Sunday, March 01, 2009

Partition and Disk Management: Part IV – Secure Wiping

Previously posted in this series:

It doesn’t seem that long ago that I was making this post:

In that post I outlined how we were doing a systems refresh across our area and we were formatting, then fdisking the recovered drives.

Degaussing FAIL

Then we would apply a big portable A/C plug-in “degaussing” unit to the sides of the systems to “wipe” the drive data.

Only I got curious after a while and decided to off-line boot the system and peer at the sectors to see what a degaussed drive looked like.

Turns out it looked just like a standard Windows drive that had been reformatted and fdisked.  Which is to say I could see all the data right there untouched and recoverable.

Hogfly made a similar observation: Forensic Incident Response: Tales from the field - the degausser

I’m sure that with a big enough and powerful enough degausser, one could theoretically “secure wipe” a drive.  But it seems to be pretty impractical for most IT shops when using modern drives.

I still laugh when I overhear end-user managers (and some IT staff) fussing at end users because they stuck a refrigerator magnet on the side of a case, as if it could destroy the user’s data and is a big no-no. Unless it was a Wondermark-grade fridge magnet, perhaps…I doubt there is any issue.

How many wipes does it take to get to the center of a….securely wiped disk?

We now use a number of DoD class (3-pass or greater) wipe software tools to truly scrub the data off our drives before we trash them or return systems that have expired leases.

As a recent series of posts in the security world have stated, it appears that a full and complete single-pass overwrite of drive data is sufficiently secure to prevent recovery…as long as all the sectors are overwritten.  The pattern could be “zero”, an alternating pattern, or even randomized data.  It doesn’t really matter so much, as long as every sector gets overwritten.  A single pass now appears to be, for all practical purposes, wholly sufficient to prevent recovery.

For treatment on this subject consider these recent posts in the field by Dr. Craig Wright at the SANS Computer Forensics, Investigation, and Response Blog

If this is sufficient and your company policy supports it, there are a few very simple command-line tools at your disposal that can assist you with quick at-hand secure wiping of systems before releasing them.

As most GSD readers know, I prefer using a Win PE boot disk to off-line boot our Windows systems for service and system processing.

If you also use them, there are two tools right at hand to assist you with secure drive wiping, as well as a third you can freely download and use as well if you put it on your Win PE disk during building.

Yes, there are lots and lots of great tools and utilities (Win and Linux) that can securely wipe a drive. These are some that are dead-simple and do the job.  They are not all inclusive, but should be available for most advanced users looking to do down-n-dirty disk prepping.

Word of warning…improper or accidental use of any of these tools on your (or your buddy’s) system could accidentally or purposefully render some, most, or all of the data irrevocably un-recoverable.  Be sure you understand them and “practice” on a safe and otherwise useless drive/system before using in real-fire situations.

M’kay?

Cipher.exe

I wasn’t aware of this tool that is on all XP/Vista systems in the Windows/System32 folder until just this weekend as I was working on a post about sector-viewers.

Cipher.exe does a lot of things, but in this application it can secure-wipe unallocated free space on a drive via the command line.  Be clear, this doesn’t secure-wipe the entire drive, as allocated file space remains untouched (hopefully!) after the process completes.

How To Use Cipher.exe to Overwrite Deleted Data in Windows – Microsoft Help and Support Article ID: 315672.

Administrators can use Cipher.exe to encrypt and decrypt data on drives that use the NTFS file system and to view the encryption status of files and folders from a command prompt. An updated version of the Cipher tool has been released for Windows 2000, and is included with Windows XP. The updated version adds another security option. This new option is the ability to overwrite data that you have deleted so that it cannot be recovered and accessed.

When you delete files or folders, the data is not initially removed from the hard disk. Instead, the space on the disk that was occupied by the deleted data is "deallocated." After it is deallocated, the space is available for use when new data is written to the disk. Until the space is overwritten, it is possible to recover the deleted data by using a low-level disk editor or data-recovery software.

The Cipher.exe utility that is included with Windows XP provides the ability to overwrite deleted data.

How to Use the Cipher Security Tool to Overwrite Deleted Data

To overwrite deleted data on a volume by using Cipher.exe, use the /w switch with the cipher command. Use the following steps:
  1. Quit all programs.
  2. Click Start, click Run, type cmd, and then press ENTER.
  3. Type cipher /w:driveletter:\foldername, and then press ENTER. Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Data that is not allocated to files or folders will be overwritten. This permanently removes the data. This can take a long time if you are overwriting a large space.
    Note: With mount points in Windows 2000, you can mount a volume on any empty folder on an NTFS volume. When you do this, the mounted volume does not have a drive letter of its own. The only way to address that volume is by using the path where you created the mount point. Therefore, the /w switch requests a path of a folder, and from that, it determines the associated volume to wipe. Because of the way the file system works, the whole volume must be wiped. A file can be written anywhere on the volume at any time. A folder does not address a specific physical location on disk but is a logical container for file entries in the volume's table of contents (MFT or FAT). To make sure that there is no leftover data in unallocated space, all unallocated space on the volume must be wiped.

Appendix A: Using Cipher.exe to Wipe a Used Hard Disk Clean – Microsoft TechNet technical details about this tool and command line argument.  Must read before using.

Cipher.exe Security Tool for the Encrypting File System – Microsoft Help and Support Article ID: 298009

Wipe your Deleted Data Away: Using cipher.exe – WindowsSecurity article with screenshots.

Use cipher.exe for command line encryption – TechRepublic article with all kinds of details and screenshots.  Section about overwriting data is at the way-bottom of the post

Now I know some folks aren’t CLI enthusiasts.  Luckily I found a free, simple, and tiny GUI interface that might help.

Cipher GUI – Fileforum

Why even worry about zeroing out unallocated drive space?  Well, it prevents baddies and malware from hiding in there, but it also makes file recovery easier in an emergency situation if the mission-critical drive is both defragmented frequently and wiped of free space.  That makes it (generally) easier for file recovery programs to find whole and complete files after they have been deleted.

Diskpart.exe and the “clean all” command

Use of the DiskPart tool and the “clean all” command securely wipes the entire drive (unless interrupted by power-off of the system before activity completion).

DiskPart Command-Line Options – Microsoft TechNet article

clean

Removes any and all partition or volume formatting from the disk with focus. On master boot record (MBR) disks, only the MBR partitioning information and hidden sector information are overwritten. On GUID partition table (GPT) disks, the GPT partitioning information, including the Protective MBR, is overwritten; there is no hidden sector information.

clean [all]

Specifies that each and every sector on the disk is zeroed, which completely deletes all data contained on the disk.

So to securely wipe (zero-out) a drive, boot the system with a Win PE boot disk, and run the following commands (assuming that the drive to be wiped in this case is disk 0; change accordingly to your needs):

  1. Diskpart
  2. select disk 0
  3. clean all
  4. exit

Note that the time that passes between steps 3 and 4 depends on many factors, including the hardware of the system, drive speed, and your patience level.

Be patient and let it run.  Eventually it will return to the diskpart prompt and you can exit out.

In my tests of a hard drive with this process, followed by sector-level pre/post reviews of the drive, the drive was indeed fully zeroed out and no information was found in any sector across the entire drive.
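The sector-level post-wipe review just described (and the earlier point that a single pass is only sufficient if every sector actually gets overwritten) can be turned into a repeatable check. The following Python script is an added example, not code from the original post: it walks a raw device or disk image one sector at a time and reports any sector that is not entirely the expected fill byte. The sample image it scans is constructed in memory; the Windows raw-device path shown in the comments is an assumption about how you would point it at a real drive.

```python
import io

SECTOR_SIZE = 512  # classic sector size; pass 4096 for 4Kn drives

def scan_image(stream, fill=b"\x00", sector_size=SECTOR_SIZE,
               chunk_sectors=2048, max_report=10):
    """Walk a raw device/image and report sectors that are not 100% `fill`.
    Reads 1 MiB at a time (a multiple of the sector size, which Windows
    requires for raw-device reads such as \\\\.\\PhysicalDrive0, opened as
    Administrator). Returns total sectors, count of dirty sectors and the
    first few dirty sector numbers to seed a sector-viewer follow-up."""
    expected = fill * sector_size
    total = dirty = 0
    first_dirty = []
    while True:
        chunk = stream.read(sector_size * chunk_sectors)
        if not chunk:
            break
        # Fast path: a chunk that is entirely fill bytes needs no per-sector work.
        if chunk == fill * len(chunk):
            total += -(-len(chunk) // sector_size)  # ceil, counts a trailing partial sector
            continue
        for off in range(0, len(chunk), sector_size):
            sector = chunk[off:off + sector_size]
            if sector != expected[:len(sector)]:
                dirty += 1
                if len(first_dirty) < max_report:
                    first_dirty.append(total)
            total += 1
    return {"sectors": total, "dirty": dirty, "first_dirty": first_dirty}

def verify_wipe(source, fill=b"\x00"):
    """`source` is either raw bytes (an image already in memory) or a path
    such as a .dd image or, on Windows, r"\\\\.\\PhysicalDrive1"."""
    if isinstance(source, (bytes, bytearray)):
        return scan_image(io.BytesIO(source), fill)
    with open(source, "rb", buffering=0) as f:
        return scan_image(f, fill)

def build_sample_image():
    """Constructed test data, not a dump from a real drive: 64 zeroed sectors
    except sector 7 (a leftover boot-signature pair) and sector 40 (a filename
    fragment), i.e. what an interrupted or partial wipe would leave behind."""
    image = bytearray(SECTOR_SIZE * 64)
    image[7 * SECTOR_SIZE + 510:7 * SECTOR_SIZE + 512] = b"\x55\xaa"
    image[40 * SECTOR_SIZE:40 * SECTOR_SIZE + 11] = b"PAYROLL.XLS"
    return bytes(image)

if __name__ == "__main__":
    print(verify_wipe(build_sample_image()))
```

A drive that passed "clean all" should report `dirty: 0`; anything else gives you the exact sector numbers to open in a sector viewer.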

Again it is CLI based and may scare some folks off.

Luckily Claus has done all the digging and found two GUI based tools that might just be the cat’s meow!

Diskpartitioner V1.2 - The CD Forum – As best I could tell, this was the ending link of the original WinPE 1.0 supported DiskPart GUI tool discussion.  There are a few more in the CD Forum posts.

PE Part - The CD Forum – This seems to be the latest forum thread for a newer version that works for WinPE 2.0.  I tested this one on my running Vista system and it seemed to work pretty well.  I still prefer the CLI myself but it seems to do the job.  Haven’t tried it yet under Win PE 2.0 itself or Win PE 3.0.

PE Part - The CD Forum – Link to post #28 which still has a live-link to the XP/Vista compatible DiskPartitioner GUI application zip-file download link.  It calls the diskpart.exe file from the %systemdrive%\Windows\System32 folder automatically.

It’s pretty cool and a neat effort to make a CLI-based tool more approachable for the masses.  I’m going to spend more time with it in the coming weeks.

wipe.exe

This one isn’t a native Windows tool.  So you will need to download it and place it in your PE building structure prior to making a Win PE boot disk.  Or else copy it to a USB bootable WinPE boot stick and run it off there.

It is included as part of the Forensic Acquisition Utilities package offered by George M. Garner Jr.

According to page notes it is “…an original utility to sterilize media prior to forensic duplication.”

I have not used it on a real test system yet, so I can’t yet say how well it performs in comparison to diskpart.exe’s “clean all” command.

The idea here is that, to ensure no cross-contamination of data results, the forensics examiner should first wipe the drive on which they will be placing the captured duplicate image from the evidential drive.  This should (theoretically) allow the hash files for both drives to be identical when the image restoration is completed, thereby ensuring that any data on the duplicated drive is only that from the evidential drive and was not present originally on the drive used for examination work.

I’m not quite sure what output it provides (zeroed, 1/0’ed, or random-patterned), how many passes it makes, or other details.  I would imagine it would zero out all sectors.

I’ll update after I have played with it a bit.

--Claus V.

1 comment:

Anonymous said...

I'd definitely be interested in a tool like DBAN, that is as trusted and can easily be used from a WinPE boot disk.