Forensics: Wiping a Drive

There is a lot of misleading information on the internet in relation to the deletion and destruction of data. Some of this is due to confusion in language, e.g. the difference between wiping and deletion and some of this is due to urban myth.

Below is a video, taken with the popular computer forensics tool EnCase.This video shows what happens when a single wipe is used on a drive. Not 2, not 8, o32, or any of the other “recommended” number of wipes. Just a single, simple, wipe.

Add to Technorati Favorites

Videos: EnCase Forensic

Below are a selection of videos demonstrating the popular forensic tool, EnCase

Encase Videos:

How do I Access EnCase Files?

E01 Files

Sometimes people in IT or in law firms will come across EnCase files, that have been provided by forensics companies. The question they will often ask is “How do you open an EnCase image? A video guide on using Encase to open E01 files is available here

E01  Identification

Firstly you must identify that you have an EnCase image. If the media provided contains a series of files, which all have the same name, but difference extensions,  and the first one is has the extension E01, then you have been provided with an EnCase Image.  After the “E01 file” each file has the same name but a different extension, increasing in increments. E02, E03, etc.


If the first file is called ExhibitA.E01, the second one will be ExhibitA.E02, and the third one will be ExhibtA.E03.

Regardless of how many files there are starting “ExhibitA” [or whatever the prefix is], if there is only one E01 files, there is only one image. The reason for the multiple files is that Encase can chunk up the image for ease of movement/storage.

Identifying the number of images

If the following files are on on the media  Disk1.E01, Disk1.E02, Disk1.E03, Disk2.E01, Disk2.E02, Disk3.E04 that means that there are two different images. Disk1 and Disk2.

Opening an E01 Image

EnCase images are not “raw” files and so can not be easily opened, they need to be viewed with a correct tool. The two best tools for this EnCase – which can only (legally) view an image with a full license  i.e. You have to pay for it (RRP £2,000 to £3,0000).

FTK Imager Lite, produced by AccessData which is free to use can also access EnCase images, and allow you to browse through the data.

Other tools, such as MountImagePro are also able to mount the files and virtual drive. This allows the user to browse through the files, can copy files off the image, as if it was a drive. This does not give full forensics capability, and if you want to investigate data theft or the like, this is not the tool for you. But does allow access to active files.

FTK continues to try and buy EnCase

After AccessData’s failed attempt to by Guidance Software (the makers of EnCase) in October 2008, Access are now trying to put its own candidates on the board of Guidance.

The CEO of AccessData, Tim Leehealey, stated that CEO, Tim Leehealey, stated that “We are not trying to force a transaction, we simply want the shareholders to decide as opposed to Guidance Software’s board,”

Encase 6.10 Videos

Recovering Deleted Files with EnCase

Opening a E01 file with EnCase

Viewing File Slack with EnCase

Keyword Searching with EnCase

Locating the MFT with EnCase

Videos: EnCase Videos

Below are links to “How To” guides of EnCase Videos. The Videos all made using EnCase 6.10 and are based on NTFS drives

Basic Keyword Searching

Analysing Slack

Partition Information in the MBR

Locating the MFT



Tags: , , ,

What is File Slack?

What is File Slack?

This article looks at file slack, where it is, how to find it, and includes a video guide of how to view this data in EnCase 6.10


To understand File Slack, one must first understand the basic concepts of Cluster and Sectors.

This article is based on the assumption that the reader understands these concepts. It is also written with the assumption that the hardware under consideration is a standard windows hard drive, with sector size of 512 and a cluster size of 8 sectors.

Clusters and Sectors

As the operating system can only address clusters, rather than sectors which hard drives can, it means that files are stored on a hard drive in units of clusters and not sectors.


A 5000 byte file, takes up 9 sectors, however the operating system will allocate the file 2 clusters (16 sectors, 2*8 sectors), as it does not fit into 1 sector. 2 Sectors is 8 KB ( 2*4KB)

A 2500 byte file will fit into 5 sectors, however the operating system will allocate the file 1 full cluster (8 sectors), which is 4 KB

A file which is 10,000 bytes will be allocated 12 KB – 3 sectors.

Different Sizes

From this it can be seen that a file has two different sizes, the logical file size the actual size of the file and the physical file size, the size given to the file on the hard drive.

The physical file size is always greater than or equal to the logical file size (ignoring resident data for the moment).

File Slack

File slack is the difference between the physical file size and logical file size.

E.g for a 5000 byte file, which is given 2 clusters (8192 bytes), the file slack will be 8192 – 5000, which is 3192 bytes. The file slack should always be less than 1 cluster (4096 bytes).

As file slack is literally the space on the hard drive between the logical and physical file size, it means that anything that was in that space before become file slack. As a new file is created by overwriting unallocated space (even if it means deleting a file immediately before the request to write) this means that file slack is essentially old fragments of unallocated file space (RAM slack is not being discussed at this point).

This means that file slack can contain anything at all, from fragments of web pages, emails, and even complete small pictures, to junk text. It is more often than not the latter, however complete EML files, and thumbnail pictures have been recovered than can prove an entire case.

Below is a video showing file slack, using EnCase 6.10. Encase is currently better at viewing this type of data than FTK.