Host Wiped Before Forensic Acquisition
The compromised host has been zeroed or securely wiped (DBAN, `dd if=/dev/zero`, `sdelete`, `shred`) before forensic imaging could begin. Traditional filesystem-carving techniques recover limited content; the investigation must pivot to peer-host artifacts, network telemetry, and cloud/identity records that survived the wipe.
Signals
- •Target disk is fully zeroed with no recognizable filesystem or slack-space content
- •Sequential 4KB blocks of repeated zero bytes detected across the entire device
- •System clock of the wipe event visible in BMC/IPMI logs or the last UEFI firmware event
Pivot Actions
- 1.Capture BMC/IPMI, UEFI firmware, and TPM event logs that survive disk wipe -- wipe tools rarely touch firmware-resident logs
- 2.Pull peer-host artifacts (adjacent endpoints, domain controllers, network devices) that captured lateral movement from the wiped host
- 3.Request backup-system restoration of the last pre-wipe snapshot if backup software was configured for the host
- 4.Harvest network telemetry (flow records, DNS logs, proxy logs, firewall logs) covering the wiped host's IP and MAC address history
- 5.Review cloud/identity traces (Azure AD, Okta, CloudTrail) for authentication, API usage, and file access originating from the wiped host
Alternate Evidence Sources
- •BMC/IPMI out-of-band management logs preserved on the management controller, not the wiped disk
- •TPM PCR event log entries providing firmware and boot-time attestation evidence
- •Backup snapshots (Veeam, Commvault, Rubrik, AWS Backup) predating the wipe event
- •Network-level evidence (NetFlow, IDS/IPS alerts, firewall session logs) matching the host's IP/MAC during the compromise window
- •Peer-host EDR telemetry showing remote sessions into or out of the wiped host