Preparing a disk for the suspect image

One common practice in forensic disk analysis is to “wipe” a disk prior to restoring a forensic image to it. This ensures that any data found on the restored disk is from the image and not from “residual” data, that is, data left behind from a previous case or image.

We can use a special device, /dev/zero, as a source of zeros. It can be used to create empty files and to wipe portions of disks. You can write zeros to an entire disk using the following command:

dd if=/dev/zero of=/dev/hdx bs=4096

This starts at the beginning of the drive and writes zeros to every sector in 4096-byte chunks. Specifying larger block sizes can speed the writing process. Experiment with different block sizes and see what effect they have on the writing speed (e.g. 32k, 64k, etc.). I’ve wiped 60GB disks in under an hour on a fast IDE controller with the proper drive parameters. Specific drive parameters can be set using the hdparm command. Check hdparm’s man page for available options. For instance, setting DMA on a drive can dramatically speed things up.

So how do we verify that the write (of zeros) was a success? You could check random sectors with a hex editor, but that’s not realistic for a large drive. One of the best methods is to use the xxd command (a command line hexdump) with the “autoskip” option (this works if the drive was wiped with 0x00). The output of this command on a zeroed drive is just three lines: the first line, starting at offset zero with a row of zeros in the data area; an asterisk (*) indicating that the lines in between are identical; and finally the last line, with the final offset followed by the remaining zeros in the data area. Here’s an example of the command on a zeroed drive (floppy) and its output.

xxd -a /dev/fd0

0000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................
*
0167ff0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
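The wipe-and-verify procedure above as a script, added here as an example (it is not part of the original tutorial): dd from /dev/zero over a target, then a count of every byte that is not 0x00, plus the xxd autoskip view when xxd is installed. A scratch file stands in for /dev/hdx so it runs without root or a spare disk, which is why a block count is passed; on a real block device the count is omitted and dd stops at the end of the device.

```shell
#!/bin/sh
# Added example, not from the original tutorial: wipe a target with dd
# from /dev/zero, then prove that every byte is zero. A scratch file
# stands in for /dev/hdx so it runs without root or a spare disk.

# Overwrite the target with zeros in $2-byte blocks (default 4096).
# Without a block count dd writes until it hits the end of the device
# (dd then reports "No space left on device", the normal stop there);
# pass a count when the target is a regular file.
wipe_target() {
  target=$1
  bs=${2:-4096}
  count=${3:-}
  if [ -n "$count" ]; then
    dd if=/dev/zero of="$target" bs="$bs" count="$count" 2>/dev/null
  else
    dd if=/dev/zero of="$target" bs="$bs" 2>/dev/null || true
  fi
  # Make sure the zeros reached the medium before we verify.
  sync
}

# Count bytes that are not 0x00; a wiped target yields 0. This reads the
# whole target, so it is slow on a big disk but leaves nothing unchecked.
nonzero_bytes() {
  tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Show the xxd autoskip view from the tutorial when xxd is available: a
# clean target gives the first row, a "*" for repeated rows, and the last.
xxd_summary() {
  if command -v xxd >/dev/null 2>&1; then
    xxd -a "$1"
  else
    echo "xxd not installed; skipping autoskip view" >&2
  fi
}

# Constructed scratch "disk": 1 MiB of residual data from a previous case.
scratch=$(mktemp)
trap 'rm -f "$scratch"' EXIT
dd if=/dev/urandom of="$scratch" bs=4096 count=256 2>/dev/null
echo "non-zero bytes before wipe: $(nonzero_bytes "$scratch")"

wipe_target "$scratch" 4096 256
echo "non-zero bytes after wipe:  $(nonzero_bytes "$scratch")"
xxd_summary "$scratch"
```

A non-zero count after the wipe means the write did not cover the whole target (a wrong device name, an unset count on a regular file, or a write error dd reported).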
