Re: Hard drives that self destruct



Sheldon <sheldon@xxxxxxxxxxx> wrote:

You mention that they may have 'over egged the pudding' but by that much?

Yes, for a start the sequence of events that they posit doesn't usually
happen that way in disk forensics. Normally one would perform an SHA256
hash on the drive, then image the drive, then perform a hash on the
image and compare the two hashes. The description of how garbage
collection works also seems wrong. The garbage collection does not start
to randomly delete data, the data is generally left alone and the
catalogue updated to show the files as deleted, once that is done the
most likely other events are wear levelling, that may result in data
being overwritten just because a particular block of memory hasn't been
used recently and it's time for that block to be used for a while.

As I say, I think they are overstating the case. If the drive is
checked, then imaged then if necessary checked again and all three
hashes are identical then there's no issue. If the hash varies between
first and third attempts then clearly something has happened.

This can also happen with mechanical drives.

I accept that no amount of drive wear levelling and housekeeping could
ever magically create 'My Plan To Rule The Earth.doc' on the suspect's
drive but I am asserting that the fact that the checksums of the
original drive and the examined copies differ allows for all sorts of
claims of contamination from the defence that may be hard or even
impossible to rebuff sufficiently to convince a jury that there is not
reasonable doubt about the evidence produced.

But it's far from likely that the checksums will differ.
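
The check, image, check-again sequence described in the post, as an added example that is not part of the original message: it hashes the source, images it, hashes the image, hashes the source a second time, and reports which comparison failed. The function names and file paths are assumptions, and a constructed random file stands in for the drive.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a large device never sits in memory


def sha256_of(path):
    """Stream a file or block device through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def copy_image(source, image):
    """Copy source to image byte for byte and force the image to stable storage."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())


def verdict(first, image_hash, third):
    """Classify the three hashes: source before, image, source after."""
    if first == image_hash == third:
        return "verified"
    if first != third:
        return "source changed during acquisition"
    return "image does not match source"


def acquire(source, image):
    """Hash the source, image it, hash the image, then hash the source again."""
    first = sha256_of(source)
    copy_image(source, image)
    image_hash = sha256_of(image)
    third = sha256_of(source)
    return {"first": first, "image": image_hash, "third": third,
            "verdict": verdict(first, image_hash, third)}


def demo():
    """Run the workflow on a constructed 3 MiB stand-in for a drive."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "drive.bin"), os.path.join(d, "drive.img")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))  # constructed sample data
        return acquire(src, img)
```
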