Low Level Format

New user here! I appreciate everyone’s assistance as I’m learning my way around.

I purchased a few used disks to analyze. They were low level formatted by the seller and Autopsy (v4.12) reports it cannot determine the file system. Is it that easy for bad guys to just low level format a drive to thwart analysis?

Yes, it can actually be “that easy”. Zero-filling and/or wiping drives (writing data across sectors), etc. is nothing new and has been available to anyone who wants to thwart analysis for a long time. Low level formatting takes it a step further to touch even sectors normally not visible to an OS/Kernel.

But don’t confuse a simple message like “cannot determine partition type” (or file system) with “no data available”. Tools like Autopsy look for particular structures to access volumes and file systems. If those structures are not available (or are corrupted) that does not mean there are no sectors with data to be parsed. Journal analysis, signature analysis (carving, etc), etc. are all available to help recover files and data where file system structures don’t exist.

For the sake of your original question: if the data has been wiped either via a low level format or writing out /dev/zero to media, or any other method, then “yes”. Analysis using tools like Autopsy (EnCase, Axiom, etc.) are effectively thwarted. In your case it sounds like you already know they were wiped, but it might be worth having an actual look at individual sectors to see if data still exists (not everyone gets their terminology right - you may have been told they were low level formatted, but that does not mean they actually were).

In actual practice though, having a subject wipe a drive before you reach it is somewhat rare. Most digital devices are seized during warrants (without notice) or taken from enterprise settings where the subject is unaware they were the victim of an intrusion or infection, etc.

Hope this helps.