Hi everyone,
Im pretty sure the answer is no, but can anyone confirm, does autopsy or TSK inform a practitioner about possible secure deletion having occurred on a filesystem by flagging known wipe patterns? Im convinced there is no functionality/ingest for this that I can find?
No there is not. Does this question have anything to do with the DF Challenge 2021 201-Shredder test? If it does and you figure something out you can always create a plugin to alert an examiner to this.
Thanks for confirming. Its not actually, but I would certainly be interested to know more about the challenge. It actually concerns a recent paper published which evaluates TSK’s performance in a range of anti forensic scenarios:-
Can computer forensic tools be trusted in digital investigations? in Science and Justice.
https://www.sciencedirect.com/science/article/pii/S1355030620303002?dgcid=rss_sd_all#:~:text=Investigators%20cannot%20absolutely%20rely%20on,data%20hiding%2C%20and%20forging%20timestamps.
The article implies that the practitioner should expect that TSK should detect wipe patterns?.. but if it doesnt have this functionality?!
I understand what you are saying. I am not sure why the authors would think that TSK should detect wipe patterns. TSK’s main purpose is to access the on-disk structures and present them to the examiner for them to analyze with or without a tool. Detecting wipe patterns falls under analysis not on presentation of On-disk structures.