Purple Group Project Report - Hard Drive Data Recovery

Metal TableMetal TableMetal TableProject Purple - Hard Drive Data Recovery

Shelli Cafaro, Jacky Reid, Sina Mao, Terell Maxwell

Goal:

  • To use different methods to wipe data from a portable USB drive then use a recovery tool to find out which wipe method works best.
  • Hypothesis: The corruption method would be the best to make data unrecoverable

Phase 1:

  • Obtain 4gb or larger USB flash drive
  • Load each USB with file downloads used throughout the class
  • Each team member will use a different method to wipe their USB
  1. Terell - Reformatting USB
  2. Jacky - DBAN software
  3. Sina - CCleaner software
  4. Shelli - corrupt the hard drive through command prompt

Phase 2:

  • Use Recuva free software to attempt data recover
  • Compare each method to see which works the best.

Proof of Concept: Purple Team

Shelli Cafaro, Jacky Reid, Sina Mao, Terell Maxwell

  1. Team will download a set of files. Each USB will have the same set of files to ensure continuity.
  • BT.zip (Final)
  • Network.log (Final)
  • Blue-midterm-log.txt (Midterm)
  • DFRWS2005-RODEO (Digital Forensics Workshop)
  • Sift Workstation (Digital Forensics Workshop)
  • Metasploitable-linux-2.0.0
  • CyberRed Final (Red Team Final)
  • LSA Ova (Red Team Intro)
  • KPX Ova (Red Team Intro)
  • ZC2 Ova (Red Team Intro)
  1. Each team will download a free version of the Recuva Software to recover information. Those on the team who do not have a Windows PC will download the information on their Windows 10 VM’s.
  2. All team members will download the above files on the USB drive and verify via screenshot.
  3. One team member will reformat the drive using Windows formatting.
  4. One team member will download and attempt to wipe USB using CCleaner software
  5. One team member will download and attempt to wipe USB using DBAN software.
  6. One team member will download and attempt to corrupt a USB by writing random information using Windows Command Prompt.

There was some concern that DBAN would not work for USB flash memory. However, after doing some research and reading submissions in online forums, we came to the consensus that while it can be done using the DBAN software, it may not be reliable and several wipe passes would be needed to ensure a complete deletion of information. For the purposes of our experiment in finding which method of wiping a drive would work best for not recovering information, we will only be using a minimum pass with each of the two types of software (DBAN and CCleaner).

Proof of attempts made to delete information will be transmitted via screenshots and collaborated on Wednesday (11/17/21). If there are any difficulties in downloading and running software on computers, we will work together via our group Slack channel and Zoom to ensure each method will wipe the USB drives.

Steps to Corrupt USB using Windows Command Prompt:

  1. Open Windows Command LIne as Admin
  2. Type in:
  • Diskpart <enter>
  • List disk <enter>
  • Select disk [#] (whichever number drive the USB is) <enter>
  • Clean <enter>
  • Exit <enter>
  1. This should make the USB unreadable and trigger an error screen asking to insert media.
  2. See MVP for screenshots and results

Steps to Wipe USB Using CCleaner:

  1. Connect the drive first and then start CCleaner to enable this tool to discover and  then start CCleaner to enable this tool to discover and display the drive in the list.
  2. Select Tools from the left pane and then click Drive Wiper.
  3. Choose the type of wipe you need to perform:
  4. Then just click the Wipe button to complete the erase. Keep in mind that depending on sizes of the drive, the content and the settings you have chosen, this could take a long time.:

Loaded 10 files/folder onto USB Drive

Capacity and Free Space for USB

Download CCleaner click on “Tools” tab scroll down to “Drive Wiper” and click on the USB Drive to erase the files

CCleaner warning that all data will be erased!

CCleaner is erasing all data in the USB Drive

CCleaner securely erased the contents on the USB drive

Download Recuva and select USB to start recovering

USB Drive is being scanned with Recuva to find lost data, so far Recuva has found 2 files

The scan completed and it says 2 files were found but wasn’t able to open or read it

Steps to Wipe USB Using Darik’s Boot and Nuke (DBAN):

  1. Load your data onto the USB drive..
  2. Download DBAN. Download DBAN from the official site. ...
  3. Download DBAN onto virtual machine (Windows VM)
  4. Start DBAN in Interactive Mode. ...
  5. Select the drive for erasure. ...
  6. Start the cleaning process.
  7. Once completed use Recuva to check for any data left behind.

Downloaded ten files onto the USB drive.

Used Darik’s Boot and Nuke (DBAN) to erase all files from the USB drive.

Used Recuva software for Windows to recover file data.

After the first wipe one file was found but unreadable.


After the second wipe was completed using DBAN 0 file was recovered.

Steps to reformat USB in Windows:

  1. Open File Explorer.
  2. Click on This PC from the left pane.
  3. Under the "Devices and drives" section, right-click the flash drive and select the Format option.
  4. Use the "File system" drop-down menu and select the exFAT option.
  5. In the "Allocation unit size" drop-down menu, use the default selection.
  6. In the "Volume label" field, confirm a drive name that will appear in File Explorer. For example, “Drive”.
  7. Under the "Format options" section, select the Quick format option.
  8. Click the Start button.
  9. Click the Yes button.

10. Once the process of reformatting was done, made sure to check that the USB, now named Drive, would be empty. After confirming, open Recuva software in order to recover the recently deleted files. The first option to recover the data was quick, but it also was not successful.

 

11. Recuva then asked to subsequently do a “deep scan”. The deep scan option took a total of 52 minutes and 12 seconds, and even after almost an hour, no files were recovered at all.

Needless to say, reformatting the USB is an extremely effective way to get rid of data and Recuva was unable to recover the data.

        

Minimum Viable Product

Command Prompt USB Corruption and Recovery

  1. Load 10 files/folders onto USB flash drive

  1. Capacity and free space for USB

  1. “Disk 1” for command prompt

  1. Steps followed to clean USB from https://www.easeus.com/partition-master/how-to-corrupt-a-flash-drive-on-purpose.html#3

  1. USB clean is successful. USB shows unreadable.

  1. Used Recuva free recovery software for Windows and found Metaspoitable zip file

  1. Comparison of file information (file size)

Video Script:

Introduction:

  • (Slide 1) Hello everyone, and welcome to Project Purple! My name is Terell, and my teammates, Shelli, Sina, Jacky and I would like to introduce you to a simple way to clear your USB and ensure that your data is truly gone.
  • (Slide 2) For our project, we decided to take a USB flash drive, fill it with various file types, and compare 4 different “drive wipe” methods to delete the information. Once the drives were wiped, we used a free version of EaseUS Recuva software to scan the drives and see how much information could be recovered.

Reformatting:

  • (Slide 3) In reformatting, it is important to me that this could be replicated, even though it may not be the most difficult task. I made sure that all of the options were on the default versions and the only real change I made was changing the name of the USB drive once the reformatting was complete.
  • (Slide 4) After doing so, I used the free version of Recuva in order to recover these deleted files. The first scan did not produce anything, so the option for a deeper scan was given to me, but even after this 52 minute process, the Recuva software did not successfully recover any of the data that was erased during the reformatting process.

Darik’s Boot and Nuke (DBAN):

  • (Slide 5) For this method I downloaded Darik’s Boot and Nuke also known as DBAN onto a virtual machine. I used this software to erase the data stored on the USB flash drive. Once the disk was wiped I used  a free version of EaseUS Recuva for Windows to check if any of the files could be recovered.
  • (Slide 6) After two scans 0 data was found so it was successful. I also checked disk utility for any available space and the disk was empty proving no data was found.

CCleaner: proving no data was present.

  • (Slide 7) Hi my name is Sinna I used “C_Cleaner”
  • C_Cleaner Software not only has an option to erase data but it also has Recuva on the same website to download, install and recover data. I downloaded both options. Recuva from C_Cleaner webpage and Recuva from its own website. In the end the results were exactly the same but I believe the original version of Recuva off of their site was easier to use with more advanced options. ……...
  • (Slide 8) Both Recuva said there were 2 files found but they weren’t readable. In conclusion I think C_Cleaner is a great effortless software to use to erase data. On the other hand Recuva was not able to recover the files that were erased.

Windows Prompt Clean:

  • (Slide 9) For this method, I used Windows built-in command prompt. I found the steps on an online forum and followed them to corrupt the USB and make it unreadable by the computer.
  • (Slide 10) After following the steps to corrupt the USB, I ensured that it was unreadable by plugging it into three different machines. Two Windows 10 laptops, and a Windows 8 laptop. Each result was the same with a window asking to “insert disk”.
  • (Slide 11) Once I made sure the drive was successfully corrupted, I used the free Recuva software available for download through the EaseUS website to scan the USB and attempt to recover information. While most of the information was gone, there was one file that was recovered with almost 2GB of data.

Conclusion:

  • (Slide 12) Per our results, we found that the most successful method of erasing data is simply reformatting the USB. While the windows command prompt cleaning method was still successful in erasing data, there were large bits of information left over to be recovered, even by free scanning software.
  • In conclusion, you don’t have to buy some expensive USB key or cleaning software. If you want to get rid of all those extra USB’s you can reformat to clean off that important information and keep your data secure.
  • And if all else fails… you can always SMASH IT!!!!