself is a fat32 filesystem based drive, which holds the volume I am using. My dilemma is that I don't know how to verify/observe what traces of usage are being left outside of the volume on the flash drive. For this example nothing is touched or accessed on the fat32 filesystem except for any "silent marks" being placed there by my OS as the drive is inserted and removed when I am finished using it.
Just do an unused space erase, it should work for you.

palancar wrote: Any light on this? Would eraser be able to handle this if it were tweaked a bit? Just curious how eraser and/or I can get my concerns addressed.
I think Eraser already addresses this, in my opinion.
Be sure to read the FAQ before posting. If you found this application useful, please contribute to Eraser's development.

I develop Eraser but I am not an employee of Heidi Computers Ltd. My views do not represent those of Heidi Computers Ltd.
Don't PM or Email me questions: they won't be answered any faster than on the forum and knowledge won't be accessible by all.
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: removing last access, last change data

Postby Joel » Tue Dec 13, 2011 3:17 am

I'm assuming you delete/erase the temp files outside the encrypted container when you're done, otherwise the Free Space erase will leave the metadata alone.
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: removing last access, last change data

Postby palancar » Tue Dec 13, 2011 10:56 pm

Joel I can't see any temp files on the USB drive outside of the encrypted and dismounted volume. The flash I am experimenting with for this thread is a 4G with only 40 meg of free space. The majority of the drive space is being used by the TC encrypted volume. The flash contains three directories/folders. Those are the volume itself, the TC traveler mode folder, and the third is the backup volume header (128k) in case the one on the volume gets damaged. I have made sure that the folder view options show all hidden files while in explorer, but I see no "hidden files" and certainly no temp files when the volume is dismounted.

What I am attempting to verify is how I could use a program to leave forensic analysis useless regarding the last time this usb flash was used. I am ONLY concerned about outside of the encrypted volume and not at all about tracks on the machine being used. My USB's are mobile and it is very unlikely that the machine being used and USB would be together in my area of concern.

When I erase/wipe free space with eraser and then use Recuva I notice that the erased dates for last modified show as unknown and that is nice!! Is there any way to do that with the metadata on fat32?

I would even consider using a pre-boot RAM approach like TRK or similar if there is a file/script to destroy fat32 metadata on a USB, and of course still leave the flash being useable.

What simple forensic tools are available for the purpose of examining the fat32 metadata on a USB filesystem? I have access to an older Encase (version 4ish) so I may give that a go.

Thanks for giving me some advice. I love the eraser product and I trust what it does.
palancar
 
Posts: 14
Joined: Mon Dec 12, 2011 9:49 pm

Re: removing last access, last change data

Postby Joel » Wed Dec 14, 2011 8:08 am

In the case of FAT Eraser takes things one step further, while in NTFS the file names are garbled and times are reset to zero, in FAT, the directory entries themselves are wiped. In other words, analysing with Recuva will show results as if no file has been there before.
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: removing last access, last change data

Postby mastermind » Tue Feb 05, 2013 11:05 am

While working with Eraser 6.0.10, I found a pattern 0x21 00 21 00 00 00 00 00 21 00 00 00 00 00 00 00 in the directory entry of the deleted file. This is for a FAT file system on a pendrive <=128 MB.

For a forensic investigator, this pattern will clearly indicate that the Eraser tool was used.

Is there a way to avoid this?
mastermind
 
Posts: 1
Joined: Tue Feb 05, 2013 10:53 am

Re: removing last access, last change data

Postby garrett01 » Thu Feb 14, 2013 6:47 pm

Can you retest with this version: http://eraser.heidi.ie/download.php?id=278

I think the marker you refer to might be the FAT delete marker. I'll check this over the weekend.
garrett01
 
Posts: 977
Joined: Tue Dec 31, 2002 4:06 pm
Location: Ireland

Re: removing last access, last change data

Postby Joel » Tue May 07, 2013 11:51 pm

AFAIK, no, short of rewriting all the directory structures.

I think Garrett is right (though I can't remember specifics) but I do recall there was some marker indicating that a FAT entry is deleted. I'm not sure if it's 0x21, but it could well be. At the same time, I don't recall leaving it as 0x21, it should be all zeroed. I'll check.
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: removing last access, last change data

Postby Joel » Wed May 08, 2013 12:34 am

I've looked at the 6.2 FAT erasure code and I don't see the constant 0x21 being used. Which version did you try this out on?
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore
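palancar asked above what simple tools show the fat32 metadata on a stick, Joel explained that on FAT the directory entries themselves are wiped rather than having names garbled and times zeroed as on NTFS, and mastermind later reported a 16-byte pattern left in a deleted entry. The script below is an added example for this thread; it is not Eraser's code and was not supplied by any poster. It parses the FAT32 boot sector, follows the root directory's cluster chain and lists every 32-byte entry, deleted ones included (the FAT specification marks a deleted entry with 0xE5 in the first name byte), and it keeps scanning past all-zero slots that a normal driver would treat as the end of the directory, so a slot that has been zeroed simply shows up as absent while an ordinarily deleted file still exposes its timestamps, first cluster and size. Assumptions: the input is a raw FAT32 volume image whose first FAT is intact, and the sample image is constructed in build_sample_image() with made-up names and dates. One decoding fact for anyone checking the 0x21 question: the 16-bit word 0x0021 read as a FAT date is 1980-01-01, the earliest date the format can store, and read as a FAT time is 00:01:02. The thread does not say at which offsets of the 32-byte entry the posted bytes sit, so the script makes no claim about what they are.

```python
"""Dump every 32-byte entry of a FAT32 root directory, deleted slots included,
with timestamps decoded. Added example for this thread, not Eraser's code.
Run on a raw image (a dd copy of the stick) or on the constructed sample below."""
import struct
import sys
from collections import namedtuple
from datetime import date, datetime, time
from typing import Iterator, List, Optional

ENTRY_SIZE = 32
DELETED_MARK = 0xE5   # FAT spec: first name byte of a deleted entry
ATTR_LFN = 0x0F       # long-file-name slot; carries no timestamps
# bytes/sector, sectors/cluster, reserved sectors, FAT count, sectors/FAT, root cluster
Geometry = namedtuple("Geometry", "bps spc reserved fats spf root")
# accessed is a date only: FAT keeps no time of day for last access
DirEntry = namedtuple("DirEntry", "name deleted created accessed written first_cluster size")

def fat_date(v: int) -> Optional[date]:
    """16-bit FAT date: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    try:
        return date(1980 + (v >> 9), (v >> 5) & 0xF, v & 0x1F)
    except ValueError:            # 0x0000 and other unrepresentable values
        return None

def fat_time(v: int) -> Optional[time]:
    """16-bit FAT time: bits 15-11 hour, 10-5 minute, 4-0 two-second units."""
    try:
        return time(v >> 11, (v >> 5) & 0x3F, (v & 0x1F) * 2)
    except ValueError:
        return None

def fat_datetime(d: int, t: int) -> Optional[datetime]:
    dd, tt = fat_date(d), fat_time(t)
    return datetime.combine(dd, tt) if dd is not None and tt is not None else None

def parse_entry(raw: bytes) -> Optional[DirEntry]:
    """One 8.3 entry; None for all-zero (unused or wiped) and LFN slots."""
    if raw == bytes(ENTRY_SIZE) or raw[11] == ATTR_LFN:
        return None
    ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack_from("<7HI", raw, 14)
    deleted = raw[0] == DELETED_MARK                     # first name byte is lost on delete
    base = ((b"?" if deleted else raw[:1]) + raw[1:8]).decode("latin-1").rstrip()
    ext = raw[8:11].decode("latin-1").rstrip()
    return DirEntry(base + ("." + ext if ext else ""), deleted, fat_datetime(cdate, ctime),
                    fat_date(adate), fat_datetime(wdate, wtime), (hi << 16) | lo, size)

def read_geometry(img: bytes) -> Geometry:
    bps, spc, reserved, fats = struct.unpack_from("<HBHB", img, 11)
    spf, = struct.unpack_from("<I", img, 36)             # FAT32-only field
    root, = struct.unpack_from("<I", img, 44)
    return Geometry(bps, spc, reserved, fats, spf, root)

def cluster_offset(g: Geometry, n: int) -> int:
    return (g.reserved + g.fats * g.spf + (n - 2) * g.spc) * g.bps

def cluster_chain(img: bytes, g: Geometry, start: int) -> Iterator[int]:
    """Follow the first FAT until an end-of-chain or bad-cluster mark."""
    n = start
    while 2 <= n < 0x0FFFFFF7:
        yield n
        n = struct.unpack_from("<I", img, g.reserved * g.bps + 4 * n)[0] & 0x0FFFFFFF

def dump_directory(img: bytes, g: Geometry, cluster: int) -> List[DirEntry]:
    """A filesystem driver stops at the first 0x00 entry; this scans the whole
    chain so entries left behind past an end marker are still reported."""
    out = []
    for c in cluster_chain(img, g, cluster):
        off = cluster_offset(g, c)
        for i in range(off, off + g.spc * g.bps, ENTRY_SIZE):
            e = parse_entry(img[i:i + ENTRY_SIZE])
            if e is not None:
                out.append(e)
    return out

def build_sample_image() -> bytes:
    """Constructed 5-sector FAT32 image (sample data, not from a real drive):
    boot sector, one FAT sector, clusters 2-4. The root directory (cluster 2)
    holds a live file, a wiped all-zero slot and a deleted entry (first byte 0xE5)."""
    boot = bytearray(512)
    struct.pack_into("<HBHB", boot, 11, 512, 1, 1, 1)    # bps, spc, reserved, FAT count
    struct.pack_into("<I", boot, 36, 1)                  # sectors per FAT
    struct.pack_into("<I", boot, 44, 2)                  # root directory cluster
    boot[510:] = b"\x55\xAA"
    fat = bytearray(512)                                 # media, reserved, root EOC, file EOC
    struct.pack_into("<4I", fat, 0, 0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF, 0x0FFFFFFF)

    def entry(name83: bytes, cluster: int, size: int) -> bytes:
        # 0x3F8C = 2011-12-12, 0xB2A0 = 22:21:00, 0x3F8D = 2011-12-13 in FAT encoding
        return name83 + bytes([0x20, 0, 0]) + struct.pack(
            "<7HI", 0xB2A0, 0x3F8C, 0x3F8D, cluster >> 16, 0xB2A0, 0x3F8C, cluster & 0xFFFF, size)
    root = entry(b"VOLUME  TC ", 3, 4096) + bytes(ENTRY_SIZE) + entry(b"\xE5OTES   TXT", 4, 1200)
    return bytes(boot + fat) + root.ljust(512, b"\x00") + bytes(1024)

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    geo = read_geometry(image)
    for e in dump_directory(image, geo, geo.root):
        print(f"{'DELETED' if e.deleted else 'live   '} {e.name:<13} created={e.created} "
              f"accessed={e.accessed} written={e.written} cluster={e.first_cluster} size={e.size}")
```

Run it with the path of a dd image of the stick as the first argument, or with no argument to walk the constructed sample. Only the root directory is walked; a subdirectory is listed the same way by calling dump_directory on its first cluster. A fresh format plus a free-space erase should leave nothing but live entries and all-zero slots; any 0xE5 entry that survives, or any non-zero bytes in a slot that should be empty, is exactly the kind of residue a forensic examiner would look at.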

Re: removing last access, last change data

Postby bountyhunter » Sun Jun 02, 2013 3:48 pm

Joel wrote: I've looked at the 6.2 FAT erasure code and I don't see the constant 0x21 being used. Which version did you try this out on?

Hi and sorry to butt in - was interested in your conversation.
I believe he said "while working with Eraser 6.0.10"
Where do I get 6.2 by the way?
bountyhunter
 
Posts: 1
Joined: Sun Jun 02, 2013 3:36 pm
