Analecta Cyber Company Blog: October 2014


Imaging with dc3dd

Creating a forensic image of media is one of the fundamental capabilities of any forensic investigator. A great tool for accomplishing this is dc3dd - a version of the Unix/Linux dd program redesigned by the engineers at the DoD Cyber Crime Institute (DCCI).

Here's a procedure you may consider using for imaging media with dc3dd.


Is data ever really gone?

[Figure: High-resolution Garnet image of a hard drive, by Advanced Integrated Scanning Tools for Nano Technology (AIST-NT)]
In the realm of cyber security and digital forensics, we know that data doesn't disappear from a drive when a user "deletes" a file - the data structures that point to the data on disk are modified in such a way that the filesystem no longer believes there is a file present.


Data sanitization, on the other hand, is a process of overwriting the full contents of a disk. Even a single overwrite of each disk sector will make recovering data through the drive interface impossible.
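To make the two points above concrete (a delete only edits the data structures; a single overwrite removes the bytes themselves), here is an added illustration that is not part of the original post. It models a hypothetical toy block device whose block 0 is a directory table and whose other blocks hold file data; all names, sizes and sample content are constructed for the demo.

```python
import struct

BLOCK, NBLOCKS = 64, 16              # toy geometry, constructed for this demo
ENTRY = struct.Struct("<8sHH")       # directory entry: name, first block, byte length
SLOTS = range(0, BLOCK - ENTRY.size + 1, ENTRY.size)

class ToyDisk:                       # hypothetical device: block 0 = directory, rest = data
    def __init__(self):
        self.raw = bytearray(BLOCK * NBLOCKS)   # factory-fresh media, all zeros
        self.next_free = 1

    def _entries(self):
        for off in SLOTS:
            name, start, length = ENTRY.unpack_from(self.raw, off)
            if start:                # start == 0 marks an unused directory slot
                yield off, name.rstrip(b"\0"), start, length

    def write_file(self, name, data):
        slot = next(o for o in SLOTS if ENTRY.unpack_from(self.raw, o)[1] == 0)
        start = self.next_free
        self.raw[start * BLOCK:start * BLOCK + len(data)] = data
        ENTRY.pack_into(self.raw, slot, name.ljust(8, b"\0"), start, len(data))
        self.next_free += -(-len(data) // BLOCK)   # ceiling division

    def delete_file(self, name):
        # A filesystem "delete": only the directory pointer is cleared, data blocks stay.
        for off, n, _, _ in self._entries():
            if n == name:
                self.raw[off:off + ENTRY.size] = bytes(ENTRY.size)
                return
        raise FileNotFoundError(name)

    def list_files(self):
        return [n for _, n, _, _ in self._entries()]

    def carve(self, needle):
        # The examiner's view: search the raw media, not the directory.
        return needle in self.raw

    def sanitize(self):
        # Single-pass overwrite of every sector, the post's definition of sanitization.
        self.raw[:] = bytes(len(self.raw))

def demo():
    d = ToyDisk()
    d.write_file(b"notes", b"CONFIDENTIAL payroll 2014")   # constructed sample content
    d.delete_file(b"notes")
    result = {"listed": d.list_files(), "carved_after_delete": d.carve(b"CONFIDENTIAL")}
    d.sanitize()
    result["carved_after_wipe"] = d.carve(b"CONFIDENTIAL")
    return result
```

After `delete_file` the directory lists nothing, yet `carve` still finds the content in the raw bytes; only after `sanitize` does the search come back empty.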

For years I've mused about the reasons the U.S. federal government would require multiple overwrites on magnetic media before considering the media "sanitized" and I believe the answer has been made public by the NSA.