Evidence Eliminator Tested

Dave Howe DaveHowe at gmx.co.uk
Sat Sep 12 18:02:31 BST 2009


Peter Sommer wrote:
> The aim of forensic imaging is to preserve a disk (or other data media)
> in the state it was at a particular time. A copy, which includes all
> the sectors of a disk including those that might appear to be empty, is
> created. Among other things, it optimises the opportunities for data
> recovery while not risking any form of contamination of the original.
> Since you can copy the resulting image, several people can work on the
> task simultaneously and independently - copies can also go to defence
> teams. But forensic imaging has nothing directly to do with data
> recovery; it simply makes any subsequent attempts at doing so more
> likely to be forensically sound as it can be checked.

Indeed so. It used to be that people were concerned about Gutmann
recovery (which of course can't be done on forensic images, but only on
a raw disk), but it is now accepted that because modern disks *require*
error recovery to read and write reliably, any difference in remnant
saturation is likely to be due to the changes in state of nearby data
blocks, instead of previous incarnations of the data - rendering
magnetic force microscopy all but useless.

> Evidence Eliminator-type products aim to do more than simply overwrite
> unused sectors - they claim to have knowledge of all the parts of a disk
> in which indicators of the activity of its users may be found - the
> browser cache, cookies, swap file, hibernation file, most recently used
> lists, the registry, restore points etc. (and there's more in
> Vista/7). Successive versions of Windows have different such features
> or adopt them differently or hold data in different places. Too
> aggressive a use of such products, even if good, results in a significant
> drop in regular performance.

Again, agreed. Caches are there for the very good reason that they
accelerate access to pages, and histories make typing URLs easier by the
autocomplete process. Similarly, lists of "last accessed" files in
popular office packages can make it easier to pull up the last thing you
worked on when you wish to resume work.

Again though, the free product CCleaner appears to be as effective as
the commercial product, and lacks both the aggressive advertising (via
email/NNTP spam and popunder windows) and the phone-home behaviour
reported of EE.

As has been mentioned already though, the product is unfortunately
named. A product called "Personal Document Privacy Protection" could
have had the same benefits but without the implication that you are
concealing the evidence of a crime.

> To the extent that the EE-type product is inadequate or poorly used,
> there are opportunities for forensic examiners to locate material that
> someone has thought was thoroughly deleted - or at the least enough
> indicators to embarrass the deleter.

Or indeed, to the extent that the issue isn't known and the solutions
not known (to the average user), I imagine it comes as a horrible shock
just how much an experienced investigator (or your kids, or your wife in
certain circumstances) can pull from browsing history and recent file
history...
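The sector-level imaging and hash check that Peter Sommer's quoted paragraph describes, as an added shell example that is not part of this thread or of any product it discusses. It constructs a small fake "disk" file (so it runs without real hardware), images every sector with dd, hashes source and image, and shows two things the paragraph asserts: content sitting in a nominally empty sector survives in the image, and a later single-byte change to the image is caught by the recorded hash. The file names, sector layout and marker string are constructed for the example; it assumes dd and either sha256sum or shasum are installed.

```shell
#!/bin/sh
# Added example (not from the ukcrypto thread): sector-level imaging of a
# constructed "disk" file plus hash verification, so an image can later be
# shown to match the original exactly.

# Hash a file with whichever SHA-256 tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build a constructed 64 KiB "device": 128 sectors of 512 bytes, almost all
# zero (the "apparently empty" sectors), with one marker string written into
# sector 100, which no file-level copy would ever see.
make_fake_disk() {
    dd if=/dev/zero of="$1" bs=512 count=128 2>/dev/null
    printf 'remnant-data-in-unallocated-sector' \
        | dd of="$1" bs=512 seek=100 conv=notrunc 2>/dev/null
}

# Image every sector; conv=noerror,sync keeps going past a read error and
# pads the bad block with zeros instead of silently dropping it, so offsets
# in the image still line up with the source. Record the source hash beside
# the image and confirm the image hashes to the same value.
image_and_verify() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf '%s  %s\n' "$src_hash" "$src" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Re-check an image at any later time against the hash recorded at imaging.
verify_image() {
    recorded=$(cut -d' ' -f1 "$1.sha256")
    [ "$(sha256_of "$1")" = "$recorded" ]
}

# Does the image still carry the content that lived in a nominally empty sector?
image_has_marker() {
    grep -q 'remnant-data-in-unallocated-sector' "$1"
}

# End-to-end run: image, verify, confirm the unallocated-sector content is
# present, then tamper with one byte and confirm the recorded hash catches it.
demo() {
    dir=$(mktemp -d)
    make_fake_disk "$dir/disk.raw"
    image_and_verify "$dir/disk.raw" "$dir/disk.img" || return 1
    verify_image "$dir/disk.img" || return 1
    image_has_marker "$dir/disk.img" || return 1
    printf 'X' | dd of="$dir/disk.img" bs=1 seek=7 conv=notrunc 2>/dev/null
    if verify_image "$dir/disk.img"; then return 1; fi
    rm -rf "$dir"
    return 0
}
```

Run `demo` to exercise the whole flow; it returns 0 only if the image matched the source, the marker from sector 100 was present in the image, and the tampered image failed its hash check. On a real device the source would be a read-only block device rather than a file, and the `.sha256` record is what lets a second examiner, or a defence team working from a copy, confirm they hold the same bytes.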
