SANS Digital Forensics and Incident Response Blog: Author - craigswright

SQL, Databases and Forensics

by Craig Wright

For the most part, databases have become an integral part of any organization. More importantly, they have become mission critical. On top of this, many enterprise-level databases are far larger than any disk you are likely to encounter. As an example, I was required to image a database that belonged to an insurance company. This database was 68TB in total size and it was business critical. The consequence is that you need to start thinking of other ways to do forensic work on databases.

As with all live system forensics, begin with gathering the evidence required starting from the most volatile and working toward that which is unlikely to change. When doing this, remember to:

  • Protect the Audit Trail - Protect the audit trail so that audit information cannot be added, changed, or deleted.

Starting a Drive Repair/Recovery Lab

by Craig Wright

I have been writing about drive wiping and recovery for a while now. So I thought it about time that I started to go over the basic tools. There are a large number of tools that should be held at the ready if you are doing drive imaging and recovery on a regular basis. I will not get into SEMs and spin-disk stands in this post, but I will cover the basic tools that are necessary to take a drive apart and do the basics (such as changing a head and manually adjusting the gradient angle of a head stack axis in a drive).

First, there are all of the tools such as screwdrivers and the connectors.

I will not go into detail here other than to state that you should collect every tool available to humankind. You never know when you will need a pentagonal star security


Free Windows Drive tools

by Craig Wright

In this post I am going to talk about three free tools that are essential for diagnosing problems with failing drives. These are HDDscan, the USBASPI V2.20 MS-DOS Driver and Partition Find and Mount.


HDDscan allows you to scan the surface, view SMART attributes, and adjust AAM and APM (power management) settings, etc., on a drive that you are working with.

It will also report on SMART-enabled drives. For instance, the report on the SMART-enabled USB drive shows that the enclosure does not have adequate airflow. This has the drive running at 54 Celsius. Way too hot. Many of the drive enclosures that we find for USB hard drives are inadequate for continuous use and seem doomed to premature


Overwriting can occur anytime, as long as it is done once after

In recent posts, I have reported on some of the findings published in a paper I co-authored with Dave Kleiman and Sundhar S. R. S [1]. We are working on a series of follow-up papers on the topic where we are using spin-disk and SEM-based techniques to map out what occurs in each bit cell as it is overwritten. Prof. Fred Cohen (the person who coined the term "computer virus" in the 80's) has been coercing us to do this.

One thing I shall try and clear up for the moment is the matter of multiple overwrites. What people have missed in many instances is that normal use of the drive is equivalent to a wipe pass. This means that a wipe can be done BEFORE use, as long as a wipe is also done after. That is, the drive that is wiped two (2) times before being used and then is wiped again before being handed over is equivalent to the drive that


What happens when you overwrite data?

My thanks to Dave Kleiman (a co-author, with me, of the original paper [8]) for reviewing and adding to this series of postings.

Drive technology is set to change in the near future with patterned media (which uses a single pre-patterned large grain per bit) [1]. It is this type of technology which will soon allow us to achieve "Terabit per Square Inch" recording densities.

Figure 1 - A Single Track with a Patterned Media Drive

Conventional magnetic media has been made from groupings of sub-10nm magnetic grains. These grains have traditionally been able to form an individual magnetization