Destructed Data Forensics- Part 4

data-destruction1

In this blog, we are going to discuss the data retrieved from DD2. DD2 underwent an identical submersion process to DD1 and DD5, but was submerged for 30 minutes.  Initially, we could not read the hard drive after the submersion.  We attempted to dry it out and test it again, but the drive was still not able to be read. The circuit board was found to be corroded, so we took a functioning circuit board from another hard drive of the same make and model and put it onto DD2. We then connected it to the write blocker before trying again, and this time we were able to get an image.

111222

We were concerned about the consistency of the hashes due to the circuit board switch, but the MD5 hashes remained the same in both the pre- and post-submersion images. After processing the images of DD2 in FTK 4.1, we began analyzing all of the acquired images and took screenshots of two files from each image. These screenshots will be included in the official HDD in Water report. Upon completion of manual analysis, we found that no data was lost. We have concluded testing on water submersion drives, and we are now working on finalizing the report. Next, we will begin testing hard drives that have been dropped from different heights, following the same process of checking the before and after images for any data loss.

333

444

555

6666

777

 

To read past blog entries about the Destructed Data project, follow these links!

http://computerforensicsblog.champlain.edu/2013/09/28/data-destruction-forensics/

http://computerforensicsblog.champlain.edu/2013/10/07/data-destruction-forensics-part-2/

http://computerforensicsblog.champlain.edu/2013/10/17/destructed-data-forensics-part-3/