
Hard Drive Wiping

Hard drive wiping is an important process in computer forensics for several reasons. It involves securely erasing data from a hard drive or storage device in order to protect sensitive information and to prevent data cross-contamination, which would affect the integrity of digital evidence in a court.

When a computer or storage device is seized for forensic investigation, the first step is to make a forensic image of the hard drive. This involves creating a bit-by-bit copy of the entire drive, including deleted files and unused space. This image is then used for forensic analysis and evidence recovery. However, before the image is taken, a clean hard drive must be wiped and prepared to receive this forensic image. This prevents cross-contamination between different cases.

There are several methods for wiping a hard drive. The simplest method is to use a software tool, such as Disk Utility in macOS or the Disk Management tool in Windows, to format the drive. This will erase all data on the drive, but Windows formatting is not sufficient to establish forensically sterile conditions. Formatting only changes the file system on the drive; it does not physically destroy the data, which data recovery software can still recover.

A better option is to use a software tool specifically designed for hard drive wiping, such as the wiping utility built into EnCase and many other forensics packages. These tools can use a variety of overwriting patterns and methods, such as multiple passes, random data patterns, and government-approved wiping standards. In most commercial settings a single overwrite of the data is sufficient to establish forensically sterile conditions.

Another option is to use a hardware wiping device. These devices are available as part of many forensic imaging devices and do a good job at removing data.

Forensically sterile conditions should not be confused with the government standards for the protection of classified documents such as the Department of Defense (DoD) standard 5220.22-M. This standard requires the use of multiple overwriting passes, including random data patterns, to ensure that no data on the drive can be recovered even with the most sophisticated data recovery methods. While this standard does produce forensically sterile conditions in most cases it is overkill and causes excessive wear on the storage media.
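The single overwrite pass described above is only useful if the result is checked before the drive receives an image. The following is an added example, not code from this page or from any forensic package: it overwrites a target once and then verifies that no non-blank byte remains. The function names, the all-zero wipe pattern and the use of a regular file as a stand-in for the target drive are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: single-pass wipe of an evidence-target drive, then
# verification that it is sterile. Assumptions: the wipe pattern is 0x00
# and a regular file stands in for the drive so this is safe to run.

# Size in bytes. wc -c is portable; on a real Linux block device
# `blockdev --getsize64` gives the same number without reading the disk.
target_size() {
    wc -c <"$1" | tr -d ' '
}

# Overwrite every byte of the target once with 0x00, in place.
wipe_single_pass() {
    size=$(target_size "$1") || return 1
    head -c "$size" /dev/zero | dd of="$1" bs=65536 conv=notrunc 2>/dev/null
    sync
}

# Count bytes that are not 0x00. A sterile target has none.
nonzero_bytes() {
    LC_ALL=C tr -d '\000' <"$1" | wc -c | tr -d ' '
}

# Exit status 0 only if the whole target reads back as the wipe pattern.
verify_sterile() {
    [ "$(nonzero_bytes "$1")" -eq 0 ]
}

# One line suitable for pasting into case notes; always returns 0.
wipe_report() {
    n=$(nonzero_bytes "$1")
    if [ "$n" -eq 0 ]; then status=STERILE; else status=NOT_STERILE; fi
    printf '%s target=%s size=%s nonzero_bytes=%s\n' \
        "$status" "$1" "$(target_size "$1")" "$n"
}

# Constructed sample: 1 MiB of random data imitating a reused drive.
demo_target=$(mktemp)
head -c 1048576 /dev/urandom >"$demo_target"
wipe_report "$demo_target"        # before the wipe
wipe_single_pass "$demo_target"
wipe_report "$demo_target"        # after the wipe
rm -f "$demo_target"
```

Formatting a drive would leave most of its bytes unchanged, so the same check would report a formatted drive as not sterile.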

In conclusion, hard drive wiping is an important process in computer forensics that helps to ensure the integrity of digital evidence and establish forensically sterile conditions. There are several methods for wiping a hard drive, which include special software or hardware. However, it is important to ensure that the wiping method used is compliant with legal and regulatory requirements for your specific circumstance. With these measures in place, a computer forensics investigation can proceed with confidence.










The American Society of

     Digital Forensics & eDiscovery, Inc®

      For Digital Evidence Experts™

      2451 Cumberland Parkway, Suite 3382 

     Atlanta, GA 30339-6157

     (404) 919-1143











Copyright 2024
