Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Data Management

Computer forensics Sanitizing Old Computers

advertisement 
Back to Fraud Information Articles
© November/December 2005
Association of Certified Fraud Examiners
Computer forensics
Sanitizing Old Computers
B
y
R
i
c
h
a
r
d
D
.
C
a
n
n
o
n
,
C
F
E
,
C
F
C
E
From the November/December 2005 issue of
Fraud Magazine
In an age when government agencies and private companies are striving to keep up with current technology, old
computers are being sold or recycled to recoup some of the cost associated with upgrading. Does your office "clean" the
hard drives before the systems are recycled? How effective is the process they use?
A
n AP news story out of Helena, Montana, reported in May that the Montana legislative auditor announced that several
state agencies had sent to surplus a large number of computers without ensuring that their hard drives' data had been
destroyed. Most of these computers were destined to be sent to Montana public schools but some were to be sold to the
public or transferred to other state agencies. Unclear state policy was blamed as the cause of this risk to confidential
information.
How clean is clean?
Computers can store vast amounts of data. Hard drives are constantly increasing in size and speed. With technology
changing almost daily, computers purchased more than two years ago are approaching "door stop" status. Companies
and government agencies, which struggle to replace outdated equipment, are faced with the decision of how to remove
the data on outgoing machines. Some entities have opted to needlessly destroy drives altogether rather than spend the
time to properly sanitize them. What does your organization do? Are they re-formatting the drives, using a wiping
program, destroying the hard drives, or simply denying the threat and choosing to do nothing?
Simply reformatting or even repartitioning the drives and sending them out the door isn't much more effective than doing
nothing. Fraudsters can use common commercial programs to recover reformatted and even repartitioned hard drives. So
what does the formatting process actually do?
Low-level and high-level formatting
The manufacturer of a hard drive will conduct a low-level formatting or initializing to create the physical tracks and
sectors on the hard drive's "platters," which allows it to record data. (The platters are the actual disks inside the drive
that store the magnetized data.) The low-level format normally never needs to be performed again on a hard drive.
A high-level format, on the other hand, is what we typically refer to when we use the term format. A hard drive is
generally divided into regions. Some regions aren't made available for the user and are reserved for use by the system.
Other regions contain the user's data. Here the user can easily read and write data with few restrictions.
Let's say you want to reformat digital media such as a floppy disk. (While floppy disks are becoming a thing of the past,
most of us remember when formatting a floppy was a regular occurrence and are a good representation of the format
process.) You have two format options: "Quick Format" or an "Unconditional Format." In the Quick Format the "data
area" of the disk isn't touched, which means that the files you may have wanted to erase actually still exist. Your
computer's operating system just doesn't have a way to find them now. The File Allocation Table (FAT) on both the floppy
and your computer keeps track of where all the files on the floppy are located. The FAT is similar to a library card catalog
for the hard drive. At the library you search in the card catalog for the listing of your book, which tells you where it is
located in the stacks. The FAT tells the computer where to locate the file (on the floppy or the hard drive) once you
decide to access it. (In the New Technology File System [NTFS] available with Windows NT, 2000, and XP the Master File
Table [MFT] carries out a similar function to that of FAT.)
During the Quick Format, the hard drive or floppy's "card catalog" is "zeroed out" or cleaned and the root directory or
table of contents is overwritten (or replaced with a ready-to-use clean slate) so that it can store new file names but
nothing happens to the files and subdirectories that the disk contained. After a Quick Format, the data area remains
untouched. All the data can still be recovered, with the exception of the root directory file names, even though the typical
user is no longer able to access the files.
On the other hand, Unconditional Format overwrites all the data area on the floppy so that none of the data is
recoverable. Unfortunately, the Unconditional Format only works with floppies and not hard drives. So if you're reselling
your computer or trading up and diligently trying to protect yourself by reformatting the drive with Quick Format, you've
done little more than place all your important papers in a trash bag and set it out by the curb; you're safe as long as no
one tries to open the bag and remove the contents.
The NTFS file system commonly found in Microsoft's Windows 2000 and XP installations can provide an additional layer of
security through its optional encryption features, which will make it more difficult but not impossible to recover the data.
The NTFS file system is more sophisticated than FAT. NTFS without encryption, however, is little different than the FAT
file system when it comes to the ability to recover data after formatting. When simply formatting a hard drive the
contents of the drive are still retrievable.
Wiping programs
You can truly wipe or sanitize portions or all of a hard drive with one of the several commercially available products
designed for just that purpose. Products vary widely in the wiping speed and methods depending on the types of data you
want cleaned and the speed of your computer's processor. Some programs overwrite the drive in patterns that don't
completely remove data but make it very difficult if not impossible to recover files. Other programs completely overwrite
every byte on the drive and then overwrite those areas several more times so that it's impossible to recover with
conventional means. The U.S. Department of Defense has issued a data clearing standard (DOD 5220.22-M) that requires
all data on a hard drive to be overwritten at least seven times to ensure that the data can't be recovered. (Peter Gutman,
a computer engineer, created an algorithm for a program that overwrites data 27 times.)
Wiping programs offer several options from a one-pass wipe to a multi-pass wipe. Make sure you can verify a wiping
program's claims. Someone who knows digital forensic analysis should verify that the data actually is unrecoverable by
analyzing a piece of sample media that has been subjected to a particular wiping process. I've analyzed several
computers whose suspect owners assumed their wiping programs deleted all the evidence they were trying to destroy.
Unfortunately, for them, they failed to verify the process and we were still able to retrieve some evidence to use in the
investigation.
Most computer technicians don't dispute the wiping programs' claims of effectiveness but object to the effort and time
they take. Many simple wiping programs function at the DOS level in which the program can gain complete access to the
hard drive's sectors. Other programs that function in the Graphical User Interface (GUI), such as in Windows, might not
have complete access to all the drive's sectors. In some cases this may be sufficient.
The wiping process can take some time depending on the drive's size. It can take additional time to confirm through the
program's verification process that the wipe was successful. It's because of this extra effort that IT departments often
remove the drives and physically destroy them. Of course, you have to give your computers to a third party to destroy
the drives and hope that the company actually does that. (But that's another story!) Depending on whose survey you
read, 50 percent to 80 percent of the second-hand hard drives purchased through popular Internet auction sites contain
data that can be recovered.
It has been said that the only truly safe data is located on a hard drive encased in concrete and left at the bottom of the
ocean! Of course, we don't need to go to that extreme to protect the data on systems that we recycle. While it may be
time consuming to destroy this data it's important to do so. There are plenty of crooks out there who would love to get
their hands on that data. Why make it easy for them?
Richard D. Cannon, CFE, CFCE, is the forensic technology director for the ACFE. His e-mail address is: rcannon@ACFE.com.
The Association of Certified Fraud Examiners assumes sole copyright of any article
published in Fraud Magazine. Fraud Magazine follows a policy of exclusive publication.
Permission of the publisher is required before an article can be copied or reproduced.
Requests for reprinting an article in any form must be e-mailed to:
FraudMagazine@ACFE.com.
Related documents
Athens Innovation District BY: KASEY STEPHENS
Athens Innovation District BY: KASEY STEPHENS
U3 Flash Drives
U3 Flash Drives
Intro Beginning Computer Pt 2
Intro Beginning Computer Pt 2
Updated Program Review and Annual Planning Model April 24 2012 Cabinet
Updated Program Review and Annual Planning Model April 24 2012 Cabinet
Using the Verbatim Mode Change Tool
Using the Verbatim Mode Change Tool
File - Noland`s Baker College E Portfolio
File - Noland`s Baker College E Portfolio
Learn to Wipe: A Case Study of Structural Bootstrapping from
Learn to Wipe: A Case Study of Structural Bootstrapping from
Download
advertisement