My Road to Digital Forensics Excellence

Verifying a Wiped Drive, Part 2

Posted by Paul Bobby on September 26, 2010

I have added my complete enscript to the My Files page. This enscript now includes GUI elements as well as a routine to precalculate the MD5 checksum of any given wiping pattern. Mismatches found across the hard drive are displayed in the console as well as bookmarked. (Note that the bookmark points to beginning of the data that is read, it doesn’t identify the bytes that are different).

Out of necessity of testing, I included a ‘selected files’ option. This way you can create custom files using a hex editor, with specific wiping patterns and verify the operation of the enscript.

Using this enscript I’ve discovered that BCWipe doesn’t make every byte on the target device equal to the wiping pattern. For some reason BCWipe likes to used bytes 0-4 as a counter. Granted the data is overwritten, but the drive doesn’t exactly contain just the wiping pattern.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: