With the mass arrests of 25 anons in Europe and South America, and the rumors of an FBI sweep on the east coast of America floating around, times look dicey for hackers. Over the past few days, a lot of questions have been posed to me about removing sensitive data from hard drives. Ideas seem to range from magnets to microwaves and a lot of things in-between. So, I'd like to explain a little bit about data forensics, how it works, and the steps you can take to be safe.
Often, an anon will delete files from his computer, but that is only half the story, as those files are still really there. And if the careless anon doesn't take steps to fix that, when his door gets kicked in and the FBI takes his hard drive, they will be able to see everything. Don't be that anon.
Computer forensics is the collection, preservation, analysis and presentation of computer-related evidence. In summary, it helps determine the who, what, where, and when related to a computer-based crime or violation. When the feds are finished arresting you and boxing up your belongings into evidence crates, they will ship them off to the FBI data lab in Washington, D.C.
In addition, an examiner will work to uncover all files on the subject's system. This includes existing active, invisible, deleted, hidden, password-protected, and encrypted files. In many cases, information is gathered during a computer forensics investigation that is not typically available or viewable by the average computer user, such as fragments of data that can be found in the space allocated for existing files (known as "slack space"). Special skills and tools are needed to obtain this type of information or evidence.
An expert can recover pretty much all of your deleted files, along with other data that has not yet been overwritten. As a computer is used, the operating system is constantly writing data to the hard drive. From time to time, the OS will save new data on a hard drive by overwriting data that exists on the drive, but is no longer needed by the operating system, i.e. a deleted file. So, the ongoing use of a computer system may destroy data that could have been extracted before being overwritten.
While erasing files simply marks file space as available for reuse, data-wiping overwrites all data space on a storage device, replacing useful data with garbage data. Depending upon the method used, the overwrite data could be zeros (also known as "zero-fill") or could be various random patterns. This is why simply deleting information is never enough. You must take proactive steps to ensure your removal is complete.
We are going to use a great boot disk called DBAN to perform this operation.
Step 1 Obtain and Burn DBAN
You can download the 2.2.6 Beta release from Sourceforge. Once you have the .ISO, all that's left to do is burn it to a blank CD/DVD. Place the media into your drive and restart the computer. Most computers are set to try and boot from the CD drive before the hard disk. If this is not the case, and your computer does not boot the CD drive, you will need to enter your BIOS setup and change the boot priority order.
Step 2 Boot and Run!
After the CD starts, you will be greeted with this screen:
We want to simply press enter here to start DBAN in interactive mode. The main menu shown below should display your hard drive to be wiped.
The next screen shows us DBAN is ready to get down to work, the default method is a DoD Short wipe, and it will work fine for us.
Hit the space bar to select and it will start. Be warned though, the DoD wipe takes a bit of time, especially on larger hard drives. But not as long as a prison sentence would be.
DBAM is a great tool to clean a hard drive. I carry a copy of it in my laptop bag when I travel and you should do the same. It is quick and easy and works better then most other tools I have used. Be careful as (obviously) it is impossible to recover if you zap the wrong hard drive!