SISY 2018 • IEEE 16th International Symposium on Intelligent Systems and Informatics • September 13-15, 2018, Subotica, Serbia
Wiping techniques and anti-forensics methods
Miroslav Ölvecký*, Darja Gabriška*
* Department of Applied Informatics, University of SS. Cyril and Methodius, Trnava, SK-917 01, Slovak Republic
[email protected], [email protected]
978-1-5386-6841-2/18/$31.00 ©2018 IEEE

Abstract— This paper presents the theoretical background of our main research activity, which is focused on the evaluation of wiping/erasure standards that are mostly implemented in specific software products developed for data wiping. The information saved on storage devices often consists of metadata and trace data. These kinds of data, among others, are very important in the process of forensic analysis because they sometimes contain information about the interconnection with another file. Most people save their sensitive information on local storage devices and later want to securely erase these files, but this operation is usually problematic. Secure file destruction is one of many anti-forensics methods. The outcome of this paper is a definition of future research activities focused on the establishment of a suitable digital environment. This environment will be prepared for testing and evaluating selected wiping standards and appropriate eraser software.

I. INTRODUCTION
Digital forensics as a science is focused on the investigation process of digital evidence. Tools exist to identify files on the evidence, to collect and analyse the appropriate information, and to create a report (presentation) of the outcome of the investigation. On the other hand, anti-forensics as a science is focused on file destruction on any type of storage device and on hiding information (especially metadata or trace data) that can be important for finding a collection of sensitive information. This process is important for everyone who wants to securely erase sensitive personal or business data and does not want to share it with anybody [1]. In recent years the amount of sensitive information has increased, especially in the areas of financial services, government, the healthcare sector and IoT (Internet of Things), for many kinds of applications [2, 3, 4].
In general, sensitive information is defined as information which has to be protected from unauthorized access. The best idea for securely erasing not only sensitive information from storage devices is to write zeros or random data to each file's allocation or to all places on the device that are not in use [5]. This method is often called overwriting, and it can be considered the oldest and most common method in the area of anti-forensic tools [6]. The main goal of this paper is to create an appropriate digital environment that contains an anti-forensic tool, a sample of information which can be securely erased, eraser software with selected wiping methods/standards, and also storage devices.

II. RELATED WORKS
Many studies in recent years have focused on wiping data or secure file erasing on any type of storage device [7, 8, 9]. One of the oldest wiping methods is from Peter Gutmann (called Gutmann 35-passes): “With modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 200GB of other erased traces are close to zero” [10]. According to Gutmann, more specialised equipment is able to recover information from storage devices even after multiple overwriting passes over files [11]. But the results of other researchers [11, 12] have shown that even a single overwriting pass makes recovery questionable. Therefore many wiping methods/standards exist, which can be used in different ways in specific secure eraser software. It is also important not only to securely erase sensitive information from storage devices, but also to remove and destroy the metadata and trace data of the specific file.

III. METADATA
Whenever file information is created and saved on a storage device, it gets its own metadata. Often the operating system or specific software creates metadata automatically without the user knowing it. Therefore it is possible to create a timeline of a specific file saved on the storage device, and in this way it is possible to track the user's activity. The metadata of a specific file (Fig. 1) is a part of the file system data (information about information) and has a basic structure which may consist of sensitive information about the author of the file, the date of creation and modification, the type of file, and much more [13].
Figure 1. File metadata of a Word document and an image file
There exist many metadata standards (Fig. 2) for specific areas of use [14, 15].
Figure 2. Part of the file metadata standards [16]
Metadata are very important for the semantics of how to correctly use specific information: which software can handle it, which users should see it, and how the data should be interpreted for future use. The creation of metadata for a specific file is often an automated process. Sometimes the user has to create the metadata manually, especially when creating information about photographs and documents. According to Reference [17], it is most important to secure metadata management along the data lifecycle. Various interpretations of the data lifecycle exist, but in general it consists of the processes of data definition, capture, validation and formatting, movement and sharing, model and storage, finding, and also presentation (Fig. 3).
Figure 3. Data Lifecycle Model [18] (stages: Definition, Capture, Validation and Formatting, Movement and Sharing, Model and Storage, Finding, Presentation, with the Quality Process at the centre)
One of the best ways to picture metadata is the creation of a web page in HTML, where the <head> part carries metadata about the author of the page, keywords and a description (Fig. 4).
Figure 4. Metadata on the web page
Metadata on a web page are very important in search results. The decision whether or not to visit a specific web page often depends on the web metadata shown. File metadata are similar, because many operating systems use indexing methods to analyse the metadata of specific files on the computer and put this information into a database, often for fast searching, or maybe as a backdoor for operating system creators. For web robots (search engines) it is easy to follow web information and index it in a database so that everyone can locate a specific document on the Internet.

IV. TRACE DATA
The next part of the file system data is trace data (Fig. 5), i.e. the data which sometimes remain after file deletion, formatting and partitioning. In a digital forensics investigation these data are very important, because together with metadata they can create a timeline to detect user and file activity on a live system.
Figure 5. Trace data [13] (trace data of the partition table, trace data of formatting, and trace data of files: deletion, addition, modification)

V. WIPING TECHNIQUES/STANDARDS
Various techniques/standards exist for securely erasing information on digital media. In particular, NSA/CSS published a storage device sanitization manual [19] which contains guidance on how to destroy files on different kinds of storage devices. According to this guidance, for a hard disk drive it is especially important to use an automatic degausser, a hardware component used to “physically damage the hard drive by deforming the internal platters prior to release by any means or by using a hard disk crusher” [19]. Apart from this, it is not so important whether hardware or software is used, but which specific wiping technique/standard is used.
The term "data sanitization" is often used in connection with the secure erasing of information from specific storage devices. Data sanitization is the process of securely erasing digital information from storage devices so that recovering the information to its previous readable state becomes a problem. Wiping techniques/standards are therefore often implemented in specific eraser software like Eraser, KillDisk, DBan, HDDErase, MHDD, Disk Wipe and others [20].
The list of several data wiping techniques/standards that are most used in various research studies [21, 22] (Tab. 1):
1. DoD 5220.22 M – this method is very often implemented in secure eraser software to overwrite information on a specific storage device. It exists in two main forms, with 3 or 7 phases. It was developed and is supported by the US National Industrial Security Program, and the algorithm is based on the following steps: writing 0 and verifying; writing 1 and then verifying; writing a random character and then verifying.
TABLE I. MOST USED WIPING TECHNIQUES/STANDARDS [21, 22]
Wiping technique/standard | Number of passes | Data recovered from SSD | Data recovered from USB | Secure erase tool
DoD 5220.22 M             | 3                | -                       | -                       | Eraser, Freeraser
NCSC-TG-025               | 3                | -                       | -                       | Disk Shredder
AFSSI-5020                | 3                | 5,8 – 7,3 %             | 0,0 – 63,5 %            | Eraser, PrivaZer
AR 380-19                 | 3                | 6,91 – 7,07 %           | 1,1 %                   | Eraser, File Secure Free
NAVSO P-5239-26           | 3                | -                       | -                       | Blancco Drive Eraser
Gutmann                   | 35               | 0,8 – 4,3 %             | 71,7 %                  | DBAN, Eraser
Schneier                  | 7                | 1,7 – 8,0 %             | 84,9 %                  | Eraser, CBL Data Shredder

2. NCSC-TG-025 – this method was developed and is supported by the US National Security Agency. The standard is based on the DoD 5220.22 M wiping technique but offers more options, especially in the number of overwriting passes.
3. AFSSI-5020 – this method was developed and is supported by the United States Air Force. The standard is comparable with DoD 5220.22 M, but with one difference in the verification process: verification is done only in the last step. The process consists of: writing 0; writing 1; writing a random character and then verifying.
4. AR 380-19 – this method was developed and is supported by the US Army. The standard has a different process consisting of these phases: writing a random character; writing a typical character; writing the complement of the specified character and then verifying.
5. NAVSO P-5239-26 – this method was developed and is supported by the US Navy. The process consists of: writing a specified character; writing the complement of the typical character; writing a random character; and a verification process.
6. Gutmann 35-passes – this method was developed by Peter Gutmann, but according to several authors it is unusable on modern storage devices because of the different storage technology used in their manufacture. The method consists of 35 passes, each writing a random character.
7. Schneier method – this method was developed and is supported by Bruce Schneier. The wiping process consists of 7 passes: writing 1; writing 0; and writing a pattern of random characters in the last 5 passes.
Most of these data wiping techniques are implemented in freeware eraser software. Tab. 1 shows a comparison of data recovery from SSD and USB devices; some of the information is missing. It is important, not only today, to find the best wiping techniques together with appropriate secure erase software to destroy sensitive information on storage devices.

VI. ANTI-FORENSICS METHODS
Anti-forensic methods offer the possibility of preventing the disclosure of sensitive information from digital storage devices by using several techniques. In general, one or more methods are used to prevent unauthorized access to sensitive information: secure erasing of information, hiding information, overwriting metadata and trace data, and modification of time stamps. Anti-forensics techniques can be divided into different categories [23, 24, 25, 26].
A. Destruction of Evidence
Secure erasing of sensitive information may be physical or logical. While the preferred method is to use hard disk drive grinders, physical destruction of information on a specific storage device may include various methods, such as the use of a magnet to destroy the storage device. Regardless of the method, the result is the same: obtaining the information becomes impossible. Logical destruction, in which bytes are overwritten by random bytes, is also highly efficient and makes it impossible to search the data. In the case of securely erased sensitive information, judicial attempts to collect evidence are apparently limited.
B. Artefact Wiping
Artefact wiping tools are evidence-destruction tools that have been available for many years. Available tools for artefact wiping are BC Wipe, Eraser, and PGP. Secure erasing of digital information with multiple overwriting passes will cause data recovery to be nearly impossible, if not completely impossible.
C. Hiding information
Sensitive information can be hidden in different ways. With steganography, we can store any form of digital information in many file types, including images, audio, video and executable files. The steganography methods below may also be used to hinder computer forensics. For example, a person can hide an image, a spreadsheet, or a text block beneath the images in a PowerPoint or Impress graphics presentation. Alternatively, a hidden message can be stored as a white text block on a white background. Morse code messages can be embedded in an image. There are many ways to hide sensitive information, at least from simple searches. Sensitive information may be hidden in unallocated space on storage devices as well as in the metadata of many file types.

VII. METHODOLOGY
At present the implementation exists only in a theoretical form. The next research activities will concern wiping techniques/standards and metadata information
recovery from specific storage devices. According to Reference [11], the evaluation process could consist of these steps:
1. Choice of appropriate storage devices – a comparison of a hard disk drive (HDD), a solid-state drive (SSD) and a flash disk (USB key), to find out whether the technology plays a significant role in wiping and data recovery or not.
2. The file system of the specific storage device could make a significant difference in information recovery, or maybe not; the choice is between NTFS and FAT32, the most used file systems.
3. Creation of a sample dataset with files of specific formats. This dataset (files, especially sensitive data, which may contain specific metadata information) includes:
a. archive formats – zip, rar;
b. mount images – iso, img;
c. database – sql;
d. document files – doc, pdf;
e. graphic files – bmp, exif, jpg, png;
f. presentation – ppt;
g. reference management – bib, ris;
h. programming languages and scripts – asm, js, php;
i. audio files – mp3, ogg;
j. spreadsheet – xls, ods;
k. video files – mp4, avi;
l. plain text files;
m. web page formats – html, css;
n. temporary and log files.
The collection of files will amount to about 1 GB. The main reason for selecting these file types was their ability to carry metadata [11].
4. Selection of appropriate software: FTK Imager for backing up an image of the data collection, and Eraser, KillDisk and DBan for wiping sensitive information.
5. Analysis of the sensitive information, metadata and trace data recovered from the storage devices using appropriate software like Autopsy and a freely available metadata extractor. “Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools” [5]. This software has a lot of useful functions (timeline analysis (Fig. 6), keyword searching, web artefacts, email analysis, ...), is free, and has the feature that different modules run in parallel to take advantage of multi-core systems.
6. Evaluation of the wiping techniques/standards implemented by secure eraser software according to the quality of the recovered sensitive information, the interconnection of metadata with other digital data, and the trace data on the storage device.
Figure 6. The timeline in Autopsy

VIII. CONCLUSION
The main goal of this paper was to create and describe the theoretical background of data wiping techniques/standards and anti-forensics methods. Metadata and trace data are very important for the possibilities of recovering sensitive information. The methodology of future research activities was clearly defined with reference to various research studies. Therefore, in any case, we have to take steps to securely erase sensitive information on storage devices using a fast and reliable anti-forensic method hand in hand with wiping techniques/standards.

ACKNOWLEDGMENT
The work was partly supported by the grant APVV SK-SRB-2016-0003 Adaptation of Parallel WoBInGO Framework for Protection of Cloud and Grid Computing Systems by Computational Intelligence, and partly by the grant VEGA 1/0145/18 Optimization of network security by computational intelligence.

REFERENCES
[1] Chiang, Fei and Dhruv Gairola. 2018. “InfoClean: Protecting Sensitive Information in Data Cleaning.” J. Data and Information Quality 9. 22:1-22:26.
[2] Brečka, Peter & Olekšáková, Monika. 2013. Implementation of Interactive Whiteboards into the Educational Systems at Primary and Secondary Schools in the Slovak Republic. 10.2991/icaicte.2013.24.
[3] I. I. Dirgová, Luptáková & Pospíchal, Jiří. 2015. How Random Is Spatiotemporal Chaos of Langton's Ant? 1. Journal of Applied Mathematics, Statistics and Informatics. 11. 10.1515/jamsi-2015-0008.
[4] Hosťovecký, Marián & Prokop, Pavol. 2018. The relationship between internet addiction and personality traits in Slovak secondary schools students. Journal of Applied Mathematics, Statistics and Informatics. 14. 83-101. 10.2478/jamsi-2018-0006.
[5] Carrier, Brian. 2005. File System Forensic Analysis. J. Clerk Maxwell, A Treatise on Electricity and Magnetism, 3rd ed., vol. 2. Oxford: Clarendon, 1892, pp.68–73.
[6] Garfinkel, S., 2007. Anti-forensics: techniques, detection and countermeasures. In: 2nd International Conference on i-Warfare and Security, p. 77.
[7] Jin Kwon, Se & Ranjitkar, Arun & Ko, Young-Bae & Chung, Tae-Sun. 2011. FTL algorithms for NAND-type flash memories. Design Autom. for Emb. Sys. 15. 191-224. 10.1007/s10617-011-9071-9.
[8] Howie Huang, H & Li, Shan & Szalay, Alexander & Terzis, Andreas. 2011. Performance modeling and analysis of flash-based storage devices. 2011 IEEE 7th International Workshop on Storage Network Architecture and Parallel I/Os, SNAPI 2011. 1-11. 10.1109/MSST.2011.5937213.
[9] Cachin, Christian & Haralambiev, Kristiyan & Hsiao, Hsu-Chun & Sorniotti, Alessandro. 2013. Policy-based secure deletion. Proceedings of the ACM Conference on Computer and Communications Security. 259-270. 10.1145/2508859.2516690.
[10] Peter Gutmann. 1996. “Secure Deletion of Data from Magnetic and Solid-State Memory”, In: Proceedings of the Sixth USENIX Security Symposium, San Jose, CA. Volume 14.
[11] Martin, Thomas & Jones, Andy. 2011. An evaluation of data erasing tools. The Proceedings of the 9th Australian Digital Forensics Conference, Edith Cowan University, Perth, Western Australia, 5th-7th December 2011. DOI: 10.4225/75/57b2c01440cef.
[12] Wright, Craig & Kleiman, Dave & Sundhar, Shyaam. 2008. Overwriting Hard Drive Data: The Great Wiping Controversy. 243-257. 10.1007/978-3-540-89862-7_21.
[13] Yinghua Guo, Jill Slay. 2010. Data Recovery Function Testing for Digital Forensic Tools. Kam-Pui Chow; Sujeet Shenoi. 6th IFIP WG 11.9 International Conference on Digital Forensics (DF), Jan 2010, Hong Kong, China. Springer, AICT-337, pp.297-311, 2010, Advances in Digital Forensics VI. Springer, Berlin, Heidelberg, ISBN: 978-3-642-15505-5.
[14] International Standard Organisation. 2009. ISO 15836:2009 – Information and documentation – The Dublin Core metadata element set.
[15] Brian Matthews, Shoaib Sufi, Damian Flannery, Laurent Lerusse, Tom Griffin, Michael Gleaves, Kerstin Kleese. 2009. "Using a Core Scientific Metadata Model in Large-Scale Facilities", 5th International Digital Curation Conference, pp. 2-4, December 2009.
[16] Landesman, Betty. 2011. Seeing Standards: A Visualization of the Metadata Universe. Available on: http://www.dlib.indiana.edu/~jenlrile/metadatamap. Technical Services Quarterly. 28. 459-460. 10.1080/07317131.2011.598072.
[17] Sen, Arun. 2004. Metadata management: past, present and future. Decision Support Systems. 37. 151-173. 10.1016/S0167-9236(02)00208-7.
[18] Vivek Kumar Singh. 2018. Integrated Data Quality (DQ) along Data Life Cycle. Available on: https://viveksingh36.wordpress.com/2014/12/05/integrated-data-quality-dq-along-data-life-cycle/ (accessed 2018-05-10).
[19] NSA/CSS Storage Device Declassification Manual. 2014. Available on: https://www.nsa.gov/resources/everyone/media-destruction/assets/files/storage-device-declassification-manual.pdf (2014-12-15).
[20] 41 Free Data Destruction Software Programs. 2018. Available on: https://www.lifewire.com/free-data-destruction-software-programs-2626174
[21] 8 Effective Algorithms to Wipe and Erase Data Permanently. 2018. Available on: https://www.datanumen.com/blogs/8-effective-algorithms-wipe-erase-data-permanently
[22] Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson. 2011. Reliably erasing data from flash-based solid state drives. In Proceedings of the 9th USENIX conference on File and storage technologies (FAST'11). USENIX Association, Berkeley, CA, USA, 8-8.
[23] Kessler, G. C. 2007. Anti-Forensics and the Digital Investigator, Burlington – USA, Champlain College, 2007, p. 7.
[24] De Beer, Richard & Stander, Adrie & Van Belle, Jean-Paul & Publications, SDIWC. 2014. Anti-Forensic Tool Use and Their Impact on Digital Forensic Investigations: A South African Perspective.
[25] Pajek, Przemyslaw & Pimenidis, Elias. 2009. Computer Anti-forensics Methods and Their Impact on Computer Forensic Investigation. Communications in Computer and Information Science. 45. 145-155. 10.1007/978-3-642-04062-7_16.
[26] Conlan, Kevin & Baggili, Ibrahim & Breitinger, Frank. 2016. Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy. Digital Investigation. 18. 10.1016/j.diin.2016.04.006.
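As an added worked example (written for this edit; it is not the authors' software nor any of the eraser tools named in the paper), the following Python encodes the pass schedules of Section V exactly as the paper summarises them, applies them to a constructed toy device, and scores how much of the original content is still present verbatim, a crude stand-in for the "data recovered" columns of Table I and for step 6 of the methodology in Section VII. It also shows the point made in Sections II and IV: a wipe limited to the live file leaves a stale copy in unallocated space (trace data) fully recoverable, while a whole-device wipe removes it. The fixed "specified character" value 0x55, the 512-byte device and the file layout are assumptions.

```python
import os

FILL = 0x55  # assumed value of the "specified/typical character" used by some passes

# Pass schedules as Section V describes them: (pattern, verify after this pass).
# A pattern is one byte to repeat over the region, or None for random data.
SCHEDULES = {
    "DoD 5220.22-M (3 passes)": [(b"\x00", True), (b"\xff", True), (None, True)],
    "AFSSI-5020": [(b"\x00", False), (b"\xff", False), (None, True)],
    "AR 380-19": [(None, False), (bytes([FILL]), False), (bytes([FILL ^ 0xFF]), True)],
    "NAVSO P-5239-26": [(bytes([FILL]), False), (bytes([FILL ^ 0xFF]), False), (None, True)],
    "Schneier (7 passes)": [(b"\xff", False), (b"\x00", False)] + [(None, False)] * 5,
    "Gutmann (35 passes)": [(None, False)] * 35,  # random passes, as the paper states
}


def overwrite(device, start, length, schedule):
    """Overwrite device[start:start+length] pass by pass, re-reading and comparing
    after each pass the schedule marks for verification. Returns passes performed."""
    for pattern, verify in schedule:
        fill = os.urandom(length) if pattern is None else pattern * length
        device[start:start + length] = fill
        if verify and bytes(device[start:start + length]) != fill:
            raise RuntimeError("verification failed after pass")
    return len(schedule)


def recovered_fraction(secret, device, block=8):
    """Share of block-sized pieces of the secret still found anywhere on the device."""
    pieces = [secret[i:i + block] for i in range(0, len(secret), block)]
    raw = bytes(device)
    return sum(1 for p in pieces if p in raw) / len(pieces)


def simulate(name, wipe_whole_device=False):
    """Constructed toy device: the sensitive file at offset 0 and an older copy of it
    left in unallocated space (the trace data of Section IV). A file-level wipe
    touches only the live file; a device wipe covers every byte."""
    secret = b"ACCOUNT-4711 PIN-2580 " * 4        # 88 bytes of constructed sensitive data
    device = bytearray(512)
    device[0:len(secret)] = secret                 # live file
    device[300:300 + len(secret)] = secret         # stale copy after an earlier edit
    if wipe_whole_device:
        overwrite(device, 0, len(device), SCHEDULES[name])
    else:
        overwrite(device, 0, len(secret), SCHEDULES[name])
    return recovered_fraction(secret, device)


if __name__ == "__main__":
    for name in SCHEDULES:
        print("%-26s file wipe: %3.0f%% recoverable   device wipe: %3.0f%% recoverable"
              % (name, 100 * simulate(name), 100 * simulate(name, True)))
```

The percentages in Table I come from real SSD and USB hardware, where flash translation layers and wear levelling decide which physical cells a pass actually reaches; this toy bytearray has no such layer, so every device wipe scores zero regardless of the schedule chosen.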