Forensics: Do you need to wipe a drive before you image to it?

Do you need to wipe a drive before you image to it? No, not if you are creating an image, rather  than a clone. Though many people still do.

Historically most people would clone a hard drive, from one drive to another drive, when collecting data. For this reason it was important to have a wiped drive before you used it for storing the clone.

However, most companies now create an image file or files (either an E01 or a DD) when collecting or preserving data. As these are files they cannont be stored on a “blank” drive, the drive they are put on HAS to be formatted, so by denfition it can’t be zeroed or blanked out. Also with many larger companies centralising their storage on large RAIDs and SANs, and using virutal machines to access data, the idea of zeroing out a multi million pound SAN or data centre is absurd.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: