-
testing erasers
Not many of us have a clean room complete with ££££'s of VOGON forensics kit. However basic tests on secure erasure can be easily performed with PC Inspector file recovery:
http://www.pcinspector.de/file_recovery/UK/welcome.htm
Personally I use Cyberscrub; its much more professional and you can create your own algorithims. Guttmann wipe is slow but effective.
-
I think for most people (unless your being pursued by mysterious black helicopters) it would be sufficient to use linux and dd if=/dev/random of=/dev/hda , a few times, maybe overwrite with zero's every other time. 5-10 times should pretty much fsck anything underneath.
-Maestr0
-
And how about those flash devices? Those pen devices or Compact Flash memory cards... For EUR 100 you can already buy one with a 1 GB size. So, if you would use them to store sensitive data, then format them, are they clean enough? Or is forensics even able to read data from these devices?
And how about rewriteable CD/DVD disks? After formatting the sensitive data from those disks, is there still a way to retrieve the data again or won't even the most advanced forensics lab be able to retrieve anything from it?
Just curious. :)
-
You can recover from flash devices from slackspace anyway. I suppose due to the nature of the technology the data will persist until it is overwritten.
Low level formatting and rewriting should take the flash devices beyond reasonable recovery. I don't know if it's possible (even in theory) to recover overwritten data from flash.
CD/DVD considering the cost of disks, if you want the data gone shred them physically or scratch the top surface down to the dye. I wouldn't mess about with formatting.
I suppose it could be possible to detect subtleties in the dyes of CD/DVD after formatting. Black helicopter time there though.
-
A quick question (not to hijack the thread) that I thought would fit into this thread.
You have a file server setup. The clients connect to the file server and copy a file to their machine. On the client machine, the file is saved to a temporary location and then written to disk. So, there are two places one might find a file. The temporary location (normally RAM?) and on the disk.
Does the server put the file in a temporary location (either in RAM or a temporary folder) and then transmit it?
I just recently picked up one of my forensics books again today doing some review. However, I never remember seeing that mentioned. I suppose it would be an easy test using filemon...
-
Use TrueCrypt with a good algorithim and a long complex password and only store your incriminating information on there.
Now and then securely remove caches and such. I use FireFox Portable and Miranda-IM so I know where all of that is stored, the only thing left is the swap file.
To erase a hard drive so that it is completely unrecoverable, or unrecoverable to the point that anything recovered would be inadmissable, just load your favorite linux live and do:
dd if=/dev/random of=/dev/hda1
I guarantee, all of this is more than sufficient to protect yourself from a FBI/CIB investigation. As long as you don't leave any loose ends lieing around. :-)
-
Well since the thread is back, I guess I might as well ask, If you turn windows page file usage to 0, will it still use page files ? At all ? I know that it shouldn't, but considering window's track record on things like that, I gotta ask.
-
Hi dmorgan
I don't think that you can do that, there is a "minimum allowed" value these days. It is 2Mb on this Win 2000 box.
:)
-
BC Wipe will wipe file slacks, and it also can encrypt your swap file.
Maybe he was running an older version of EE and it missed some of the cache? Maybe he p.o.'ed someone and got setup? Maybe his computer was "0wn3d"? There was a case in KY a couple of years back where the guy used that defense. He claimed his computer was hacked and used as a server. I've seen similar cracks firsthand.
No telling from the article what really happened but Katja's right: pretty dumb doing that at work.