
In NTFS Secure Erase Leaves Remains

I was wondering whether drive wiping tools in Windows actually perform as expected by wiping all previously securely deleted content from a mechanical hard drive's unallocated space. I was also curious what information could be gleaned from a wiped drive about the files that were wiped, and whether such a find was worthwhile. My tool of choice for the exercise was CCleaner's free space wiper.

For those that don't know, wiping means overwriting the data with a fixed or pseudo-random pattern (all zeros, all ones, or random bytes) so that the original contents cannot be recovered; it is not a bit flip, since a pass writes the chosen pattern over whatever was there regardless of the old value. One good overwrite pass is generally considered sufficient on modern drives, but tools and standards still offer multi-pass schemes to err on the side of caution. The DoD 5220.22-M method is usually cited as 3 passes, with a 7 pass variant also in circulation. Relying on statistics about older drive encodings, Peter Gutmann, pioneer of the Gutmann Method, opted for a 35 pass wipe, which is widely regarded as overkill (Gutmann himself has said a few random passes are enough for modern drives). Which method is best? There's no way to be certain. Different erase tools perform differently, and some secure erase programs fail to overwrite the data in the appropriate fashion.

For my purpose of wiping the data from the hard drive I decided on being cautious but not outright paranoid (most of the files I deleted for this exercise were junk anyhow). I opted for the standard 7 pass method. Regardless of what type of pattern wipe you choose, or what wiping program you use, the results below will be the same, because they depend on where the wiper writes rather than on what it writes: a free space wiper overwrites unallocated clusters, and the index entries discussed below live in allocated space.

I found that while alternate data streams and unallocated space on the drive were essentially wiped clean, file names were recoverable in the $I30 index (the directory index that NTFS keeps in each folder's $INDEX_ROOT and $INDEX_ALLOCATION attributes) of sub-folders on the drive. How was this possible when the $MFT no longer had records for those files?

I'm relatively new to forensics and didn't have a clue at first, but with proper research I figured it out. All credit belongs to those that came before me. The blog post that explained it is entitled "NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files" by Chad Tilbury, a SANS Institute instructor.

If you're interested in learning more, please check out that post. Essentially I learned that in forensics we can find traces of wiped content by examining the NTFS directory index, $I30, which is still located in NTFS allocated space (FYI, I triaged the drive by examining it in FTK Imager). (Also, if the file was ever EFS encrypted, the $EFS stream, the $LOGGED_UTILITY_STREAM attribute that holds the encrypted file-encryption key, is one more artifact that can linger. This is one of the many reasons the cipher command warns the user to encrypt an entire folder instead of individual files within it.)

While I was unable to actually recover the files, I was able to glean the names of the files that I previously erased. Knowing which sub-folder's index held the entry would also show a forensic investigator where the data was actually stored. But what is even more interesting is that Tilbury's article states that MAC times can also be gleaned from an $I30 entry: each entry carries a copy of the file's $FILE_NAME attribute, which holds the file's four timestamps, its allocated and real sizes and a reference to its parent directory. Plus, knowing the names, types and sizes of securely erased files may lend a hand to advanced data carving. Very cool. It truly makes the index a trove of useful information in an investigation.
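Tilbury's post explains what these index entries contain; the Python below is added here as an illustration of that structure and is not taken from his post, from this blog, or from any forensic tool. It walks a single $INDEX_ALLOCATION block (an INDX record) the way a parser would: it undoes the update sequence fixups, lists the live entries, then carves the slack between the end of the live entries and the end of the node for $FILE_NAME structures that NTFS left behind. The block layout is the real on-disk format; the sample folder with its three files, the timestamp, and the routine that mimics how NTFS shifts entries on deletion are constructed for the example, and a 4096-byte block with 512-byte sectors is assumed.

```python
"""Walk an NTFS $I30 INDX block for live $FILE_NAME entries and carve stale ones from its slack."""
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512            # assumed sector size; a fixup sits in the last 2 bytes of every sector
FN_FIXED = 0x42         # fixed part of $FILE_NAME before the UTF-16LE name
FN_FMT = "<Q4Q2QIIBB"   # parent ref, 4 timestamps, alloc size, real size, flags, reparse, name len, namespace
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_TIME = datetime(2021, 3, 4, 9, 30, tzinfo=timezone.utc)   # constructed sample timestamp

def to_filetime(dt):    # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

PLAUSIBLE = tuple(to_filetime(datetime(y, 1, 1, tzinfo=timezone.utc)) for y in (1990, 2100))

def parse_file_name(buf, off):
    """Decode a $FILE_NAME structure at off, or None if the bytes do not look like one."""
    if off + FN_FIXED > len(buf):
        return None
    parent, *times, _, real, _, _, nlen, ns = struct.unpack_from(FN_FMT, buf, off)
    name_end = off + FN_FIXED + 2 * nlen
    if not (1 <= nlen <= 255 and ns <= 3 and name_end <= len(buf)
            and all(PLAUSIBLE[0] <= t <= PLAUSIBLE[1] for t in times)):
        return None
    name = buf[off + FN_FIXED:name_end].decode("utf-16-le", "replace")
    if "\ufffd" in name or any(ord(c) < 0x20 for c in name):
        return None
    return {"name": name, "parent_mft": parent & 0xFFFFFFFFFFFF, "size": real,
            "times": [from_filetime(t) for t in times],   # created, modified, MFT modified, accessed
            "length": (FN_FIXED + 2 * nlen + 7) & ~7}      # index entries are 8-byte aligned

def apply_fixups(block):
    """Undo the update sequence: each sector tail holds the USN on disk, the real bytes sit in the USA."""
    if block[:4] != b"INDX":
        raise ValueError("not an INDX record")
    buf = bytearray(block)
    usa_off, count = struct.unpack_from("<HH", buf, 4)
    for i in range(1, count):
        end = i * SECTOR - 2
        if buf[end:end + 2] != buf[usa_off:usa_off + 2]:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % i)
        buf[end:end + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def node_bounds(buf):   # absolute offsets of: first entry, end of live entries, end of the node
    first, total, alloc = struct.unpack_from("<III", buf, 0x18)
    return 0x18 + first, 0x18 + total, 0x18 + alloc

def walk_entries(buf):   # yields (offset, entry size, $FILE_NAME dict) for every live entry
    off, end, _ = node_bounds(buf)
    while off < end:
        _, esize, _, eflags = struct.unpack_from("<QHHI", buf, off)
        if eflags & 2:                        # last-entry marker carries no $FILE_NAME
            return
        yield off, esize, parse_file_name(buf, off + 16)
        off += esize

def carve_slack(buf):
    """Scan from the end of the live entries to the end of the node for stale $FILE_NAMEs."""
    _, off, end = node_bounds(buf)
    found = []
    while off + FN_FIXED <= end:
        fn = parse_file_name(buf, off)
        if fn:
            found.append(fn)
        off += fn["length"] if fn else 8
    return found

def make_entry(mft_no, parent_no, name, size, when):   # constructed sample data from here down
    ts = to_filetime(when)
    fn = struct.pack(FN_FMT, (1 << 48) | parent_no, ts, ts, ts, ts,
                     (size + 4095) & ~4095, size, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    esize = (16 + len(fn) + 7) & ~7
    return struct.pack("<QHHI", (1 << 48) | mft_no, esize, len(fn), 0) + fn.ljust(esize - 16, b"\0")

def build_indx(entries, block=4096):   # lay a block out the way NTFS does, fixups included
    body = b"".join(entries) + struct.pack("<QHHI", 0, 16, 0, 2)   # flags=2: last entry
    count = block // SECTOR + 1
    first = ((0x28 + 2 * count + 7) & ~7) - 0x18                   # entries follow the USA, 8-aligned
    buf = bytearray(block)
    buf[:0x18] = b"INDX" + struct.pack("<HHQQ", 0x28, count, 0, 0)
    struct.pack_into("<IIII", buf, 0x18, first, first + len(body), block - 0x18, 0)
    buf[0x18 + first:0x18 + first + len(body)] = body
    usa = bytearray(b"\x01\x00")
    for s in range(1, block // SECTOR + 1):   # swap the USN into each sector tail, keep the originals
        usa += buf[s * SECTOR - 2:s * SECTOR]
        buf[s * SECTOR - 2:s * SECTOR] = b"\x01\x00"
    buf[0x28:0x28 + len(usa)] = usa
    return bytes(buf)

def delete_entry(buf, name):
    """Mimic NTFS removal: later entries shift up and the total shrinks; bytes past the new end stay."""
    buf = bytearray(buf)
    end = node_bounds(buf)[1]
    for off, esize, fn in walk_entries(buf):
        if fn and fn["name"] == name:
            buf[off:end - esize] = buf[off + esize:end]
            struct.pack_into("<I", buf, 0x1C, end - esize - 0x18)
            return bytes(buf)
    raise KeyError(name)

def demo():   # three files in one folder, two deleted: (live names, stale entries carved from slack)
    on_disk = build_indx([make_entry(40, 5, "budget.xlsx", 20480, SAMPLE_TIME),
                          make_entry(41, 5, "notes.txt", 512, SAMPLE_TIME),
                          make_entry(42, 5, "zz-payroll.docx", 73000, SAMPLE_TIME)])
    node = delete_entry(delete_entry(apply_fixups(on_disk), "zz-payroll.docx"), "notes.txt")
    return [fn["name"] for _, _, fn in walk_entries(node)], carve_slack(node)
```

demo() returns the one surviving live name and the two carved entries, each with its name, size, parent directory reference and the four $FILE_NAME timestamps, even though neither deleted file has an $MFT record any more. On a real image you would feed apply_fixups() each block of a directory's $INDEX_ALLOCATION attribute and carve the node inside $INDEX_ROOT the same way (that resident node has no fixups of its own). Note what the shift destroys: the 16-byte entry header holding the deleted file's own MFT reference is the first thing overwritten, so what survives in slack is the $FILE_NAME body, which is why the carver keys on plausible timestamps and a decodable name rather than on the header.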

As a student currently enrolled in forensics classes, my goal was to see if secure erasing completely removed "all traces" of said evidence on a Windows system. I was shocked to learn that it does not (yeah, I'm a "noob" with some things; this information has been out for a while, but I'm not afraid to admit that I'm learning). For more in-depth information on parsing the index or extracting more information from the file system, please see the links below.

Apparently plenty of remnants are left behind that indicate a drive has been wiped: evidence that the wiping executable was launched, obviously, but also traces of the wiped content itself. If you're interested in the topic I highly recommend researching it more thoroughly.

Obviously there are ways of getting rid of data more effectively. Wiping the entire disk from outside of Windows is preferable, though manufacturer-style wipes are always the best, because the drive's firmware performs the erase and reaches areas that a file-system-level wipe never touches. After my recent class I've been toying around with hdparm against SATA drives that accept the ATA Secure Erase commands and found this method to be best. Of course you could use dc3dd/dcfldd's pattern filling function as well.

File Wiping/Free Space Wiping Methods Used

Files were securely erased with Eraser using a 7 pass wipe, and then a free space wipe (7 pass) was performed on the same drive in CCleaner.

Sources

Tilbury, Chad. “NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files.” SANS Blog. September 20, 2011.

I first read about the blog post on the Wilders Security Forums after doing a Google search for $I30.