File Wiping

We all value our file and free space erasers. But how well are they working?

Here is a link to a program called "File Recovery" from LC-Tech (forensics stuff).
http://www.lc-tech.com/filerecovery.asp
There is an unlimited demo for the program, no time limit at all. However, it can only find the files and not undelete them in the demo. But again, you can use the program all you want to do a drive/folder search, which is perfect for testing how well your wiping program of choice is working. I use Sami Tolvanen's Eraser and always end up with a blank screen in my tests with this product. But, I tried this new "Internet Sweeper" program and EVERYTHING it "swept" from my temp internet cache came up with enough of it unwiped that it was all rated as  "good" in prospects for recovery.

Here's the best way to test:

1. Surf for a while and pick up some cookies, fill up the cache with enough gif's and all. News sites are good, like CNN.
2. Run "File Recovery" and select "Open"
A: Find the drive your cookies and cache is on.
C: Change the radio button to search specified directories. Select Windows/Temporary Internet Files (or wherever your cache resides) and check the box for subfolders.
D.  Uncheck the "include zero byte" files. (you will only see unwiped files this way.)
E. Run "File Recovery"
F. It's that simple!
G. Do the same for the cookies.

Did your wiping program measure up?

"File Recovery" is the best for this. It is an excellent tool. Run these same tests with UNDELETE from Norton or several others and they'll show the data as gone. Run "File Recovery" and - surprise!

I hope several will actually do this and post the results. "Internet Sweeper" failed badly, as did two different products I have from Access Data: "SecureClean" and "CleanDrive."

"Eraser" (Gutmann's 35-pass) and "Window Washer" (set at 10 wipes) passed easily. I know there are many other programs in use and I would be interested to see some good, honest results after a good wipe and then being subjected to "File Recovery." You may be surprised. Example: I have a copy of Evidence Eliminator (I know, I hate the company, too.)  Every file came up as an "excellent" candidate for recovery - that's after their "defeat forensics" wipe. What a joke! Of course we all knew EE was a joke if you've read the massive material at Radsoft's  "EE Documents"
http://www.radsoft.net/resources/software/reviews/ee/
or
"The EE Files"
http://badtux.org/eesucks/

Hope to see some results. This could be interesting and helpful. Oh! If your wiper allows you to select the number of wipes, be sure and max it out for the ultimate test.

John (working late in the mad scientist's laboratory)  

 

John, two questions:

What actual data have you managed to recover after using "failing" wipers?  Is the claim that the data is recoverable actually and demonstrably true?

Have you tested FileVac?  (Personal interest here, since I bought a license.)

Gross thanks.

 

VERY GOOD question, Checkout. I should have mentioned you can undelete files up to 10K in the original post (and test it that way), but I'm glad I didn't! I just downloaded the latest version (didn't know they had a version later than mine) of "File Recovery" and it let me undelete whatever I wanted. Go ahead and hit the "undelete" and define a path and it WILL recover the file. I just tried 5 gif's and jpg's that were supposedly "wiped" by "Internet Sweeper" and all came up fine in my graphics program. Scary. let me know what happens with yours.

Paul, Thank you for the comment. I have had an eye-opening evening!

John (still awake and working in the mad scientist's laboratory....my computer)

 

Check: You asked about FileVac and I didn't answer. I'm sorry, I don't have the program.

How's that for rule #7?  
I'm trying!

John

 

I wish I had a copy of S&W here so I could print the rules in Ten Forward!

More seriously, I hope Isman will take all this constructively and offer some thoughts in his own section.  It's an important, nay critical, feature.

 

Geesh....I honestly didn't know I was hitting so close to home. I rarely go up above the privacy stuff and Ten Forward. I had no idea the official Internet Sweeper Forum is now located here on Wilders. I saw Internet Sweeper in today's issue of LockerGnome's Windows Daily...it's the second download listed after Chris' letter.
http://www.lockergnome.com/issues/daily.html

Well, that's what happened, so I guess there's no use feeling embarrased about it. Maybe it's something that just needs some fine tuning.
:-/
John

 

I wonder if the problem with failing wipers is that they fail to write through cache, and consequently wiping memory instead of disk.  There again, I would have thought that was too obvious....

Now, of course, I'm worried that FileVac might not be working, but I don't want to buy a recovery utility just to test it - I would only do that if I was testing/comparing a range of products.

What's your recommendation for a free wiper to augment FileVac?  (Just in case!  I hope somebody else can confirm FileVac and IEClean's performance independantly here!)

Hey!  500+ posts and still only four stars!

 

This is an important retraction of sorts.

After communicating with Brett Emery he told me that the default setting for "Internet Sweeper" is a simple "empty" of the files and NOT a wipe. You have to go to "Other options" and then CHECK the "wipe" function. He told me it is just a one-pass wipe, so I don't understand why it is not the default. I asked him this and he said because thousands of files would take forever to wipe if it was the default and would take a long time. Actually, I just filled my cache up with over 2000 items and it did it's one-pass thing in less than 20 seconds. Also, most all people using a tool like this would not allow their cache to become that packed out before running the program. Anyway, at one-pass it wouldn't take long at all. If you need more protection than a one-pass wipe -- you might look elsewhere. If one-pass is OK for your needs "Internet Sweeper" seems to do the job and do it well.

Thanks to Brett for getting back to me in a very timely fashion. He was also friendly in his communication.

It all comes down to the old "Who do you need to protect yourself from? The kid sister, the nosy neighbor with some computer skills or "BIG BROTHER" For the first two, one-pass is fine. For the third - no way.

John

 

There's a problem with many - maybe even most - products.  It's the nature of software development.

Developers, with rare exceptions, fail to consider ergonomics, usability and perception when realising their ideas.  Usability is the worst offender - developers, like any other human beings, make the assumption that users will instinctively understand how to use a program.  It's almost impossible for a developer to look at their own code as if they had never seen it before and didn't understand.  Consequently they write documentation and interfaces according to their own understanding, not that of the users.

Ergonomics are sacrificed by placing safe defaults instead of sensible defaults, by using obtuse labels in documentation and config files.  Should I set or reset the SchwampThrobble Indicator?  Huh?  Whassat?  Again, entirely understandable that a developer could fail to realise that his terms of reference aren't commonly shared.

Naively, users (bless 'em) often read into the program's functionality what they'd like it to do rather than what it actually does.  In the case of IS, I think I too would assume it to do a DoD wipe at the very least - am I getting protection or semi-protection?  Am I defending myself against a knowledgeable user or the sales guy at the next desk?

Developers need to learn the hard lesson that software must be written backwards from the interface, not write code and shoe-horn an interface onto it.  That the problem must first be understood and the interface for solving it developed with the people who are experiencing the problem before a single line of code is laid down.

In this industry, very often a cottage industry, developers are solving problems that they have experienced, and then selling or giving away their results.  However, they're repeatedly making the same mistake of writing code primarily for themselves, not for others, and will always fall into the trap of short cuts, insufficient error handling, and lack of documentation.

And there's another Golden Rule:  nobody who writes code should ever be allowed to test it themselves.  It is human nature to test one's own code for success instead of failure.

[hr]
Edit for typos and clarity
[hr]
If anyone's listening, I'm willing to discuss design and testing commissions....  

 

I wonder how well it will recover a stego'd .gif? Take one from my site and try it out, email me the recovered file and I will check (if you don't want to go to the trouble of learning/breaking the stego).....

This one is in Round 2 of my wargames, use it, then email me the recovered .gif:
http://www.internetwarzone.org/images/reddawn.gif


--
Colonel Flagg
colonel_flagg@internetwarzone.org

 

************************************
      steganography technology  embeds a secret message into a user selected image file        

*************************************


      CF

      have you any particular reason for thinking that it could not be wiped.......just wondering.?


                             snowman

 

   Col F

    oh I forgot to mention.....your webpage wont show on my computer.......



                        snowman

 

   Steganography is one of the lesser known  forms of cryptography (encryption)  The technique is relatively fragile.   one example of its use is "watermarking" trademarks\copyrights...... hidden messages in e mail, etc

   jpeg  bmp gif  images ........wipe\recovery should apply.  


                        snowman

 

I'm not at all happy with the idea of steganography.  I doubt if any serious forensic technician would be fooled for very long - inappropriate image sizes would be a dead giveaway.  Anyone who keeps sensitive data stegoed on their machine is ultimately vulnerable to new and upcoming audit tools.

So why keep all the data on a local disk?  It's so much more secure to distribute the data and keys separately.  For example, let's say we've got a picture (a) of my favourite dog.  Also, a picture of a daisy (b) and both pictures are the same size.

All we have to do it eXclusive OR (a) and (b) to produce a new object (c).  We can now delete sensitive picture (a) completely, because we can recover it by XORing (b) and (c).  If we then move (c) to somewhere remote, say a freebie website, then all a forensic technician would find is a picture of a daisy (b).  All anyone at the freebie website would find is a file of seeming garbage (c).  Only you, knowing that (b) and (c) are related, could ever recover the puppy (a).

Simple logic, this, and it works for any object - text, executable, image, whatever.  What's the big deal with steganography?   :-/

 

ask a steganosaurus.

snicker.

 

      Checkout

       thats what I was wondering..."whats the big deal with steganography"      Even the color of the image used can effect it........

       personally I don't download anything from unknown sources.....safe computing I think its called.

       no offense intended ......Colonel.

                                 snowman

 

Gonna answer all questions in this post:


Steganography \Steg`a*nog"ra*phy\, n. [Gr. ? covered (fr. ? tocover closely) + -graphy.] The art of writing in cipher,
or in characters which are not intelligible except to
persons who have the key; cryptography.


Snowman:

> have you any particular reason for thinking that it could not be wiped.......just wondering.?

Well, honestly, no.... just a thought. I have heard of new audio files with stego data inside, when played and monitored with a spectrum analyzer, they will display say a "smiley face". When transfered/encoded to say an mp3 file, the smiley face disappears....

just kinda wondering if the same thing may occur.

as for my webpage not showing... works fine for me on Linux/KDE 2.+/Konqueror, Mozilla, Netscape.... XP/2k IE 6.0, Opera, Netscape, Mozilla. Maybe it's a DNS issue. Try it again... Your DNS servers may have grabbed the IP's.


Everyone else:

Steganography, used as a personal encryption method, while it has a small niche isn't truly efficient. The most effective way to use steganography would be to simply tell someone to monitor a certain site for a certain pic... say you are a reporter for the BBC, you are also an espionage agent for Country "X". You pass info through your website articles. Every once in awhile, you add a pic to your article. You simply add the stego material to the pic and pass it to your operatives or whatnot. (Just an example of course).


--
Colonel Flagg
colonel_flagg@internetwarzone.org

 

what is a "whatnot"? Are they dangerous? Can they "stego" me back?

Lego-my-stego!

 

You've lost the plot, Uni.  A Stego is a small plastic brick which fits onto other small plastic bricks, but hollow so you can hide a small message inside each one.  In Denmark there's a place called Stegoland where lots and lots of stegos are built into actual working motor cars and artificial women for the long journeys and cold nights.  A Whatnot is when you get given a huge box of stegos and you wonder what you're going to do with them.  Now you know what to do and whatnot to do.

The thing you need to bear in mind about women made of stegos (whether you construct them yourself or buy them ready made) is that the secret message inside all of them is the same:  "Well, if you don't know, I'm not going to tell you" which has defeated all attempts to decode, even by the FBI and Disney.

You are better off standing still (as still as possible) and using stegos to armour yourself.  You can become a superhero that way (the colours are just right).  Don't make any sudden movements.  The entire population of Canada is known to do this once a year, on National Canadian Stego Day.

Firewalls are easy to construct, although stegos melt if they get too hot.  Kerio Personal Firewall is yellow, while Zone Alarm is that horrid green.  TDS (yes, stegos can be formed into anti-trojans too) are a combination of all four colours because DCS approaches each trojan from all possible angles, and BOclean is permanently set on red.  Evidence Eliminator just falls apart when you try to use it, so beware.

When at last all your stegos are worn and tired, recycle them - perhaps a nice crunchy red wine is your choice?

Stegos are our friends.  They're the choice of the nineties.  In Sweden they have to have their headlights permanently on, by law.  You know it makes sense.

 

[move] [/move]

 

Wow, what an eye opener, luv2bsecure.  I downloaded a demo copy of "File Recovery 98" by LC Tech and applied it to some files deleted by Windows, of course we know those files were recoverable.  I also applied File Recovery 98 to some files wiped by a program called "Mutilate File Wiper" by Craig xx.  Ooops, they were easily recovered.  I wiped same files with Sami Tovenson's "File Eraser" v 5.3.  Could never recover the files erased by Sami's File Eraser.  If recovery is possible, I could never find a way.  I am really happy that File Recovery 98 is available for testing purposes.  It is so nice to see for myself if some of the wild claims put forth by some of these vendors really hold up.
Btw, I do have a 30 day fully working demo copy of "Evidence Eliminator."  Didn't cost me a dime.  After all I have heard about this product, nope, not going to buy it.  I have yet to try File Recovery 98 on files deleted by EE.  My gut feeling is this will be a big disappoinment.  BTW, EE, as far as I can determine to this point, has neither harmed my machine nor deleted anything I didn't call for to be deleted.  So, I can't complain there.

Can anyone else suggest any other bulletproof file erasers out there, things really that WORK and render files unrecoverable?  NOT the hype and BS that some vendors are selling us.

Thanks lub2bsecure for a very informative post

 

GrayD - Welcome to the forum!

You can try NecroFile, from here: http://www.necrocosm.com/nfinfo.htm . Pete

 

Hi Gray!

Disk Wipers. Bring this topic up and you'll get a hundred opinions.

To be honest, I know nothing about the one mentioned by Pete, Necrofile. I went to the website and there is no mention anywhere of the method(s) used. It sounds interesting because of the claimed speed, but honestly without understanding the method it's hard to recommend. I wouldn't trust but just a few programs available among the hundreds available. Sami Tolvanen's ERASER is at the top of the list and is cited year after year by attendees of ISSA conferences as the "Disk Wiper of Choice." ISSA, by the way, is The Information Systems Security Association. I have only been to two of their conferences, both focusing on encryption. But our department chairman attends practically all of them and says it's always a topic that always comes up (like it did when I have been) and Sami's ERASER is always the one most often mentioned.

For one thing, Sami Tolvanen is a genius. He has been a programming pro in Finland since he was about 20. He studied at the prestigious Tampere University of Technology and is now a 25 year old genius. There is no question about his credentials and the respect he has.

The 35-pass Gutmann method is recognized as the most secure erasing option available. The 7-Pass and 3-Pass DOD methods are based on standards outlined in the Department of Defense Manual 5220.22 M . You can feel secure with these methods. The Gutmann is in a class by itself though. The data area (or freespace) is overwritten 35 times. This method uses psuedorandom data to overwrite the drive and then overwrites the drive based on the different and unique encoding algorithms used by various hard drive manufacturers, RLL (Run Length Limited), PRML (Partial Response, w/maximum-likelihood), and  MFM (Modified Frequency Modulation).

With ERASER you can select any of the above methods. Sami is no longer associated with his own program. He has given it up and moved on to other things. With the GNU General Public License, the program source code will continue to be available and developers can continue to improve it. The new maintainer of ERASER is a neat guy named Garret Trant. He has the new ERASER website up and running now at  

http://www.heidi.ie/eraser/

This is probably MUCH more than you wanted to know, but encryption and data privacy is my passion. I know little else about computers beyond the basics, but I can talk encryption and privacy all day. I am at UCSD in San Diego. If you would like further information on anything I have mentioned, feel free to write me!

John
Luv2BSecure