Forensic Analysis?

[ZCode]

I was wondering how Eraser stands against forensic specialists? In addition to the file contents, how strong is it in terms of hiding the metadata, file names, etc. Can anyone compare between 35 passes and 1 pass pseudorandom regarding their robustness against forensic analysis?

 

[DavidHB]

In a couple of days (hopefully after you have seen this reply), I shall move this topic to the Data Forensics forum, as it really belongs there.

Your question begs a lot of other questions, answers to some of which might not be in the public domain. But the really important point is that Eraser is best understood not so much as a stand-alone application but as one of a variety of tools and techniques with which users can protect their privacy and security. So the effectiveness of the defence against an adversary (in this case a forensic specialist, who will use specialist software tools) will depend on the whole defensive system, rather than Eraser in isolation.

To give one obvious (but also frequently encountered) example, it is no good claiming that Eraser is ineffective if you have failed to identify and erase all copies of the target data on your machine. You can expect that forensic specialists will know where to look for traces that have been left behind in this way; experience suggests that most users are unaware that such traces exist, much less how to remove them.

That said, some things are known with at least a reasonable degree of certainty. Experimental work on modern mechanical hard drives has shown that a single overwriting pass is sufficient to put the data that is overwritten beyond practical recovery; artefacts will remain, but they cannot be reliably used to reconstruct the original data.

Thus, when an overwriting program such as Eraser writes to the whole disk area used by a target file and the associated file table entries, that file (including any metadata the file or file system might contain) is completely and permanently destroyed. I am not aware of any published claim that this is not the case. Also, with modern drives, a single pass erase is as effective as a 35 pass erase; forensic analysis will therefore typically focus on the security weaknesses of the target system rather than attempt to recover erased data.

It is my personal belief that, because traces are so hard to find and remove, an ordinary private user will find it virtually impossible to secure his or her data against sustained expert forensic examination, other (possibly) than by encrypting all sensitive data. The ordinary user can however reasonably easily protect himself or herself against the more commonly encountered computer security threats, and that Eraser is a useful and effective tool in this latter context.

I hope that this response is helpful. It is not a full answer to your question; such an answer would probably fill a book!

David

 

[ZCode]

Hi David,

Thank you for your answer. I have a few more questions

Thus, when an overwriting program such as Eraser writes to the whole disk area used by a target file and the associated file table entries, that file (including any metadata the file or file system might contain) is completely and permanently destroyed. I am not aware of any published claim that this is not the case. Also, with modern drives, a single pass erase is as effective as a 35 pass erase; forensic analysis will therefore typically focus on the security weaknesses of the target system rather than attempt to recover erased data.

what do you mean by the "security weaknesses of the target system"? In this case we are just talking about hard-drive and the erasor software itself, right?

It is my personal belief that, because traces are so hard to find and remove, an ordinary private user will find it virtually impossible to secure his or her data against sustained expert forensic examination, other (possibly) than by encrypting all sensitive data.

what are the "traces" of the files. If I already overwrite the whole disk with random 0/1s why would there be "traces" left? You mentioned all the metadata and the contents are destroyed, but you also mentioned that " virtually impossible to secure his or her data against sustained expert forensic examination"

 

[DavidHB]

what do you mean by the "security weaknesses of the target system"? In this case we are just talking about hard-drive and the Eraser software itself, right?

No. We are also talking about the file system and the operating system with which that file system is associated. The behaviour of these very complex system components has major implications for user security.

what are the "traces" of the files? If I already overwrite the whole disk with random 0/1s why would there be "traces" left? You mentioned all the metadata and the contents are destroyed, but you also mentioned that " virtually impossible to secure his or her data against sustained expert forensic examination"

If you overwrite the whole of the disk (e.g. by formatting and it and then erasing the free space), nothing except the (almost empty) file table will be left, and that disk will be pretty much secure, even against forensic examination. But it is only when disposing of the disk or putting it to some other use that you can do this.

In day to day use, Windows (or any other modern OS for that matter) will create partial or complete copies of files in locations which the ordinary user will not know about and to which he or she will often not have direct access. As I understand it, Eraser will prevent Windows making shadow copies (the most obvious cause of security weakness) of files it erases directly. But if a file has been through a series of versions, shadow copies of those versions may still exist, and Eraser will not know about them. There will also be partial copies of user data in the paging file and in the cluster tips of files (including OS files the user is not allowed to access). Also, in the NTFS file system, the file table itself contains the data as well as the metadata of small files. I was referring to entities such as these (which are obvious targets of any forensic examination) when used the term 'traces'. I accept that the term is potentially misleading, but I could not think of a better one.

The point here is that Eraser will do a good job of destroying files, but it takes knowledge and effort to identify and destroy everything a user with reasonable security concerns might want removed. Even erasing free space (always a time-consuming job) is not the complete answer, because restore points and application clutter are in space not marked as free. Alongside Eraser, regular use of cleaning apps. such as CCleaner will also be required. It also makes sense to store data, especially sensitive data, on a non system drive, as these can usually be cleaned more easily and thoroughly than system drives. Finally, remember that effective file erasure is not possible on flash drives and SSDs, because the wear levelling firmware on those drives redirects (and thus defeats) the overwrite. Erasing free space (which writes to all the available space) does however work on these drives.

I hope this helps.

David

 

[ZCode]

As I understand it, Eraser will prevent Windows making shadow copies (the most obvious cause of security weakness) of files it erases directly.

Thanks David. This is very helpful. One more question: you said Eraser prevents Windows from making shadow copies of the files it erases directly, but Eraser cannot erase all the shadow files when erasing all the unused space, right?

 

[DavidHB]

Eraser cannot erase all the shadow files when erasing all the unused space, right?

Yes. Shadow copies are not in space marked as free by the file system, so, by definition, are not covered by a free space erase. Deleting old restore points is a good idea; they take up space in any case. Once they (and the shadow copies in them) are deleted, a free space erase will work on what is left of those shadow copies.

David

 

[ZCode]

Eraser cannot erase all the shadow files when erasing all the unused space, right?

Yes. Shadow copies are not in space marked as free by the file system, so, by definition, are not covered by a free space erase. Deleting old restore points is a good idea; they take up space in any case. Once they (and the shadow copies in them) are deleted, a free space erase will work on what is left of those shadow copies.

David

I think this is more about system files. If I am talking about erasing my personal files (and those are just plain text files, and I barely opened and have no prior versions), the chance of having shadow copies of those files should be very small?

 

[Joel]

Nope, shadow copies operate on the block level, in other words, the system will take a snapshot of the disk as it was, and only modify blocks that have changed since.

Therefore, there will be no distinction between "normal" files and "system files"; everything will be imaged as one shadow copy. But yes, this does work on a disk basis so C: will have different shadow copies from D:

On server configurations, admins can also change the shadow copy storage path.

 

[ZCode]

Nope, shadow copies operate on the block level, in other words, the system will take a snapshot of the disk as it was, and only modify blocks that have changed since.

Therefore, there will be no distinction between "normal" files and "system files"; everything will be imaged as one shadow copy. But yes, this does work on a disk basis so C: will have different shadow copies from D:

On server configurations, admins can also change the shadow copy storage path.

Hi Joel, thanks for your reply. I saw on this post ( coincidentally from you as well ) that Windows clears its old restoration points when Eraser erases unused space. So these shadow copies should be gone as well?

viewtopic.php?f=2&t=8285

 

[Joel]

That will probably be coincidental. Eraser does not tell Windows to get rid of shadow copies, but rather the system does that when disk space is low. Future versions of Windows may not do this.

 

[DavidHB]

I saw on this post ( coincidentally from you as well ) that Windows clears its old restoration points when Eraser erases unused space.

This is not quite the way it works. If a restore point (containing shadow copies) is deleted, the space is marked as free, and Eraser free space erase treats it as it would any other free space. If the restore point is not deleted, free space erasing will not touch it.

To reduce the impact of this issue, I (1) so far as possible keep data, especially sensitive data, on a separate drive from the system (C drive (including changing the locations of My Documents and the like), (2) disable System Restore on all drives except the system drive, (3) regularly delete old restore points using CCleaner (4) keep backups up to date.

David

 

[Joel]

I think it is worthwhile to mention that disabling System Restore on any drive prevents Previous Versions to work, if you should use that feature.

David, did we write this somewhere before?

 

[DavidHB]

I think it is worthwhile to mention that disabling System Restore on any drive prevents Previous Versions to work, if you should use that feature.

True. Hence the point about backups.

It is also worth mentioning that System Restore, in my experience at least, fails to complete a restore. It is probably best to regard it as a tool for undoing something you have just done, rather than as something that allows you to revert the machine to the state it was in six months ago.

David, did we write this somewhere before?

Probably

David

 

[Joel]

Agreed about the fact on System Restore.

Volume Shadow Copies on data drives tend to be hardier, especially if defragmentation processes do not move files around much.

 

[ZCode]

David, Joel,

I checked the TRAC page and found this:

http://eraser.heidi.ie/trac/changeset/1496

But I don't think I received any warnings when I tried to erase unused space with system restore on. Is that desired?

 

[Joel]

You can see the test - System Restore can be on, but if there are no images, it's as good as off, isn't it?

 

[ZCode]

You can see the test - System Restore can be on, but if there are no images, it's as good as off, isn't it?

Where is the test?

I actually just tested this myself. When eraser erases the unused space, Windows does not delete ALL the restore points all the time. Sometimes it left one, sometimes it left two. Sure enough the older restore points are erased, but the fact that there might be one or two left still poses a security threat.

 

[DavidHB]

Did Joel mean 'text', I wonder?

The warning appears in the task log, if Eraser detects that System Restore is or has been enabled.

And I repeat: Eraser does not remove extant restore points.

David

 

[Joel]

In the source code file you pointed out. I meant test - the test which will determine if Eraser thinks Shadow Copies are "enabled" (currently we're only equating existance of shadow copies with it being enabled). I don't think there's a way to determine if it's just enabled for the drive if there are no shadow copies currently enabled.

 

[Rohan Wiese]

There are many forensic tools available online that helps in forensic investigation which is stellar, Aryson Technologies, SysInfoTools etc.