Forensics Testing

R3zk0n · October 2, 2025

Forensics   Linux   Windows
Contents

    Objective

    • Verifying whether a process to remove all sensitive information of a company is successful, and no residual data is accessible after the device has been wiped.

    Questions to ask

    • Which devices are being wiped? What type of devices are being wiped (Mac, Windows, Phones)
    • What is the process is which the device(s) are being wiped?
      • Compare with other processes such as Apple: https://support.apple.com/en-au/HT201065
    • Were the devices previous encrypted? Strength of encryption may prevent recovery of data.
    • In terms of what we need:
      • Physical access to each testing device
      • A reasonable time to test the devices (upwards of a week)
    • Are we allowed to perform destructive testing on the devices:
      • Opening the physical device
      • Removing drives
      • Mounting test-rigs to attempt data recovery

    Forensics Testing

    Types of Data Erasing

    • DBAN (Darik’s Boot and Nuke) is a free, open-source utility that is designed to securely erase data from hard drives and other storage devices. ``` zero fill (over write with random data) - works on for mechanical drives, but SSDs dont write sequentially so it might not work there built in secure erase modes on some HDDs - depends on how well it’s been implemented encrypt drive and destroy keys - probably the best method (i think) but some encryption processes only encrypt the used space, so if you’ve deleted files and those files are now marked as free space, that part of the drive might not be encrypted

    Apple’s instructions of resetting NVRAM ```

    Hard Drive Cloning

    • Create an identical clone using dd, or live boot + dd

    Destructive Testing

    • If there are controls in the laptop, open device and remove drives
    • Remove Macbook Pro hard drive: https://www.ifixit.com/Guide/MacBook+Pro+Hard+Drive+Removal/85373

    Memory Forensics

    • Explanation: https://www.varonis.com/blog/memory-forensics?hsLang=en
    • Capturing RAM Volatile Data:
      • WinPmem (Windows): https://github.com/Velocidex/WinPmem/releases
      • FTK Imager: https://accessdata.com/product-download/ftk-imager-version-4-2-0
      • Virtual Machines save snapshot as vmem file
    • Extracting sensitive data from volatile memory
      • Volatility 3: https://github.com/volatilityfoundation/volatility3
        • https://www.varonis.com/blog/how-to-use-volatility

    Data Recovery Tools

    • Recover files previously deleted (they weren’t deleted just inaccessible as the memory is considered freed up)
    • The tools will find images in dd dumps, RAM dumps, or swap files. Carving will help to identify and reconstruct files on corrupt filesystems, in slack space, or even after installation of a new operating system, as long as the required data blocks still exist.
    • Data Carving
      • Linux (General): https://www.makeuseof.com/tag/recover-deleted-files-from-your-linux-system/
        • PhotoRec: https://www.tomshardware.com/how-to/recover-deleted-files-from-any-drive-in-linux
        • Foremost & Scalpel: https://www.linux-magazine.com/content/view/full/24194/(offset)/3#article_i3
        • Recuva and TestDisk

    Twitter, Facebook