Sunday, April 12, 2009

Secure Drive Wiping postscript…

In a very recent GSD post Economic Stimulus Package Linkfest I covered the following items related to secure free-space disk wiping:

  • Eraser – Freeware secure erasing tool has gotten a radical site update.
  • Eraser 6-rc4 released! – Amazing new and fresh GUI to Eraser. Still has some bugs to be worked out. Looks like it will be a great update when finally released. Not sure if it will survive in a “portable” mode release as I think .NET will be required moving forward.
  • InstallingBetas – Eraser – Read this page as well as you need to download a signed security certificate to install the latest Eraser beta versions. Not that big a deal, but a bit of work.
  • Disk Redactor – New free disk freespace wiping tool (portable) that I found this week. I like the interface and it seems to run very fast.

Side note: Is it just me or do none of these freespace wiping program tools seem to work under Vista very well. I think I’m missing something here. I’ve been playing with them and I can run DiskDigger and find a large number of deleted (but recoverable) files. Then I do a freespace wipe (as admin level) using either of these tools. Then I rerun DiskDigger and the files are still all there and recoverable. Surely I’m doing something wrong? It’s not just the “names” but the actual files themselves as I can preview most of them just fine in the clear. Thoughts?

It took me a while but I eventually worked it out. Turns out I didn’t RTFM closely enough:

Turns out this issue looks like a "Doh!"moment. I went back and re-read the DiskDigger product info and on the page (linked above) found this tidbit: "Because DiskDigger bypasses the file system of the device being read, it will detect files that haven’t been deleted in addition to files that have. This means that you might have to sift through files that still “exist” in the file system before you find a file that’s actually been deleted. However, the Preview feature makes this process quick and painless."

Looks like the freespace was probably getting wiped effectively after all. DiskDigger is just displaying all files it finds. I'm going to have to retest with Recuva as I believe it only reports truly "deleted" files. That and do some sector-based testing as well (create file, observe sector location, delete file, wipe freespace, go back with sector viewer tool and see if now gone).

I did—in fact—go back and use Recuva to test a number of free-space wiping tools.

Turns out that Eraser appeared to offer the most effective free-space wiping solution when using Recuva to count the number of files that could be potentially recovered after free-space wiping.  There wasn’t much left to see after Eraser chewed on things.

In getting to that point as I was doing research, I located yet another tiny tool that could be used to clear free-space on a drive.

SDelete – Microsoft Sysinternals – This is a command-line only tool that has a number of flexible options for secure wiping and cleaning of free space.  It is tiny and relatively fast at what it does.  Mark Russinovich also goes into great detail explaining just what the tool does and why it is good information to know about.  Read the page closely to understand the command-line arguments particular to it as well as the method it uses.

Then there is the previously described…

cipher.exe -- nV News Forums.  Another command-line only tool that should be present on most XP/Vista systems, this Microsoft utility can also wipe out deleted files and remnants from free-space on a drive.  The basic command is CIPHER /W:directory  so to wipe the free space on your C: partition you would issue the command CIPHER /W:C:

Add these tools to the CLI tools those I have also mentioned here for whole disk wiping:

Team up XP/Vista’s DISKPART and the “clean all” command to zero out a physical drive, or try “wipe.exe” which is included as part of the Forensic Acquisition Utilities package offered by George M. Garner Jr.  I spent some time a few weeks ago playing with this one and it is very fast and full-featured. (for example: use the command: wipe –w 00 \\.\PhysicalDrive0 to irrevocably zero out the primary physical drive.)

Yes there are lots of other larger, GUI-based tools to secure wipe a disk/system/freespace, but with proper usage, these free and tiny CLI tools should cover most of your storage sanitization needs pretty well.

Want more information?

Secure Wipe/Delete Utilities - Provider Wiki – University of Pennsylvania information page.  Great overview discussion on secure wipe/delete tools with lots of great links.

Looking for something with more a more technical bent?

SANS white paper - Secure Deleting – Excellent paper from John R. Mallery and SANS Institute that details the whole package relating to secure deleting of file information on storage media.  Covers unallocated space, slack space, common files created by the system and applications that may contain useful information for forensic investigators and system administrators, methods of erasing data securely, verification methods, discussion of legal and ethical issues, and a lot of great links and reference material to pursue further.

Additional Grand Stream Dreams Subject Reading

Partition and Disk Management: Part IV – Secure Wiping – Grand Stream Dreams blog

Secure Disk-wiping Software – Grand Stream Dreams blog

Security and Forensics Roundup #4: Eyes on you – Grand Stream Dreams blog

Cheers.

--Claus V.

No comments:

Post a Comment