Re: New leak: Alonso knew nothing of plans for Piquet's accident



peter <scoular@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

suggests that there was never any data to find...far more so than there
was data but it was erased as this itself leaves a data trail that
cannot be covered up without a full system wipe.

Even a full system wipe would leave traces. Depending on how thorough
the examination (and if it really was forensic, it should be very
thorough), it's not simply a case of wiping disks and reloading. In one
case I dealt with recently, a user used a forensic wiping tool and, not
only did that leave traces of its use (we were able to prove that it had
been used, and the number of times it had been used), but unless you use
a top quality one, traces of the original data can remain.

That most people don't realise this is the reason so many people get
caught out.

To cover up this sort of thing properly (which you might gamble on not
needing to), you need to:

* Replace all disks that have (or could have) contained the data.
  Bear in mind that this may include disks unrelated to the actual
  storage, as computers cache data all over the place, both in
  user directories and in system areas (e.g. paging files).
  You must bear in mind that they might smell a rat if every system
  was brand new (very odd) or, just as bad, they're not brand new
  but they all conveniently got new disks just as the investigation
  was being considered.
* Reload from scratch, taking care to ensure that there is no trace
  of the dodgy data, that everything else is in place and (another
  giveaway) that there is no break in the "history" (e.g. analysis
  of date stamps which shows that there is regular use of a system
  up until March but then no apparent use from then until July
  would suggest that something happened in that period which
  is being airbrushed out). Related to this, ensure that you're
  using tools which really do fix timestamps - if the date shows
  use in April but has marked it as having been created in July,
  that's going to look suspicious too.
* Make sure this is consistent across all of your systems. They
  only have to find one example of you sanitising your systems to
  indicate to the WMSC that you are hiding something; you have to
  get it right every time.
* Even harder, you also need to fix up your backups. This is a
  horrendous thing to do correctly, particularly if (as good
  practice dictates) you have a consistent batch of full and
  (various-level) incremental backups...with clones...stored
  securely off-site. If you have the data and it's on backups
  *and* the forensic firm really do examine all of this stuff
  (you might be lucky - they might only sample it and not find
  it), this is not only horrendously expensive to do, but it
  would take a long time (restore to disk on systems with fixed
  dates, fix the contents, resave the backup, reapply the changes,
  rinse and repeat for every single backup); you'd be hard pressed
  to do any of it with investigators wandering around the place.

So, you're right. I would suggest that the options are:

1. The data was never there to be found
2. They never found the systems on which the data was stored (which,
by definition, suggests it wasn't widespread)
3. They didn't do their jobs properly

(3) is always a possibility, but I would suspect (1) or (2) is far more
likely...
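
The two date-stamp giveaways mentioned in the post (a break in the "history", and a file used in April but marked as created in July) are the kind of thing an examiner checks mechanically. The sketch below is an added example, not part of the original post or any forensic product: the sample metadata is constructed, and the function names and the 45-day threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed sample metadata (path, created, last modified); not from any real case.
SAMPLE = [
    ("mail/jan.pst",       "2009-01-05", "2009-01-19"),
    ("docs/feb-plan.doc",  "2009-02-02", "2009-02-23"),
    ("docs/mar-notes.doc", "2009-03-09", "2009-03-27"),
    ("docs/setup.xls",     "2009-07-06", "2009-04-14"),  # used in April, "created" in July
    ("docs/jul-plan.doc",  "2009-07-06", "2009-07-08"),
    ("mail/aug.pst",       "2009-07-20", "2009-08-03"),
]


def load(rows):
    """Parse ISO date strings into date objects."""
    return [(p, date.fromisoformat(c), date.fromisoformat(m)) for p, c, m in rows]


def activity_gaps(records, max_gap=timedelta(days=45)):
    """Return (last_seen, next_seen) pairs with no timestamp of any kind
    in between for longer than max_gap (assumed threshold)."""
    stamps = sorted({t for _, c, m in records for t in (c, m)})
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


def created_after_modified(records):
    """Return paths whose creation date is later than the last-modified date.
    A copy or restore can produce this, so it is a lead to explain,
    not proof of tampering on its own."""
    return [p for p, c, m in records if c > m]


if __name__ == "__main__":
    recs = load(SAMPLE)
    for a, b in activity_gaps(recs):
        print(f"no activity for {(b - a).days} days: {a} -> {b}")
    for p in created_after_modified(recs):
        print(f"created after last modification: {p}")
```

On real evidence the same checks would run over timestamps exported from the file system and from backups, compared across machines, since the post's point is that one inconsistent system is enough.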