|The Server Room
|Subject: evidence on your hard drive
|evidence on your hard drive
Thought I would share with the bees some experiments that I have been doing on my hard drive.
The experiments are really geared towards learning what is necessary in order to ensure that your hard drive contains the minimum of easily retrievable incriminating material.
I have been using my computer for browsing the hive since installing the OS on the computer around a year ago. I have, every night, used window washer 5 to attempt to eliminate as much evidence as possible.
Today I pointed Encase (http://www.guidancesoftware.com), the computer forensics software at my C: drive and did keyword searches across the whole disk for terms such as lysergic, bromine, 2-CB, MDP2P etc.
The forensic software turned up quite a few instances of search hits in slack file spaces, unallocated sectors and a couple in pagefile.sys.
A quick run of BC wipe set to write over unallocated space, slack space and clean up the directory entries has produced a remarkable improvement. The software was set for one overwrite with 0s and 1s. Now the only search hits I get are for microsoft word's dictionary (bromine and lysergic), some co-incidental LSDs and 2-CBs in binary and configuration files that are nothing to do with clandestine chemistry and a couple of hits in pagefile.sys. Both of the hits in pagefile.sys are from today's browsing.
The disk is essentially clean of clandestine material as far as the forensic software can detect apart from the pagefile.sys entries (could have wiped these with BCWipe as well but did not want to wait and have found this can fuck up the computer before now, also possible to encrypt this file with BCwipe).
So it seems that setting your computer to use Window Washer every night, followed by BCWipe can keep your computer pretty clean.
Sure if the CIA wanted to find out what was on it they could as it has only been overwritten once (if you want more than this just set window washer and BC Wipe to do 7 pass overwrite), but in probability it will make the search pretty unrewarding for law enforcement.
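The keyword search described in this post, in miniature. The following is an added example and not code from the original thread or from Encase or BCWipe: it builds a constructed toy disk image with a simple allocation table, then runs a case-insensitive keyword scan over the raw bytes and classifies every hit as allocated file content, file slack (the tail of a cluster past the file's end) or unallocated space. Deleting a file only drops its directory entry, so its bytes remain findable until something overwrites them; the `scrub_free_space` helper shows why a free-space overwrite makes the slack and unallocated hits disappear while allocated files are untouched. All names, the cluster size and the sample file contents are assumptions made for the example.

```python
"""Toy raw-image keyword scan that classifies hits by allocation state (added example)."""
from dataclasses import dataclass

CLUSTER = 64  # constructed: a tiny cluster size so offsets are easy to follow


@dataclass
class ToyImage:
    data: bytearray
    # directory: name -> (first_cluster, cluster_count, size_in_bytes)
    directory: dict


def make_image(n_clusters):
    return ToyImage(bytearray(CLUSTER * n_clusters), {})


def write_file(img, name, first_cluster, content):
    """Write content at a cluster and register a directory entry.

    Only the bytes actually written are replaced; whatever was in the rest of
    the cluster stays there as file slack (a simplification of real filesystems,
    which may zero part of the tail)."""
    n_clusters = -(-len(content) // CLUSTER)  # ceiling division
    start = first_cluster * CLUSTER
    img.data[start:start + len(content)] = content
    img.directory[name] = (first_cluster, n_clusters, len(content))


def delete_file(img, name):
    """Like a FAT/NTFS delete: the directory entry goes, the data stays."""
    del img.directory[name]


def classify(img, offset):
    """Return (region, owner) for a byte offset: allocated, slack or unallocated."""
    for name, (first, n_clusters, size) in img.directory.items():
        start = first * CLUSTER
        if start <= offset < start + n_clusters * CLUSTER:
            return ("allocated" if offset < start + size else "slack"), name
    return "unallocated", None


def keyword_scan(img, keyword):
    """Case-insensitive search over the whole raw image, like a forensic keyword hit list."""
    needle = keyword.lower().encode()
    haystack = bytes(img.data).lower()
    hits = []
    pos = haystack.find(needle)
    while pos != -1:
        region, owner = classify(img, pos)
        hits.append((pos, region, owner))
        pos = haystack.find(needle, pos + 1)
    return hits


def scrub_free_space(img, fill=0):
    """Overwrite every byte that is not live file content (slack and unallocated)."""
    for offset in range(len(img.data)):
        if classify(img, offset)[0] != "allocated":
            img.data[offset] = fill


def demo():
    """Constructed scenario: two deleted files, one cluster partly reused."""
    img = make_image(8)
    write_file(img, "notes.txt", 0, b"shopping list: bromine, filters, acetone")
    write_file(img, "lab.txt", 4, b"order secret reagent")
    delete_file(img, "notes.txt")
    delete_file(img, "lab.txt")
    # A shorter new file reuses cluster 0; bytes 14..63 of the old file survive as slack
    write_file(img, "todo.txt", 0, b"todo: call mum")
    before = {kw: keyword_scan(img, kw) for kw in ("bromine", "secret")}
    scrub_free_space(img)
    after = {kw: keyword_scan(img, kw) for kw in ("bromine", "secret")}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before scrub:", before)
    print("after scrub: ", after)
```

Running it reports `bromine` as a slack hit owned by `todo.txt` and `secret` as an unallocated hit before the scrub, and no hits afterwards. The scan only ever reads the logical bytes of the image, which is also why, as a later post in this thread notes, a normal forensic copy of a drive says nothing about data that has already been overwritten.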
|Government forensic standard for hard drives
The requirement for a disk to be considered unrecoverable (NSA standard) is 5 overwrites per sector with the given value of 75 written to cover all areas. Reason would dictate the actual number of overwrites that are recoverable would bee less than that (government loves excess). The exception to the above is for floppy disks that are exposed to a bulk eraser (big electromagnet) for a period of 30 minutes, which is preferred to the overwrite method due to the nature of the file allocation tables (FAT).
True Trust is having more on them than they have on you - Stalin
|Unless you are not a Bin-Laden it doesn't make
Unless you are a Bin-Laden it doesn't make sense to use multiple overwriting steps. Use your common sense...
Having performed the very same test as you on my own system in the past I found that it was absolutely essential to defrag the HD before wiping the free space with bcwipe or traces were always left lying around in unallocated clusters.
...it's turtles all the way down!
|Being securish with data
1st back-up all your important data from your disk(s)
2nd zero your ENTIRE disk with autoclave (a floppy linux distribution for securely deleting the contents of your hard-disk).
3rd Install your OS again, etc.
4th encrypt a partition with some winbloze drive encryption software. Keep your browser cache folder, chem docs, etc. in there. Can you encrypt the swap file with windows?
5th paranoia is your friend.
the link for autoclave:
(Rated as: misinforming)
|I found that it was absolutely essential to...
I found that it was absolutely essential to defrag the HD before wiping the free space with bcwipe
maybe an older version of BCWipe?
|Starlight are you using XP?
Starlight are you using XP? I know XP cleans the swap file by default upon boot, but I always wondered how well it did. PGPdisk is a real good thing to look into for storing sensitive info. Just make sure to create a really secure passphrase, but even with a simple passphrase PGP is nearly impossible to crack in a reasonable amount of time.
Crank is part of this complete breakfast.
|no not using XP
I am using windows 2000. Am now using BCWipe to encrypt my swap file.
Also using Bestcrypt for disk encryption. Easier than PGP disk and better algorithms also, I have been led to believe (although I don't understand crypto in detail).
There is an excellent compendium of privacy related material on this page:
How to defend your Privacy (http://v4.livegate.net/wipe/#a)
It quotes Peter Gutmann, after whom the 35-pass Gutmann Wipe was named:
"In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now."
I'd have thought that to retrieve overwritten data using magnetic hysteresis, you'd have to dismantle the drive and use a custom reader on the platter. Normal disk forensics just makes a digital copy of the drive and analyses that - it won't reveal overwritten data.
Are you, or have you ever been a Liberal? YES / NO
|>maybe an older version of BCWipe?
>maybe an older version of BCWipe?
Possibly...I wasn't using the latest update but a very recent version. I will get the latest version and test it again. Specifically, I was finding urls by the hundreds ( could've even been thousands, I just remember it was lots) and from quite a way back in time right up to present.
...it's turtles all the way down!
This example shows how you can run the utility with command line parameters. It will automatically detect and erase all detected hard drives in 7 passes with no user interaction.
A:\killdisk.exe -killallhdds -passes:7 -noconfirmation
Having the above command in the autoexec.bat file of a bootdisk will give you an emergency wipe boot disk of ALL hard drives.