Evidence Eliminator Tested
Peter Sommer
peter at pmsommer.com
Sat Sep 12 15:19:16 BST 2009
The aim of forensic imaging is to preserve a disk (or other data media)
in the state it was in at a particular time. A copy, which includes all
the sectors of a disk including those that might appear to be empty, is
created. Among other things, it optimises the opportunities for data
recovery while not risking any form of contamination of the original.
Since you can copy the resulting image, several people can work on the
task simultaneously and independently - copies can also go to defence
teams. But forensic imaging has nothing directly to do with data
recovery; it simply makes any subsequent attempts at doing so more
likely to be forensically sound as it can be checked.
Evidence Eliminator-type products aim to do more than simply overwrite
unused sectors - they claim to have knowledge of all the parts of a disk
in which indicators of the activity of its users may be found - the
browser cache, cookies, swap file, hibernation file, most recently used
lists, the registry, restore points etc. (and there is more in
Vista/7). Successive versions of Windows have different such features
or adopt them differently or hold data in different places. Too
aggressive a use of such products, even if good, results in a significant
drop in regular performance.
To the extent that the EE-type product is inadequate or poorly used,
there are opportunities for forensic examiners to locate material that
someone has thought was thoroughly deleted - or at the least enough
indicators to embarrass the deleter.
I have no special knowledge of the Phoenix 4/5...
Peter Sommer
John wrote:
> Without knowing the settings I can't offer any detail, but the MG
> Rover report states in the conclusion of the dedicated chapter XXIV
> entitled Evidence Eliminator, "that data could not be recovered and
> so it was impossible to assess the importance of the material deleted."
>
> I have sent this information because in the legal groups there has
> been much speculation and uncertainty about the forensic recovery
> of data after deletion using EE. I see now that forensic imaging is
> not all it is cracked up to be.
>
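As an added illustration of the two points made above, the sector-level copy with a verification hash and the search of an image for indicators a wiping tool left behind, here is a small Python script that is not part of the original post and not code from Evidence Eliminator or any other product it mentions. The 16-sector sample "disk", the leftover browser-history line and the URL pattern are constructed for the example, and the script images an ordinary file rather than a block device; on a real system the source would be the device node opened read-only, ideally behind a hardware write blocker.

```python
import hashlib
import os
import re
import tempfile

SECTOR = 512  # bytes per sector; 512 is the classic disk sector size


def build_sample_disk():
    """Constructed 16-sector 'disk' for the example (not a real image).

    Most sectors are all zeros and so look empty; sector 3 holds a live
    file; sector 9 is unallocated but still carries an old browser-history
    line that a wiping tool failed to overwrite."""
    sectors = [b"\x00" * SECTOR for _ in range(16)]
    sectors[0] = b"BOOT".ljust(SECTOR, b"\x00")
    sectors[3] = b"live document text".ljust(SECTOR, b"\x00")
    leftover = b"Visited: http://example.invalid/secret-page\r\n"
    sectors[9] = leftover.ljust(SECTOR, b"\xff")
    return b"".join(sectors)


def image_device(src_path, dst_path):
    """Copy every sector of src_path to dst_path, empty-looking ones
    included, hashing the source bytes as they are read.  The source is
    opened read-only, so the original is never written to."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(SECTOR), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()  # acquisition hash, recorded alongside the image


def sha256_file(path):
    """SHA-256 of a whole file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(src_path, img_path, acquisition_hash):
    """True only if source, image and recorded acquisition hash all agree.
    Any further copy checked against the same hash is as good as this one."""
    return (os.path.getsize(src_path) == os.path.getsize(img_path)
            and sha256_file(src_path) == acquisition_hash
            and sha256_file(img_path) == acquisition_hash)


# Assumed indicator for the example: printable URL-like runs.
URL_PATTERN = re.compile(rb"https?://[\x21-\x7e]+")


def scan_for_indicators(img_path, pattern=URL_PATTERN):
    """Read the image sector by sector, ignoring the file system entirely,
    and return (sector number, string) for every URL-like run found.
    Matching is per sector, so a string straddling a boundary is missed."""
    hits = []
    with open(img_path, "rb") as f:
        for n, sector in enumerate(iter(lambda: f.read(SECTOR), b"")):
            for m in pattern.finditer(sector):
                hits.append((n, m.group().decode("ascii")))
    return hits


def demo():
    """Write the constructed disk to a temp file, image it, verify, scan."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "disk.raw")
        img = os.path.join(d, "disk.dd")
        with open(src, "wb") as f:
            f.write(build_sample_disk())
        acq = image_device(src, img)
        ok = verify_image(src, img, acq)
        hits = scan_for_indicators(img)
    return ok, acq, hits


if __name__ == "__main__":
    ok, acq, hits = demo()
    print("image verified:", ok, "sha256:", acq)
    for sector, text in hits:
        print(f"sector {sector}: {text}")
```

The hash computed during acquisition is what makes the later work checkable: anyone holding a copy, a defence team included, can recompute it and show they worked on the same bytes. The scan deliberately never consults a file system, which is why the history line in an "empty" sector still turns up; a wiping product that only overwrote free space as the file system reports it, or that did not know about that particular artefact location, would leave exactly this kind of indicator.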
More information about the ukcrypto mailing list