1

I'm an avid fan of file system forensics, but I'm an amateur so far. I've been reading up on NTFS forensics and I've noticed you can sometimes tell that a file was on a certain volume even if it was deleted and the free space shredded with a tool. You can find it either in the USN journal (if it exists) or in the slack of an index block.

What I don't know is whether any of the algorithms used for shredding are reversible. That is, whether a tool just writes random values to free space or just scrambles, cluster by cluster, whatever it finds there.

Also, is there a way to determine which algorithm was used, to prove the shredding was deliberate? Is there a pattern?

Thank you, in advance, for your answers.

4 Answers

3

NTFS metadata

Considering NTFS, if you overwrite a block with any data, that block is irreversibly overwritten, but:

  • NTFS holds the name, size and some other information (metadata) in a different place from the data, so overwriting the data won't hide this.
  • If the data written in its place is totally random or all zeros, the origin of the data won't be determinable with certainty.

Low level

If you do a full overwrite of your disk or partition, many times with random data and then finally with zeros, your disk will seem as clean as if it had never been used.

wikipedia: Zeroisation

But if you really want to know what happens with a disk, you may try to use forensic hardware, like a clean room and a magnetic force microscope, to reconstruct some generations of data.

wikipedia: Data remanence

SSD and flash

Warning! This kind of hardware has a limited lifetime. This means each generation of data would use another physical location on flash memory!

Shredding will just reduce the lifetime, but won't hide anything from forensic labs!

wikipedia: Flash memory

Rashad Novruzov
1

If you're doing a full-disk wipe on a modern drive, a single pass of ones and then a single pass of zeros is enough (technically speaking, with modern hard drives, even one pass is enough). You don't need a complicated algorithm, or PRNG-generated data. Your disk will look as if it were new, and you can deny that you wiped it.

If you're wiping free space or specific files, don't bother. A copy of your file will be somewhere on the disk in the cache, temp files, indexing files, etc. So you have two options:

  • Full-disk encryption with something like TrueCrypt. But if your goal is full plausible deniability, you must know that there will be random-looking data on your disk, and you must find an explanation for that.

  • Full-disk wipe with zeros, using something like WipeDisk. The disk will look new, and you can just say it's an unused disk.

Adi
  • I'm not trying to hide something :) I'm trying to find out if the content of a large document, for example, was scrambled or wiped on purpose or better yet if there are ways to find that out. – Sebastian-Laurenţiu Plesciuc May 22 '13 at 15:07
  • Just a comment on wiping with zeros - You can indeed get rid of data that way, but it won't look new. Even if the platters themselves don't give you away, the S.M.A.R.T data will. – Xander May 23 '13 at 19:26
-1

Generally speaking, free space shredding is simply the act of overwriting unused clusters with (pseudo-)random data. If the PRNG in use is good, it should not be possible to differentiate shredding from random noise. The one interesting note about shredding is that most brand new drives will read as if they have all bits set to 0 -- so a drive with all unused clusters full of "random noise" is likely to have been shredded.

David
-2

It's a very interesting question. On a filesystem that has not been shredded (after some real work) we can "undelete" some files. That's why, for "invisible shredding", we need to write parts of real files (copies of existing files, or files from another HDD) to the free space. On the other hand, to determine whether an HDD was shredded or not, we only need to run any program for "undeleting" files. If the program can't find anything, we can be almost certain the HDD was shredded or it's new. If the free space is filled with non-zero data and the program can't undelete files, perhaps :) the HDD was shredded. If the free space contains the same byte throughout, maybe it was one of the algorithms. )) And finally, if the MFT is fragmented and the free space has only zeros, the HDD was shredded (or cloned?). Also, if the volume has many fragmented files, more free space than used space, and the free space is filled with zeros, the HDD was shredded (or cloned).

Lzo
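The heuristics in David's and Lzo's answers (all-zero free space reads like a new, zero-wiped or cloned volume; one repeated byte suggests a fixed-pattern pass; random-looking data suggests a random overwrite; recoverable file remnants mean nothing was shredded) can be turned into a quick free-space triage. The following is an added example written for this thread, not code from any of the answers or from a forensic tool. It assumes the unallocated space has already been extracted to a byte string (the constructed `SAMPLE_IMAGE` stands in for such an extract), a 4096-byte cluster size, and a 7.9 bits/byte entropy threshold; all three are assumptions for the example.

```python
import math
import random
from collections import Counter

CLUSTER_SIZE = 4096          # assumed NTFS cluster size for the example
HIGH_ENTROPY_BITS = 7.9      # assumed threshold; a full cluster of random bytes scores about 7.95


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant fill, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_cluster(cluster: bytes) -> str:
    """Label one cluster of free space the way the answers above reason about it."""
    if not cluster:
        return "empty"
    distinct = set(cluster)
    if distinct == {0}:
        return "zero-fill"            # new drive, zero wipe, or cloned volume
    if len(distinct) == 1:
        return "constant-fill"        # one repeated byte, e.g. a 0xFF or 0x55 pattern pass
    if shannon_entropy(cluster) >= HIGH_ENTROPY_BITS:
        return "high-entropy"         # random overwrite, or encrypted/compressed remnants
    return "structured"               # text, headers, slack: undelete/carving tools may recover this


def summarize_free_space(image: bytes, cluster_size: int = CLUSTER_SIZE) -> dict:
    """Count cluster classes across an extract of unallocated space."""
    clusters = (image[i:i + cluster_size] for i in range(0, len(image), cluster_size))
    return dict(Counter(classify_cluster(c) for c in clusters))


def interpret(summary: dict) -> str:
    """Turn the counts into the coarse verdicts the thread discusses; a lead, not proof."""
    total = sum(summary.values())
    if total == 0:
        return "no free space sampled"
    if summary.get("structured", 0):
        return "file remnants present: free space does not look shredded"
    if summary.get("zero-fill", 0) == total:
        return "all zeros: unused, zero-wiped or cloned; not distinguishable from a new volume"
    if summary.get("high-entropy", 0) == total:
        return "all high-entropy: consistent with a random-data overwrite"
    if summary.get("constant-fill", 0) == total:
        return "single repeated byte: consistent with a fixed-pattern overwrite pass"
    return "mixed fills: partial or multi-pattern overwrite, inspect per region"


# Constructed sample standing in for an unallocated-space extract (not real disk data):
# 3 zeroed clusters, 2 clusters of 0xFF, 4 clusters of seeded pseudo-random bytes,
# and 1 cluster of document text that a carver would still find.
_rng = random.Random(20130522)
RANDOM_CLUSTER = bytes(_rng.getrandbits(8) for _ in range(CLUSTER_SIZE))
TEXT_CLUSTER = (b"Quarterly report draft - revenue figures pending review. " * 200)[:CLUSTER_SIZE]
SAMPLE_IMAGE = (
    bytes(CLUSTER_SIZE) * 3
    + b"\xff" * CLUSTER_SIZE * 2
    + RANDOM_CLUSTER * 4
    + TEXT_CLUSTER
)

if __name__ == "__main__":
    summary = summarize_free_space(SAMPLE_IMAGE)
    print(summary)
    print(interpret(summary))
```

The verdict is only a lead: as Xander's comment notes, S.M.A.R.T. data and the filesystem metadata Rashad's answer mentions have to be weighed alongside what the free space contains, and zeroed space cannot be told apart from an unused or cloned volume by content alone.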