Can a Forensic tool detect if a drive has been wiped

Anonymous

Guest
I need to know if a forensic program can detect if a hard drive has been wiped. Also, if so, can they detect when it was wiped/nuked... Does changing the BIOS settings affect this if this is the case?

Also, a similar question is what does a hard drive look like when it comes from the manufacturer... and can this be duplicated?

My plan is to nuke the hard disk and then change the BIOS to certain dates and create a history in the Windows syslogs to make it look like a normal used hard drive... Any suggestions or discussions would be appreciated.
 
I have a question along similar lines... Does the system log time changes done through Windows versus BIOS?
 
Depending on the method used, it can be obvious that a drive was wiped based on the pattern of bits on the disk. But so what? Some forensic examiners take the arrogant approach that you wouldn't be using such software if you didn't have something to hide. But that is an illogical argument (arguing from a vacuum) that ignores privacy rights and other legitimate reasons for overwriting disks, such as installing new operating systems.

There is no way to tell when a drive was wiped, that I know of.

I don't believe that the system logs a time change done in BIOS, but entries in the log will have timestamps that are different than previous entries. If the system disk was nuked then there are no logs or entries to worry about. Of course the operating system has to be reinstalled after that.
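Added example, not part of any post in this thread: a sketch of how an examiner's tool can recognise the "pattern of bits" mentioned in the reply above, by classifying every sector of a raw image and looking at the proportions. The 512-byte sector size, the 7.0 bits/byte cutoff and the 99% threshold are assumptions chosen for illustration, and the three images are constructed.

```python
import math
import os
from collections import Counter

SECTOR = 512  # bytes per logical sector (assumed; 4096 on some drives)

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_sector(block: bytes) -> str:
    if len(set(block)) == 1:
        return "zero" if block[0] == 0 else "fill"
    # A 512-byte random sector measures about 7.6 bits/byte; text and file
    # system metadata sit far lower. Compressed or encrypted content also
    # lands here, so one sector alone proves nothing.
    return "random" if entropy(block) > 7.0 else "data"

def survey(image: bytes) -> dict:
    """Fraction of sectors in each class across the whole image."""
    kinds = ("zero", "fill", "random", "data")
    tally = Counter(classify_sector(image[i:i + SECTOR])
                    for i in range(0, len(image), SECTOR))
    total = sum(tally.values()) or 1
    return {k: tally[k] / total for k in kinds}

def verdict(fractions: dict, threshold: float = 0.99) -> str:
    if fractions["zero"] >= threshold:
        return "uniform zero fill"
    if fractions["fill"] >= threshold:
        return "uniform pattern fill"
    if fractions["random"] >= threshold:
        return "uniform high entropy (PRNG overwrite or encrypted volume)"
    return "mixed content (ordinary use)"

# Constructed images, 64 sectors each; a real run would read a raw image file.
ZEROED = bytes(SECTOR * 64)
PRNG = os.urandom(SECTOR * 64)
USED = (b"report_final.doc;" * 31)[:SECTOR] * 40 + bytes(SECTOR * 24)

if __name__ == "__main__":
    for name, img in (("zeroed", ZEROED), ("prng", PRNG), ("used", USED)):
        print(name, survey(img), "->", verdict(survey(img)))
```

A drive in ordinary use shows a mix of classes, so a surface that is uniform from the first sector to the last is what stands out.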
 
I wish the law was that simple. If for some chance the police come knocking on your door and you are wiping your hard drive they will classify this as destruction of evidence like flushing drugs down the toilet and the judge will hold this against you.

Also, what about the people who have already been sentenced or live in a country where this activity would be a great problem... Is there a way to make the drive look like it just came from the manufacturer? Or does anyone know what it may look like under an investigator's prying eye?

And if this is not enough reason to figure this out then how about the idea of just knowing :)
 
Drives shipped from the manufacturer come zeroed.
That is, full of 0's.
Yeah, DBAN could do that (except for the remapped bad sectors, they would contain non-random data on most modern hard drives) - but the drive firmware also contains a POH (power on hours) memory which would tell instantly if the drive had been in use (if not when).

But why does this bother you?

The LEAs either catch you wiping the drive == destruction of evidence,
or with an OS installed.
There are very few people who wipe a disk and then leave it wiped.
Most reinstall an OS very soon after.
 
Can updating the drive's firmware zero out the POH?

I don't like leaving any clues for people to try to reconstruct the past history of a hard drive no matter what it is.

Also, probably a better explanation is that I don't trust a wiping program that doesn't wipe everything (OS included) like boot and nuke. Too many things a program can miss, i.e. file names, .dat files and god knows what else Windows leaves behind.
 
Why should you be worried about this unless you have something you shouldn't have on your disk? If that is the case then people shouldn't be giving advice.
 
I live in a country that is not as free as most western countries and need to know this... By saying what you just said you would not help someone in Iran or former Iraq escape government persecution? Shouldn't information be kept to oneself if it hurts no one by western standards... How cruel and naive to make such a suggestion, especially on a web site dedicated to this kind of info.
 
Tiko said:
Can updating the drive's firmware zero out the POH?

I don't like leaving any clues for people to try to reconstruct the past history of a hard drive no matter what it is.

Also, probably a better explanation is that I don't trust a wiping program that doesn't wipe everything (OS included) like boot and nuke. Too many things a program can miss, i.e. file names, .dat files and god knows what else Windows leaves behind.

It's a waste of time to care about the power-on-hours. If you have an 8 GB drive it will probably be some years old and if you erased the POH, what do you gain? Is it not very conspicuous to have a 5 year old hard drive with 0 power-on-hours, don't you think so? The POH only gives a hint if a hard drive was heavily used or not, that's all and it doesn't say anything about the data once stored on it.
 
Tiko said:
Can updating the drive's firmware zero out the POH?

I don't like leaving any clues for people to try to reconstruct the past history of a hard drive no matter what it is.

Also, probably a better explanation is that I don't trust a wiping program that doesn't wipe everything (OS included) like boot and nuke. Too many things a program can miss, i.e. file names, .dat files and god knows what else Windows leaves behind.

No, the POH is in firmware and is not writeable without special apps (as far as I know).
As mentioned above, this is not really a problem unless you want to make the drive look factory fresh.

Your biggest problem is bad sectors which the drive hides from DBAN.
The only protection from this is to encrypt everything (incl OS) right from the start. Hardware and software solutions exist for this. Hardware is the best bet.
 
Any programs or workarounds to clear the bad sectors even at the risk of hurting the disk? Where is the bad sector info mapped? Firmware? Not totally sure what bad sectors are and why they become bad or why they cannot be used even for a write over of garbage.
 
Bad sectors are just as the name suggests, sectors on the disk that are damaged - usually physically.

Most disks gather a few over their life, increasing quickly just before the disk eventually dies (they all do, eventually).

In the old days it was left to the OS to map them as bad and not to write to them. But then disks got smart (literally SMART) and started locating and fixing or hiding the bad sectors by themselves.

The problem this causes for software wiping is that even the OS cannot access the bad sectors. The drive remaps them to somewhere else transparently. The OS doesn't know about this and bits of the old data still reside in the bad sector.

However, forensics labs can easily open the disk up and read it using special equipment. They read all the sectors including the bad ones. If the bad sectors contain interesting information then you're nicked.
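Added example, not part of any post in this thread: the power-on-hours counter and the remapped sectors discussed in the replies above are both reported as SMART attributes, and this sketch reads them the way an examiner would when assessing a drive whose surface is blank. The sample text is constructed in the layout printed by `smartctl -A`; the function names and the wording of the findings are assumptions.

```python
import re

# Constructed sample in the layout printed by `smartctl -A`; values invented.
SAMPLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       8
  9 Power_On_Hours          0x0032   081   081   000    Old_age   Always       -       17342
 12 Power_Cycle_Count       0x0032   099   099   020    Old_age   Always       -       1204
194 Temperature_Celsius     0x0022   031   045   000    Old_age   Always       -       31 (Min/Max 20/45)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
"""

# Columns: id, name, flag, value, worst, thresh, type, updated, when_failed, raw
ROW = re.compile(r"^\s*\d+\s+(\S+)\s+0x[0-9a-fA-F]+\s+\d+\s+\d+"
                 r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(\d+)")

def parse_attributes(text: str) -> dict:
    """Map attribute name to the leading integer of its RAW_VALUE column."""
    attrs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            attrs[m.group(1)] = int(m.group(2))
    return attrs

def usage_findings(attrs: dict, surface_blank: bool) -> list:
    """Notes an examiner would record; surface_blank comes from an image scan."""
    findings = []
    hours = attrs.get("Power_On_Hours", 0)
    cycles = attrs.get("Power_Cycle_Count", 0)
    if surface_blank and (hours or cycles):
        findings.append(f"blank surface but {hours} power-on hours and "
                        f"{cycles} power cycles: used, then overwritten")
    moved = attrs.get("Reallocated_Sector_Ct", 0)
    if moved:
        findings.append(f"{moved} reallocated sectors: their original "
                        "physical locations were out of reach of a "
                        "software overwrite")
    pending = attrs.get("Current_Pending_Sector", 0)
    if pending:
        findings.append(f"{pending} sectors pending reallocation")
    return findings

if __name__ == "__main__":
    for note in usage_findings(parse_attributes(SAMPLE), surface_blank=True):
        print("-", note)
```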
 
SOL

Provided that you have read ALL of the posts pertaining to this subject, you will have undoubtedly come to certain conclusions:

1) DBAN is NOT a miracle cure. It will not absolve your HD of its Original Sins. If a certain LEA is determined to recover sensitive info from your HD, then they will. A mantra to know: if we know of DBAN, they know of DBAN. Only physically destroying your HD will permanently secure your HD.

2) If you have nothing to hide (e.g. kiddy porn and/or matters of national security), then don't worry about it. DBAN will take care of your security problems.

3) Run DBAN with the PRNG stream at 12 to 15 rounds with the "verify" option enabled. That should nuke your HD well enough (per the exceptions noted above).

If that's not good enough for you: then a sledge hammer and a gallon of gasoline is!!!
 
also

Frankly (concerning all of the replies in this post), with all of this "bad sector" nonsense... just buy a new computer! The prices just keep dropping on new systems. The best way to secure an old HD is to condemn it to obscurity by replacing it with a new system. Then, you can subject it to the hammer and the gasoline!!!!

NUKE IT!!!!
 
Is there a way to effectively check for bad sectors on a hard drive? Does the disk analysis in Windows (which says it is checking for bad parts of the drive) work efficiently, or is there something that is better to use?
 