
X-Ways Support Forum » Hex Editing » Wiping certain files (Emails) from free space


Lowell V. Jacobsen
Username: jakester

Registered: N/A
Posted on Monday, Sep 29, 2008 - 21:28:   

Hello,
Is there a way to wipe certain emails only from unallocated/free space?

I am under court order to take a blown out image, "wipe" over only certain emails on a hard drive. I have used a wiping program to wipe the emails located in the allocated section of the hard drive, but now I need to search through the unallocated section of the hard drive and wipe the deleted emails.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Monday, Sep 29, 2008 - 21:38:   

No, not possible with WinHex.

Bill Spernow
Username: byteguy

Registered: N/A
Posted on Tuesday, Sep 30, 2008 - 1:40:   

Is there anything in the Court order that prevents you from wiping ALL of free space on the hard drive in question?

Bill Spernow
bill.spernow@securitymentors.com

Lowell V. Jacobsen
Username: jakester

Registered: N/A
Posted on Tuesday, Sep 30, 2008 - 2:21:   

Hi Bill,
Yes there is. The only thing I can wipe is attorney/client emails between the two.

The computer forensic expert hired by the wife is looking for financial records. They, the ex-wife and her attorney, are convinced that the husband has deleted financial files prior to having his computers imaged.
So, the judge made a ruling that only the attorney/client communications with each other can be wiped.
The problem is, the husband deleted all of the emails. So, the only place I can find them is in the unallocated section of the hard drive.

I am using the "Specialist" version of WinHex and the last time I used a hex editor was in my early training back in the late 90's.

I don't know if Stefan understood my question but, why can't I use the word search built-in tool to locate the attorney's email address in the unallocated section of the hard drive, then manually swipe all of the email and have just this highlighted section written over with all 0's, or random characters?
Jakester

Jimmy Weg
Username: jw

Registered: 7-2006
Posted on Tuesday, Sep 30, 2008 - 4:24:   

The court's ruling is flawed. The approach that I have taken is to have counsel file the necessary motions to allow me to explain why the task is not feasible. Absent making this your life's work, there is little assurance that you could wipe every previously existing email and guarantee the results. For example, you may find the relevant email address, but be unable to locate the body of the message, as it may not follow the address. If you revisit the court, at least you'll have some comfort in knowing that your position was heard.

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Sep 30, 2008 - 4:43:   

(Yes, you could wipe all manually selected areas in free space. I thought you were looking for an automatic way.)

Lowell V. Jacobsen
Username: jakester

Registered: N/A
Posted on Tuesday, Sep 30, 2008 - 15:24:   

Jimmy,
Thank you so much for your input. And I agree with you 100%!

I have tried to explain this to the attorney for the husband; however, he just doesn't get it. I will be taking your advice and get a meeting set up with the judge in the case.

And Stefan, I apologize for not making myself clear on my first question.
Jake

Bill Spernow
Username: byteguy

Registered: N/A
Posted on Tuesday, Sep 30, 2008 - 16:03:   

Jake,

If the Judge does not agree with your argument, the verbiage below might help point you in the right direction. While it's not an exact solution to fix your problem, it may get you rolling. I posted this on the "Forensic" forum a couple of months back.

Seems lately I spend a lot of time responding to Court and Attorney directed instructions to sanitize an E01 image by wiping specific files containing privileged data before it is produced to the other side. Given that the entire concept behind an E01 image was to make it tamper-proof, this can be a challenge. I've developed a protocol I wanted to pass along just in case you might have this requirement also at some point in the future. Plus, putting it down here in writing for review by forensic peers helps with Daubert challenges down the road. So these are the steps that will allow you to edit an E01 image.

(1) Use XWF to open a case on the E01 image.

(2) Use File ==> Create Disk Image to save the mounted E01 image as a DD image. Make sure you tell the process that you do NOT want to segment the image into sections. Write the DD image out as one big file. I've had problems in the past trying to edit DD images that are in segments.

(3) Once the DD image is created shutdown XWF. Bring up WinHex and create a case using the new DD image.

(4) Press the F6 key to make sure you are in the "Default Edit Mode" and the browser is displaying your image.

(5) Find a file you want to wipe. Make sure the "File" tab in the center left of the screen (usually) is selected. Select the file and view its contents.

(6) Right-click on the filename in the browser, select "Position," then "List Clusters." Verify that the clusters needed for this file are sequential in the list provided. In this case we are going to assume that they are all sequential. Non-sequential clusters are a different challenge we will touch upon at the end once you get a feel for what needs to be done.

(7) At this stage your next goal is to find out what the size of the file is in hex. Scroll down to the end of the file and click on the last byte in the file. On the left, note its total size. In this case let's say it is "92FFF".

(8) Scroll back up to the beginning of the file. Click on the very first byte. Select the "Partition" tab. Write down the hex offset on the left for the beginning of this cluster/sector. Then select the first byte again, right-click, and make this byte the "Beginning of the block."

(9) Go up to the top left and select "Position ==> Goto Offset". In the box that opens up, type the size of the file in hex (which you got from step (7) above) into the "New Position" field. Select the "Current position" radio button. Click OK.

(10) Step (9) takes you to the end of the file. Select the last byte in the file, right-click, and make this byte the end of the block.

(11) If you have done this right, there should be two hex numbers on the bottom right of the screen. This is the hex range you have selected to be wiped. Open up Microsoft's calculator, select scientific mode, then hex mode, and enter the starting offset you got in step (8). To this add the hex number you got in step (7), the size of the file. This is a check to verify you are wiping out the right range of clusters. The result you get should match the last number displayed in the bottom right of your screen. If it does, go on to the next step; if it does not, repeat the above steps until it does.

(12) OK, now you are ready to wipe the file. In the top left of your screen select "Edit ==> Fill disk sectors." WinHex should default to a simple "00" wipe. Click on OK and wipe the contents of the file you have selected.

(13) Repeat the above steps as many times as required.

(14) I suggest tagging the files you wipe and then when you are done "Export a list ..." of these files for the other side to have so they know what was wiped.

(15) Shutdown WinHex and bring XWF up and mount the edited DD image as a new case. Use "File ==> Create Disk Image" to burn a new E01 image of the DD image for the other side.

(16) Non-sequential cluster problem. You need to select sequential ranges of clusters and wipe them until you go through the entire list. Here's hoping you've got time to kill.

While I understand that this is an involved process, the good news is that it works; the bad news is that it takes a lot of time. I am hoping that in the future WinHex might have an option to wipe a file inside a DD image without having to go through all these steps. Plus, instead of wiping with zeros, an advisement like "Wiped By Court Order" written to the sanitized file might make it easier for all later on when the wiped file is re-examined by parties not aware of the previous history of the case.

Bill Spernow
bill.spernow@securitymentors.com
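The protocol above is a manual procedure inside WinHex. As an added example (not Bill's protocol, not WinHex code, and not part of this thread), the following Python script carries the same idea through on a raw (dd-style) image held in memory: it turns a "List Clusters" style cluster list into contiguous runs (so the non-sequential case in step 16 is handled by the same path as the sequential one), converts each run to a byte range using an assumed partition offset and cluster size, performs the same start-plus-length bounds check as step 11 before writing, overwrites with zeros or with a "wiped by court order" marker, and returns an audit record with before/after SHA-256 hashes and the wiped ranges, which is the information step 14's exported list is meant to give the other side. The partition offset, cluster size, cluster list and the embedded email are all constructed sample values, not data from the case.

```python
"""Wipe specific cluster runs inside a raw (dd) disk image and record what was done.

Added example; not part of the forum thread and not WinHex functionality.
PARTITION_OFFSET, CLUSTER_SIZE, SAMPLE_CLUSTERS and SAMPLE_EMAIL are hypothetical
values; in practice they come from the tool's partition view and "List Clusters".
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

ZERO_FILL = b"\x00"                       # plain 00 wipe, as in the protocol
MARKER_FILL = b"[WIPED BY COURT ORDER] "  # the explanatory alternative suggested above

# Constructed sample layout: a partition starting 1024 bytes in, 512-byte clusters,
# and a fragmented file occupying clusters 3-5 and 9-10.
PARTITION_OFFSET = 1024
CLUSTER_SIZE = 512
SAMPLE_CLUSTERS = [3, 4, 5, 9, 10]
SAMPLE_EMAIL = (b"From: attorney@example.com\r\nTo: client@example.com\r\n"
                b"Subject: privileged\r\n\r\n" + b"body text " * 240)


def clusters_to_runs(clusters: Iterable[int]) -> List[Tuple[int, int]]:
    """Group a (possibly non-sequential) cluster list into (first, count) runs.

    A fragmented file yields several runs; each is wiped as its own sequential
    range, which is exactly what step 16 asks you to do by hand.
    """
    runs: List[Tuple[int, int]] = []
    for c in sorted(set(clusters)):
        if runs and runs[-1][0] + runs[-1][1] == c:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)   # extends the current run
        else:
            runs.append((c, 1))                          # starts a new run
    return runs


def run_to_byte_range(run: Tuple[int, int], partition_offset: int,
                      cluster_size: int) -> Tuple[int, int]:
    """Map a cluster run to an absolute [start, end) byte range in the image."""
    first, count = run
    start = partition_offset + first * cluster_size
    return start, start + count * cluster_size


def wipe_image(image: bytearray, byte_ranges: Iterable[Tuple[int, int]],
               fill: bytes = ZERO_FILL) -> Dict[str, object]:
    """Overwrite each [start, end) range in place; return an audit record.

    The bounds check mirrors step 11: the end must be start + length and must
    lie inside the image, or nothing at all is written.
    """
    if not fill:
        raise ValueError("fill pattern must be non-empty")
    ranges = list(byte_ranges)
    for start, end in ranges:                            # validate before any write
        if start < 0 or end > len(image) or end <= start:
            raise ValueError(f"range {start:#x}-{end:#x} is outside the image")
    before = hashlib.sha256(image).hexdigest()
    wiped = []
    for start, end in ranges:
        length = end - start
        pattern = (fill * (length // len(fill) + 1))[:length]
        image[start:end] = pattern
        wiped.append({"start": f"{start:#x}", "end": f"{end:#x}", "length": f"{length:#x}"})
    return {"sha256_before": before,
            "sha256_after": hashlib.sha256(image).hexdigest(),
            "wiped": wiped}


def sanitize_file(image: bytearray, clusters: Iterable[int], partition_offset: int,
                  cluster_size: int, fill: bytes = ZERO_FILL) -> Dict[str, object]:
    """Steps 6-13 for one file: cluster list -> runs -> byte ranges -> wipe."""
    ranges = [run_to_byte_range(r, partition_offset, cluster_size)
              for r in clusters_to_runs(clusters)]
    return wipe_image(image, ranges, fill)


def find_residue(image: bytes, needle: bytes) -> List[int]:
    """Offsets where a search term (e.g. an address) still occurs after wiping."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def build_sample_image() -> bytearray:
    """Constructed 16-cluster image with SAMPLE_EMAIL written into SAMPLE_CLUSTERS."""
    image = bytearray(b"." * (PARTITION_OFFSET + 16 * CLUSTER_SIZE))
    pos = 0
    for run in clusters_to_runs(SAMPLE_CLUSTERS):
        start, end = run_to_byte_range(run, PARTITION_OFFSET, CLUSTER_SIZE)
        chunk = SAMPLE_EMAIL[pos:pos + (end - start)]
        image[start:start + len(chunk)] = chunk
        pos += end - start
    return image


if __name__ == "__main__":
    img = build_sample_image()
    record = sanitize_file(img, SAMPLE_CLUSTERS, PARTITION_OFFSET, CLUSTER_SIZE, MARKER_FILL)
    print(record)
    print("residue:", find_residue(bytes(img), b"attorney@example.com"))
```

Two practical notes. The script only addresses the allocated-file case the protocol covers: the cluster list is the authority for what gets wiped, so a message whose body lies elsewhere in free space, the situation Jimmy describes, is not found by it, and find_residue exists precisely to show whether a search term still turns up afterwards. The before/after hashes and the range list are what you would hand over with the re-acquired E01 so that the other side can see exactly which bytes changed and nothing else.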

Lowell V. Jacobsen
Username: jakester

Registered: 1-1997
Posted on Tuesday, Sep 30, 2008 - 21:08:   

Bill,
Thank you for spelling out your "protocol" step by step.
If my input to the Judge doesn't work, I'll try your
detailed method.

Thanks for sharing it!

Jakester

Forum operated by X-Ways Software Technology AG.