Antiforensic Tools

It's important to protect your company's data. But how do you know whether what you think you've erased is actually unrecoverable?

June 01, 2005 — CSO — Regular readers of this column know of my obsession with recovering deleted information from used hard drives, USB tokens and other kinds of storage media. And I'm hardly the only person with this interest. Increasingly, disk forensic tools such as Guidance Software's EnCase and AccessData's Forensic Toolkit are not used just for solving crimes: Forensic tools are fast becoming a staple of civil lawsuits between corporations and in disciplinary proceedings against employees. These days, it seems, whenever there's a chance that somebody has deleted a file to hide evidence of wrongdoing, some forensics expert is standing by to recover that file for a fee.

Not surprisingly, there's also a growing number of products on the market designed to frustrate these experts. Some of these programs, such as Webroot Software's Window Washer and CyberScrub's Privacy Suite, are marketed as tools for protecting people's privacy. But there are also programs (Robin Hood Software's Evidence Eliminator, for example) marketed explicitly to people who want to hide information from government, police and employers.

All of these programs have legitimate uses within organizations. For example, if you have a computer for public use in a reception area, you might want to set up a program like Window Washer to automatically erase the computer's browser history, webpage cache, cookies and other data records every few hours. This will protect both your employees and your visitors.

On the other hand, your employees could be using these kinds of tools to hide evidence of inappropriate behavior at workâ¬such as viewing pornography. So be sure you understand who in your organization is using these tools, and why.

Computers are handed down a lot inside the modern organization. Frequently, the newest and fastest machines are given to the most highly paid executives. A year later, those executives are "refreshed" with new computers, and the old machines are given to other employees. CSOs need to make sure that the data on those computers is properly erasedâ¬that the hard drive is sanitizedâ¬before a computer is reassigned. But don't despair, antiforensic tools can help here too.

I have seen cases where entry-level employees have been given desktops that contained sensitive information such as personnel reports, product plans or even e-mail of senior management. Sometimes the files are visible without any special tools. Other times the files have been "deleted" but can still be recovered using a special program. In one case, a woman I know was given a laptop that contained both the business and personal e-mail of a former salesman who had just quit the company. The disk also had a substantial amount of pornography. Luckily, the woman was not looking to sue.