In Depth

Antiforensic Tools

It's important to protect your company's data. But how do you know whether what you think you've erased is actually unrecoverable?

By Simson Garfinkel

Page 3

Disk sanitization is more complicated in organizations that don't use a program like Norton Ghost. In these cases, you must rebuild the wiped computer from scratch. First, you need the original distribution disks and activation codes for both the operating system and the applications. Then you need to reinstall all of the security patches and application updates before you can safely put the computer on a network. What's worse, this process can uncover compatibility problems that were previously hidden: Sometimes older equipment doesn't work with newer drivers or with applications that are installed in the wrong order.

As a result, many organizations, and most individuals, don't wipe and reinstall. Instead, they simply delete all of the files they can find, and then once again use an antiforensics program like Privacy Suite to find the files that might have been forgotten and to make all of the deleted files unrecoverable.

While it's easy to test a disk-wiping program (just run a forensic tool on the disk and make sure it doesn't have any data on it), programs that perform selective file sanitization are harder to certify. Indeed, there's good evidence that these programs frequently leave behind at least some information on the disk that their users would rather have deleted (say, the salaries of the executive team).

After Microsoft added file-sanitization features to the Windows XP program CIPHER.EXE, Guidance Software published a white paper by Kimberly Stone and Richard Keightley with the provocative title "Can Computer Investigations Survive Windows XP?" The paper's conclusion was a resounding yes. Apparently the approach that CIPHER.EXE uses to make deleted files unrecoverable is to create a single big file filled with random data. As the file grows, the Windows operating system takes more and more blocks off the disk's "free list" and allocates those blocks to the file. This is the same technique that programs such as Privacy Suite use to make deleted files unrecoverable.

But this approach isn't perfect. It doesn't get all of the unused blocks: Because of the way the file system operates, some blocks are left behind, unused but unallocatable at the moment. Frequently, these blocks have data from a previous use. The big-file approach also doesn't overwrite the contents of very small files that are not stored in individual blocks on the NT file system. And it doesn't obscure the names of deleted files.
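To make those three gaps concrete, here is a toy block-device simulation, added here and not taken from the article or from any product it names, in which a secret survives the big-file wipe in the slack of a live file's block, inside a small file's metadata record, and as a deleted file's name; the block geometry, resident-size limit and sample file contents are all constructed for the illustration.

```python
import os

BLOCK, NBLOCKS, RESIDENT_MAX = 16, 8, 12   # toy geometry (constructed), not real NTFS values

class ToyDisk:  # toy file system: data blocks plus a metadata table, managed through a free list
    def __init__(self):
        self.blocks = [bytearray(BLOCK) for _ in range(NBLOCKS)]
        self.free = list(range(NBLOCKS))   # free list; the most recently freed block is reused first
        self.entries = []                  # [name, resident_data, block_list, in_use], like MFT records
    def write(self, name, data):
        if len(data) <= RESIDENT_MAX:      # small file: kept inside its metadata record, no data block
            self.entries.append([name, bytes(data), [], True])
            return
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        blocks = [self.free.pop() for _ in chunks]
        for b, chunk in zip(blocks, chunks):
            self.blocks[b][:len(chunk)] = chunk   # bytes past the chunk are slack: old contents survive
        self.entries.append([name, b"", blocks, True])
    def delete(self, name):
        for e in self.entries:
            if e[0] == name and e[3]:
                e[3] = False                  # record marked unused; its name and resident data remain
                self.free.extend(e[2])        # block contents untouched, only the free list changes
    def wipe_free_space(self):  # big-file method: a file of random bytes absorbs every free block,
        for b in self.free:     # so only blocks that are on the free list can be reached
            self.blocks[b][:] = os.urandom(BLOCK)

def residual_locations(disk, secret):  # forensic-style sweep: where does the secret still appear?
    found = set()
    for name, resident, _, _ in disk.entries:      # unused records are still in the table
        if secret in name.encode():
            found.add("metadata:name")
        if secret in resident:
            found.add("metadata:resident-data")
    for b, blk in enumerate(disk.blocks):
        if secret in bytes(blk):
            live = any(e[3] and b in e[2] for e in disk.entries)
            found.add("block-slack" if live else "unallocated-block")
    return found

def demo():
    d = ToyDisk()
    d.write("salaries.txt", b"SALARY CEO=950000 CFO=800000!!")  # 30 bytes: one full block, one partial
    d.write("draft.txt", b"DRAFT: merger with ACME pending.")   # 32 bytes: two full blocks
    d.write("pin.txt", b"PIN 4421")                              # 8 bytes: resident in metadata
    for name in ("draft.txt", "salaries.txt", "pin.txt"): d.delete(name)
    d.write("memo.txt", b"Lunch at noon, room 4 ")  # 22 bytes: reuses salaries' blocks, the second only partly
    d.wipe_free_space()
    return {s: residual_locations(d, s) for s in (b"CEO=95", b"PIN 4421", b"salaries", b"merger")}
```

The fully freed draft blocks are wiped as intended, while the salary figure survives in memo.txt's slack, the PIN survives in the small file's metadata record, and the deleted file name survives in its unused entry.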

Last December, graduate student Matthew Geiger at Carnegie Mellon University reviewed Window Washer, Neo-Imagic Computing's Windows & Internet Cleaner, and Privacy Suite to see if they actually did what they claimed. To test these programs Geiger took a clean computer, installed a file-sharing program, did some Web browsing, loaded additional confidential data and then set the privacy-protecting programs to work. Then he analyzed the hard disks with Forensic Toolkit. Geiger's conclusion: "All three privacy tools failed to eradicate some sensitive information. In one case, the tool failed to wipe any of the records it had deleted."
