Dooping the Investigator
by Don Wood
This presentation will take a look at how to prevent your information from being discovered by an investigator.

Overview
• BitLocker
• BCWipe
• PD-8700 Hard Drive Degausser & Physical Hard Drive Destroyer

Windows BitLocker
• BitLocker Drive Encryption is a data protection feature available in Windows Enterprise and Ultimate for client computers and in Windows Server 2008. BitLocker is Microsoft's response to a frequent customer request: address these very real threats of data theft or disclosure from lost, stolen or inappropriately decommissioned PC hardware with a tightly integrated solution in the Windows Operating System.

Windows BitLocker cont'd
• BitLocker provides both mobile and office enterprise information workers with enhanced data protection should their systems be lost or stolen and secure data deletion when it comes time to decommission those assets. Not to mention preventing investigators from accessing your data.
• BitLocker enhances data protection by bringing together two major sub-functions: drive encryption and the integrity checking of early boot components.

Windows BitLocker cont'd
• Strengths
• Drive encryption protects data by preventing unauthorized users from breaking Windows file and system protection on lost, stolen or inappropriately decommissioned computers. This protection is achieved by encrypting the entire Windows volume; with BitLocker all user and system files are encrypted, including the swap and hibernation files.
• Integrity checking the early boot components helps to ensure that data decryption is performed only if those components appear unmolested and that the encrypted drive is located in the original computer.

Windows BitLocker cont'd
• Weaknesses
• BitLocker is limited to Windows Server 2008, Windows Enterprise and Ultimate Operating Systems.

Windows BitLocker cont'd
• The Dooping
• BitLocker prevents data from being retrieved from the hard disk once the disk has been removed from its original host machine.

BCWipe
• BCWipe™ data wiping software enables you to permanently delete selected files so that they can never be recovered or undeleted. BCWipe embeds itself within Windows and can be activated from the Explorer File menu, from the context (right-click) menu, from BCWipe Task Manager, or from a command-line prompt.

BCWipe cont'd
• Strengths
• Destroys all contents of the whole hard drive, including boot records and operating system files.
• Delete with wiping: Using this command, which is available in the context menus of the 'My computer' window, you can delete and wipe a file, a folder, or a group of files and folders.
• Wipe free disk space: Using this command, available in the context menus of the 'My computer' window, you can completely and permanently remove all traces of previously deleted files.
• Wipe Swap File: The swap file is a Windows system file that is used for virtual memory support. If you are working on a file or document (even one that has been encrypted), Windows will copy all or part of it in an open unencrypted form to the swap file on your hard disk. Encryption keys, passwords, and other sensitive information can also be 'swapped' to your hard drive. Even if you use all the security features in the latest versions of Windows, simply investigating the swap file in DOS mode with readily available tools may allow for significant data retrieval. BCWipe offers the option to wipe unused portions of the swap file to ensure your total security.

BCWipe cont'd
• Wipe File Slacks: A file slack is the disk space from the end of a file up to the end of the last cluster used by that file. You can turn file slack wiping on or off before running BCWipe commands. (Read more explanations on file slacks in the Tips & Tricks section.)
• Wipe Empty Directory Entries*: The file system records the names and attributes of files in a special area of your disk drive (so-called 'directory entries' for FAT, and the MFT for NTFS). When a file is deleted, the corresponding directory entry is modified by the file system, which makes it invisible to Windows and to you. However, most of the information still exists, and the name and attributes can be restored using any recovery utility. BCWipe shreds directory entries and the MFT so that the information can never be recovered.
• Swap File Encryption*: The BCWipe CryptoSwap utility allows you to encrypt the swap file, which provides you with additional security. Supported symmetric algorithms and key lengths: Rijndael 256-bit key (Cipher Block Chaining Mode), Blowfish 448-bit key (Cipher Block Chaining Mode), GOST 28147-89 256-bit key (Cipher Feedback Mode), Twofish 256-bit key (Cipher Block Chaining Mode).
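
What an investigator can still read from a deleted FAT directory entry, as described under "Wipe Empty Directory Entries" (an added example, not part of the original presentation). The parser follows the standard 32-byte FAT short-name entry layout; the sample file BUDGET.XLS, its size, cluster and date are constructed, and the all-zero "wiped" entry is an assumption about what an overwritten entry looks like.

```python
import struct

ATTR_FLAGS = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
              0x08: "volume-label", 0x10: "directory", 0x20: "archive"}

def make_entry(stem, ext, attr, cluster, size, wdate):
    """Build a constructed 32-byte short-name entry (demo input only)."""
    return struct.pack("<8s3sB8xHHHHI", stem.ljust(8).encode("ascii"),
                       ext.ljust(3).encode("ascii"), attr,
                       cluster >> 16, 0, wdate, cluster & 0xFFFF, size)

def parse_fat_entry(raw):
    """Decode one FAT short-name directory entry; None if unused or LFN."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    attr = raw[11]
    if raw[0] == 0x00 or attr & 0x3F == 0x0F:
        return None  # 0x00 = never used; attribute 0x0F = long-name fragment
    deleted = raw[0] == 0xE5  # an ordinary delete only replaces the first name byte
    first = "?" if deleted else chr(raw[0])
    stem = (first + raw[1:8].decode("ascii", "replace")).rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    # Offsets 20..31: cluster high word, write time, write date, cluster low word, size
    hi, _wtime, wdate, lo, size = struct.unpack_from("<HHHHI", raw, 20)
    return {
        "deleted": deleted,
        "name": stem + ("." + ext if ext else ""),
        "attributes": [label for bit, label in ATTR_FLAGS.items() if attr & bit],
        "first_cluster": (hi << 16) | lo,
        "size": size,
        "modified": "%04d-%02d-%02d" % (1980 + (wdate >> 9),
                                        (wdate >> 5) & 0x0F, wdate & 0x1F),
    }

# Constructed sample: BUDGET.XLS, 48128 bytes, cluster 0x12345, written 2009-03-14.
WDATE = ((2009 - 1980) << 9) | (3 << 5) | 14
LIVE = make_entry("BUDGET", "XLS", 0x20, 0x12345, 48128, WDATE)
DELETED = b"\xe5" + LIVE[1:]  # what an ordinary delete leaves on disk
WIPED = bytes(32)             # assumed result of overwriting the entry with zeros

if __name__ == "__main__":
    for label, raw in (("live", LIVE), ("deleted", DELETED), ("wiped", WIPED)):
        print(label, parse_fat_entry(raw))
```

Only the first character of the name is lost on a normal delete; size, starting cluster, attributes and timestamp all survive until the entry itself is overwritten.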

BCWipe cont'd
• Hexadecimal File Viewer*: Using the Hexadecimal File Viewer, you can examine contents of files after wiping. This utility is useful for investigating the quality of the wiping process, for example when you use a custom wiping scheme.
• BCWipe Task Manager*: Administrators now have complete flexibility for choosing what to wipe, when to wipe it, and how to wipe it. Lists of recently used files are removed from the File Menus of specific programs. Wipe your Internet Cache, Cookies, History, etc. Wipe the entire swap file. Wipe selected Registry Keys and user activity history stored by Windows.
• Transparent Wiping*: With BCWipe's new Transparent Wiping feature, all wiping operations can now be set to run automatically - deleted files are securely wiped on the fly. Transparent Wiping securely erases the following sensitive information on the fly:
  - All files and folders deleted using normal commands
  - Temporary files created by Windows and applications
  - Temporary files created when working with data secured with encryption
  - Data stored in Windows Restore Point when the Restore Point is deleted
  - Data stored in Recycle Bin when Empty Recycle Bin is selected
  - Or only specific types of files, folders and applications by configuring include/exclude lists

BCWipe cont'd
• Weakness
• Once BCWipe is initiated, the wiped data cannot be recovered.

BCWipe cont'd
• The Doop
• BCWipe can be initiated upon unauthorized access to your drive.

PD-8700 Hard Drive Degausser & Physical Hard Drive Destroyer
• The PD-8700 is designed to provide a safe, convenient and effective method of destroying confidential information contained on hard drives. The PD-8700 degausses and then physically destroys the hard drive, ensuring that the information previously contained on the hard drive is permanently erased and destroyed.

PD-8700 Hard Drive Degausser & Physical Hard Drive Destroyer cont'd
• Strengths
• The Destruction mode of the PD-8700 is designed to physically disable the hard drive, preventing data from being recovered. The physical destruction visibly identifies hard drives that have been properly sanitized.
• The PD-8700 does not rely on software, therefore it will erase all operating systems. In addition, degaussing is the only way of erasing hard drives that are not functioning.

PD-8700 Hard Drive Degausser & Physical Hard Drive Destroyer cont'd
• Weakness
• Requires an actual machine in order to accomplish the task, and cannot be done without someone actually placing the drive into the machine.

PD-8700 Hard Drive Degausser & Physical Hard Drive Destroyer cont'd
• The Doop
• Let's see an investigator recover data from this.

Resources
• http://www.microsoft.com/windows/windows-vista/features/bitlocker.aspx
• http://www.jetico.com/wiping-bcwipe/
• http://www.garner-products.com/PD-8700.htm