It seems that there are still many people who do not understand what happens when storage media such as a hard drive or flash-based thumb drive is wiped with a single pass. Many comments were left on other websites about my last article, where people were still spreading the myth that a single pass is insufficient. So I’ve created yet another article, this time with screenshots.
Many people are under the impression that hard drives need to be wiped with multiple passes to prevent recovery of data. This is simply untrue with modern hard drives. According to the National Institute of Standards and Technology, “Studies have shown that most of today’s media can be effectively cleared by one overwrite.”
The practice of timestomping involves the deliberate alteration of timestamps, reshaping the perceived chronology of actions and potentially obscuring the true sequence of events.
In a previous post I mentioned that TrueCrypt leaves behind a string in its boot loader (one that identifies it as a TrueCrypt boot loader) when using the full disk encryption feature. As you can see in the screenshot below, I have modified the original “TrueCrypt Boot Loader” string to read “Windows Boot Loader.”
It's a powerful tool designed to obliterate files thoroughly, leaving no chance for recovery, a digital incinerator for your data. Unlike simple deletion, shred overwrites a file's contents multiple times with random patterns of data, effectively scrambling any trace of the original file.
Timestomp has the ability to modify or delete the accessed, created, modified and entry modified timestamp values on an NTFS system. These are also known as the MACE attributes or timestamp values.
If you use hibernation mode you are vulnerable to this sort of attack. You may inadvertently divulge trade secrets to a malicious hacker who copies your hiberfil.sys or just as easily incriminate yourself if your computer is seized and forensically examined.