Usually we receive data carefully preserved by investigators here at the LCDI; however, receiving intact data is not always possible. In many forensic investigations, data is destroyed or damaged because of an individual trying to hide or destroy the data through various means (such as throwing the hard drive into the lake or smashing the hard drive with a hammer). We will subject different hard drives to various physical tests in an attempt to destroy the hard drive and its contents. We will then attempt to recover as much data as possible from the hard drives. We suggest that examiners research what is the best possible way to retrieve this data without further destroying what evidence might remain, and attempt to capture it. We are looking to find how much data we can get from these devices, and how well the LCDI can handle destructed data. With this project, we hope to provide general knowledge and research on the most common destruction techniques used as well as how to effectively recover data.
Before we begin our testing, we will add our FIRE (Forensic Image for Research and Examination) to each of our hard drives, so that we do not have to generate additional data. The FIRE image contains numerous forensic artifacts that can be used for any project, from tool testing to research and development. It is a very large image containing data on three different operating systems: Windows, Linux, and Mac. We will acquire each hard drive before beginning our mass destruction.
Our first test will be submerging a hard drive in water for different intervals of time, starting at 10 minutes and ending at 24 hours. Between each interval of time, we will dry off the hard drive and then attempt to acquire data with FTK Imager, FTK (Forensic Toolkit) 4.1, and/or EnCase. We will then drop a hard drive from different heights, smash a hard drive with a hammer, and place magnets on a hard drive to try and destroy the data, upon which we will also attempt to recover as much of the data as possible.
-Colby Lahaie