Experiment: Eraser and DBAN applied to CDRW media

Gralfus

Member
Since there were some questions regarding how Eraser and DBAN interact with CDRW media, I did a few experiments with CDRW media using Nero and a variety of settings. I then tried to run Eraser on the files, and ultimately tried to run DBAN on the media. The results are below.

Tools:
Eraser 5.7
DBAN 1.0.6
TDK 650MB CDRW
Lite-on DVDRW SOHW-1673S
Nero Burning Rom 6.6.0.16
Nero InCD 4.3.12.0
Slax Linux 5.1.6 Live CD
SuperBlank 3.01
Forensic Tool Kit 1.60
Foremost 1.0, ported to Win32
dd (rawwrite) 0.3 for Windows (by John Newbigin)
Windows XP Pro SP1

Note 1: It should be noted that a CDRW in its native state (out of the box), or one that has been erased, is not mountable in either Windows or Linux, and thus cannot be examined by forensic imaging programs. As far as these operating systems are concerned, there is nothing there to read, similar to trying to read a piece of cardboard. A data-recovery service may have the means to examine the disk via different means. I do not, so I can't speculate on whether anything could be found or not. But as far as erasing is concerned, to an investigator a drive that has been overwritten with random characters or all zeros is more suspicious than a blank disk. By blanking the disk, it becomes like it was out of the box. CDRW media is not magnetic, so there should be no trace remnants left over from files that have been blanked. It is more akin to a toggle switch: it is either on or off, but you can't tell if it has ever been the other or not.

Note 2: The Eraser right-click menu option to "erase unused space" is not available for CDRWs.

Note 3: One other thought was that perhaps the blanking process only rendered the disk unreadable to the OS, but didn't actually remove the data. I formatted the CDRW again, just to see if any images could be picked up afterwards. (The idea being to make the disk readable by the OS, and thus able to be examined). I tried this with both MRW and UDF formatting, by first formatting, then adding files, then blanking the disk and reformatting, then imaging. After examining the results in a hex editor, "foremost" data carving program, and in Forensic Tool Kit, I conclude that all previous data was entirely removed by the blanking process and/or the formatting process.

July 17, 2006

In each instance, I used the right-click menu option to erase files, with the option of 1 pass of pseudorandom data, with cluster tips and Alternate Data Streams.

1. CDRW - burned as CDR, no multisession, track at once, finalized
Results: Files cannot be erased with Eraser. "Access denied"

2. CDRW - burned as CDR, no multisession, track at once, not finalized
Results: Files cannot be erased with Eraser. "Access denied"

3. CDRW - burned as CDR, multisession, track at once, not finalized.
Results: Files cannot be erased with Eraser. "Access denied"

4. CDRW - burned as CDR, multisession, track at once, finalized
Results: Files cannot be erased with Eraser. "Access denied"

5. CDRW - formatted with InCD4 as Mt. Rainier (MRW)
Added JPEG and GIF files (ranging from 18KB-117KB) using InCD, Right-clicked, used Eraser to erase all files. Eraser seemed to work fine, no errors. Files no longer appeared in Windows Explorer. Unable to image drive with "dd" in windows, but able to image in Slax Linux.
Examined image using hex editor, Forensic Tool Kit 1.60, and "foremost".
All files were still present and were recoverable.
Blanked CD using SuperBlank. CDRW could not be imaged after blanking, indicating nothing to be read.

6. CDRW - formatted with InCD4 native format (UDFRDR file system)
Added JPEG and GIF files using InCD, then used right-click Eraser menu to erase the files.
Unable to image in Windows using "dd" - incorrect function error.
Imaged under Slax Linux and examined the resulting image using hex editor, Forensic Tool Kit, and "foremost".
I was able to recover the files using Forensic Tool Kit and foremost.
Blanked CD using SuperBlank. CDRW could not be imaged after blanking, indicating nothing to be read.


7. DBAN - DBAN does not recognize CD/DVD drives, so it cannot be applied to this kind of media.

Conclusion:
For CDRW media, Eraser will not actually overwrite the files. Blanking the media is the best way to permanently erase files (assuming you want to use the media again), otherwise physically destroy the disk. DBAN does not recognize this kind of media, so again, blanking is the best way to permanently erase such files. Feel free to try these tests yourself to see if this information is correct or not. I realize the FAQ for Eraser says it will work on CDRW media. I have not tried Eraser 5.8 to see if this actually does overwrite the data, but 5.7 does not appear to do so. If you believe I am in error, please detail your objections and I will repeat the experiment to your specifications.
 
Hi Gralfus

Thank you very much for your thorough testing ! You will save others a lot of time. I agree with your findings.
 
Back
Top