On Wed, 12 Mar 2008 13:34:18 -0400, Meat Plow wrote:
>
> I took a college credit on computer forensics as part of my training.
> I already knew a lot of it so it was a bit hard at first
My guess is you know dick about shit.
Standard LEA PC forensic tools such as EnCase can be found on p2p
networks; if people would like to learn to use these to check their hard
drives for recoverable data, they'll find out what can be found via
prosaic methods. Last time I used it, it wasn't really much different from
ordinary file recovery tools, so you could use those instead, except it
offers the ability to freeze and label a snapshot image of a drive and log
all investigator actions for court evidence purposes. There are training
materials for EnCase around. A snapshot of RAM contents can be taken, but
that's not going to be any good unless the PC was on when seized, or
very recently shut down. A recent paper showed recovery from RAM was
possible, but they were only "momentarily" interrupting power. Another
EnCase feature is that there are available hashes of known CP images which
can be used to search for the same. They might have added some other
capabilities in the last few years.
Data can be recoverable from swap if swap wasn't encrypted.
Sure, there are more sophisticated data recovery tools, e.g. magnetic force
microscopy (MFM) and magnetic force scanning tunneling microscopy (STM),
that recover data that has been overwritten several times. This was
easy to do with very old drives, which were easy to extract overwritten
data from - some companies claimed to be able to recover data that had
been overwritten 12 times. For these, a "Gutmann wipe" is the
recommended security measure, or better, destroy the drive. But for recent
high density hard drives, a "good random scrubbing" is as good as anything
else according to Peter Gutmann.
AFAIK if a drive has been heavily scrubbed, it will be expensive to try to
recover data and there is no guarantee of success. Try getting a quote
for recovery of data from a trashed drive.
The weakest privacy point is the Windows operating system, which leaks
information all over the place via temp files and other means. Some say it
might as well be spyware.
Finally, hard drive data recovery technology means *nothing* if the data
was never written in plaintext to a drive in the first place, but was
securely encrypted on the fly.
Solutions: Encrypt the entire drive containing your operating system,
applications, and data, especially if using Windows. Google for more
information.
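An added worked example, not part of the original post or of EnCase: a small Python script showing what the "prosaic methods" above amount to on a raw image. It builds a constructed disk image with one fake JPEG sitting in unallocated space (no file system is modelled, so it stands in for a deleted file whose sectors were never reused), carves it back out by its header/footer markers, checks the carved file's SHA-1 against a hash set the way the known-image hash matching works, records MD5/SHA-1 of the whole image as an imaging tool would, and then applies a single random-data scrub to the region and shows the carver finds nothing. The image contents, sector layout and the hash set are all made up for the demonstration.

```python
"""Added example (not from the original post): header/footer carving over a
raw image, hash-set matching of carved files, image hashes for evidence
integrity, and a random scrub that leaves nothing for carving to find."""
import hashlib
import secrets

# Real JPEG start-of-image / end-of-image markers.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

BLOCK = 512  # sector size assumed for the constructed image


def make_image(blocks: int = 16) -> tuple[bytes, int, int]:
    """Build a constructed 'raw disk image': zero-filled sectors with one
    fake JPEG written at sector 5. No file system is modelled; the bytes
    just sit in unallocated space, as a deleted file's data would.
    Returns (image, offset of the file, its length)."""
    payload = JPEG_SOI + b"constructed sample picture data" + JPEG_EOI
    img = bytearray(BLOCK * blocks)
    start = 5 * BLOCK
    img[start:start + len(payload)] = payload
    return bytes(img), start, len(payload)


def image_hashes(data: bytes) -> dict[str, str]:
    """MD5 and SHA-1 of a blob, the way an imaging tool records them for a
    whole drive image so a later copy can be shown to be unaltered."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def carve(img: bytes, header: bytes, footer: bytes,
          max_len: int = 64 * 1024) -> list[tuple[int, bytes]]:
    """Header/footer carving: each header followed by a footer within
    max_len bytes is returned as (offset, data). It ignores the file
    system entirely, which is why it finds deleted-but-not-overwritten
    files."""
    found = []
    pos = 0
    while True:
        start = img.find(header, pos)
        if start < 0:
            break
        end = img.find(footer, start + len(header), start + max_len)
        if end >= 0:
            end += len(footer)
            found.append((start, img[start:end]))
            pos = end
        else:
            pos = start + 1  # header with no footer in range: skip it
    return found


def match_known(carved: list[tuple[int, bytes]],
                known_sha1: set[str]) -> list[int]:
    """Hash-set matching: SHA-1 each carved file and return the offsets
    whose hash appears in the (constructed) known-file hash set."""
    return [off for off, data in carved
            if hashlib.sha1(data).hexdigest() in known_sha1]


def scrub(img: bytes, offset: int, length: int, passes: int = 1) -> bytes:
    """Overwrite [offset, offset+length) with fresh random bytes. A single
    pass of random data is the 'good random scrubbing' the post mentions
    for modern dense drives; extra passes only cost time."""
    buf = bytearray(img)
    for _ in range(passes):
        buf[offset:offset + length] = secrets.token_bytes(length)
    return bytes(buf)


if __name__ == "__main__":
    img, off, n = make_image()
    print("image hashes:", image_hashes(img))
    hits = carve(img, JPEG_SOI, JPEG_EOI)
    print("carved:", [(o, len(d)) for o, d in hits])
    # Pretend the carved file's hash is in a known-image hash set.
    known = {image_hashes(hits[0][1])["sha1"]}
    print("hash-set matches at offsets:", match_known(hits, known))
    clean = scrub(img, off, n)
    print("after scrub, carved:", carve(clean, JPEG_SOI, JPEG_EOI))
```

The scrub only touches the one region, so the rest of the image (and its hashes) change exactly as much as you overwrote; on a real drive you would scrub the whole device, and the post's point stands that none of this matters if the data was encrypted before it ever reached the platter.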