
[Repost] Anti-Forensics


Source: http://www.informit.com/guides/c ... seqNum=108&rl=1

Anti-forensics is one of the hottest areas of research in information security. Anti-forensics, as the name implies, is the science of evading forensic analysis. There are a host of useful tools and techniques for anti-forensics, which we will examine over time in the following section.

Sanitizer
Recently, a security research company bought a hard drive on eBay for $5. This is not too surprising, until they found the hard drive belonged to a bank, and was full of customer data, bank account info, and network settings. The bank had forgotten to wipe the drive when they sold it.

Of course this is really a policy failure, since a bank's hard drive should be destroyed on site, not sold on eBay. A hammer works, as does a furnace. And before physically destroying the drive, you should wipe it with a file-wiping program.

One good wiping program we have found is Sanitizer by East-Tec. Sanitizer is a software product designed to remove all traces of information from a hard disk. It eliminates data from the entire hard disk: every sector and every bit of information is overwritten and destroyed beyond recovery. Features include:

The ability to remove sensitive information from all areas of the disk and the ability to provide protection against all methods and equipment of data recovery

Data removal methods that meet and exceed the United States Department of Defense standards

The ability to maintain detailed logs of all sanitizing operations, that can be printed and saved for permanent records

The ability to sanitize any floppy or hard disks connected to the computer, regardless of the file system and the operating system that resides on each drive (works with FAT12, FAT16, FAT32, NTFS, DOS, Windows 3.x, Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, Unix, etc.)

According to the United States Air Force, sanitizing means removing all traces of information from a hard disk "in a manner that gives assurance that the information is unrecoverable by any means". Sanitizing (also called purging) defeats attempts to recover information based upon a technical attack, such as undelete software, sector editors, and more advanced methods.

The only potential drawback is the East Tec licensing scheme. They have a somewhat burdensome authentication mechanism where you have to manually request that a license be generated each time you wipe a drive; and then you have to go back and type it in manually, each time. East-Tec claims to have some form of site licensing scheme, although this was not made available to us at the time of this review. The default license key scheme was quite painful, and I think it is the main barrier holding this product back from becoming the market leader.

The most helpful tricks I have found are a list of command-line parameters, which are included here with kind permission from East Tec:

/H:x - using this parameter will define the drive to be sanitized using the BIOS extended Int13h detection method (x=0 Hard 1, x=1 Hard 2, etc). (recommended for most users)

/H:* - sanitizes all hard drives connected to the computer, using the BIOS extended Int13h detection method

/I:x - using this parameter will define the IDE/ATA drive to be sanitized (x=0 primary master, x=1 primary slave, etc)

/I:* - sanitizes all IDE/ATA hard drives connected to the computer, using the IDE/ATA controller

/P:x - using this parameter will define the partition to be sanitized from the hard disk specified in the /H:y parameter (x=1 Partition 1 of the hard drive y, x=2 Partition 2 of the hard drive y, etc).

NOTE: the /P:x parameter can only be used in conjunction with the /H:x or /I:x parameters

/F:x - you will use this parameter if you want to define a floppy disk to be sanitized.

/Ox+, /Ox- - using these parameters, the user can enable/disable the options used in the sanitizing process. The complete list of options is listed on the screen.

(e.g. /O1+ enables option no. 1 (Verify sanitizing); /O4- disables option no. 4 (Generate sanitizing log (report) file))

NOTE 1: The default sanitizing options are marked (v) on the screen. You will only have to use /Ox+, /Ox- parameters if you desire to alter the default options and run the wiping process on a customized options set.

NOTE 2: For a detailed description of each sanitize option, please read the SANITIZE OPTIONS section of this documentation file. To locate this section, use the table of contents.

/O+ , /O- - using these parameters, the user can enable/disable the default sanitizing options. (The default value is /O+)

/M:x - this parameter will define the sanitize method that will be used in the sanitizing process. You can see the complete list of the sanitize methods using the /list parameter. NOTE: The default sanitize method is the first method in the list.

Typing sanitize /list at the command prompt (once you are in the Sanitize directory) displays the list of available methods on the screen.

/USER: - use this parameter if you want to record the name of the person responsible for the current sanitizing.

/DISK: - use this parameter if you want to record the description and ID of the disk drive.

/? - use this parameter if you want the complete command-line parameters list to be displayed on the screen.

-IDE - use this parameter if you do not want to use the IDE/ATA controller.

See below some examples on how you can use the command-line parameters:

Example 1: sanitize /h:0 /o- /o4+ /o5+ /o7+ /o9+ /m:6

Details:
   /h:0 = Sanitize drive c:
   /o-  = Do not use default options
   /o4+ = Generate sanitizing log (report) file
   /o5+ = Department of Defense style log file
   /o7+ = Sanitize without requiring user intervention
   /o9+ = Use ISAAC pseudorandom number generating algorithm
   /m:6 = Use DOD 5220.22-M method

Example 2: sanitize /h:0 /o- /o1+ /o4+ /o5+ /o7+ /o9+ /m:6

Details:
   /h:0 = Sanitize drive c:
   /o-  = Do not use default options
   /o1+ = Verify sanitizing
   /o4+ = Generate sanitizing log (report) file
   /o5+ = Department of Defense style log file
   /o7+ = Sanitize without requiring user intervention
   /o9+ = Use ISAAC pseudorandom number generating algorithm
   /m:6 = Use DOD 5220.22-M method

Example 3: sanitize /h:0 /p:1 /o- /o1+ /o4+ /o5+ /o7+ /o9+ /m:6

Details:
   /h:0 /p:1 = Sanitize partition no. 1 of hard disk no. 1
   /o-  = Do not use default options
   /o1+ = Verify sanitizing
   /o4+ = Generate sanitizing log (report) file
   /o5+ = Department of Defense style log file
   /o7+ = Sanitize without requiring user intervention
   /o9+ = Use ISAAC pseudorandom number generating algorithm
   /m:6 = Use DOD 5220.22-M method

Example 4: sanitize /h:* /o- /o4+ /o5+ /o7+ /o9+ /m:6

Details:
   /h:* = Sanitize all hard drives connected to the computer
   /o-  = Do not use default options
   /o4+ = Generate sanitizing log (report) file
   /o5+ = Department of Defense style log file
   /o7+ = Sanitize without requiring user intervention
   /o9+ = Use ISAAC pseudorandom number generating algorithm
   /m:6 = Use DOD 5220.22-M method
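To make concrete what the /m:6 method with /o1+ (verify) and /o4+ (log) does per sector, here is an added Python example, written for this page and not East-Tec's code: a three-pass overwrite (fixed pattern, its complement, then pseudorandom data) of a file or raw disk image, followed by a read-back verification of the final pass and a small log record. The pseudorandom stream is a constructed SHA-256 counter stream so the verify pass can regenerate it; it stands in for the ISAAC generator the product uses.

```python
import hashlib
import os

SECTOR = 512  # sector size assumed for this example


def _random_block(seed: bytes, index: int, size: int) -> bytes:
    # Deterministic keyed stream (stand-in for ISAAC): regenerable for verification.
    out = bytearray()
    ctr = 0
    while len(out) < size:
        out += hashlib.sha256(seed + index.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:size])


def verify_random_pass(path: str, seed: bytes) -> bool:
    # Read every sector back and compare with the random data that pass 3 wrote.
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        for idx in range((size + SECTOR - 1) // SECTOR):
            n = min(SECTOR, size - idx * SECTOR)
            f.seek(idx * SECTOR)
            if f.read(n) != _random_block(seed, idx, n):
                return False
    return True


def overwrite_three_pass(path: str, seed: bytes = b"") -> dict:
    # Pass 1: fixed pattern, pass 2: its complement, pass 3: pseudorandom, then verify.
    seed = seed or os.urandom(32)
    size = os.path.getsize(path)
    log = {"path": path, "bytes": size, "passes": []}
    for pass_no, kind in enumerate(("pattern", "complement", "random"), start=1):
        with open(path, "r+b") as f:
            for idx in range((size + SECTOR - 1) // SECTOR):
                n = min(SECTOR, size - idx * SECTOR)
                if kind == "pattern":
                    block = b"\x55" * n
                elif kind == "complement":
                    block = b"\xaa" * n
                else:
                    block = _random_block(seed, idx, n)
                f.seek(idx * SECTOR)
                f.write(block)
            f.flush()
            os.fsync(f.fileno())  # force the pass to media before the next one
        log["passes"].append(f"pass {pass_no}: {kind}")
    log["verified"] = verify_random_pass(path, seed)
    return log
```

Overwriting a file in place only covers that file's allocated blocks; whole-device sanitizing (the /h: and /i: forms above) is needed for slack space, unallocated sectors and remapped blocks, and flash media with wear levelling may still retain copies that no host-side overwrite reaches.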
You can find the product here:

http://www.east-tec.com/sanitizer/index.htm