A Refutation of Evidence Eliminator


megalomania
November 8th, 2002, 08:41 PM
The oft-touted tool to clean one's hard drive of questionable content to avoid a date with "bubba" in the big house is called Evidence Eliminator. This app is supposed to scour your hard drive and remove all of the little secret files that supposedly catalog your every movement. This program uses a quite aggressive and ethically questionable marketing campaign, often rife with graphic depictions of anal rape in prison, to entice (scare) you into buying.

Does this program deliver what it promises? Its largest claim to fame is its ability to completely baffle the most frequently used forensics program, EnCase. While I have nothing to hide, except the occasional plan for world domination, one never knows what malfeasant and corrupt federal agent has planted on your drive, or what new freedom-restricting law has just been passed in secret minutes before your arrest warrant.

I have used this program myself some time ago, perhaps a year now. In short, I thought it sucked. It consistently tricked my computer into thinking the hard drive was maxed out, requiring me to perform no end of disk maintenance scans. This is a nasty side effect of the program filling up your drive with empty data to force a wipe of all slack space. Other than that it did seem to work, but I never reinstalled it after a hard drive crash. Now there is a new version, v 5.0, which promises better performance. I almost downloaded it…

I was halfway through the 4 MB download when I finished a review of the program, the first real review of this software package, and might I say this review confirmed some lingering suspicions I had about this program. I won't leave you in suspense; read the review here: http://www.radsoft.net/resources/software/reviews/ee/

It would seem that EE cannot even make EnCase break a sweat with its mere one-pass file wiping. When I first heard about computer security products some 7 years ago I was informed that military-grade shredding technology would be secure only after several HUNDRED passes because scanning electron microscopy can recover about 150-200. It is quite possible that this conversation was relaying classified material, by the way (my apologies to the feds if you didn't want this known :p ).

I routinely use 35-pass wiping after encrypting certain files, and more recently I have taken to wiping my slack space every day. This is where the recent interest in file wiping has come in, and recent, um, events. I always wondered why in 7 years (not that I looked much) I have never found a touted app that shreds files 400+ times. Then I realized it doesn't matter; all you have to do is shred all the time. I suspect the reason I have never seen such robust wiping has something to do with why it takes me 3 hours to do one pass of my computer using the PGP slack space wiper. 400 passes would take me 50 days to complete. No matter, my computer stays on constantly, and like my own version of the SETI analysis program or the protein folding version of that, my spare CPU cycles are occupied forevermore in wiping.

Now I know that may sound excessive, and indeed it may be. One is comforted to know that the only way the demonic powers that be can extract a file wiped out 150+ times is with the vast majority of the resources available to the secret three-letter organizations we all know and love (hi guys). It would take them years of hard work and many millions of their weapons dollars to do this. Unless you happen to be a certain millionaire who masterminded a certain group of planes crashing into a certain pair of buildings, you get a lazy, overworked forensics tech (who likely graduated at the bottom of his class, or otherwise dislikes money, respect, authority) using EnCase to look for deleted files. I am sure there is a bit more to it than that, but as the above review mentions, EnCase is only capable of recovering less than 3 wipes.

I even had EnCase on my computer at one time, and damned if I won't put it back on. The way I see it, file recovery programs are rather hard to come by for some reason, as those who have accidentally deleted a file must know. Why not get a forensic package to do the job? It is rather complex for the casual user, though.

I don't mean to go into all of the myriad methods of protecting oneself from the incompetent ineptitude of the authorities, or the scoundrelly schemes of hackers. Chalk this up as the second of what I hope are many threads concerning the tools and techniques we have to protect ourselves in these uncertain times. I want to hear if any of you have used this program, if you have found any other reviews of what it can do (good or bad), and if you have found any better alternatives. Speaking of which, I shall try out the E3 program (Evidence Eliminator Eliminator) offered for free by that review site.

PYRO500
November 8th, 2002, 11:59 PM
I tried Evidence Eliminator 5 and in my opinion it sucked major ass. Not only did it take longer than PGP to wipe my file slack, it keeps a log of all the files it deletes and very slowly goes through the commands which it includes in the log. This log is not deleted automatically and I'm not sure if it's wiped like the other files are supposed to be wiped by the program.

I had this program called CyberScrub a while back but I lost it after the trial expired. The CyberScrub program would wipe your hard drive's space with a predetermined or random data pattern as many times as you told it to. I'm gonna get that program back now that I'm running Windows as my main OS again.

probity
November 9th, 2002, 12:24 AM
The best program I've found and use is called DoD wipe. I knew a hacker (who's in jail at the moment) that wiped his hard drive using this before he was caught... from what I heard they were unable to recover any data from his HD. The program is fairly slow but it does the job. You also may want to check out http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html if it really spikes your interest. Wipe is for Unix, though it does have a Windows port floating around the internet.

nbk2000
November 9th, 2002, 04:23 AM
Well, I had the opportunity to use EnCase to recover some deleted files for an acquaintance.

He suspected his wife was fucking around on him with someone she met on the internet. He knew I'm big into computers and all this security shit, so he asked me what I could find.

Hey, $10/hour while the computer does its thing.... :)

Anyways, she had deleted a lot of stuff, but just the standard Windows delete/empty recycle bin. NO secure wipe.

I did find some Yahoo e-mail and a LOT of URLs and webpages about divorce. Nothing concrete to confirm the fucking around, but it was definitely proof that she was thinking about leaving him.

So, I got my $150, he got what he needed to know to beat the bitch to the punch.

I've tried EnCase against both EE and PGPwipe. EE was shitty before it even started. Constant freezeups, slow as snails, and too many "options". Plus, EnCase was still able to recover most of the shit anyways. :(

PGP wipe did the job. Couldn't recover anything from an 8-pass wipe. :)

Though... could still find the file name or the majority of it until I did a slack space wipe. :(

zeocrash
November 12th, 2002, 03:03 PM
At the moment I'm using a trial version of East-Tec Eraser.
http://www.east-tec.com/
It is pretty good. Not only does it include privacy protector and clean free space functions, it also includes a function for making your own algorithm, which I used to create my "uber secure pass" algorithm which does a 150-pass delete. Another good thing is that the company accepts cash. It also indicates which methods of deletion stop software recovery, and which methods stop hardware and software recovery.
East-Tec Eraser comes with 4 stop-software-recovery algorithms and 3 stop-hardware-recovery algorithms,
including the Gutmann algorithm.

Another product that I was testing was Directory Snoop
http://www.briggsoft.com/
It's more of a hard disk toolkit than an eraser program. It does "unretrievable" deletes using the Gutmann algorithm. It also acts as an undelete tool for deleted files, and shows the hex and text content of files, as well as the disk clusters assigned to these files.

CyclonitePyro
November 15th, 2002, 09:23 PM
Firstly I must say that I'm not very well educated in the computer realm. I started worrying about myself just giving sensitive info about myself to anyone, and having it be accessible to others. I remembered hearing about firewalls, I still don't fully understand what they do, so I read a little and downloaded Sygate Personal Firewall (http://soho.sygate.com/default.htm), and then I went to https://grc.com/x/ne.dll?bh0bkyd2 and tested my computer and it said it couldn't access anything. So am I safe?

Basically I don't want others and "they" to be able to see what I'm buying and reading.
I guess eBay kinda gives away a bit too much info.

Next I think I will try the anonymous credit card trick in the other thread. No more buying supplies with Mom's credit card.

What does everyone else do to try to stay safe?

Marvin
December 16th, 2002, 09:22 AM
I'd like to take issue with a scanning electron microscope being able to recover data after 200 erase passes.

I've done some math on data density, domain size etc. and come to the eventual conclusion that it is utter bullshit. I've also attempted to find any real evidence of recovery after 1 erase pass on a modern HD and failed.

Very very early on in magnetic recording, and still the case with audio tapes, the media was 'thick' in comparison to the size of the recording head. The media is a fine suspension of ferromagnetic material in a plastic matrix, and the strength of the recording bears relation to the strength of the magnetic field used to produce it. It's, for want of a better word, 'analog'.

If you erase a tape, not all of the domains oriented in the recording phase will be reordered and the tape contains a faint 'analog' version of the signal on it before. By subtracting any data on it as part of the erase, and by exploiting depth differences in the domain layout, I'm sure it's possible to recover a good amount of the data on the tape/disk that was on it before the erase.

You can see where I'm going with this.

Hard disks are no longer analog recording devices at heart. In the effort to get the maximum data density possible, individual domains (each of which has only 2 states) are used to store the 1's and 0's of the lowest level of data. To increase the data density the domains in the solid film of ferromagnetic material on the surface of the disk need to be made smaller, and as they depend mainly on the physical size of the film, making it thinner does the trick. The new problem is, the smaller the domain, the less energy is required to flip it; make it too small, and thermal energy will be enough to exchange between states. IBM solved this problem with 'pixie dust'. As I understand it the solution involves 2 separate ferromagnetic layers, separated by a 3-atom layer of ruthenium. When you write a bit to the top layer, the bottom layer automatically switches to the opposite state, because this is of lower energy. The two states are now NS|SN and SN|NS, which is more stable than a single layer NS or SN state. (Domains are lying flat on the media, hence N and S are close together/low energy state). Because the domains in one layer are the reverse of those in the other, this is more formally called antiferromagnetically coupled media.

Regardless of which method is used on any particular HD, the important thing is that in single domain recording, the domain is the smallest unit of memory on the drive. Physics tells us that the domain size and shape is only affected by the dimensions of the media, and the immediate magnetic field, but let's be generous, let's ignore general physics and assume that if data is rewritten by a string of 0's, some form of analysis, maybe mapping of the exact domain shape or position, can possibly reveal some of the erased data. But recovering data after 200 random bit writes would require not just complete storage of all 200 bits of data (by definition this must be true) written by the eraser program on top of one another, but also the exact order in which they were written, and all in a single domain only capable of retaining 2 states.

If anyone has any recent information on the subject, I would be very interested to see it. I'd also expect an STM, probably the only tool for the job now domain sizes are of the order of 80nm, to take longer than a human lifetime to map 10% of a HD data area. I think a few passes of a cryptographically strong bit stream to all unused clusters, as well as spare cluster space, would be enough even for the most paranoid of people, except that both data eraser programs and the police have a vested interest in projecting a kind of 'Macbeth's syndrome' where no matter how many times you wash it with your old powder, it's still not clean.

Fl4PP4W0k
December 16th, 2002, 02:29 PM
Hmm... if I had extremely 'naughty' information on a hard disk, and was in fear of being busted by the gestapo, I wouldn't trust no steenkin software package :p

If I were to be using extremely sensitive information, that could land my ass in bubba's lap if discovered, then I would use removable and flimsy discs like iomega Jaz, or some various MO drive. A Gb or two should be plenty for most uses (unless you have one shitload of kiddy pr0n \ terrorist plans \ credit card numbers \ fotos of president with hookers).

This drive would be accessible at all times, right next to you. You see the cops on the video screen (of course you have independently powered closed circuit surveillance...) you simply pull out the disk, plop it into a ceramic pot and sit a premade thermite charge onto the thing. Tssss!

No more data.

This could be done with a demountable hard disk also, but I like the idea of the Zip \ Jaz \ MO drive.

If you have a small amount of really sensitive info, use a suitable compact flash card (up to about 1Gb $$$) and in case of trouble, it's hammer time :D

blazter
December 16th, 2002, 06:20 PM
One thing that was not mentioned in this thread was the fact that there is a lot of information that gets stuffed in swap files and some various other files that Windows likes to keep around. If I recall from my days of reading Fravia's old reverse engineering pages, user.dat and some others had some 'interesting' information cached in them. Not only that, but if your computer is left on, it is possible for the gestapo to read any tidbits left in RAM. Removable storage is not a complete solution.
Rather, the best solution may be to run an OS like OpenBSD that has support for encrypted swap, to power down your machine when not in use, and to encrypt the removable media as recommended in the RTPB.

nbk2000
December 16th, 2002, 11:13 PM
If you want to be totally secure, you have to run the computer strictly from a RAMdrive, with NO permanent storage media installed, like a hard drive. The computer would have to be disconnected from any network/net connection, checked for any attached keystroke recorders, built-in transmitters, etc.

Now, assuming you don't have the FBI sneaking into your computer to attach hidden data transmitters to your computer, you should be fine with just disconnecting from the net.

[shameless plug]
If you use PGPfloppy (ftp://username:password@209.195.155.80/Recent/PGP-Floppy.exe), you can take files from removable media, like CD-RW, encrypt them using PGP, store it on the RAMdrive, then burn it to CD-R/W in encrypted form using a DOS burning utility from a separate disk.
[/shameless plug]

Thanks to USB data keys, you can now carry around many megabytes of encrypted data on your keychain in a dongle no bigger than a pack of gum. 'Course you're going to pay premium prices, but that's the trade-off.

The user.dat and swap386.dat file risks have been mentioned in prior threads on this subject. I've got all of Fravia's articles archived somewhere in the many gigs of data I've accumulated over the years.

Fl4PP4W0k
December 17th, 2002, 02:16 AM
CF cards can be used just like bootable hard drives (with an IDE adapter), though not under OSes that have a scratch file (any Windows) because of the finite write cycles of flash RAM. DOS \ Linux \ BSD would be fine though.

As before... in case of 'troubles', it's hammer time :p

Harry
December 17th, 2002, 12:09 PM
If we want a decent RAMdrive, we gotta have some college geek invent it. A device like so: a physically large PCI card, detected by BIOS as an Adaptec SCSI controller (extremely standard hardware), but instead of a disk controller, it's loaded on both sides with SDRAM slots. A bloke can pick up PC133 SDRAM sticks for cheap now, up to 512MB. A PCI card with, oh, say, 6 SDRAM slots could have some real capacity. Since the system BIOS detects the card as a SCSI controller, and the SDRAM as a hard disk, no matter what OS you run, you could set it to use the RAM disk as swap file. Current PCs are shipping with DDR RAM, so the PC133 sticks are cheap. A RAMdisk doesn't have to be as fast as regular RAM, just faster than the HDD (easy). I remember when college geeks were designing MP3 players around HDDs in 96-97, selling circuit boards, kits, and complete devices, and a few were working on CDROM models. If they can do that, then a PCI memory card detecting as a SCSI controller can't be too hard.

Harry

Mick
December 18th, 2002, 11:29 PM
I personally wouldn't rely on any kind of software to remove questionable data from my computer.

Although you may delete the original file with 200 passes or something, who's to say Windows hasn't stored part of the file somewhere? Or there's not a shadow of it left in your RAM.

It's a pretty big risk to take.

Personally, I would go along the lines of physically destroying your RAM and HD.
There was a thread here ages ago about thermiting your computer should you be raided or something.
I think that would be the only way to be absolutely sure everything was gone.
Something simple like a contact patch under your computer, so if it's lifted off your desk, then it ignites and everything burns.
They can't very well use an electron microscope to recover data from a blob of hard drive.
Maybe thermite wouldn't be the way to go 'cause it doesn't always ignite.
Either way, physically destroying something is the only way to be absolutely sure that it is gone forever.

nbk2000
December 19th, 2002, 12:15 AM
I've got a small DOS program that allows you to use up to 2GB of RAM as a RAMdrive. I'm currently using a 2GB HDD, so a RAMdrive of the same size would be more than adequate, and no hardware expense besides buying the memory modules.

Fl4PP4W0k
December 19th, 2002, 12:56 AM
quote:
> If you want to be totally secure, you have to run the computer strictly from a RAMdrive, with NO permanent storage media installed, like a hard drive. The computer would have to be disconnected from any network/net connection, checked for any attached keystroke recorders, built-in transmitters, etc.

Errr... What would be the point of using volatile RAM as storage? I'm sure you realise that SDRAM needs a constant voltage supply to retain its memory; while that may be convenient if som1 walks in the door... the possibility of losing power for a moment is quite likely. Then all your data is gone :(
And having a backup hard drive to replenish the RAM in case of a power loss brings us back to the problem of physical magnetic storage.

(RAMdrive is usually the term given to a virtual hard disk that exists on a portion of a system's RAM... I'm not sure if this is what you were referring to completely?)

I still believe a CF card would be perfect...

vir sapit qui pauca loquitur
December 19th, 2002, 10:59 AM
Use a UPS, that provides the backup power, and if anyone walks in the door (as you said) then you hit the big red button (gotta' have a big red button for anything like this :D ) and it cuts the link between the UPS and the computer (hence also cutting mains supply), equating to a dead computer. THEN you start hitting all the other big red buttons that control the various anti-intruder systems that you have installed (you did install them, didn't you ;) )

EDIT: spelling

[ December 19, 2002, 10:17 AM: Message edited by: vir sapit qui pauca loquitur ]

Anarchist
December 20th, 2002, 09:31 PM
I as well am heavily into computers, computer security and such things. If you really have seriously sensitive data on your computer then you don't need to do anything near the amount of stuff you guys are talking about. For example, the NSA's method of erasing top-secret files and what-not is to do a low-level format, then binary overwrite, repeated three times. Doing that will erase any chance of ever recovering the data no matter how much time you have.

Just some notes on how memory and stuff works for you guys. If you're running Windows (which I assume most of you are), when something is deleted it actually isn't deleted. What happens is, it's marked with a "delete flag" that just tells Windows that this memory is open, and free to overwrite. Now, when you download/install/get new files Windows will overwrite the memory of the old files, which is when it is permanently deleted. If you don't believe me, open up debug in DOS and look at some raw memory dumps. The way the NSA, CIA, FBI etc. recover those files is to look at the raw memory instead of having Windows do it for them. But if you still don't think this is enough, when the feds break down your door run a powerful magnet over your hard drive; that will do the trick nicely.
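The delete-flag behaviour described in the post, and the slack-space and file-name leftovers nbk2000 reported earlier in the thread, can be seen end to end on a toy block device. This is an added illustration, not code from the thread or from any real file system: the 8-block image, the directory layout, the constructed sample file contents and the seeded random wipe pattern are all assumptions chosen to keep the run repeatable. It goes slightly beyond the post by also showing why a free-space wipe alone leaves the tail of a reused block behind, and what a slack wipe adds.

```python
"""Toy block device showing why a plain delete leaves data behind.

Added illustration, not a real file system: 8 blocks of 32 bytes and a
directory that records each file's name, blocks, byte length and an
in-use flag. Deleting only clears the flag, as the post describes; the
bytes, and the name, survive until something overwrites or wipes them.
"""
import random

BLOCK_SIZE = 32
BLOCK_COUNT = 8


class ToyDisk:
    def __init__(self, seed=0):
        self.image = bytearray(BLOCK_SIZE * BLOCK_COUNT)  # the raw "platter"
        self.directory = []  # dicts: name, blocks, length, in_use
        self.rng = random.Random(seed)  # seeded so runs are repeatable

    def _used_blocks(self):
        return {b for e in self.directory if e["in_use"] for b in e["blocks"]}

    def _random_bytes(self, n):
        return bytes(self.rng.getrandbits(8) for _ in range(n))

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        free = [b for b in range(BLOCK_COUNT) if b not in self._used_blocks()]
        if len(free) < needed:
            raise OSError("disk full")
        blocks = free[:needed]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            off = b * BLOCK_SIZE
            # Only len(chunk) bytes are written; whatever was in the rest of a
            # partially filled last block stays there: that is file slack.
            self.image[off:off + len(chunk)] = chunk
        self.directory.append(
            {"name": name, "blocks": blocks, "length": len(data), "in_use": True})

    def delete_file(self, name):
        """Ordinary delete: flip the flag, touch nothing on the platter."""
        for e in self.directory:
            if e["name"] == name and e["in_use"]:
                e["in_use"] = False

    def raw_search(self, needle):
        """Forensic-style carve: scan the raw bytes, ignoring the directory."""
        return self.image.find(needle) != -1

    def directory_names(self):
        return [e["name"] for e in self.directory]

    def wipe_free_space(self):
        """Overwrite every block no live file owns, and drop dead directory
        entries, whose names are evidence in their own right."""
        used = self._used_blocks()
        for b in range(BLOCK_COUNT):
            if b not in used:
                off = b * BLOCK_SIZE
                self.image[off:off + BLOCK_SIZE] = self._random_bytes(BLOCK_SIZE)
        self.directory = [e for e in self.directory if e["in_use"]]

    def wipe_slack(self):
        """Overwrite the unused tail of each live file's last block."""
        for e in self.directory:
            if not e["in_use"]:
                continue
            last = e["blocks"][-1]
            used_in_last = e["length"] - (len(e["blocks"]) - 1) * BLOCK_SIZE
            start = last * BLOCK_SIZE + used_in_last
            end = (last + 1) * BLOCK_SIZE
            self.image[start:end] = self._random_bytes(end - start)


def demo():
    """Walk through delete, reuse, free-space wipe and slack wipe; return
    what a raw scan can still find at each stage."""
    disk = ToyDisk()
    # Constructed sample content: 58 bytes, so it spans two blocks.
    secret = b"SECRET: meet at the old mill at midnight, bring the ledger"
    disk.write_file("plans.txt", secret)
    disk.delete_file("plans.txt")
    found = {
        "after_delete": disk.raw_search(b"bring the ledger"),
        "name_after_delete": "plans.txt" in disk.directory_names(),
    }
    # A shorter new file reuses both blocks but fills only 6 bytes of the
    # second, so the end of the secret survives in the new file's slack.
    disk.write_file("grocery.txt", b"milk, eggs, bread, coffee, butter, jam")
    found["after_reuse"] = disk.raw_search(b"bring the ledger")
    found["head_after_reuse"] = disk.raw_search(b"meet at the old mill")
    disk.wipe_free_space()
    found["after_free_wipe"] = disk.raw_search(b"bring the ledger")
    found["name_after_free_wipe"] = "plans.txt" in disk.directory_names()
    disk.wipe_slack()
    found["after_slack_wipe"] = disk.raw_search(b"bring the ledger")
    return found


if __name__ == "__main__":
    for stage, hit in demo().items():
        print(f"{stage:22s} {'found' if hit else 'gone'}")
```

The order of the stages matters: after the ordinary delete both the content and the name are intact, after the block is reused the first 32 bytes are gone but the tail is still carveable from slack, the free-space wipe removes the dead directory entry but not that tail, and only the slack wipe clears it.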

chemwarrior
January 11th, 2003, 05:33 PM
Mega, I'm curious as to how you set up the PGP wipe to work during spare CPU cycles. Did you just input an extremely high number of wipes then leave the program on, just minimized? Or is there something more?
Thanks in advance.
Chemwarrior

nbk2000
January 12th, 2003, 06:30 AM
Well, you've got to sleep sometime, right? That's when the program is wiping your trail.

Also, I've been thinking about how you could make it impossible for piggies to turn off the computer before it can finish doing a panic wipe, or to disable a self-destruct before it can complete the job.

The motherboard itself could be enclosed in a close fitting case that leaves only an inch or two above the board. This case has a few small, and convoluted, openings for the various ribbon cables, power cords, and cool/hot air to enter/exit the casing before the whole assembly is encased in concrete.

A UPS sufficient to power the assembly for the needed time is also entombed in the concrete at the same time.

The only things exterior to the "Cube" (as I think of it) are the connectors for plugging in the keyboard, mouse, monitor, and ethernet cable. The HDDs are inside the Cube where they can't be fucked with.

In case of piggie intrusion, the big red shiny button ;) is pressed, which starts the wipe program, destroys all the connections to the outside world (making any attempt to stop the process impossible), and ignites the pyro delay that'll ignite the thermite contained within the Cube.

It's HIGHLY doubtful the pigs will be able to disassemble a massive concrete block to get the HDD out before the wipe and burn process can be completed. :)

'Course, upgrades and such will be impossible once the Cube is cast, so you'd want to make SURE that it's EXACTLY the way you want it before you cast it. Also, it'll be immovable once cast, so you'd also better like where it's at, though it can be operated from quite a distance thanks to the ethernet connection and remote terminal hardware, so you could cast it in the basement or backyard.

snooib
November 22nd, 2003, 09:16 AM
Came across a site that contains links to various file\HDD erasers for various systems, and some information concerning the topic which may be of interest to some.
The link is
http://www1.umn.edu/oit/security/assureddelete.shtml

Jacks Complete
December 15th, 2003, 06:47 AM
Just a few thoughts:

Knoppix (To get a copy, go to http://www.knoppix.org/) is a bootable Linux CD which you drop in your CD tray. Everything runs from there, and it lets you read and write to FAT drives, and read NTFS, as well as full support for EXT2 and EXT3 UNIX file formats.

When booted, you can set up an encrypted disk on a Flash card or whatever, as your home directory, using Blowfish or CSS or whatever, but the most interesting thing is that you can tell Knoppix to NOT use a swap disk! Yes, it will run a bit slower if you don't have a load of RAM, but it will run, and that way, you will never have anything dodgy in swap for anyone to look at!

It also works great for getting a look at all those files that XP doesn't let you look at, like the swap file!

All data that is normal is stored on whatever you want, the rest is on an encrypted file that can be taken with you, and you just need to take a CD with you with Knoppix on it. It will run on almost any computer, and has a full set of OpenOffice.org, disk tools, packet sniffer, etc. like any other Linux distro!

The great advantage of *nix based systems is that they keep data more strictly isolated, and are less likely to drop something in the wrong place. And, of course, the vast majority of the OS is totally read-only, and so known safe. The rest is a boot heel away from destroyed, yet easily taken with you.

skippy
December 30th, 2003, 01:40 PM
to completely destroy a HDD with all data:
1: remove HDD
2: place HDD in freezer (preferably overnight)
3: strike HDD with hammer or crush in a press

Freezing the drive ensures that disk platters shatter into tiny shards.
Smash the drive by hitting the sheetmetal cover.
It will be impossible to retrieve any usable data from the HDD.
There is not much need to worry about things like RAM as successful data recovery is very unlikely.

Voyager
January 12th, 2004, 08:03 AM
My solution is to use a Kingston 5GB PCMCIA Type-II hard drive which contains one PGPDisk partition.

That way, I don't have to worry at all about wiping my disk regularly -- the data is always encrypted.

Kingston 5GB PCMCIA Type II HD: http://www.kingston.com/products/pccard.asp

PGPDisk: http://www.pgpi.org/products/pgpdisk/

Alternatively, I could create a PGPDisk partition on a Flash device, except I have seen them reset themselves with complete data loss on too many occasions. Plus, I have more data that needs to be encrypted than their current capacities will allow.

Also, I could create a PGPDisk partition on my main hard drive, but I prefer the freedom to take that little drive out and store it separately.

DimmuJesus
January 12th, 2004, 09:44 AM
Voyager, if professionals wanted access to the information on that hard drive, isn't it the same with anything else that is encrypted? The Feds, and many other pros, have all the time and resources they need to decrypt anything. I know in some extreme cases, the government can subpoena the manufacturer to provide information as to how to gain access. I guess however being able to store it separately would be a great advantage, since it can be hidden.

Voyager
January 14th, 2004, 06:04 AM
DimmuJesus:

The manufacturer can only give them knowledge of how the encryption algorithm is designed -- which in this case is already published.

Data protected by a well designed algorithm is completely secure -- even after you understand how the algorithm works.

Without the encryption passphrase, this data is indecipherable.

Theoretically, the government *could* break the algorithm, with two important caveats:

1. This algorithm has no known significant flaws.
2. If this algorithm did have a flaw -- and the government was aware of it -- my butt is of far far far too little importance for them to let that fact become public knowledge just to prosecute little old me.

Also theoretically, the government *could* brute-force my passphrase, with the important caveat that the sun will supernova long before they manage to randomly discover my passphrase.

Much much easier, and more common, is for the government to intimidate an individual into giving up their passphrase. I am not that individual.

gotcha
January 14th, 2004, 12:15 PM
An option I haven't seen discussed here yet, but one that makes a ton of sense to me:

Encrypt the entire partition.

It's not difficult to create an encrypted partition with Unix variants, but it's harder with Windows. There is at least one product out there that seems trustworthy and does a decent job though: search for SafeBoot Solo, then check Google Groups for sci.crypt discussions of the product.

This is a program that loads a device driver, asks for your passphrase on boot (make it a long one!), then loads Windows from the encrypted partition. Windows doesn't know about it, though there is a runtime app that allows you to uninstall the program or change your passphrase. Installation goes on in the background, so you don't need downtime to install the app. It slows things down a touch, but it's not enough to affect gameplay on my Athlon 1800+.

The big win here is that everything Windows writes to disk -- temp files, swap space, etc -- is all to the encrypted drive. Without the passphrase, there's nothing to analyze.

Next best bet is something like pgpdisk, or bestcrypt's comparable product. Just use applications you trust not to write temp files all over the drive.

NightStalker
March 30th, 2004, 12:56 AM
Knoppix ROCKS! :D

This is one of the things NBK has downloaded, and, of course, I got a copy, and I just burned it and booted from the CD, and now am posting this via linux :)

Anyways, back to windows to finish burning.

jelly
April 7th, 2004, 11:20 PM
If you are interested in a registered copy of the commercial version of the very good "East-Tec Eraser 2004 Pro 5.0" (http://www.east-tec.com/eraser/reviews.htm), you can find it here:

http://fosisoft.home.ro :)

nbk2000
April 8th, 2004, 05:33 PM
If only this POS library computer had a CD drive, I'd be using KNOPPIX too, just to actually have a functional computer to use here, rather than the gimped piece o' shit that they have to enforce on everyone because of all the morons who'd fuck it up otherwise.

Anthony
August 31st, 2004, 08:41 PM
I read an article in New Scientist today that might offer some clues about data recovery presented in this thread.

There were two noteworthy methods of data recovery mentioned:

The first was reading over-written data by detecting the "ghost" magenetic charge left behind. Apparently if a 1 is overwritten by a 1, the field is slightly stronger than a 0 overwritten by a 1. Same with zeros, you get positive reinforcement.

I've no idea how many overwrites this works with, but apprently it is a very labourious process, requiring approx 1 hour per Kb of data.

The second, and more interesting was something I hadn't considered before. Data on HDDs is stored in concentric rings. Apparently the read/write never traces the same line every time, so you get a bit of wobble in the track. When the data is overwritten, you get a different wobble, and in places you have two seperate ajacent data tracks.

Again, no idea how many wipes will overcome this.

There was a reference to a suspect who had microwaved their HDD and it was completely unrecoverable. Personally, I would have doubted it, as the drive casing is completely metal, which would surely form a Faraday cage around the platters? Unless of course the whole lot melted...

megalomania
August 31st, 2004, 11:48 PM
Many people say destroying all your data on a drive (and still being able to use the drive) is impossible. These people never provide any proof to back up the claim. I guess only the NSA can answer the question and they are not talking.

There are varying levels of data protection. The first layer is what the cops rely on most, the ignorance or apathy of the criminal, i.e. they don't bother to wipe anything. If you are up to anything, legal or not, even having the simplest form of data encryption and file wiping will stop 90% of all police investigations in their tracks.

If you are the local drug kingpin they will probably send your drive off to the forensics experts. Using the strongest available encryption, long keys, and regular disk wipes will likely protect you up to 99% of police intrusion.

If you really did something bad the boys at the FBI or the NSA will get your gear, in which case you had better take encryption and wiping to the extreme.

What is the moral of the story? Look at the increasing level of progression of criminality you have to commit in order to warrant increased scrutiny of your drive. Do you think the NSA spends millions of dollars and thousands of man hours decoding the hard drives of every pedo suspected of downloading kiddie porn? Hell no. Do you think the FBI will get involved trying to read a drive with electron microscopy for every pyro with a pipe bomb? Not going to happen.

While it is possible no drive can be 100% secure, what are the odds you are worth the effort to find out? Just take the simplest of precautions. PGP your messages, create an encrypted partition on your drive, regularly wipe free and slack space. You don't even have to be up to anything; if you use encryption in the course of your day to day activities it becomes second nature. Don't encrypt because you think you have something to hide, encrypt because criminals and hackers are out to get you.

If everyone encrypted everything the gov thugs would be so busy trying to decrypt emails to grandma that they would not have time to do their usual persecutions and framings.

Anthony
September 1st, 2004, 02:51 PM
Thought I'd better add that the microwave reference was from the US DoD computer forensics lab. They do spend time trying to recover data from hackers, crims and kiddy porn suspects, approx 150 drives a month. Although, like you say, it'd have to be a real matter of national security to image drive platters with microscopes.

Also, for completeness, allegedly as data density on HDDs ever increases, recovering "off track" data becomes harder and harder.

If you're constantly wiping, then that's great if you downloaded some kiddy pics, or received world domination emails and then deleted them. But what about the stuff you don't delete? Histories, caches, your personal information collection, stuff you use every day.

I'm going to experiment with PGPdisk. I'm assuming that it's possible to encrypt an entire drive, requiring a passphrase before booting commences, that way everything is covered.

So your HDD would be secure when your computer was off, but what if you left it on, went out and got raided in your absence. Since the machine is in session, "they" would have access to your shit. Obviously, if they switch it off to confiscate your machine, then their access is gone.

Are "they" likely to check for disk encryption before turning the machine off, or likely to copy your HDD in-situ before turning off and removing it?

FUTI
September 1st, 2004, 04:12 PM
I'm not experienced in this area. I don't know how PGPDisk works, but PGP for e-mail is just fine for me. As for various disk deleting/wipe/cleaning programs, they are not particularly useful to me... I downloaded some kind of DoD wipe program very long ago from some .mil site (look who else doesn't want other people to know their files... just kidding :) - but it felt nice). I used removable disks, and it is OK; but then I discovered a true wonder and it is named Knoppix. I give my vote to Knoppix, I use the 3.4 version from this year's LinuxTag and of course I have a small USB disk for my private data. As I don't mess with the law I don't have much secret data to hide, so my next step will be to make that USB drive a bootable device through zipslackware or something. Imagine you walk into some internet cafe some place in the world wanting to post a thread to the E&W Forum, find a dark corner space, place a USB drive, reboot the computer and after the OS is loaded come here to tell us the latest news. Someone wanted to sell Mega's story as a movie script... this one is mine :).

akinrog
September 1st, 2004, 04:53 PM
Recently I tested the SuSE Linux distribution (since I don't want to pay several hundred dollars to purchase MS OS and Office stuff for one of my computers), and I must admit that I failed (i.e. the machine was very slow), since the machine I am trying to install on has low memory and an obsolete CPU.
During setup the setup interface (YaST) allows you to partition and format your HD; if you choose custom settings you may encrypt HD partitions (both the main partition and the swap partition). Whenever you choose this option the setup interface asks you for a passphrase, and after you enter it and click on accept, voila, everything is OK. The encrypted file system is called CFS (Crypto File System). However the CFS slowed down my already slow machine (due to memory and CPU restrictions). Maybe somebody with a decent machine configuration may give this a try.

I believe there is a member called Xload (I don't know if he disappeared due to infamous IDefense event), who is quite experienced in Linux thingies. Maybe he may give us insight into the linux thingies :).

megalomania
September 1st, 2004, 05:12 PM
You can configure PGPdisk to automatically unmount after x minutes of inactivity. The default should be 15 minutes. Click on your PGP tray icon and click "options." Select the PGPdisk tab and you will see the time settings. I think you may want to select forcible unmount for open files to prevent your disk from remaining open forever.

nbk2000
September 2nd, 2004, 06:28 PM
Enabling a hot-key for dismounting the drive on demand is a good idea too. Then you have only to hold down the CTRL key while punching the other while the cops come running up the stairs to dismount your PGP disk, rather than trying to use fine motor control to get the mouse on the cursor and all that while your hands are shaking like Jell-O. ;)

Anthony
September 3rd, 2004, 04:31 PM
Automatically unmounting the disk surely defeats the object of leaving the computer running in your absence? If you leave it on, say wiping, then the task will be halted after, say, 15 mins.

Or must you run on-going applications from a non-encrypted disk/partition?

I'm going to have to reinstall my PGP with an earlier version, as my current version (7) doesn't include pgpdisk.

festergrump
September 3rd, 2004, 04:59 PM
Anthony,

I am using a full version of PGP 8.0.3 which I believe is the latest version. I think it's on the FTP in the APPZ folder (I can't seem to login at this point in time :confused: ). Anyway, if you'd rather upgrade to the 803 instead of backtracking to a previous version, let me know and I'll email you the keycode to unlock the complete registered version (PGP disk included).

Offer good to any who need it, but better to ask for it by email rather than busying up this thread with requests.

I may be reached at vectorinspector@yahoo.com

nbk2000
September 3rd, 2004, 05:37 PM
Wiping the slack space only affects the non-encrypted portion of your HDD, so if PGPdisk unmounts after 15 minutes, then there's no problem. Besides, you can't run the wipe program with PGPdisk open anyways, so the problem is moot. ;)

I've found that trying to copy/move a 4GB PGPdisk volume (unmounted) sometimes isn't possible on my machine. I don't know why, but if you ever get the warning "Unable to copy, invalid drive" or something similar, you can still copy/move the PGPdisk volume by opening up a DOS prompt window and using the XCOPY command. :)

Another SNAFU is that if, during the creation of a PGPdisk, the power is disconnected or the process hangs, you'll lose the space that the drive was set for, and not be able to regain it.

I had this happen while creating a 4GB drive, when my battery died, and I lost 4GB of a 12GB drive. :eek:

Deleting the PGPdisk volume doesn't work, either.

You can fix this by first deleting the PGPdisk volume, then running scandisk and having it create a .CHK file of any lost files. Then run the disk cleanup program and have it clear all .CHK files. Voila! You've regained your space. :)

akinrog
September 3rd, 2004, 08:38 PM
What I find negative with PGP disks is the temporary files. For example, assume that you have a RAR file on your mounted PGPDisk and try to open a file contained in that RAR file by clicking on it. The WinRAR program places temporary files in the tmp folder of your non-encrypted volume (generally c:/something/tmp/).
But a positive thing is you may set PGP disks to unmount even with open files on them by enabling (checking) "Allow forcible unmounting of disks with open files" and also enabling (checking) "Don't ask before forcibly unmounting of a PGP disk".

In this manner you may unmount the PGP disks any moment by pressing respective HotKey. However as I said before, the temporary files are really concerning.

jelly
September 4th, 2004, 07:30 AM
Good old Win98 problems... good old tricks to solve them.
The only difference.. I use the COPY command to copy huge video files (> 2GB) :p

If anyone is looking for an alternative to PGPDisk: --> http://www.jetico.com
BestCrypt is my favourite encrypter since the MS-DOS era. It's a European product and 100% "NSA backdoor free" :)

Anthony
September 5th, 2004, 04:48 PM
Thanks for the offer festergrump, I'll probably email you shortly.

I am in the process of obtaining another HDD (8GB) to use as a guinea pig. The FAQ on pgpi.com doesn't cover pgpdisk unfortunately, and I'm getting conflicting information from other sites. E.g. one says that you can encrypt an entire HDD, another says that you cannot. So I'm probably going to have to suck it and see.

I can't get my head around the idea of unmounting the pgpdisk volume if it contains the operating system (what I want to do), surely the system would crash? I'm also assuming that pgpdisk volumes are bootable.

nbk2000
September 9th, 2004, 07:32 PM
As far as I know, PGPdisk volumes are NOT bootable, as the necessary program to decrypt it is only available from the OS, which you can't get to without decrypting the disk in the first place. :(

Unless there's a command-line PGPdisk decryptor that I'm not aware of...

megalomania
September 10th, 2004, 02:41 AM
Perhaps finding a single software solution to this problem is not yet viable. There are some other encryption programs that offer boot drive encryption. Using multiple forms of encryption never hurts to throw off the criminals trying to break in either. One such product of interest is Drive Encryption at http://www.eracom-tech.com/drive_encryption.htm

Another program that offers total drive encryption is DriveCrypt Plus Pack at http://www.securstar.com/products.php I have been testing DriveCrypt myself for a few things, but not the Plus Pack.

For added safety you can then use a PGP disk to hold your important files, and encrypt critical files individually within the PGP disk.

Silentnite
December 19th, 2004, 06:26 AM
Ok, finally something I can contribute worthwhile to.
1. Freeze the HDD (btw maybe instead of a freezer, maybe liquid nitrogen???) and break it. The problem is that the ABC's can still reassemble the drive and scan it. And it's not that hard for them. A pain in the ass, yes, but it pays off for them with your ass behind bars.
2. Multiple passes. Unfortunately the entire 'wobble' thing is correct, as it's damn near impossible for everything to run in the exact same line. (A good analogy is a skyscraper about 30 stories high, hovering three inches above the ground, traversing the ground 400 times a second - kinda hard to be precise).
3. Encrypting is bad too. Another pain for the cops, and thankfully with 128-bit it's even harder to crack. But unless you wipe the temp files then you are still potentially boned. Not to mention that it should slow down your computer considerably.
4. The best way (heh) to completely erase something like this? Probably make some passes over it with an Electromag. Then liquid nitrate it, break it, throw some thermite on it. And ditch it in someone else's back yard a continent over. Excessive, yes. But I've seen, and read, numerous reports on how easy it is for 'them' to crack encryption and scan your HDD. You can actually send your computer, no matter what's been done to it, to this place (brainfart) and depending on the damage you can spend quite a bit, but almost all cases can be retrieved.

Frightening, no?

malzraa
December 23rd, 2004, 04:26 AM
StegFS- http://www.mcdonald.org.uk/StegFS/
Wipe- http://wipe.sourceforge.net/

Marvin
December 23rd, 2004, 09:30 AM
Silentnite,

Frightening is not the word I'd use. I'd be thinking 'clueless'.

They can reassemble a smashed drive and read the data off?
A HD head is somehow incapable of retracing its path to erase the data it wrote? Yet oddly when it needs to read the data it can do that every time.
"thankfully with 128-bit its even harder to crack", a bit harder? Not for example with TDES completely impossible to bruteforce, just a bit harder?

My suggestion. Pending a security review of the hardware to ensure no copy of the key is ever stored, what we need is a way to adapt one of the hardware drive encryption systems to use a key we supply instead of the default key they supply in the dongle. A small explosive charge under the programmed chip would provide a safe and secure way to smash the key electronically. Done properly this would be beyond the ability of police to crack without planting a bugging device in the machine, and if they're going to bug everything you do, they'll get the evidence anyway, HD access or not.

megalomania
December 24th, 2004, 02:39 AM
I was thinking now that I have a spare computer lying around and an extra hard drive that I could swap out a drive with stuff to be wiped and use the spare computer solely for wiping the disk over and over again. I never really liked using wiping programs with Steve Gutmann level wiping because it would take several days to wipe my disk and it interfered with using the computer.

I finally found one that works well while using the computer and is somewhat faster, or maybe it's because I just doubled my RAM. Anyway, with a spare system running nothing but disk wiping day in and day out for as long as your heart desires, would that not be extremely difficult for criminals to recover your data? You could thoroughly wipe a disk with about 400 overwrites in a week. IIRC 400 writes is about as many times as the criminals can recover with an electron microscope.

Isotoxin
December 30th, 2004, 10:07 PM
My current computer security for data is a 64Mb CF card with one small text file GPG encrypted. At this time it's good for me as it's a place to write down stuff I don't want people to see. However it contains nothing illegal (at least with the BOR in place). In the coming years I plan to obtain a small computer (small in case size to be somewhat portable in say a backpack, but powerful) and install OpenBSD on it - this will be my ultra secure system and will work like so:

http://www.littlepc.com/ has the sort of boxes I speak of

By using one of these computers the rogue (us) could hide it in a multitude of places depending on living conditions, power considerations and other factors in addition to stealth and security. :D

For example as far as I know NBK lives in an old house with no power or running water. With a small solar collection device such as are sold on the internet he could power one of the small DC powered computers - of course in that example a laptop might make more sense.

If you were handy with tools (let's hope we all are) then a small DC powered wireless computer could be hidden most anywhere, providing interesting legal difficulties for the pigs and general stealth. You could use space in a car to hide the computer so it's powered by the alternator yet completely hidden even from a very careful search (i.e. hidden around the engine (under a fluid container or something) or near the transmission). Once it's well hidden, any time the car is on so is it, and it can be controlled from afar, perhaps even by multiple people.

Something like this could even perhaps be hidden in a public or semi-public location. Consider a small PC hidden under a bridge somehow drawing power from lines (induction? or perhaps solar) with a wifi antenna. Now you have a remote data repository that you can access from far away with a directional wifi antenna, and it has a very high chance of not being found by police because it would only 'listen' for a specific signal, so it would not fall prey to a ping type of location determination attack such as the pigs might try to use (if they knew about it). This would ensure that data could be shared between people in the same city/area, forming a subnet. They would be passive of course - not even providing a prompt; you would have to ping it with a password packet thing before it would respond at all and then log in with the real u/p.

I don't understand complex crypto so I think it's best to use both physical and electronic means of protecting our data (and in turn our lives and assholes :p) as many other people here recommend.

Cmdr. Thanatos
January 5th, 2005, 07:31 PM
If the NSA wants your data, they will most likely get it unless you use EM wipes or physically destroy the drive. Also, if your computer is left on and has USB ports, there are multiple commercial devices available which can download your entire HDD in a matter of minutes. It is not relevant that your HDD is encrypted; if you left it on and the drive is mounted, they can get the data. Your best bet therefore is physical destruction.

Now, as to why I am here...
What is the optimum method of destroying a HDD? So far, the best bet seems to be putting a thermite charge in my case with a covered arming switch on the side (I don't want that thing going off because someone bumps it with a beer), but what would be an optimum chemical (non-explosive) means?

Chris The Great
January 6th, 2005, 08:51 PM
I poured 32% hydrochloric acid on an old 45MB HDD I had, it didn't last long. If the disk was still spinning destruction would happen in seconds if you had enough to nearly fill the HDD. However, it might bubble over and ruin your entire computer.

You could probably use a stronger acid to act faster, perhaps some concentrated nitric acid could also work, assuming the rapid gas production doesn't cause nitric acid to spray all over your computer, or perhaps your arm.

telkanuru
January 7th, 2005, 06:26 PM
If you're going to destroy the thing, the most effective method is most likely a large EM device followed by a nice, shaped explosive, all preferably connected to a switch on your desk. Only problem? Some idiot touching the switch...

As for encryption, I've heard many reports of such and such type of encryption taking so long to brute force, yadda, yadda. Personally, I'm not particularly willing to take guesses at what the government can and cannot do. Always assume the worst, while hoping for the best, after all.

jelly
January 8th, 2005, 01:40 PM
The latest Encase Forensic Edition is on the FTP now... version 4.20 from Oct/2004.
The date of the archive (2003) is wrong.

Jacks Complete
January 10th, 2005, 05:24 PM
Dumping acid into the still-spinning HDD would certainly kill the drive! Of course, drilling a small hole into the case to pour in the acid would introduce swarf, and that would destroy the usefulness of the drive, as it would have random errors.

One way might be to add a small amount of magnetic metal swarf, such as iron filings, into the spinning drive. A small amount would trash the surface of the disk, and the magnetic nature of it would, although not strong enough to erase data, ensure it stuck to the seek heads, scouring the magnetic coating from the platter. Anything on an encrypted disk would be useless, since the amount of data destroyed would prevent the mounting of the drive, as it would fail checksum.