A statistical method for detecting on-disk wiped areas

Antonio Savoldi*, Mario Piccinelli, Paolo Gubian
Department of Information Engineering, DEA, University of Brescia, Via Branze, 38, I-25123 Brescia, Italy

Article history: Received 12 May 2010; received in revised form 23 June 2011; accepted 28 June 2011.

Keywords: Wiping detection; Anti-forensics; Data wiping; Anti-anti-forensics; Linear classifier

Abstract

Data-wiping tools are meant to securely erase data. Malicious users may resort to such tools to eliminate traces of a crime they have committed. State-of-the-art wiping detection techniques rely on artifacts left by the use of such tools. However, in certain cases such artifacts can be obfuscated and the investigator is left with almost no clues that could point to a digital crime. In this paper we present a scenario involving an ideal data-wiping case, i.e. a method that does not leave any of the usual exploitable artifacts. In addition, we demonstrate an efficient statistical technique that allows the detection of on-disk wiped areas, whether filled with random or with periodic data. The performance and usability of the proposed techniques are discussed as well.

© 2011 Elsevier Ltd. All rights reserved.

1. Introduction

Digital forensics initially emerged as an applied discipline and has eventually grown into a science to face the issues posed by cybercrime, by providing certified and reliable methodologies for answering basic questions such as who committed the digital crime, when it happened, and which techniques were used against the system. An example of a well-known illicit action is the broadcasting or downloading of contraband images by means of a computer system. The perpetrator can easily destroy the evidence of the illicit action by means of the plethora of wiping tools available as commercial and free offerings.

Usually, when such a tool is installed, uninstalled, or launched, it generates artifacts such as an installation folder, a prefetch file, various Registry keys, and signatures in the file entry on an NTFS file system. However, with the advancement of the anti-forensics field (Harris, 2006), defined as the set of methodologies used against a computer system to conceal any evidence that an illicit action has been done, new challenges to the digital forensics science are posed. Particularly, in some cases the use of specific, crafted wiping tools might not leave any ordinary artifacts on a system that can be exploited in a digital investigation. The aim of this paper is therefore to discuss a possible ideal data-wiping scenario where the usual artifacts left by data-wiping tools are obfuscated. In addition, a statistical procedure for detecting on-disk wiped areas is outlined and analyzed.

The remainder of this paper is structured as follows. Initially, a brief overview of data-wiping technology is given, outlining the basic algorithms used by portable wiping tools. This is followed by a discussion of the methodology that highlights artifacts left by wiping tools. Furthermore, an example of artifacts generated by a well-known portable wiping tool is illustrated. Moreover, a perfect data-hiding scenario is presented, where the usual artifacts left by the surveyed tool can be easily obfuscated. The article proceeds with a statistical analysis to detect on-disk wiped areas. The paper concludes with a brief overview of related work and some final general observations.

* Corresponding author. Tel.: +39 303715436; fax: +39 30381014.
E-mail addresses: antonio.savoldi@ing.unibs.it (A. Savoldi), mario.piccinelli@gmail.com (M. Piccinelli), paolo.gubian@ing.unibs.it (P. Gubian).

Digital Investigation 8 (2012) 194–214. doi:10.1016/j.diin.2011.06.005
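The abstract states that wiped areas can be recognised statistically whether they were overwritten with random data or with a repeating pattern, without relying on tool artifacts. The following Python sketch, added here as an illustration and not the paper's own method or code, shows the general shape of such a scan on a raw disk image: each fixed-size block is tested for a short repetition period (pattern wipes, including the all-zero case) and, failing that, for near-maximal byte entropy (random-fill wipes), and adjacent blocks of the same class are coalesced into candidate regions. The block size of 4096 bytes, the maximum period of 64, the entropy threshold of 7.0 bits per byte, and the sample image layout are all assumptions chosen for the demonstration; the paper's classifier and thresholds are not described in this excerpt.

```python
import hashlib
import math
from collections import Counter
from typing import List, Optional, Tuple

BLOCK = 4096        # scan window in bytes (assumption, not the paper's value)
MAX_PERIOD = 64     # longest repeating pattern we look for (assumption)
RANDOM_BITS = 7.0   # entropy threshold in bits/byte for "random fill" (assumption)


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits per byte; 8.0 means all 256 values equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def smallest_period(data: bytes, max_period: int = MAX_PERIOD) -> Optional[int]:
    """Smallest p <= max_period such that the block repeats with period p, else None.
    Period 1 covers constant fills such as all-zero or all-0xFF wipes."""
    for p in range(1, max_period + 1):
        if len(data) > p and data[p:] == data[:-p]:
            return p
    return None


def classify_block(data: bytes) -> str:
    """Label a block as 'periodic/<p>', 'random' or 'other' (ordinary content)."""
    p = smallest_period(data)
    if p is not None:
        return f"periodic/{p}"
    if shannon_entropy(data) >= RANDOM_BITS:
        return "random"
    return "other"


def find_wiped_regions(image: bytes, block: int = BLOCK) -> List[Tuple[int, int, str]]:
    """Scan an image block by block and return (start, end, label) byte ranges
    for runs of adjacent blocks that look wiped; 'other' blocks are skipped."""
    regions: List[Tuple[int, int, str]] = []
    for off in range(0, len(image), block):
        label = classify_block(image[off:off + block])
        if label == "other":
            continue
        if regions and regions[-1][2] == label and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + block, label)   # extend the run
        else:
            regions.append((off, off + block, label))
    return regions


# --- constructed sample image (not real evidence) -------------------------

def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes from a SHA-256 counter chain, standing in
    for a random-fill wipe so the example is reproducible offline."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def build_sample_image() -> bytes:
    """Layout (in BLOCK units): 4 text | 3 zero-filled | 2 AA55-pattern | 4 random | 2 text."""
    text = b"".join(b"record %d;" % i for i in range(3000))   # non-repeating ASCII
    return (text[:4 * BLOCK]
            + b"\x00" * (3 * BLOCK)
            + b"\xAA\x55" * BLOCK                 # 2 blocks of a period-2 pattern
            + pseudo_random_bytes(4 * BLOCK)
            + text[4 * BLOCK:6 * BLOCK])


if __name__ == "__main__":
    for start, end, label in find_wiped_regions(build_sample_image()):
        print(f"{start:#010x}-{end:#010x}  {label}")
```

On the constructed image the scan reports three regions: a period-1 (zero) run over blocks 4 to 6, a period-2 run over blocks 7 and 8, and a random-fill run over blocks 9 to 12, while the surrounding text blocks are ignored. The period test is placed before the entropy test because a repeating pattern has low entropy anyway, and a coalescing step is what turns per-block labels into the contiguous "wiped area" an examiner would actually want to report.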