Task 10.4: Sanitizing Media

This task deals with discarding or reusing media, like paper documents, CDs, DVDs, old tapes from backup systems, and hard drives. Discarding or reusing this media is a potential security breach, unless the media has been successfully and completely purged of recoverable data.

There are times when you don’t want to purge all data on a disk but just the deleted files. When you delete a file off your computer, the file system doesn’t actually remove the file from the disk. In the table of contents for the partition, it simply overwrites the first character of the filename with a question mark. This tells the file system that the space previously occupied by the file is now free space. The actual file content remains on the disk itself and can be recovered—by a good guy or by a bad guy—with digital forensic tools.

The National Institute of Standards and Technology’s Special Publication 800-88, Guidelines for Media Sanitization (February 2006), recommends sanitizing magnetic media by physical destruction; by magnetic degaussing, which requires a special magnetic chamber; or by using a software tool called Secure Erase (hdderase.exe), a free download from the University of California–San Diego (UCSD) at http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml.


The Secure Erase tool (hdderase.exe) will destroy all data and all partitions on the entire disk!

Many software tools are available to guard against anyone being able to recover your deleted files. You can also use a free tool provided by Microsoft, called Cipher.exe, which can be used to overwrite the free space on a partition to accomplish this task.


Using this tool on your partition also means that you may not be able to recover your own files that you have inadvertently deleted.

Scenario

You want to ensure that all files that you’ve deleted are rendered unrecoverable. You do not wish to destroy all data on the disk, but just to protect the deleted files from being recovered.

Scope of Task

Duration

This task should take about 25 minutes to initiate. The completion of the disk-wiping process may vary, depending on the amount of free space on the partition being wiped and other factors.

Setup

Cipher.exe is built into Microsoft Windows 2000 and later Microsoft operating systems.

Caveat

These tools are destructive and render deleted files intentionally unrecoverable. Be sure you have copies of any files you do not intend to lose.

Cipher.exe is nondestructive and only overwrites free space (that is, the space in clusters that is marked as free in the partition’s table of contents). Cipher.exe does not overwrite slack space. Slack space is the unused space in the last cluster of each file. Forensic tools can recover old data from slack space.

Procedure

You will calculate the amount of free space and slack space on your drive. You will then use Cipher.exe to wipe all free space on your partition.

Equipment Used

For this task, you must have:

  • Windows XP Professional system with an NTFS partition
  • Administrator access

Details

Determining the Amount of Free Space and Slack Space

1. Log on to the Windows XP Professional system as the Administrator.

2. Open a command window. Select Start ⇒ Run, and then type CMD in the Open field. Click OK.

3. In the command window, at the command prompt, type chkdsk /? and press Enter.

4. Review the help information for CheckDisk.


If you add the /F switch, which attempts to fix detected errors on the disk, the system will need to be rebooted to complete the scan. The CheckDisk scan will take several minutes to complete.

5. At the command prompt, type chkdsk c: /i to check the index entries on the C: partition only, and press Enter.


6. Notice the amount of space available on disk, approximately 2.5 GB (2530792 KB) in the graphic. This is the amount of free space; you will wipe that space using the Cipher.exe utility.

7. Notice the number of bytes in each allocation unit. An allocation unit is a cluster. In the graphic, the cluster size is 4 KB (4096 bytes).

8. Minimize the command window.

9. Launch Windows Explorer by right-clicking on the Start button and selecting Explore.

10. In the left pane, select the Local Disk (C:).

11. In the right pane, right-click on the white space and choose Select All.

12. In the right pane, right-click on the selected files and folders and select Properties.


This process may take a few minutes to complete.

13. Once the properties page opens, view the number of files on the C: drive at the top of the dialog box.


In the graphic, there are 10,510 files on the C: drive.

14. Slack space exists only in the very last cluster of each file. Statistically speaking, the amount of data in slack space is the number of files on a partition times 50 percent of the cluster size: the last cluster will be almost empty for some files and almost full for others, so on average the slack space is 50 percent of the cluster size per file. Calculate the slack space on the C: drive. From the data in the graphics, the calculation is as follows:

4 KB (the cluster size) × 50% (statistical slack space per file) = 2 KB (slack space per file)

2 KB (slack space per file) × 10,510 (files on C:) = 21,020 KB, approximately 21 MB of potentially recoverable data that exists in slack space on the C: drive


Many partitions grow to have several hundred thousand files. Each 100,000 files will typically yield 200 MB of recoverable data from slack space on a Windows system (since the default cluster size for NTFS is 4 KB).


The data in the slack space will remain unprotected and available for recovery when using Cipher.exe. To protect the data in the slack space, third-party tools will be required.

15. Close the System Volume Information Properties dialog box.
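The calculation in step 14 and the cipher /W workload described in the next section, carried through in a small Python helper. This is an added example, not part of the chapter: the chkdsk report it parses is constructed to match the figures in the graphics (2530792 KB free, 4096-byte clusters, 10,510 files), and exact_slack_bytes goes beyond the 50 percent rule of thumb by computing the real slack from a list of file sizes.

```python
import re

# Constructed sample of a chkdsk report, laid out like the real output.
# The numbers are chosen to match the chapter's graphics.
CHKDSK_REPORT = """\
  10483760 KB total disk space.
   7646496 KB in 10510 files.
      2976 KB in 1004 indexes.
         0 KB in bad sectors.
    303496 KB in use by the system.
   2530792 KB available on disk.

      4096 bytes in each allocation unit.
   2620940 total allocation units on disk.
    632698 allocation units available on disk.
"""

def parse_chkdsk(report):
    """Pull free space, cluster size and file count out of a chkdsk report."""
    free_kb = int(re.search(r"(\d+) KB available on disk", report).group(1))
    cluster = int(re.search(r"(\d+) bytes in each allocation unit", report).group(1))
    files = int(re.search(r"KB in (\d+) files", report).group(1))
    return {"free_kb": free_kb, "cluster_bytes": cluster, "files": files}

def estimated_slack_bytes(files, cluster_bytes):
    """Chapter's rule of thumb: on average half a cluster of slack per file."""
    return files * cluster_bytes // 2

def exact_slack_bytes(file_sizes, cluster_bytes):
    """Exact slack: the unused tail of each file's last cluster (0 for empty files)."""
    return sum((-size) % cluster_bytes for size in file_sizes)

def cipher_overwrite_bytes(free_kb):
    """cipher /W makes three passes (zeros, ones, random) over every free cluster."""
    return 3 * free_kb * 1024

if __name__ == "__main__":
    info = parse_chkdsk(CHKDSK_REPORT)
    free_clusters = info["free_kb"] * 1024 // info["cluster_bytes"]
    print(f"{info['free_kb']} KB free in {free_clusters} clusters")
    est = estimated_slack_bytes(info["files"], info["cluster_bytes"])
    print(f"estimated slack: {est / 2**20:.1f} MB")
    # Constructed sizes: 1 byte leaves 4095 bytes of slack, a cluster multiple leaves none.
    print("exact slack for [1, 4096, 6000]:", exact_slack_bytes([1, 4096, 6000], 4096))
    print(f"cipher /W writes {cipher_overwrite_bytes(info['free_kb']) / 2**30:.1f} GB in total")
```

The three-pass total explains why the wipe in the next section can run for more than an hour on a partition with a few gigabytes free.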

Protecting Deleted Data from Recovery Using Cipher.exe

1. In the command window, at the command prompt, type cipher /? and press the Enter key.

2. Review the help information for Cipher.exe.

3. At the command prompt, type cipher /W:c: and press the Enter key.


This process can take anywhere from several minutes to more than an hour. Cipher first writes all zeroes to every free cluster on the partition, then writes all ones to every free cluster, and finally writes a random pattern of ones and zeroes to every free cluster. This gives three overwrites of the data in the free clusters. It is generally recommended that you not use the system for other purposes while Cipher is performing these passes.

4. After Cipher completes its series of overwrites, close the command window.

Criteria for Completion

You have completed this task when you have calculated both the amount of free space to be protected with Cipher.exe and the amount of data in slack space, which could be compromised.
