Posted: Fri May 05, 2006 8:14 am Post subject: Secure "erasing" - how effective IS it?
Does a program such as "Eraser" ( heidi.ie/eraser/ ) defeat forensic programs - to such an extent as to make them useless in gathering evidence of any kind - if Eraser is used correctly (settings-wise, number-of-passes-wise) and run religiously (once on a schedule and also at the close of any given session) in conjunction with lesser "clean-up" programs such as CleanCache, CCleaner, SBS&D, Index.datSuite, NTREGOPT and PageDefrag (run in the correct order, of course)?
After seeing what was left over of my son's Internet travels after running the "lesser" programs above by using the trial version of a program called RecoverMyFiles ( recovermyfiles.com/ ), I ran an Eraser "free space" wipe (one pass) with Eraser set to over-write:
(a) Free Disk Space (and Master File Table Records)
(b) Cluster Tip Area
(c) Directory Entries
and got the result shown in the screenshot here: wilderssecurity.com/showthread.php?p=742026#post742026 .
Are all those files now truly "un-recoverable" - or not? If they are, why does that program say that the "Recovery" ability is "Very Good"?
I really have to wonder if there is any way to truly "erase" all vestiges of any file you have or d/l onto your computer (to a certainty of every single trace of it being "gone" or "un-recoverable" by any means) - especially when you get into all that geeky-sounding stuff about non-resident attributes; additional MFT records; extents that lie outside the MFT; MFT "slack"; file slack; RAM slack, etc., etc., etc.
What's the real answer here - and I'm asking it here because I would think that you all would really know. Pete
Of course it is recoverable. There IS data written there, all 0's. The erase or wipe programs don't really erase data, they overwrite with a pattern, sometimes 0's sometimes random patterns, depends on your programs and how you configure it.
This may be the simplistic answer to your questions but in essence you aren't erasing anything, just replacing the data with a pattern of new data that is meaningless.
Data Forensics and Recovery Consultants
I second deckard's conclusion. In my tests of Eraser versus forensic recovery programs (on a hard drive and on a flash card), none of the original data was recoverable after even one pass of pseudorandom data. It is possible for the FAT to retain the file names, and temp files may exist in other locations. I found that some programs keep quite a bit of information in places I didn't suspect until I found it later. This is what commonly trips up criminals during an investigation. They may be confident that they encrypted or erased information, but it is sitting there in plain sight in another location.
Let me describe my daily "exit sequence" - what I do before leaving the computer after any given session:
(Note that Windows is set to clear the swapfile at re-start and Page Defrag from SysInternals - sysinternals.com/Utilities/PageDefrag.html - is set to run automatically at every re-start. SystemRestore is totally disabled, as are RemoteRegistry and RemoteDesktop.
All browsers - IE, FireFox, Opera - are set to delete personal data/clear temp files/not remember history for longer than one day/remove d/l history upon exit, etc.)
Run CleanCache v3.2 - buttuglysoftware.com with all options set re: finding/deleting what's found - 35 single wiping passes - with no back-ups permitted. (Covers all three browsers and is actually pretty awesome in and of itself - notwithstanding the fact that it requires the .Net framework).
Run CCleaner v1.28.277 - ccleaner.com, set likewise except for a seven-wipe max (it catches a couple of things that CC misses, mainly the jre caches and Windows Update un-install stuff).
Run Index.dat Suite - support.it-mate.co.uk/?mode=Products&p=index.datsuite - to make absolutely sure all index.dats are found and deleted. (No "back-ups" and all other cleaning functions selected in that, too, although it just "deletes", it doesn't multiple-pass over-write).
Run SpyBot Search&Destroy, followed immediately by NTREGOPT and another re-start.
At that point - having deleted everything I can possibly think of - I start off a single "free-space" wipe with Eraser Version 5.7 - heidi.ie/eraser/ as I'm walking out the door.
(Eraser also does another "free-space" wipe - scheduled - nightly).
I don't know, I'm just into "un-necessary" data destruction, I guess.
Can anyone think of anything I'm missing? Maybe in regard to the .Net Framework stuff? Pete
Okay, the other thing I've been wondering about is something I can't link you to (because I've forgotten where I read it) about the fact that the MFT doesn't get destroyed even in a complete low-level hard-drive format? This doesn't jive with what I'm reading at the DBAN forum however.
Is that correct, or myth?
And - how much data do the BIOS and the printer memory retain? Pete
"low-level format" refers to a factory process that users can't normally accomplish. Formatting the drive normally does not remove data, but does remove pointers to the data in the FAT or MFT, making it appear to have removed the data.
DBAN takes out everything on the hard drive, provided the whole drive is selected (not just a single partition). It has to be partitioned and formatted afterward.
BIOS doesn't retain any user data, just information about the hardware, and settings the computer will use when accessing the hardware.
Printers shouldn't retain information once it has printed. That said, I've never heard of printer memory being queried forensically, so newer printers *may* have an internal log. There can be spool files left over on the PC that describe what was printed. Print servers can also keep track of username, filename, and time of printing.
Hey spy1, get a search program like Agent Ransack and search for all files created in the last day. You can use Windows Explorer as well, but it's buggy and often gives you all files created AND accessed. That's too many files to deal with.
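The "search for recently created files" check above can be scripted so the results are reproducible and can be kept with the rest of your test notes. The following is an added example and is not Agent Ransack's or Windows Explorer's code; it walks a directory tree and lists files whose creation time falls inside a window. The one caveat worth knowing is in the comment: Windows reports creation time in `st_ctime`, macOS and the BSDs expose `st_birthtime`, and Linux only gives a last-metadata-change time, so on Linux the filter is "changed recently" rather than "created recently". The `self_check` function builds a throwaway directory with one fresh file (constructed input) so the script can be exercised offline.

```python
import os
import tempfile
import time


def creation_time(st):
    # Windows: st_ctime is the creation time.
    # macOS/BSD: st_birthtime is the creation time.
    # Linux: no birth time via os.stat(), so st_ctime (last inode change)
    # is the closest available fallback and will over-report slightly.
    return getattr(st, "st_birthtime", st.st_ctime)


def recent_files(root, days=1.0, now=None):
    """Return [(path, creation_time)] for files under root created within
    the last `days` days, newest first. Unreadable entries are skipped
    rather than aborting the whole scan."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # vanished mid-scan or permission denied
            ct = creation_time(st)
            if ct >= cutoff:
                hits.append((path, ct))
    hits.sort(key=lambda item: item[1], reverse=True)
    return hits


def self_check():
    """Constructed scenario: one freshly written file in a temp directory.
    Returns (found_in_last_day, found_when_clock_is_ten_days_ahead)."""
    tmp = tempfile.mkdtemp(prefix="recent-scan-")
    leftover = os.path.join(tmp, "leftover.tmp")
    with open(leftover, "wb") as fh:
        fh.write(b"x")
    found_now = [p for p, _ in recent_files(tmp, days=1)]
    # Pretend it is ten days later: the file should no longer match.
    found_later = recent_files(tmp, days=1, now=time.time() + 10 * 86400)
    os.remove(leftover)
    os.rmdir(tmp)
    return leftover in found_now, found_later


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, ct in recent_files(root, days=1):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ct)), path)
```

Run it with the directory to scan as the first argument (defaulting to the current directory); the output is one line per recent file with its creation timestamp, which is easier to diff between sessions than an Explorer window.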
Joined: Nov 01, 2005 Posts: 551 Location: Marion, Indiana, USA
Posted: Wed Aug 23, 2006 1:36 pm Post subject:
Unless you wipe your entire drive regularly (depending on how bad you want the data to be gone would decide how often regularly is), Data can still be recovered. By wiping it, I mean overwriting the entire drive with random characters at least 7 times. Then reinstall the OS. Then there is still a chance that something will slip between the tracks.
I hear the multiple passes claim mentioned a lot, but haven't seen anyone back up the claim with modern equipment. As I posted in this same thread back on May 6, my own experiments show that one pass of pseudorandom data completely prevents the recovery of any data that occupied the same space. It is possible for the same data to be stored in multiple locations, or at least parts of it, so it can be difficult to remove all traces from an "in use" hard drive. But if the whole drive is overwritten, the data is gone as far as forensics programs are concerned.
My instructor said that in his research of the fabled "magnetic microscopy" approach, only 20% of the data was found. That is 20% of each byte, not 20% of useful information. The result was entirely useless to an investigation. When you think about it, that isn't surprising. If a particular location on a drive has contained elements of 20 different files over the past few years, which part of which file is being "recovered"? The whole approach presupposes that only one file was there previously. Channelscience.com did a whitepaper on this that said they had never seen whole files recovered with this method, and that it just wasn't a commercially viable process.
So I encourage all of you to experiment for yourselves and see how your tools work, what you can recover, and what you can't. Get a hard drive (as well as other storage devices) just for this purpose and do legitimate testing, and keep track of the results. This way when you take the stand to testify, you know from repeated experimentation that your words are true and verifiable.
Joined: Nov 01, 2005 Posts: 551 Location: Marion, Indiana, USA
Posted: Thu Aug 24, 2006 12:16 pm Post subject:
My point was that simply zeroing unused space is almost useless since most likely there is still evidence of the files you are trying to hide in other areas on the drive. If you want to truly hide stuff, you would have to have a setup with no writing to the hard drive. For instance, boot with Knoppix, do your surfing, then restart. Since Knoppix only mounts a HD as read only and creates a ram drive for "storage", when you restart all traces are gone.
Joined: Jan 03, 2006 Posts: 255 Location: The Netherlands
Posted: Thu Aug 24, 2006 4:35 pm Post subject:
Most wipe applications that run under Windows do not take care of slack space, only free space. So forensic tools might still be able to recover some data. Question remains of course how probable it is that that information is relevant?
Regarding wiping; when using "normal" forensic tools such as FTK, EnCase, Sleuthkit etc, one pass wipe should suffice. I read research that even after 7 (!) wipe passes using microscope data could still be recovered. And yes, only small remnants and not often would that be relevant / usable data?
The reason you want to do more than 1 pass is that you do not control that process, how do you prevent that little piece of data from being relevant? More passes provide more security.
And in the end degaussing, shredding and then melting gives you better protection.
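Three claims in this thread can be checked on a toy model rather than taken on faith: deckard's point that deleting or wiping only replaces data with a pattern, the reply that the FAT can still hold the file name after the data is gone, and the post directly above about free-space wipers leaving slack space alone. The following is an added example written for this page, not code from Eraser, FTK, EnCase or any other tool. It models a tiny cluster-allocated volume (constructed sizes: 16 clusters of 64 bytes) with a FAT-style directory table that flags deleted entries instead of clearing them, then runs a carving-style search for a marker string after each step: delete, reuse of the first cluster by a smaller file, a one-pass free-space wipe, and a slack wipe. The marker is only destroyed by the last step, because after the reuse it lives in the unused tail of an allocated cluster, which by definition is not free space.

```python
import os

CLUSTER = 64        # bytes per cluster, constructed small for readability
NCLUSTERS = 16


class ToyDisk:
    """Cluster-allocated toy volume: a raw byte image plus a FAT-like
    directory table whose deleted entries keep their name (as FAT does by
    marking the entry rather than clearing it)."""

    def __init__(self):
        self.raw = bytearray(NCLUSTERS * CLUSTER)
        self.allocated = [False] * NCLUSTERS
        self.entries = []   # dicts: name, first, count, size, deleted

    def _first_free_run(self, count):
        for start in range(NCLUSTERS - count + 1):
            if not any(self.allocated[start:start + count]):
                return start
        raise RuntimeError("toy disk is full")

    def write(self, name, data):
        count = -(-len(data) // CLUSTER)        # ceiling division
        first = self._first_free_run(count)
        off = first * CLUSTER
        # Only len(data) bytes are written. The rest of the last cluster keeps
        # whatever bytes were there before: that tail is the file slack.
        self.raw[off:off + len(data)] = data
        for c in range(first, first + count):
            self.allocated[c] = True
        self.entries.append(dict(name=name, first=first, count=count,
                                 size=len(data), deleted=False))

    def delete(self, name):
        # Deletion frees the clusters and flags the entry; no data is touched.
        for e in self.entries:
            if e["name"] == name and not e["deleted"]:
                e["deleted"] = True
                for c in range(e["first"], e["first"] + e["count"]):
                    self.allocated[c] = False
                return
        raise FileNotFoundError(name)

    def wipe_free_space(self):
        # One pass of pseudorandom bytes over unallocated clusters only,
        # which is exactly the scope of a "free space" wipe.
        for c in range(NCLUSTERS):
            if not self.allocated[c]:
                self.raw[c * CLUSTER:(c + 1) * CLUSTER] = os.urandom(CLUSTER)

    def wipe_slack(self):
        # Overwrite the unused tail of every live file's last cluster.
        for e in self.entries:
            if e["deleted"]:
                continue
            data_end = e["first"] * CLUSTER + e["size"]
            cluster_end = (e["first"] + e["count"]) * CLUSTER
            self.raw[data_end:cluster_end] = os.urandom(cluster_end - data_end)

    def carve(self, marker):
        """What a carving tool sees: marker hits in the raw image, with the
        directory table ignored entirely."""
        return self.raw.count(marker)

    def names_in_table(self):
        return [(e["name"], e["deleted"]) for e in self.entries]


def run_experiment():
    """Return carve hit counts after each step plus the final directory
    table, so the effect of every operation can be checked."""
    marker = b"SECRET-NOTE:"
    secret = b"A" * 20 + marker + b"A" * 80      # 112 bytes -> 2 clusters
    d = ToyDisk()
    results = {}
    d.write("notes.txt", secret)
    d.delete("notes.txt")
    results["after_delete"] = d.carve(marker)       # bytes still on disk
    d.write("report.txt", b"hello world")           # 11 bytes reuse cluster 0
    results["after_reuse"] = d.carve(marker)        # marker now sits in slack
    d.wipe_free_space()
    results["after_free_wipe"] = d.carve(marker)    # slack is not free space
    d.wipe_slack()
    results["after_slack_wipe"] = d.carve(marker)
    results["table"] = d.names_in_table()           # name survives deletion
    return results


if __name__ == "__main__":
    for step, value in run_experiment().items():
        print(f"{step}: {value}")
```

Running it prints a hit count of 1 for the first three steps and 0 only after the slack wipe, with the directory table still listing `notes.txt` as a deleted entry. That is the same pattern the thread describes on real drives: overwriting works where it is applied, but a free-space pass is applied to less of the disk than people assume, and names can outlive content.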