In Depth

Antiforensic Tools

It's important to protect your company's data. But how do you know whether what you think you've erased is actually unrecoverable?

By Simson Garfinkel

Page 2

In another case, a student in a class that I was teaching borrowed a USB token from a friend to complete an assignment on forensics. The student was told to make an "image" of the token's contents and then look for deleted files. Not only did the student find photos that his friend had deleted; he found photos on the USB token that had been deleted before the token had even been purchased! Apparently the token had been used, repackaged and sold as new. If my student had been a mandatory reporter and the USB token had contained child pornography, a criminal investigation might have resulted.

Wipe Clean and Restart

The most reliable way to sanitize a computer is to wipe the hard disk clean and then reinstall its operating system from scratch. Don't use the Windows Format command to wipe the disk, however. Although Windows has an option for a "Quick Format," if you leave this box unchecked, Windows still doesn't erase the contents of the disk. Instead, it reads the blocks to make sure each actually works. This doesn't match most people's expectation of what Format should do, but Microsoft hasn't bothered to fix this command in more than 20 years.

Instead of using Format, you'll need to use a program that's specifically designed to "clear" or "wipe" the disk. My favorite program right now is Darik's Boot and Nuke (DBAN), a free program available on the Internet. To use DBAN, you download the ISO file from dban.sourceforge.net and burn it onto a CD-ROM. Then you put the CD into the computer you want to wipe and reboot. DBAN starts up, confirms that you really want to erase the disk, and then zeroes all the drive's data. You also can tell DBAN to overwrite the disk with one or more passes of random data, though this additional step is not necessary.

But now you have a problem: A wiped computer is useless until you reinstall the operating system and all of its applications. Organizations that manage hundreds of PCs typically reinstall using an "image" or "drop" that contains their version of Windows and all of their licensed applications. Programs like Symantec's Norton Ghost can copy this image onto a wiped computer over the network or from a CD-ROM or DVD. The big advantage to this approach is consistency: Every user has the same software installation, which minimizes support costs.

If your organization sanitizes by reimaging the hard drive, take a trip to the IT department to make sure the technicians are in fact sanitizing the computers before they drop on the new image. Ask to see the program they use to do the wipe. The next user of the computer won't know the difference, but if the computer hasn't been sanitized then there is sure to be information in the "unused" space of the hard drive that contains files belonging to the computer's previous owner. That's because programs like Ghost don't overwrite the entire hard drive either.
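The article's advice is to ask IT what they use to wipe, but you can also check the result yourself: a drive that has really been zeroed contains no non-zero blocks and no recognizable file signatures, whereas a quick-formatted or re-imaged drive usually shows both in its "unused" space. The following is an added example, not code from the article or from DBAN or Ghost, that streams through a disk image (or a block device opened read-only) and reports residual data; the two sample images it builds are constructed for illustration and do not come from real drives.

```python
"""Verify a wipe: scan an image or device for non-zero blocks and leftover file signatures.

Added example (not from the article). A zero-filled drive reports clean; a
'quick formatted' or re-imaged drive typically still carries old file data."""

import io
from typing import BinaryIO, Dict, Optional

BLOCK_SIZE = 512

# A few well-known file signatures (magic numbers) that should not survive a wipe.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"PK\x03\x04": "ZIP/Office",
    b"%PDF-": "PDF",
}
_MAX_SIG = max(len(s) for s in SIGNATURES)


def _count_new_hits(window: bytes, sig: bytes, carry_len: int) -> int:
    """Count occurrences of sig in window, skipping those that lie entirely inside
    the first carry_len bytes (they were already counted in the previous window)."""
    start = max(0, carry_len - len(sig) + 1)
    hits, i = 0, window.find(sig, start)
    while i != -1:
        hits += 1
        i = window.find(sig, i + 1)
    return hits


def scan_image(fh: BinaryIO, block_size: int = BLOCK_SIZE) -> Dict[str, object]:
    """Stream through an image or block device and report evidence of residual data."""
    total_blocks = nonzero_blocks = 0
    first_nonzero: Optional[int] = None
    sig_hits = {name: 0 for name in SIGNATURES.values()}
    carry = b""  # tail of the previous block, so a signature spanning a boundary is still found
    offset = 0
    while True:
        block = fh.read(block_size)
        if not block:
            break
        total_blocks += 1
        if any(block):  # at least one non-zero byte: this block was never overwritten with zeros
            nonzero_blocks += 1
            if first_nonzero is None:
                first_nonzero = offset
        window = carry + block
        for sig, name in SIGNATURES.items():
            sig_hits[name] += _count_new_hits(window, sig, len(carry))
        carry = window[-(_MAX_SIG - 1):]
        offset += len(block)
    return {
        "total_blocks": total_blocks,
        "nonzero_blocks": nonzero_blocks,
        "first_nonzero_offset": first_nonzero,
        "signatures": sig_hits,
        "clean": nonzero_blocks == 0,
    }


def check_image_bytes(data: bytes) -> Dict[str, object]:
    """Convenience wrapper for an in-memory image."""
    return scan_image(io.BytesIO(data))


def check_device(path: str) -> Dict[str, object]:
    """Open a raw device or image file read-only, e.g. check_device('/dev/sdb') (path is an example)."""
    with open(path, "rb") as fh:
        return scan_image(fh)


def make_sample_images() -> Dict[str, bytes]:
    """Constructed sample images (not real drives): one properly zeroed, one
    'quick formatted' whose unallocated space still holds an old photo."""
    wiped = bytes(64 * BLOCK_SIZE)
    residual = bytearray(64 * BLOCK_SIZE)
    residual[0:3] = b"\xeb\x3c\x90"  # fresh FAT-style boot sector jump: the part Format does rewrite
    residual[3:11] = b"MSDOS5.0"
    # leftover JPEG at block 20, untouched by the format (constructed, not a real photo)
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x42" * 300 + b"\xff\xd9"
    residual[20 * BLOCK_SIZE:20 * BLOCK_SIZE + len(jpeg)] = jpeg
    return {"wiped": wiped, "quick_formatted": bytes(residual)}


if __name__ == "__main__":
    for name, img in make_sample_images().items():
        print(name, check_image_bytes(img))
```

Run this against the whole device, not a mounted filesystem, or it will only see allocated files. The check matches the zeroing pass the article describes; if DBAN was told to finish with a random-data pass, every block will be non-zero by design, and the signature counts (which should all be zero) are the meaningful result.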
