Drive Forensics - TechRepublic
General discussion
May 21, 2004 at 02:59 PM
richard.mckinney

Drive Forensics

by richard.mckinney . Updated 22 years, 1 month ago

Hi,

I have several servers that I am taking out of service. I am sure the
customer will ask me about the safety of the data when I brief him. I want
to be sure I know what the risks are. I have 3 cases:

DO CASE

CASE=1: a server, essentually desktop hardware, with a single ATA drive.
I will boot to MS DOS and run the Resource Kit DELPART to delete the NTFS
partition. I belive that only serious forensics will recover the data. Is
this true?

CASE=2: a server with 2 drives on a RAID card, using RAID-1 (Mirrored). I
will use the ROM in the RAID card to delete the logical drive. Is that the
same as the DELPART above? I am a little concerned because with RAID-1 I
have a full set of the data on each physical drive.

CASE=3: a server with 7 drives in a RAID-5 Array. I will use the ROM in
the RAID card to delete the logical drive, and then randomly shuffle the
physical disks between the various servers being sold off. I belive that
since each physical drive in a 7-drive RAID array only has 1/6th of the
data, it should not be able to be reconstructed, even by serious forensics.
Is this true?

ENDCASE

Thanks,

Rich McKinney

This discussion is locked

All Comments