Welcome back, everyone. This week we're gonna talk about how to zero out or write random data to your disks whenever you want to completely clean or completely remove data from your disks. Now, we would do this in digital forensics for a number of reasons. But one reason might be that you have suspect data on one of your hard drives. And once the case is finished, once you don't need the data anymore, you don't want to have the data anymore. You might want to zero out, or what we call "zero out", the disk the suspect data was on. Now, you wanna make sure that all of the data on that disk is completely removed, and you definitely don't want the defense to be able to claim that remnants of a past case are kind of getting confused with the current case. So for example, if you delete the files only, then as we know the file data might still be on the disk or recoverable from the disk. And if you somehow combine that with a past case and a current case, where the current case is written to a space that was used in the past with a different case, then the defense might have a claim that somehow the data is getting mixed up and you're actually looking at an old case. So to get around this, we can just zero out our disks or destroy all of the data on the disks.

We can do this in a number of ways, and just to show you kind of how it works, I have WinHex running in a virtual machine in Windows. I'm going to show you today how to zero out a disk in Linux, and then in another video I'll show you how to do it in Windows. But I'm going to go to Tools, Open Disk, and then in Physical Storage Devices, SanDisk Extreme, using this USB stick just as an example. Click OK. And we can see here there is some data. We see the familiar "missing operating system" code here, so I know that there is some real data on this disk, okay? So I definitely want to get rid of this. And this is just basically a copy of DEFT, yeah, a copy of DEFT. So I'm going to close this for now.
I'm going to switch over to Linux. First I have to eject the disk, sorry. I'm going to switch the SanDisk back to my Linux box. And then in Linux, I first need to identify the drive that I want to erase, okay? And this is really important, because I need to make sure that I'm erasing the right drive. And I can do that in a number of ways. So first, just to make this easier, this is what I normally do. I'm going to remove the disk from my computer, okay? So now it's removed from my system. And I'm going to do the command lsblk, list block devices, lsblk. And then I'm just going to pipe that into a file, temp blk, okay? So basically I've saved the state of my computer: all of the disks or the drives in my current local system. And now I'm going to plug the disk, my suspect disk that I want to erase, back in. Not the suspect disk, sorry, just the disk I want to erase; don't erase suspect disks. And Windows automatically got it, so I'm going to remove that, okay?

And then now I have lsblk, in the current state of my system, in temp blk. I'm going to do the command lsblk and then pipe that to diff, and give it the old file. And then this dash argument, `-`, basically says take everything from the pipe and then use that as the second file here. So then whatever I get diffed out is the difference between the computer without the disk and the computer with the disk, okay? So here we can see that it's listed as sdf, okay? So I can tell that the partition or the disk that was just inserted is identified on my system as sdf. So this is a quick trick if you have a bunch of disks. I have a lot of disks in my system, so I don't want to memorize how they're mapped every single time. So in this case, I can just use this trick, do a diff, and then see what the difference is. Now, just to give you an example of what lsblk would look like with all of the disk information: if you run that, then I have all of my disks and my partitions.
And I could just insert the disk and then go through and check if I'm missing something, but it's pretty noisy. So I prefer the diff method, okay? So now my disk is sdf, so let's say that this is the disk that I want to wipe out. I can do that in a number of ways. First off, we need to use sudo, because I want to access the disk. And then I would normally use dd, but dd does not give you a meter or any indicator of how much data has been written. So I'm just going to use dcfldd, and this is a forensic version of dd. But if I was actually acquiring a suspect disk with it, I would not use this. And it does have a bug; it's based on an older version of dd. I would acquire disks with something like just mainline dd or FTK Imager, something like that, okay? So sudo dcfldd, just so I have an indicator. And then the input, if=, that I want to use: first I'm going to use /dev/urandom, okay? And then the output, of=, is /dev/sdf, okay?

Now, really, really make sure that the drive that you're actually saving to is sdf, right? Because if you run this command on any disk that's important to you, it will overwrite data, okay? Yeah, that's all I can say. Just before you run this command, be very, very, very certain about what you're doing, because you will destroy whatever is on sdf. In this case, I know sdf is the disk that I'm interested in, okay? Now, we have two different things here. We have a random that we can use, /dev/random and /dev/urandom. urandom is actually not completely random, but it's much, much faster, okay? We want to wipe this disk out as fast as possible. And random, you basically have to collect a lot of entropy and it's just much slower. urandom is consistent, but it's less random. In this case, we don't really care about randomness, we care about wiping the disk out. So I'm gonna run this command, and then it's gonna ask for the password because of sudo, okay? And I'm just gonna write about, let's say, about a gig.
Notice that's pretty slow, okay? So, two gigs in and out, and then I stopped it manually. Now, I'm gonna jump back over to Windows and WinHex just so we can see the current state. Now, remember before it said "operating system not found"; we could see that there was actually some structure in there. So I'm going to go to Tools, Open Disk, SanDisk Extreme, okay? And then now that data has been overwritten with what looks like random data. There doesn't look to be any structure here, too much, okay? And then I didn't write data to the entire disk, so yeah. So then it should be zeroed out later, okay?

So we actually do have random data, but if you write random data to the disk, I need to check that again. If we write random data to the disk, the problem is that we don't know if this was actually random data or if some suspect data was left over. So instead of doing /dev/urandom, I better check this again, lsblk, okay? Okay, just to make sure that sdf is detected as 29 gigs, so that's the one that I want, okay? So I'm gonna clear this and I'm gonna run again, sudo dcfldd if=/dev/... Instead of urandom, I'm going to use zero, okay? And this will just, like it says, write zeros to sdf, okay? So let's see how much faster that was. It already wrote quite a bit more data, so let's now jump back over and check out the current state of the disk. So Tools, Open Disk, SanDisk, okay? And now the disk starts with all zeros.

Now the reason that I would want to do this is because I want to be able to prove, and this is what I wanted to show you basically. I didn't write so much data. So this should be the random data that I wrote, right? I didn't write to the end of the disk, and I intentionally wanted to show you the point at which the zeroing stops. Okay, so we have our random data, and then, well, you get the point. I don't wanna scroll around forever. But basically, this is past the point where I wrote random data, and then before this, we have all zeros.
Now, we can check and make sure that all of the disk where we're saving, where we will save, let's say, data for the next case, is actually zeroed out properly. Now, you might want to go even further than this, but I think one or two passes with zero is more than sufficient. If you're actually trying to get rid of your disks, or you're worried that your disks might be copied or read from somewhere else, you might wanna do more passes than just two or three, probably around, I forget what the DoD standard is, something like 10 passes with zero or random; that's if you don't want the data read. But we're not really interested in the data being read; we just want to wipe all of the data out and confirm that all of the past suspect data, or data from past cases, is no longer on the disk.

So what we can do is use dd if=/dev/zero in Linux, write those zeros to the disk that we wanna save the data to, and then open up a hex editor, go through, check that it is all zero, and then document when you zeroed out all the data. And maybe a screenshot about the fact that there is no data left on there, okay? So if you do that, that will remove any possibility that past case data is somehow available on your storage device. And you avoid the problem of a defense lawyer saying, somehow old data got mixed up with our current case, and can you prove that no past data exists? Okay, yeah, so that's pretty much it. I'll show a couple different ways to actually shred data in Linux. But for now, basically, I wanted to show zeroing out and what zeroing out actually does. So in the beginning of the disk, you can see in Windows and WinHex here that the data is actually zeroed out. So whenever you are writing either random data or zeroing out, make sure you do load up a hex editor and check that the data is actually gone, okay? So that's it for today. Thank you very much.
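The procedure walked through above (snapshot lsblk, diff it after the disk is inserted, overwrite with /dev/urandom and then /dev/zero, check the bytes in a hex viewer) as an added example script; this is not code from the video. It uses plain dd rather than dcfldd, and the demo at the bottom runs against a temporary file standing in for /dev/sdf, because pointing it at a real device destroys whatever is on it. The function names (new_devices, wipe_from, is_all_zero, head_hex) are this example's own, and the sample data it wipes is constructed with /dev/urandom.

```shell
#!/bin/sh
# Added example, not from the video: find a newly inserted disk, zero it, and
# confirm every byte reads back as 0x00. Function names are this example's own.
set -eu

# Save `lsblk` output before plugging the disk in (the "temp blk" snapshot):
#   lsblk -dno NAME > /tmp/blk      (-d whole devices, -n no header, -o NAME column)
# then call `new_devices /tmp/blk` after inserting it; it prints only the added names
# (the "> sdf" lines of the diff, with the "> " stripped).
new_devices() {
    lsblk -dno NAME | diff "$1" - | sed -n 's/^> //p'
}

# Overwrite a target from a source device. $1 = /dev/zero or /dev/urandom,
# $2 = target (/dev/sdf, or a regular file standing in for it), $3 = optional
# number of 1 MiB blocks. Omit $3 for a whole disk: dd then runs until the device
# ends, reports "No space left on device" and exits 1, which is the expected finish.
# conv=notrunc keeps a regular file at its current size; it is harmless on a device.
wipe_from() {
    if [ $# -ge 3 ]; then
        dd if="$1" of="$2" bs=1048576 count="$3" conv=notrunc 2>/dev/null
    else
        dd if="$1" of="$2" bs=1048576 conv=notrunc 2>/dev/null || true
    fi
    sync
}

# The hex-editor check, automated: tr deletes every NUL byte from the stream; if
# even one byte survives, the target is not all zeros. Exit status 0 = all zero.
# This reads the whole target, so on a real disk it takes as long as the wipe.
is_all_zero() {
    [ "$(tr -d '\000' < "$1" | head -c 1 | wc -c | tr -d ' ')" = "0" ]
}

# First $2 bytes of the target as a hex string, like the top of the WinHex view.
head_hex() {
    od -An -v -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Demo on a temporary file (constructed here) so no real device is touched.
demo_target=$(mktemp)
wipe_from /dev/urandom "$demo_target" 2          # 2 MiB of random data, the first pass
echo "after random pass, starts with: $(head_hex "$demo_target" 8)"
wipe_from /dev/zero "$demo_target" 2             # the zero pass
if is_all_zero "$demo_target"; then
    echo "verified all zero, starts with: $(head_hex "$demo_target" 8)"
fi
rm -f "$demo_target"
```

On a real device the calls are `sudo sh -c '. ./wipe.sh; wipe_from /dev/zero /dev/sdf'` followed by `is_all_zero /dev/sdf`, after `new_devices /tmp/blk` has printed exactly the name you expect. GNU dd's `status=progress` option gives the running byte count the video used dcfldd for; the `2>/dev/null` above would hide it, so drop that redirection if you want the meter.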