
Data wiping software like the application discussed in the Tip of the Night for February 14, 2016 may overwrite data according to any one of several widely recognized standards. Here's a brief overview of them.

1. DoD 5220.22-M method - was developed by the National Industrial Security Program, a federal government authority that manages the needs of private industry for access to classified information. (The United States Department of Defense, the Department of Energy, the CIA, and the Nuclear Regulatory Commission have authority over the NISP.) DoD 5220.22-M actually refers to a manual providing baseline standards for handling classified information. This method is a three-pass procedure which overwrites data with 1's, then with 0's, and then with random characters. This method is no longer used by the NISP and was never intended to be a standard for private, commercial users to wipe data. Be suspicious if you hear from a vendor that data erasing is performed with DoD 5220.22-M certification.

2. RCMP TSSIT OPS-II method - was developed by the Royal Canadian Mounted Police. This approach involves three passes of 0's, alternating with three passes of 1's, and then ending with random 1's and 0's - a total of seven passes altogether. Canada no longer uses this standard, instead opting for the CSEC ITSG-06 method which writes either a 1 or a 0 on the first pass, the opposite digit on the second pass, and then a random character on the last pass.

3. Gutmann method - utilizes 35 passes. It begins and ends with 4 random write patterns. The 27 passes in between are designed to address magnetic media encoding. Peter Gutmann is known for claiming back in 1996 that overwritten data could be recovered by examining magnetic media with specialized microscopes. He notes that when a 1 is overwritten with a 0 there is an anomaly which can be detected. This method may not be effective with more modern hard drives.

4. PRNG method - Pseudo Random Number Generator overwrites with randomly generated digits in four to eight passes.

5. Quick erase - simply performs one pass, overwriting data with zeroes.
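The pass sequences described in the list above, written out as an added example (not code from the wiping application or from any of the standards). It assumes "1's" means bytes of 0xFF and "0's" means bytes of 0x00, picks 0 as the first digit for CSEC ITSG-06, uses four passes for the PRNG method, and leaves out Gutmann because the page does not list its 27 middle patterns; the scheme names and `wipe_file` are hypothetical.

```python
import os

# Pass schedules built from the descriptions above; None = random bytes.
SCHEMES = {
    "dod-5220.22-m": [0xFF, 0x00, None],
    "rcmp-tssit-ops-ii": [0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, None],
    "csec-itsg-06": [0x00, 0xFF, None],
    "prng-4": [None] * 4,
    "quick-erase": [0x00],
}
CHUNK = 1 << 20  # write and verify in 1 MiB blocks

def _write_pass(fd, size, fill):
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        block = os.urandom(n) if fill is None else bytes([fill]) * n
        remaining -= os.write(fd, block)  # os.write may be partial
    os.fsync(fd)  # push this pass to the device before the next one

def _verify_pass(fd, size, fill):
    # Read the file back and confirm every byte equals the fill value.
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        data = os.read(fd, min(CHUNK, remaining))
        if not data or data.count(fill) != len(data):
            return False
        remaining -= len(data)
    return True

def wipe_file(path, scheme):
    """Overwrite path in place; return one (fill, verified) per pass.

    Assumption: the storage writes in place. On SSDs and copy-on-write
    filesystems the old blocks may survive the overwrite.
    """
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.fstat(fd).st_size
        results = []
        for fill in SCHEMES[scheme]:
            _write_pass(fd, size, fill)
            # A random pass has no fixed pattern to read back against.
            ok = None if fill is None else _verify_pass(fd, size, fill)
            results.append((fill, ok))
        return results
    finally:
        os.close(fd)
```

The file keeps its name, size and directory entry; only its contents are replaced, so deleting it afterwards is a separate step.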


 
 

It's common to read in electronic discovery guides that Macs have an option called 'Secure Empty Trash' which allows users to overwrite deleted files with zeroes. (You'd see the option if you held down the command key when opening Trash.) We know deleted files are not really removed from your computer and can be recovered rather easily with programs like Tokiwa, as described in the Tip of the Night for May 30, 2015. Apple's Secure Empty Trash was designed to give Mac users a way to permanently delete files. However, the new El Capitan operating system is missing this feature. Apple deliberately chose to remove the feature because someone with very sophisticated forensic skills could still recover files overwritten with zeroes as an electromagnetic ghost. See this posting on macworld.com.

One way of forcing the Apple El Capitan OS to overwrite a file is to use the srm command. Just follow these steps:

1. Press the command key + the space bar and bring up 'Terminal' in Spotlight Search.

2. Move the files you want to securely delete to a folder on your desktop. In this example we've named this folder 'delete'.

3. Enter this command in Terminal:

srm -rvf /Users/[user name]/Desktop/delete

Your file should be securely erased. See this posting.

 
 

An order was issued today by a federal judge requiring Apple to assist with efforts to bypass the encryption on an iPhone 5C belonging to one of the terrorists who carried out the attacks in San Bernardino, CA this past December. See this article in the Washington Post. This bit of e-discovery news in the headlines tonight is interesting for a few different reasons. One, it proves that the government, even in a high-profile criminal matter that involves a national security danger, still can't find a way to hack into the iPhone - or at least one running iOS 9. Second, the news articles point out that more than ten incorrect attempts to enter the passcode for an iPhone will wipe out the data on the smartphone. Third, a magistrate judge with the California Central District Court has found a basis under the All Writs Act to demand that a company create customized malware for the specific purpose of accessing encrypted data. Lastly, some experts believe the decision may be used as a basis for future decisions allowing the government to direct phone or software companies to secretly install programs to gather private information. See the PC World article here.

The order can be viewed here. Note that it also requires Apple to prevent software on the device from causing additional delays between passcode attempts. It's also notable that the order specifies that ultimate responsibility for evidence preservation rests with the Government, not Apple.


 
 

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea . Proudly created with Wix.com
