Hive The Server Room

	Main Index Search Register Login Who's Online FAQ Links
	Main Index Search Register Login Who's Online FAQ Links

	3 Online, 0 Active		You are not logged in

This is a historical archiveThe forum is read-only. Private information has been removed. It is not possible to login.

	The Server Room

All 12 posts Subject: evidence on your hard drive Please login to post Down

starlight
(Hive Bee)
09-16-04 16:24
No 531629
      evidence on your hard drive

Thought I would share with the bees some experiments that I have been doing on my hard drive.

The experiments are really geared towards learning what is necessary in order to ensure that your hard drive contains the minimum of easily retrievable incriminating material.

I have been using my computer for browsing the hive since installing the OS on the computer around a year ago. I have, every night, used window washer 5 to attempt to eliminate as much evidence as possible.

Today I pointed Encase (http://www.guidancesoftware.com), the computer forensics software at my C: drive and did keyword searches across the whole disk for terms such as lysergic, bromine, 2-CB, MDP2P etc.

The forensic software turned up quite a few instances of search hits in slack file spaces, unallocated sectors and a couple in pagefile.sys.

A quick run of BC wipe set to write over unallocated space, slack space and clean up the directory entries has produced a remarkable improvement. The software was set for one overwrite with 0s and 1s. Now the only search hits I get are for microsoft word's dictionary (bromine and lysergic), some co-incidental LSDs and 2-CBs in binary and configuration files that are nothing to do with clandestine chemistry and a couple of hits in pagefile.sys. Both of the hits in pagefile.sys are from today's browsing.

The disk is essentially clean of clandestine material as far as the forensic software can detect apart from the pagefile.sys entries (could have wiped these with BCWipe as well but did not want to wait and have found this can fuck up the computer before now, also possible to encrypt this file with BCwipe).

So it seems that setting your computer to use Window Washer every night, followed by BCWipe can keep your computer pretty clean.

Sure if the CIA wanted to find out what was on it they could as it has only been overwritten once (if you want more than this just set window washer and BC Wipe to do 7 pass overwrite), but in probability it will make the search pretty unrewarding for law enforcement.

dasedbee
(Stranger)
09-16-04 16:56
No 531637
User Picture       Government forensic standard for hard drives

The requirement for a disk to be considered unrecoverable (NSA standard)is 5 overwrites per sector with the given value of 75 written to cover all areas. Reason would dictate the actual number of overwrites that are recoverable would bee less than that (government loves excess). The exception to the above is for floppy disks that are exposed to a bulk eraser (big electromagnet) for a period of 30 minutes, which is preferred to the overwrite method due to the nature of the file allocation tables (fat).

True Trust is having more on them than they have on you - Stalin

Lilienthal
(Moderator)
09-16-04 17:57
No 531645
User Picture       Unless you are not a Bin-Laden it doesn't make

Unless you are a Bin-Laden it doesn't make sense to use multiple oerwriting steps. Use your common-sense...

memeep
(Stranger)
09-16-04 19:37
No 531660
User Picture       BCWipe

Having performed the very same test as you on my own system in the past I found that it was absolutely essential to defrag the HD before wiping the free space with bcwipe or traces were always left lying around in unallocated clusters.

...it's turtles all the way down!

lemuralia
(Stranger)
09-16-04 22:06
No 531677
      Being securish with data

1st back-up all your important data from your disk(s)

2nd zero your ENTIRE disk with autoclave(a floppy linux distribution for securely deleting the contents of your hard-disk).

3rd Install your OS again.etc.

4th encrypt a partition with some winbloze drive encryption software.Keep your browser cache folder,chem docs,etc in there.Can you encrypt the swap file with windows?

5th paranoia is your friend.

Lem.

the link for autoclave:
http://staff.washington.edu/jdlarios/autoclave/usage.html

lemuralia
09-16-04 22:10
      Structured Passes
(Rated as: misinforming)

starlight
(Hive Bee)
09-17-04 12:43
No 531768
      I found that it was absolutely essential to...

I found that it was absolutely essential to defrag the HD before wiping the free space with bcwipe

maybe an older version of BCWipe?

Drug_Phreak
(Hive Bee)
09-17-04 20:07
No 531830
      Starlight are you using XP?

Starlight are you using XP? I know XP cleans the swap file by default upon boot, but I always wondered how well it did. PGPdisk is a real good thing to look into for storing sensitive info. Just make sure to create a really secure passphrase, but even with a simple passphrase PGP is nearly impossible to crack in a reasonable amount of time.

Crank is part of this complete breakfast.

starlight
(Hive Bee)
09-18-04 13:23
No 531978
      no not using XP

I am using windows 2000. Am now using BCWipe to encrypt my swap file.

Also using Bestcrypt for disk encryption. Easier than PGP disk and better algorithms also I have been led to believe (although don't understand crypto in detail).

MargaretThatcher
(Hive Bee)
09-18-04 17:15
No 532003
User Picture       Sanitising Disks

There is an excellent compendium of privacy related material on this page:

How to defend your Privacy (http://v4.livegate.net/wipe/#a)

It quotes Peter Gutmann, after whom the 35-pass Gutmann Wipe was named:

"Epilogue

In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now."

I'd have thought that to retrieve overwritten data using magnetic hysteresis, you'd have to dismantle the drive and use a custom reader on the platter. Normal disk forensics just makes a digital copy of the drive and analyses that - it won't reveal overwritten data.

Are you, or have you ever been a Liberal? YES / NO

memeep
(Stranger)
09-19-04 18:23
No 532185
User Picture       >maybe an older version of BCWipe?

>maybe an older version of BCWipe?

Possibly...I wasn't using the latest update but a very recent version. I will get the latest version and test it again. Specifically, I was finding urls by the hundreds ( could've even been thousands, I just remember it was lots) and from quite a way back in time right up to present.

...it's turtles all the way down!

WizardX
(Wizard Master)
09-21-04 10:44
No 532477
User Picture       KillDisk

http://www.killdisk.com/eraser.htm

This example shows how you can run the utility with command line parameters. It will automatically detect and erase all detected hard drives in 7 passes with no user interaction.

A:\killdisk.exe -killallhdds -passes:7 -noconfirmation

Having the above command in the autoexec.bat file of a bootdisk will give you an emergency wipe boot disk od ALL hard drives.

	https://the-hive.archive.erowid.org	the-hive@erowid.org



Powdered by perlBB^TM v7.19, (c) 2016 - 2019, Psychopharmacopea Research Inc.
Links Erowid Rhodium

	All 12 posts		Subject: evidence on your hard drive		Please login to post		Down


		starlight (Hive Bee) 09-16-04 16:24 No 531629				evidence on your hard drive
						Thought I would share with the bees some experiments that I have been doing on my hard drive. The experiments are really geared towards learning what is necessary in order to ensure that your hard drive contains the minimum of easily retrievable incriminating material. I have been using my computer for browsing the hive since installing the OS on the computer around a year ago. I have, every night, used window washer 5 to attempt to eliminate as much evidence as possible. Today I pointed Encase (http://www.guidancesoftware.com), the computer forensics software at my C: drive and did keyword searches across the whole disk for terms such as lysergic, bromine, 2-CB, MDP2P etc. The forensic software turned up quite a few instances of search hits in slack file spaces, unallocated sectors and a couple in pagefile.sys. A quick run of BC wipe set to write over unallocated space, slack space and clean up the directory entries has produced a remarkable improvement. The software was set for one overwrite with 0s and 1s. Now the only search hits I get are for microsoft word's dictionary (bromine and lysergic), some co-incidental LSDs and 2-CBs in binary and configuration files that are nothing to do with clandestine chemistry and a couple of hits in pagefile.sys. Both of the hits in pagefile.sys are from today's browsing. The disk is essentially clean of clandestine material as far as the forensic software can detect apart from the pagefile.sys entries (could have wiped these with BCWipe as well but did not want to wait and have found this can fuck up the computer before now, also possible to encrypt this file with BCwipe). So it seems that setting your computer to use Window Washer every night, followed by BCWipe can keep your computer pretty clean. Sure if the CIA wanted to find out what was on it they could as it has only been overwritten once (if you want more than this just set window washer and BC Wipe to do 7 pass overwrite), but in probability it will make the search pretty unrewarding for law enforcement.



		dasedbee (Stranger) 09-16-04 16:56 No 531637				Government forensic standard for hard drives
						The requirement for a disk to be considered unrecoverable (NSA standard)is 5 overwrites per sector with the given value of 75 written to cover all areas. Reason would dictate the actual number of overwrites that are recoverable would bee less than that (government loves excess). The exception to the above is for floppy disks that are exposed to a bulk eraser (big electromagnet) for a period of 30 minutes, which is preferred to the overwrite method due to the nature of the file allocation tables (fat). True Trust is having more on them than they have on you - Stalin



		Lilienthal (Moderator) 09-16-04 17:57 No 531645				Unless you are not a Bin-Laden it doesn't make
						Unless you are a Bin-Laden it doesn't make sense to use multiple oerwriting steps. Use your common-sense...



		memeep (Stranger) 09-16-04 19:37 No 531660				BCWipe
						Having performed the very same test as you on my own system in the past I found that it was absolutely essential to defrag the HD before wiping the free space with bcwipe or traces were always left lying around in unallocated clusters. ...it's turtles all the way down!



		lemuralia (Stranger) 09-16-04 22:06 No 531677				Being securish with data
						1st back-up all your important data from your disk(s) 2nd zero your ENTIRE disk with autoclave(a floppy linux distribution for securely deleting the contents of your hard-disk). 3rd Install your OS again.etc. 4th encrypt a partition with some winbloze drive encryption software.Keep your browser cache folder,chem docs,etc in there.Can you encrypt the swap file with windows? 5th paranoia is your friend. Lem. the link for autoclave: http://staff.washington.edu/jdlarios/autoclave/usage.html



		lemuralia 09-16-04 22:10				Structured Passes (Rated as: misinforming)



		starlight (Hive Bee) 09-17-04 12:43 No 531768				I found that it was absolutely essential to...
						I found that it was absolutely essential to defrag the HD before wiping the free space with bcwipe maybe an older version of BCWipe?



		Drug_Phreak (Hive Bee) 09-17-04 20:07 No 531830				Starlight are you using XP?
						Starlight are you using XP? I know XP cleans the swap file by default upon boot, but I always wondered how well it did. PGPdisk is a real good thing to look into for storing sensitive info. Just make sure to create a really secure passphrase, but even with a simple passphrase PGP is nearly impossible to crack in a reasonable amount of time. *Crank is part of this complete breakfast.*



		starlight (Hive Bee) 09-18-04 13:23 No 531978				no not using XP
						I am using windows 2000. Am now using BCWipe to encrypt my swap file. Also using Bestcrypt for disk encryption. Easier than PGP disk and better algorithms also I have been led to believe (although don't understand crypto in detail).



		MargaretThatcher (Hive Bee) 09-18-04 17:15 No 532003				Sanitising Disks
						There is an excellent compendium of privacy related material on this page: How to defend your Privacy (http://v4.livegate.net/wipe/#a) It quotes Peter Gutmann, after whom the 35-pass Gutmann Wipe was named: "Epilogue In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now." I'd have thought that to retrieve overwritten data using magnetic hysteresis, you'd have to dismantle the drive and use a custom reader on the platter. Normal disk forensics just makes a digital copy of the drive and analyses that - it won't reveal overwritten data. Are you, or have you ever been a Liberal? YES / NO



		memeep (Stranger) 09-19-04 18:23 No 532185				>maybe an older version of BCWipe?
						>maybe an older version of BCWipe? Possibly...I wasn't using the latest update but a very recent version. I will get the latest version and test it again. Specifically, I was finding urls by the hundreds ( could've even been thousands, I just remember it was lots) and from quite a way back in time right up to present. ...it's turtles all the way down!



		WizardX (Wizard Master) 09-21-04 10:44 No 532477				KillDisk
						http://www.killdisk.com/eraser.htm This example shows how you can run the utility with command line parameters. It will automatically detect and erase all detected hard drives in 7 passes with no user interaction. A:\killdisk.exe -killallhdds -passes:7 -noconfirmation Having the above command in the autoexec.bat file of a bootdisk will give you an emergency wipe boot disk od ALL hard drives.

All 12 posts	End of thread	Top