An Interesting Challenge.


Active Member

It will be interesting to see the conclusion to this. :)

If proved correct, this will save hard drives from unnecessary wear and Eraser users a lot of time !!

A single pseudorandom pass has been my favourite method for some years now. I suspect it will stay that way ! :D
Overwriter said:
From a site you mentioned on another thread.

I also mentioned the work in this thread ;)

Overwriter said:
Craig Wright seems to know what he is doing and I don’t think I need to disagree with him. :D

His findings makes one big assumption, the program doing the wiping works as advertised. There will be bugs, in some cases bugs big enough to cause data to remain. I'll give you an example:

- Eraser (along with many others) back in 2002 did not properly NTFS alternate data streams resulting in pwnage (see KSSA-003)

Have we learned from it, yes but there is always the possibility for bugs to be (re)introduced, especially when doing something major like rewriting a program from scratch... Which brings us back to the other thread calling for eyes :)
Correct - can't remember who said it, I think it was Schneier, but the quote goes something like this: security-related software should almost always be public in order for code reviews so as to ensure that the security of the application is not compromised. Perhaps I even mis-quoted him or anyone else (sorry), but I still believe it holds.

Modifying MS Word Metadata and MACE values

Perhaps a less difficult challenge - I am running an anti-forensics test - In a nutshell, I have a MS WORD document on an NTFS/XP/Windows Small Business Server. As part of the test, I want to modify the timestamp meta-data on the document - both the MACE values and the actual WORD metadata. Perhaps using timestomp and http://ms-word-document-file-properties ... nshot.html or whatever tools would be best. The goal of the test is to modify the MS WORD document's timestamp meta data - both in the document and on the server system/MACE - so that the effort to make the modifications are not detectable via any computer forensics tools that could be used on the server, including analysis of the MFT. As part of this test, I have full access to the server via my laptop and no forensic testing will be performed on the laptop - only the server.

Responses are welcome via email as well -

Furthermore, if someone is available for consulting work to assist in conducting this test, please contact me.