Antiforensic Tools
It's important to protect your company's data. But how do you know whether what you think you've erased is actually unrecoverable?
By Simson Garfinkel
Regular readers of this column know of my obsession with recovering deleted information from used hard drives, USB tokens and other kinds of storage media. And I'm hardly the only person with this interest. Increasingly, disk forensic tools such as Guidance Software's EnCase and AccessData's Forensic Toolkit are not used just for solving crimes: Forensic tools are fast becoming a staple of civil lawsuits between corporations and in disciplinary proceedings against employees. These days, it seems, whenever there's a chance that somebody has deleted a file to hide evidence of wrongdoing, some forensics expert is standing by to recover that file for a fee.
Not surprisingly, there's also a growing number of products on the market designed to frustrate these experts. Some of these programs, such as Webroot Software's Window Washer and CyberScrub's Privacy Suite, are marketed as tools for protecting people's privacy. But there are also programs (Robin Hood Software's Evidence Eliminator, for example) marketed explicitly to people who want to hide information from government, police and employers.
All of these programs have legitimate uses within organizations. For example, if you have a computer for public use in a reception area, you might want to set up a program like Window Washer to automatically erase the computer's browser history, webpage cache, cookies and other data records every few hours. This will protect both your employees and your visitors.
On the other hand, your employees could be using these kinds of tools to hide evidence of inappropriate behavior at work—such as viewing pornography. So be sure you understand who in your organization is using these tools, and why.
Computers are handed down a lot inside the modern organization. Frequently, the newest and fastest machines are given to the most highly paid executives. A year later, those executives are "refreshed" with new computers, and the old machines are given to other employees. CSOs need to make sure that the data on those computers is properly erased—that the hard drive is sanitized—before a computer is reassigned. But don't despair, antiforensic tools can help here too.
I have seen cases where entry-level employees have been given desktops that contained sensitive information such as personnel reports, product plans or even e-mail of senior management. Sometimes the files are visible without any special tools. Other times the files have been "deleted" but can still be recovered using a special program. In one case, a woman I know was given a laptop that contained both the business and personal e-mail of a former salesman who had just quit the company. The disk also had a substantial amount of pornography. Luckily, the woman was not looking to sue.
In another case, a student in a class that I was teaching borrowed a USB token from a friend to complete an assignment on forensics. The student was told to make an "image" of the token's contents and then look for deleted files. Not only did the student find photos that his friend had deleted—he found photos on the USB token that had been deleted before the token had even been purchased! Apparently the token had been used, repackaged and sold as new. If my student had been a mandatory reporter and the USB token had contained child pornography, a criminal investigation might have resulted.
Wipe Clean and Restart
The most reliable way to sanitize a computer is to wipe the hard disk clean and then reinstall its operating system from scratch. Don't use the Windows Format command to wipe the disk, however. Although Windows has an option for a "Quick Format," if you leave this box unchecked, Windows still doesn't erase the contents of the disk. Instead, it reads the blocks to make sure each actually works. This doesn't match most people's expectation of what Format should do, but Microsoft hasn't bothered to fix this command in more than 20 years.
Instead of using Format, you'll need to use a program that's specifically designed to "clear" or "wipe" the disk. My favorite program right now is Darik's Boot and Nuke (DBAN), a free program available on the Internet. To use DBAN, you download the ISO file from dban.sourceforge.net and burn it onto a CD-ROM. Then you put the CD into the computer you want to wipe and reboot. DBAN starts up, confirms that you really want to erase the disk, and then zeroes all the drive's data. You also can tell DBAN to overwrite the disk with one or more passes of random data, though this additional step is not necessary.
But now you have a problem: A wiped computer is useless until you reinstall the operating system and all of its applications. Organizations that manage hundreds of PCs typically reinstall using an "image" or "drop" that contains their version of Windows and all of their licensed applications. Programs like Symantec's Norton Ghost can copy this image onto a wiped computer over the network or from a CD-ROM or DVD. The big advantage to this approach is consistency: Every user has the same software installation, which minimizes support costs.
If your organization sanitizes by reimaging the hard drive, take a trip to the IT department to make sure the technicians are in fact sanitizing the computers before they drop on the new image. Ask to see the program they use to do the wipe. The next user of the computer won't know the difference, but if the computer hasn't been sanitized then there is sure to be information in the "unused" space of the hard drive that contains files belonging to the computer's previous owner. That's because programs like Ghost don't overwrite the entire hard drive either.
Disk sanitization is more complicated in organizations that don't use a program like Norton Ghost. In these cases, you must rebuild the wiped computer from scratch. First, you need the original distribution disks and activation codes for both the operating system and the applications. Then you need to reinstall all of the security patches and application updates before you can safely put the computer on a network. What's worse, this process can uncover compatibility problems that were previously hidden: Sometimes older equipment doesn't work with newer drivers or with applications that are installed in the wrong order.
As a result, many organizations—and most individuals—don't wipe and reinstall. Instead, they simply delete all of the files they can find, and then use an antiforensics program like Privacy Suite to find the files that might have been forgotten and to make all of the deleted files unrecoverable.
While it's easy to test a disk-wiping program—just run a forensic tool on the disk and make sure it doesn't have any data on it—programs that perform selective file sanitization are harder to certify. Indeed, there's good evidence that these programs frequently leave behind at least some information on the disk that their users would rather have deleted (say, the salaries of the executive team).
After Microsoft added file-sanitization features to the Windows XP program CIPHER.EXE, Guidance Software published a white paper by Kimberly Stone and Richard Keightley with the provocative title "Can Computer Investigations Survive Windows XP?" The paper's conclusion was a resounding yes. Apparently the approach that CIPHER.EXE uses to make deleted files unrecoverable is to create a single big file filled with random data. As the file grows, the Windows operating system takes more and more blocks off the disk's "free list" and allocates those blocks to the file. This is the same technique that programs such as Privacy Suite use to make deleted files unrecoverable.
But this approach isn't perfect. It doesn't get all of the unused blocks: Because of the way the file system operates, some blocks are left behind—unused but unallocatable at the moment. Frequently, these blocks have data from a previous use. The big-file approach also doesn't overwrite the contents of very small files, whose contents the NT file system keeps inside the file's directory record rather than in separate data blocks. And it doesn't obscure the names of deleted files.
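The following is an added illustration, not code from the column or from any of the products it names. It models a toy block device with an invented, deliberately simplified layout (not NTFS) and walks through the two sanitization strategies discussed here: the big-file free-space fill that CIPHER.EXE and Privacy Suite use, and the whole-disk zeroing that a boot-and-nuke tool does. A scan of the raw image after each step plays the role of the forensic tool mentioned earlier as the way to test a wiper, and shows the three places the free-space approach leaves data behind: the slack at the tail of a live file's last block, the contents of a small file kept inside its directory record, and the name of a deleted file. `MARKER`, the file names and all file contents are constructed sample data.

```python
import os
import struct

BLOCK = 128                         # toy block size; real disks use 512 or 4096 bytes
NBLOCKS = 8                         # block 0 holds the directory, blocks 1-7 hold data
RESIDENT_MAX = 16                   # files this small live inside their directory slot
SLOT = struct.Struct("<B8sBH16s")   # live flag, name, first block, size, resident data
MARKER = b"SALARY-TABLE"            # constructed "sensitive" byte string to hunt for


class ToyDisk:
    """A block image plus a directory, just enough to show where remnants hide."""

    def __init__(self):
        self.image = bytearray(NBLOCKS * BLOCK)
        self.entries = []                    # [live, name, first_block, size, inline]
        self.free = set(range(1, NBLOCKS))

    def _flush_directory(self):
        # Slots are never reused in this toy, so a deleted file's name (and, for a
        # resident file, its contents) stay in block 0 until something overwrites them.
        for i, (live, name, first, size, inline) in enumerate(self.entries):
            off = i * SLOT.size
            self.image[off:off + SLOT.size] = SLOT.pack(live, name.encode(), first, size, inline)

    def _alloc(self, need):
        # First-fit: the lowest contiguous run of free blocks.
        for start in range(1, NBLOCKS - need + 1):
            run = list(range(start, start + need))
            if all(b in self.free for b in run):
                self.free.difference_update(run)
                return run
        raise OSError(f"no run of {need} free blocks")

    def write(self, name, data):
        if (len(self.entries) + 1) * SLOT.size > BLOCK:
            raise OSError("toy directory full")
        if len(data) <= RESIDENT_MAX:
            self.entries.append([1, name, 0, len(data), data])   # resident: no data blocks
        else:
            blocks = self._alloc(-(-len(data) // BLOCK))
            for i, b in enumerate(blocks):
                chunk = data[i * BLOCK:(i + 1) * BLOCK]
                # Only len(chunk) bytes are written; the tail of the last block (slack)
                # keeps whatever the previous owner of that block left there.
                self.image[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            self.entries.append([1, name, blocks[0], len(data), b""])
        self._flush_directory()

    def delete(self, name):
        for e in self.entries:
            if e[0] and e[1] == name:
                e[0] = 0                                   # mark the slot unused
                if e[2]:                                   # non-resident: free blocks, keep bytes
                    self.free.update(range(e[2], e[2] + -(-e[3] // BLOCK)))
                self._flush_directory()
                return
        raise FileNotFoundError(name)

    def fill_free_space(self):
        """Big-file approach: every block on the free list gets random data.
        A real cleaner grows one file until allocation fails; the toy writes the same
        blocks directly. Slack and the directory are never free, so never touched."""
        for b in self.free:
            self.image[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)

    def zero_disk(self):
        """Whole-device wipe: every byte, directory included."""
        self.image[:] = bytes(len(self.image))
        self.entries.clear()
        self.free = set(range(1, NBLOCKS))

    def region(self, offset):
        """Classify a byte offset: directory, free, live file data or slack."""
        b = offset // BLOCK
        if b == 0:
            return "directory"
        if b in self.free:
            return "free"
        for live, _name, first, size, _inline in self.entries:
            if live and first and first <= b < first + -(-size // BLOCK):
                return "slack" if offset >= first * BLOCK + size else "live"
        return "free"

    def scan(self, marker):
        """Forensic-style check: where on the raw image does the marker still appear?"""
        hits, start = set(), 0
        while (i := self.image.find(marker, start)) != -1:
            hits.add(self.region(i))
            start = i + 1
        return hits

    def verify_wiped(self):
        """Acceptance test for a whole-disk wipe: no non-zero byte anywhere."""
        return not any(self.image)


def demo():
    """Constructed scenario: delete secrets, run both sanitizers, scan after each."""
    d = ToyDisk()
    secret = (b"x" * (BLOCK - len(MARKER)) + MARKER) * 3    # marker at the tail of 3 blocks
    d.write("secret", secret)                                # occupies blocks 1-3
    d.write("salary", MARKER)                                # 12 bytes: lives in the directory
    d.delete("secret")
    d.delete("salary")
    d.write("memo", b"quarterly memo".ljust(200, b"m"))      # reuses blocks 1-2, slack in block 2
    results = {"after_delete": d.scan(MARKER), "wiped_before": d.verify_wiped()}
    d.fill_free_space()
    results["after_fill"] = d.scan(MARKER)
    results["names_after_fill"] = d.scan(b"secret")
    d.zero_disk()
    results["after_zero"] = d.scan(MARKER)
    results["wiped_after"] = d.verify_wiped()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:17} {sorted(v) if isinstance(v, set) else v}")
```

After the deletions the marker is recoverable from free blocks, from the slack behind the live memo and from the directory; the free-space fill removes only the first of those, and the deleted file's name is still readable from its directory slot. Only the whole-disk zeroing leaves an image that the scan finds empty, which is the same check the column recommends for certifying a wiping program.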
Last December, graduate student Matthew Geiger at Carnegie Mellon University reviewed Window Washer, Neo-Imagic Computing's Windows & Internet Cleaner, and Privacy Suite to see if they actually did what they claimed. To test these programs Geiger took a clean computer, installed a file-sharing program, did some Web browsing, loaded additional confidential data and then set the privacy-protecting programs to work. Then he analyzed the hard disks with Forensic Toolkit. Geiger's conclusion: "All three privacy tools failed to eradicate some sensitive information. In one case, the tool failed to wipe any of the records it had deleted."
What's particularly troubling about Geiger's study was his assessment of the product reviews written about these programs. It seems that none of the reviewers had actually tested the programs to see if they worked. Instead, the reviews were written mostly from a user's perspective—do the programs have easy-to-use interfaces and a good feature set?
Antiforensic programs shouldn't be necessary. Windows and other operating systems should have provisions for removing personal data, and deleted files should actually be removed from the disk. Until that day, however, these tools are a necessary part of any CSO's arsenal.
Simson Garfinkel, CISSP, is a Boston-based technology writer. E-mail him at machineshop@cxo.com.
Illustration by Anastasia Vasilakis