30 Comments
- schestowitz, on 10/10/2007, -3/+16: Just a gentle heads-up: it's from 2005.
- nogami, on 10/10/2007, -0/+9: While wiping data securely is certainly possible, if you really have secrets to preserve, you're probably better off using some high-level encryption software based at the partition level. To stay even more secure, there are a number of techniques you could utilize to reduce the probability of your system/data being compromised:
  - Use a laptop, and use epoxy to seal the casing together so the motherboard/memory/hard drive can't be removed or tampered with easily (and would leave plenty of obvious damage if someone tried).
  - Pick hardware that allows use of a firmware-based password to authenticate before booting the system (or unlocking the HD).
  - Install pre-boot encryption software that encrypts data below the operating system level.
  - Never use "sleep" or "standby" mode. When you're done using the computer, shut it down completely. Maybe even take the battery out to make sure it's completely down.
  - Never connect a secure system to the internet. If you absolutely must have a network connection, install something like VirtualPC 2007 (free) and use the internet inside a virtual computer on the encrypted partition that keeps itself jailed from the main operating system.
Do read lots of books on encryption and security. They're also pretty entertaining!
- betacmag4u, on 10/10/2007, -0/+7: The best way to clean your drive is with thermite... let's see anyone recover data from a pile of molten metal :)
- inactive, on 10/10/2007, -0/+6: Problem is that a lot of those tools aren't so effective on newer filesystems. Apparently the shred tool doesn't work on ext3, for instance.
"CAUTION: Note that shred relies on a very important assumption: that the file system overwrites data in place. This is the traditional way to do things, but many modern file system designs do not satisfy this assumption. The following are examples of file systems on which shred is not effective, or is not guaranteed to be effective in all file system modes:
* log-structured or journaled file systems, such as those supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)"
In reality, if you overwrite your data once you're probably fairly safe, since almost no investigations will be able to afford bit-by-bit recovery with an electron microscope.
- trghpy, on 10/10/2007, -0/+4: "If a single file has a time stamp later than the date and time that the file system was surrendered as evidence, an opposing lawyer can call the entire investigation into question."
Huh, so screwing around with your time/date on the computer could buy you some defense tactics...
- bobdobolena, on 10/10/2007, -0/+4: Actually yes and no. As a computer forensics examiner myself, one of the first things to note is time on BIOS, and time on computer. If the timestamps on the OS are later than the BIOS (and the BIOS is accurate) then you note this in your exam. Or if the timestamps are later when you initially start the exam, you note it. Having this detail in your report, and making the investigator in charge aware of this, is part of the job. In 6 years of doing examinations I had only one of these come up. It is pretty rare, but it is something they train you on day one in forensic seizure, etc. One thing to note is attorneys are still pretty dumb in the realm of computer forensics (defense and prosecution alike) and they count on their experts quite a bit. It is also rare that a defense attorney hires an expert, which is a bad idea (if you are indeed innocent or if the prosecuting expert is dumb). So yah, in summary there are a lot of checks to determine time on the computer before an exam is even started: BIOS time, OS time, timezone check (you wouldn't believe how many people still leave the timezone on Windows computers set to Pacific), and the good old atom clock on the wall in the office.
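The clock and timestamp checks the examiner above describes can be written down as a small script. The following is an added example, not part of this thread and not any examiner's tool; every clock reading and file record in it is a constructed value, and the five-minute tolerance is an assumption chosen for the illustration. It normalises the OS wall clock to UTC using the configured timezone, reports the skew of the BIOS and OS clocks against the reference clock, and lists every MAC timestamp that is later than the time the system was seized.

```python
from datetime import datetime, timedelta, timezone

# All values below are constructed for illustration (a hypothetical seizure of a Windows box).
SEIZURE_TIME_UTC = datetime(2007, 10, 10, 18, 0, tzinfo=timezone.utc)  # atomic clock on the wall
BIOS_TIME_UTC = datetime(2007, 10, 10, 17, 58, tzinfo=timezone.utc)    # read from the firmware setup screen
OS_LOCAL_TIME = datetime(2007, 10, 10, 10, 59)                         # as displayed by the OS (no zone)
OS_TZ_OFFSET = timedelta(hours=-7)                                     # OS left on Pacific Daylight Time

# (path, modified, accessed, created), already normalised to UTC by the imaging tool (constructed)
FILE_RECORDS = [
    ("C:/Docs/report.doc",
     datetime(2007, 10, 9, 12, 0, tzinfo=timezone.utc),
     datetime(2007, 10, 10, 9, 30, tzinfo=timezone.utc),
     datetime(2007, 9, 1, 8, 0, tzinfo=timezone.utc)),
    ("C:/Docs/notes.txt",
     datetime(2007, 10, 11, 9, 0, tzinfo=timezone.utc),   # later than the seizure: must go in the report
     datetime(2007, 10, 11, 9, 0, tzinfo=timezone.utc),
     datetime(2007, 10, 2, 8, 0, tzinfo=timezone.utc)),
]


def os_time_utc(local_time, tz_offset):
    """Convert the OS wall-clock reading to UTC using the zone the OS was configured for."""
    return local_time.replace(tzinfo=timezone(tz_offset)).astimezone(timezone.utc)


def clock_skews(seizure_utc, bios_utc, os_local, tz_offset, tolerance=timedelta(minutes=5)):
    """Skew of the BIOS and OS clocks (seconds) against the reference clock, and whether each is within tolerance."""
    os_utc = os_time_utc(os_local, tz_offset)
    result = {}
    for name, clock in (("bios", bios_utc), ("os", os_utc)):
        skew = clock - seizure_utc
        result[name] = {
            "skew_seconds": int(skew.total_seconds()),
            "within_tolerance": abs(skew) <= tolerance,
        }
    return result


def post_seizure_timestamps(records, seizure_utc):
    """Every (path, field, timestamp) whose value lies after the seizure time: each one needs a note in the exam."""
    hits = []
    for path, modified, accessed, created in records:
        for field, ts in (("modified", modified), ("accessed", accessed), ("created", created)):
            if ts > seizure_utc:
                hits.append((path, field, ts))
    return hits


if __name__ == "__main__":
    for name, info in clock_skews(SEIZURE_TIME_UTC, BIOS_TIME_UTC, OS_LOCAL_TIME, OS_TZ_OFFSET).items():
        print(f"{name} clock: skew {info['skew_seconds']:+d}s, within tolerance: {info['within_tolerance']}")
    for path, field, ts in post_seizure_timestamps(FILE_RECORDS, SEIZURE_TIME_UTC):
        print(f"{path}: {field} = {ts.isoformat()} is later than the seizure time")
```

With the constructed values, both clocks sit within a couple of minutes of the wall clock once the Pacific offset is applied, and the one file whose modified and accessed times postdate the seizure is flagged; a timestamp in the future relative to a trustworthy reference is what gets recorded, not treated as proof of anything on its own.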
- delusr, on 10/10/2007, -1/+4: Thermite works well.
- inactive, on 10/10/2007, -0/+3: The tools exist for a security wipe of a file. Once wiped the file cannot be recovered. The people who get caught are computer illiterate.
- SoAnIs, on 10/10/2007, -0/+2: TrueCrypt is excellent software. It provides strong encryption and the hidden volume feature allows for plausible deniability.
That said, Windows keeps some logs of what was mounted when. If you mount the hidden volume, you'll have to delete those logs. So don't use Windows.
TrueCrypt is best used in combination with a rootkit and a virus that will download data. Write the virus and rootkit yourself, then infect yourself. This gives more deniability. Etc, etc.
- YouKnowHim, on 10/10/2007, -0/+2: Yup, it's called a DoD (Department of Defense) wipe. Good stuff.
- inksmithy, on 10/10/2007, -0/+2: What? Back that up, would you?
- WebberGuy, on 10/10/2007, -0/+2: I wonder how much has changed and how much is still accurate.
- mooninite, on 10/10/2007, -0/+2: All Windows, I'm sure? I can't wait until you get a dm-crypt/LUKS Linux hard drive. You won't know what the hell to do.
- Krhis, on 10/10/2007, -0/+2: Not quite, several passes of pseudo-random generated data would be better than any pattern.
- YouKnowHim, on 10/10/2007, -0/+1: ^^ Yeah, thanks for the tips on how NOT to get caught and prosecuted....
- peterlisanti, on 10/10/2007, -0/+1: I'd like to hear this guy's thoughts on TrueCrypt...
- agentbad, on 10/10/2007, -0/+1: You could just use DBAN.
- mooninite, on 10/10/2007, -0/+1: A journal is not the same as parity. You cannot recreate an entire file from a file system journal. You could recreate a file from parity (i.e. RAID).
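The journal-versus-parity distinction in the comment above can be shown in a few lines. This is an added example, not code from the thread: RAID-5 style parity is the XOR of every data block in a stripe, so any single lost block is recoverable from the survivors plus parity, whereas a write-ahead journal record only carries the blocks the most recent transaction touched. The stripe contents and the journal record are constructed sample values.

```python
from functools import reduce


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def parity_block(data_blocks):
    """RAID-5 style parity for one stripe: the XOR of every data block in it."""
    return reduce(xor_bytes, data_blocks)


def rebuild_block(data_blocks, parity, missing):
    """Recreate the block at index `missing` (treated as lost) from the surviving blocks plus parity."""
    survivors = [blk for i, blk in enumerate(data_blocks) if i != missing]
    return reduce(xor_bytes, survivors, parity)


# Constructed stripe: three 8-byte data blocks belonging to two files.
STRIPE = [b"fileA-b1", b"fileA-b2", b"fileB-b1"]

# Constructed journal: a write-ahead record holds only the blocks the last transaction wrote.
JOURNAL = [(2, b"fileB-b1")]


def recover_from_journal(journal, block_index):
    """Return a block's content only if a journal record still carries it; otherwise None."""
    for idx, content in journal:
        if idx == block_index:
            return content
    return None


def demo():
    """Parity rebuilds every block; the journal only yields the one block it recorded."""
    parity = parity_block(STRIPE)
    rebuilt_ok = [rebuild_block(STRIPE, parity, i) == STRIPE[i] for i in range(len(STRIPE))]
    in_journal = [recover_from_journal(JOURNAL, i) is not None for i in range(len(STRIPE))]
    return rebuilt_ok, in_journal


if __name__ == "__main__":
    rebuilt_ok, in_journal = demo()
    print("rebuilt from parity:", rebuilt_ok)
    print("available from journal:", in_journal)
```

Parity gives back all three blocks regardless of which one is missing; the journal hands back only block 2, which is the reason a journal is a weaker (but not empty) source of old data than a parity set.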
- SoAnIs, on 10/10/2007, -0/+1: A DoD wipe includes both patterns (all zeros, all ones, etc.) and random data passes.
- krnldmp, on 10/10/2007, -0/+0: I still like the sledgehammer method. I really like it, and I think it's good enough. Seriously. I could make it work good enough.
- Jackmcbarn, on 10/10/2007, -0/+0: He was being serious.
- timestar, on 10/10/2007, -0/+0: The tool certainly does exist - the crowbar.
- Krhis, on 10/10/2007, -1/+1: Files can still be recovered, but the more wipes that are performed the less likely they will be. Then again, a journalised filesystem would defeat the entire purpose of destroying the file.
Personally I use DBAN; it wipes at the device/partition level.
- joerite, on 10/10/2007, -1/+1: The NSA got with Mark Shuttleworth to put a back door in Ubuntu. They also sneak them into the GIMP and other Linux things. So examine your source.
- Krhis, on 10/10/2007, -0/+0: It's not always necessary to recreate an entire file to prove one's guilt.
The entire point is to destroy the file, completely. No ifs, ands, or buts. If you know you're only destroying part of it, then why bother putting effort towards shredding it in the first place?
- Krhis, on 10/10/2007, -0/+0: I'm aware of that, but those passes of zeros and ones should just be pseudo-random.
- caleb4mj, on 10/10/2007, -0/+0: I remember when we used to have to download the international crypt modules and patch them into the kernel to encrypt the filesystem. And I can't believe most distros don't offer these features during install. Hopefully this will change soon; the perfect setup, IMO, is encrypted RAID with LVM.
- kastyr, on 10/10/2007, -0/+0: I would just like to comment that this is one of the best and most accurate talks about digital forensics in civil litigation that I've seen in quite some time. It gives quite accurate information regarding the hurdles that forensics investigators face. Also, regarding the M-A-C information he talked about, what he means is that if he as an examiner unintentionally causes information from the computer he is investigating to get tainted by any oversight of his, such as using a non-forensic copy method, and it causes the data to be modified in any way, the evidence's credibility may then be called into question. Also regarding data wiping methods, once data is overwritten once it goes beyond the scope of most standard digital forensics software, but there are data recovery specialists out there, and if the data is worth enough to pay for the services of one of those companies, it is VERY possible to pull data back after an attempt at totally wiping the data from the hard drive itself.
- Giga, on 10/10/2007, -3/+0: Don't forget the tinfoil...