
312-49v10 Exam - Question 511


In a recent cybercrime investigation, a forensic analyst found that the suspect had used anti-forensic techniques to complicate the investigation process. The criminal had been working to erase data, manipulate metadata, and employ encryption, which made the investigation significantly more complex. Which of the following scenarios would indicate that the suspect had overwritten data and metadata in an attempt to evade investigation?

Correct Answer: D

If the investigator finds that the majority of the hard drive's sectors contain the null character, it indicates the use of disk wiping utilities. Disk wiping involves overwriting data with null characters or random data, ensuring that the original information cannot be recovered.
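A triage check for the indicator described in this explanation, added here as an example and not part of the original exam material: it surveys a disk image sector by sector and reports when most sectors are zero-filled, filled with one repeated byte, or high-entropy. The 512-byte sector size, the 7.2 bits/byte entropy cut-off, the 50% threshold and all function names are assumptions, and the sample image is constructed.

```python
import io
import math
from collections import Counter

SECTOR = 512  # assumed logical sector size


def classify_sector(buf: bytes) -> str:
    """Label one sector as 'null', 'pattern', 'random' or 'data'."""
    counts = Counter(buf)
    if len(counts) == 1:
        # Every byte identical: 0x00 fill, or another single-byte wipe pattern.
        return "null" if buf[0] == 0 else "pattern"
    n = len(buf)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    # 512 uniformly random bytes measure about 7.6 bits/byte. Encrypted or
    # compressed content scores the same, so 'random' is a lead, not proof.
    return "random" if entropy >= 7.2 else "data"


def survey(stream, sector: int = SECTOR) -> Counter:
    """Read a raw image stream and count sectors per label."""
    tally = Counter()
    while True:
        buf = stream.read(sector)
        if not buf:
            break
        tally[classify_sector(buf)] += 1
    return tally


def wipe_indicator(tally: Counter, threshold: float = 0.5):
    """Return the fill type covering more than `threshold` of sectors, or None."""
    total = sum(tally.values())
    if total == 0:
        return None
    for label in ("null", "pattern", "random"):
        if tally[label] / total > threshold:
            return label
    return None


def constructed_image() -> bytes:
    """Constructed sample: 2 sectors of leftover records, 14 zero-filled sectors."""
    record = (b"INVOICE 2024-06 customer record\n" * 16)[:SECTOR]
    return record * 2 + bytes(SECTOR * 14)


if __name__ == "__main__":
    tally = survey(io.BytesIO(constructed_image()))
    print(dict(tally), "->", wipe_indicator(tally))
```
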

Discussion

Elb
Option: D
Jun 12, 2024

Disk wiping involves erasing data from the disk by deleting its links to memory blocks and overwriting the memory contents. In this process, the application overwrites the contents of the MBR, partition table and other sectors of the hard drive with characters such as the null character or any random character several times (using data wiping standards). In this case, the forensic investigator finds it difficult to recover data from the storage device.