DD: A HARD DRIVE CLEANSING TOOL

Sometimes you may find it financially practical to reuse hard drives to collect evidence from different source media from separate incidents. Therefore, the storage hard drive should be free from artifacts left over from previous duplications. The worst-case scenario an investigator could face is proving an innocent individual guilty with artifacts of a previous investigation! This is where dd can save the day once again by cleansing the evidence media before its reuse.

Implementation

Open-source Unix operating systems, such as Linux and FreeBSD, provide a special file appropriately named /dev/zero, which when read returns an unlimited stream of zeros. If you use this file as the input and the evidence media as the output, you write zeros to the evidence media. When the entire evidence drive is written with zeros, it is considered cleansed before its next use.

Caution 

This process deletes all data, file system structures, and unallocated space. Be careful when assigning the source and destinations using the dd command.

The following command demonstrates how you would cleanse an evidence drive connected to /dev/hdb on a Linux system:

 forensic# dd if=/dev/zero of=/dev/hdb 

To perform the same cleanse on a FreeBSD platform, you would change the of, or output file, to the correct hard drive device name, like so:

 forensic# dd if=/dev/zero of=/dev/ad1 

If you doubt this command zeroed out the destination hard drive, use the hex viewers discussed in Chapter 25 (such as hexdump, hexedit, xvi32, and so on) to view the hard drive to verify that it contains zeros. You could additionally use grep and the -v flag with the search criteria of . The -v flag will search for anything that is not a zero and report it when it searches the appropriate hard drive. If you do not receive a match, the hard drive contains all zeros.
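The verification step described above can also be scripted. The following is an added example, not code from the book: it counts non-zero bytes with tr and wc, and it runs against a constructed scratch image file rather than /dev/hdb. The function names and the sample residue string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm a cleansed target holds only zero bytes.
# Works on a constructed scratch image, never on a real device.

# Print how many bytes in $1 are not 0x00 (tr deletes NULs, wc counts the rest).
count_nonzero() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Succeed only if every byte of $1 is zero.
is_zeroed() {
    [ "$(count_nonzero "$1")" -eq 0 ]
}

# Constructed sample: a 1 MiB "evidence drive" image with residue from
# an earlier duplication left at sector 100.
make_dirty_image() {
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    printf 'residue from previous case' |
        dd of="$1" bs=512 seek=100 conv=notrunc 2>/dev/null
}

# Overwrite the file $1 in place with zeros, keeping its size. A real
# device needs no length: dd stops when the device is full.
zero_fill() {
    size=$(wc -c < "$1" | tr -d ' ')
    head -c "$size" /dev/zero | dd of="$1" bs=65536 conv=notrunc 2>/dev/null
}

demo() {
    img=$(mktemp)
    make_dirty_image "$img"
    echo "before wipe: $(count_nonzero "$img") non-zero bytes"
    zero_fill "$img"
    if is_zeroed "$img"; then
        echo "after wipe: all zeros, media is cleansed"
    else
        echo "after wipe: $(count_nonzero "$img") non-zero bytes remain" >&2
    fi
    rm -f "$img"
}

demo
```

Because count_nonzero only reads its argument, the same check can be pointed at the evidence device after the dd cleanse; a result of 0 means the drive contains all zeros.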



Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2006
Pages: 175
