Scott said:
This might be another mad question, but what is the best way of
ensuring that deleted files cannot be recovered later? I realise the
sensible approach would be to 'shred' them in the first place (an
option in Norton Utilities) but what would you guys recommend to carry
out a clean-up later? I assume a back-up, reformat and restore would
work but I was wondering if anyone could recommend reliable software
that would avoid going to this extreme.

Heidi Eraser is a free shredder.
*******
To clean up after the fact is tricky.
If you use a VSS-based backup of the partition, the tool used
may just copy the $MFT, and there could be fragments of things
still present in there. VSS works at the sector level, copying
things that are "busy". But it might not be designed as
a "forensic cleaning tool".
If you use Robocopy, that works at the file level. If you start
with a clean partition (empty $MFT), then copy all the files
over to the clean partition, the $MFT is built from scratch.
But then the question would be, how good a job does Robocopy do of
copying modern bells n' whistles NTFS file systems
(hard links, junction points, reparse points). I don't
know the answer to that. I use Robocopy to move WinXP
around, but I haven't tried it with any newer OS.
(If you do that to WinXP, you'll need to do fixboot
later...)
Personally, I don't think the answer to the clean up
question is that clear. You would need a utility that
promotes "forensic cleanliness", and even then, you'd be
left wondering if there is anything it missed (like, cluster
tips).
Windows file systems "leak like a sieve", and it's easy to be
lulled into a false sense of security.
Sometimes, it is the fault of the programs you use. Like
the time Microsoft Word was leaving some "undefined" storage
near the end of a Word file. That's not something you
can fix with Robocopy...
I don't consider myself competent to address even half
of the leakage methods. Or, more importantly, how you'd
go about testing for the various leakage mechanisms
(in a way that *guarantees* nothing will leak).
*******
While hardware full disk encryption would be a possible
answer, I still haven't seen an announcement that the
transition is complete. The disk companies were promising
that all disks would have encryption capabilities, but
I haven't heard a squeak since. I don't know if the
government had anything to say about it, or not. On
the plus side, government does like security designs
in the products it buys (to keep our info safe). But it
doesn't like that same protection when it makes
finding out what the "bad guys" are doing harder. And that
might carry more weight.
Full disk encryption already exists, in the form of
Seagate Momentus disks with FDE. But for that to work,
there seemed to be a need for something at BIOS time,
to enter a key so the disk could be used. And that
didn't appear to be something that an end-user could
easily do. At least, I haven't seen any "how-to" articles
for an FDE. I presume part of the transition to all disks
having hardware encryption is having a standard method
of authentication. (It's not really authentication,
it is the ability to deliver a key to the disk controller
board, such that you get unscrambled data back. Enter the
wrong key, and all you get is binary garbage.)
*******
The safest way to deal with high-security content is
to use a Linux LiveCD, where temporary file storage is
in RAM. Do your edits, put the results back on your
USB flash. Shut down Linux, and allow the BIOS to come
up at least once more (to initialize and overwrite RAM),
before turning off system power. You allow the BIOS
to POST, and then press the key to enter Setup. And when
the Setup screen appears, at that point the RAM should
be flushed. Then, turn off the power. At least that won't
leave tracks on any hard drives (unless you want it to).
Paul
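
Added example, not part of the original posts: the "cluster tips" mentioned in the reply are the bytes between the end of a file and the end of its last allocated cluster, which a file-level copy or a content-only overwrite does not touch. This Python sketch estimates how much of that space a directory tree carries, so you can judge whether a cleaning tool's cluster-tip option matters for a given volume. The function names, the 4096-byte cluster size and the 700-byte cut-off for data held inside the $MFT record are assumptions, and compressed or sparse files are not modelled.

```python
import os
import stat
import tempfile

def tip_bytes(size, cluster=4096, resident_max=700):
    """Bytes between end-of-file and the end of the file's last cluster."""
    if size <= resident_max:   # assumed: data this small is stored in the $MFT record
        return 0
    return -size % cluster     # 0 when the file ends exactly on a cluster boundary

def survey(root, cluster=4096, resident_max=700):
    """Return (total tip bytes, [(tip, path), ...] sorted largest first)."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):   # does not follow symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:        # unreadable or vanished file: skip it
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            tip = tip_bytes(st.st_size, cluster, resident_max)
            if tip:
                rows.append((tip, path))
    rows.sort(reverse=True)
    return sum(t for t, _ in rows), rows

def demo():
    """Constructed sample tree: file sizes chosen to hit each case."""
    sizes = {"note.txt": 300, "exact.bin": 4096, "small.doc": 701,
             "report.doc": 5000, "sub/photo.jpg": 10000}
    with tempfile.TemporaryDirectory() as root:
        for rel, size in sizes.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)
        total, rows = survey(root)
        return total, [(tip, os.path.basename(p)) for tip, p in rows]

if __name__ == "__main__":
    total, rows = demo()
    for tip, name in rows:
        print(f"{tip:6d}  {name}")
    print(f"{total:6d}  total bytes in cluster tips")
```

To check a real volume, call `survey()` on its root with the cluster size the volume was formatted with.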