Saturday, May 1, 2010

Scrub with BackTrack

I went through an exercise this weekend where I wiped the data off a hard drive. The goal was to erase everything on the drive and then see what information could still be recovered from it afterwards.

The utility I used was scrub. It does not "delete" data in the filesystem sense; it overwrites the data on the drive in place, one pass after another. The same utility can also be used to overwrite a single file.

Scrub can be installed on Ubuntu or most other *nix distributions. However, probably the easiest place to find it is on BackTrack, where it sits in the BackTrack menu under Digital Forensics.



Below is a screenshot of the scrub help screen.



Scrub accepts a few different forms of invocation. To overwrite an entire hard drive you give it the device as its argument, as in the command below; with no pattern specified it uses the default NNSA NAP-14.x pattern for the overwrite.


The following shows the DoD 5220.22-M pattern selected instead, to overwrite the chosen area.



Once you have chosen your options, press enter and you will see output like the following on the display.


scrub: using DoD 5220.22-M patterns
scrub: please verify the device size below is correct!
scrub: scrubbing /dev/sda1 79403950080 bytes (~73GB)
scrub: 0x00    |................................................|
scrub: 0xff    |................................................|
scrub: random  |................................................|
scrub: 0x00    |................................................|
scrub: verify  |................................................|


You can see that scrub writes the byte 0x00 over the whole region on the first pass, its complement 0xff on the second, random data on the third and 0x00 again on the final pass; the verify step then reads the region back and checks that the last pass is actually on the media. Note the "please verify the device size" warning: the byte count scrub reports should match the size of the device or partition you meant to wipe, because the wrong device node gets the same treatment. Some options only make sense when scrubbing a file rather than an entire disk, for example removing the file once its contents have been overwritten.
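To make the pass sequence concrete, here is an added example that reproduces what the output above shows on an ordinary file: four in-place overwrites (0x00, 0xff, random, 0x00), an fsync after each pass, and a read-back verification of the final pass. This is illustration code written for this page, not scrub's own source; the function names, the 1 MiB chunk size and the constructed sample file are assumptions of the example.

```python
import os
import secrets
import tempfile

# Pass sequence matching the DoD 5220.22-M output scrub printed above:
# a fixed byte, its complement, random data, a fixed byte, then verify.
DOD_PASSES = ("0x00", "0xff", "random", "0x00")

CHUNK = 1 << 20  # 1 MiB write/read granularity (assumption of this example)


def _pattern_chunk(pattern, size):
    """Return `size` bytes of the given pass pattern."""
    if pattern == "random":
        return secrets.token_bytes(size)
    return bytes([int(pattern, 16)]) * size


def overwrite_file(path, passes=DOD_PASSES):
    """Overwrite every byte of `path` in place once per pass, syncing after each.

    Returns a list of (pattern, bytes_written), one entry per pass.  Only the
    logical extent of the file is touched: sectors that the filesystem or the
    drive has remapped elsewhere are not reached by an in-place overwrite.
    """
    size = os.path.getsize(path)
    log = []
    with open(path, "r+b", buffering=0) as f:
        for pattern in passes:
            f.seek(0)
            written = 0
            while written < size:
                n = min(CHUNK, size - written)
                f.write(_pattern_chunk(pattern, n))
                written += n
            f.flush()
            os.fsync(f.fileno())  # force this pass to the device before the next
            log.append((pattern, written))
    return log


def verify_file(path, pattern):
    """Read the file back and confirm every byte equals the fixed pattern byte."""
    expected = int(pattern, 16)
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True
            if block.count(expected) != len(block):
                return False


def scrub_file(path, passes=DOD_PASSES, remove=False):
    """Run the passes, verify the final fixed pass, optionally unlink the file.

    Returns (pass_log, verified).  Unlinking afterwards is the file-mode step
    the text mentions; the overwritten contents are what matters for recovery.
    """
    log = overwrite_file(path, passes)
    verified = verify_file(path, passes[-1])
    if remove:
        os.remove(path)
    return log, verified


def demo():
    """Constructed input: a 3 MiB + 17 byte file of 'A' bytes in a temp dir."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "sample.bin")
    with open(path, "wb") as f:
        f.write(b"A" * (3 * CHUNK + 17))
    log, ok = scrub_file(path, remove=True)
    os.rmdir(d)
    return log, ok


if __name__ == "__main__":
    log, ok = demo()
    for pattern, n in log:
        print(f"{pattern:7s} {n} bytes")
    print("verify  ", "ok" if ok else "FAILED")
```

The odd file length in the demo is deliberate: it exercises the final short chunk, which is where an off-by-one in a wiper leaves the last few bytes untouched. The verify pass only checks the final fixed pattern, exactly as scrub's "verify" line does, so a pass that silently never reached the media (a caching layer, a remapped block) is caught only if it was the last one.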

In my next post I will show what I was able to find using FTK.

1 comment:

  1. > In my next post I will show what
    > I was able to find using FTK.

    Since there never was a 'next post', is it safe to assume you were unable to find anything with FTK?
