General discussion

Hidden Tracking Software

By kinserkan
In an interesting development we had an individual
zero out a drive in order, we believe, to remove
unauthorized data. An issue has come up concerning
whether the drive is still safe to use. I've heard of a
tracking software which will survive formatting and even
a re-partitioning of the drive. My question is how could
we detect such a program? If it is there, we want to find it
for legal purposes.

7 total posts (Page 1 of 1)  
All Comments

by BFilmFan In reply to Hidden Tracking Software

You'd need to run a scan of the drive. If properly wiped with DOS Fdisk to delete all partitions and then formatted correctly, an old keylogger left on the disk isn't an issue.

by softcorp.us In reply to Hidden Tracking Software

Hello...

As you may have read, it is possible to recover data from a HDD that has been overwritten. It requires a special program to do that.

If you repartition and format new volumes, the drive is safe from anything that was previously stored on it.

What tracking software is it that you have heard of that survives formatting and repartitioning?

-----Steve Jackson

CEO/CSA
Software Corporation (Softcorp)
http://www.softcorp.us/probono
Advanced pro bono tools and utilities free for personal use

by TechKid In reply to Hidden Tracking Software

You are correct, formatting and/or repartitioning doesn't physically erase data. It just marks it to be overwritable.

If he zeroed out the drive that DOES erase the physical data, therefore making the data irretrievable. However, caveat, one complete pass of the hard drive with a tool such as Wipe is not necessarily enough to "zero" out the drive. The US Government requires 7 passes to completely zero out a drive.

So, technically it's possible to get info from this drive but don't count on it.

by Synthetic In reply to Hidden Tracking Software

If you believe this is a security issue, civil or criminal, stop where you are. Any attempts to prove the issue could result in your erasing the very tracks you need to prove malintent. Plus, if this is to be used in a legal case, without you properly documenting every step, keeping the line of ownership clear, and without a forensics background to prove, in court, that you know what you're doing, you're liable to destroy any evidence, or make it obsolete on the grounds you have tainted the drive. If you're serious about finding out what was on the system, send the drive to Drive Savers, or On-Track (they do my drive recovery) for data recovery. This will cost a few thousand though, and there are no guarantees your suspicions will be played out by the findings. I do not know the person that did this, or their level of PC knowledge; is it possible this was just a bad move by the user? Is there enough reason to begin to take this into the murky waters you now face?

by _Christian_ In reply to Hidden Tracking Software

There are 2 issues in your question, and everybody else seems to have (correctly) answered only 1 of them.

So I separate them here:

1) As the others explained, any data stored on the physical surface of a hard drive can be found and recovered unless it has been overwritten (if zeroing was a perfect overwriting process, 1 pass should be final. I actually wrote a software doing just that, many years ago (DOS was king, at the time ;-] ). Commercial zeroing software may be imperfect...)

2) Any program is stored as data until read from the hard drive and executed. A hard drive has no means (and no reason) to differentiate different kinds of data.

The second point, implicitly part of your question, and overlooked by the previous answers, means that a special tool would need to be run to specifically recover this program before being able to run it. Such a program COULD NOT possibly run again by itself.

Now there is a caveat to that: The exception is the boot sector of the hard drive, which possibly some zeroing software does not touch (although it is easy to do), and a VERY SIMPLE (due to small size) program could become resident, and take over while trying to boot from the hard drive.
However making a clean hard drive install from a CD will not need to boot from the hard drive before installation, and that process will overwrite the boot sector.

There are also tools which allow you to examine the boot sector, and manually modify it (requires expert knowledge).
If you really want to find any program left on your hard drive after zeroing, check the boot sector first.

Then use commercial recovery software (there are several good ones around) to scan your hard drive for lost content (which may or may not be retrievable, depending on the efficiency of the zeroing software used).

I can point you to good software for both purposes, if you need to.

by _Christian_ In reply to

I forgot 1 thing: Answer 4 was incorrect.

Specifically, the commercial software I am thinking about DOES NOT modify anything on the surface of the disc scanned, but makes a mirror of it on another hard drive (which would have to be big enough), and works on that mirror.
It is used by the forensic department of some police forces, according to their website (this can be verified), and is actually quite affordable.

The solution he was referring to is what you would have to do if you do not have relevant skills in your staff. In which case, you DO pay a lot for actually renting outside skill expertise.
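
The two checks discussed in the posts above (look at the boot sector first, then see whether anything survived the zeroing) can be run against a mirror image rather than the original disk. This is an added example, not part of the thread and not any tool the posters mention; it assumes 512-byte sectors and the classic MBR layout, and the sample image and its contents are constructed.

```python
import io
import struct

SECTOR = 512

def inspect_boot_sector(sector0):
    """Summarise sector 0 of an image, assuming the classic MBR layout."""
    if len(sector0) != SECTOR:
        raise ValueError("sector 0 must be exactly 512 bytes")
    partitions = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] or lba_start or count:
            partitions.append({"slot": i, "active": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": count})
    return {"all_zero": sector0.count(0) == SECTOR,
            "boot_code_present": sector0[:446].count(0) != 446,
            "signature_55aa": sector0[510:512] == b"\x55\xaa",
            "partitions": partitions}

def nonzero_sectors(image, limit=1000):
    """Return the LBAs (up to `limit`) of sectors that are not all zero."""
    found, lba = [], 0
    while len(found) < limit:
        chunk = image.read(SECTOR)
        if not chunk:
            break
        if chunk.count(0) != len(chunk):
            found.append(lba)
        lba += 1
    return found

def build_sample_image():
    """Constructed 8-sector image: untouched boot sector plus one stray sector."""
    mbr = bytearray(SECTOR)
    mbr[0:4] = b"\x90\x90\xeb\xfe"  # constructed non-zero bytes in the code area
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 2048)
    mbr[510:512] = b"\x55\xaa"      # boot signature
    image = bytearray(SECTOR * 8)
    image[0:SECTOR] = mbr
    image[5 * SECTOR: 5 * SECTOR + 9] = b"leftover!"
    return bytes(image)

if __name__ == "__main__":
    img = build_sample_image()
    print(inspect_boot_sector(img[:SECTOR]))
    print(nonzero_sectors(io.BytesIO(img)))
```

For a real case, pass a file object opened read-only on the mirror image to `nonzero_sectors` in place of the constructed sample; a fully zeroed drive yields an empty list and an `all_zero` boot sector.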

by wlbowers In reply to Hidden Tracking Software

You need software that can erase the first 10 tracks of the drive. This is the area where the master boot record is kept.

This will be bootable from a locked floppy.

I use drivepro. It is an old diagnostic software. There is DOD erase software that will do the same thing.

http://www.killdisk.com/

Lee
