Inquisition 21
Internet security
Staying safe on the Internet
Clearing the hard drive and cache
This is the lower of two levels of security. The higher is below.
The purpose is to cover the case where your hard drive holds material that could be considered illegal, whether it got there accidentally, maliciously or voluntarily; to eliminate evidence of surfing; and to clear away any material placed there by malicious intrusions.
Dangers from your hard drive
Written with help from Steve Mathews, CEO of the UK computer security firm Articsoft www.articsoft.com/.
If you are not sure whether or not you need to protect yourself by clearing your hard drive, consider the following:
1. Your hard drive can accidentally contain criminal images, placed there by others through Trojan Horse intrusion, browser hijack, spam, scumware or other maliciously inspired methods.
2. If you are a parent, your teenaged son and his friends may fish up something undesirable onto the hard drive.
3. Deleting images, or other data files, simply makes the space available for possible future use; it does not delete the content, which can be retrieved by the police.
We now have enough information to know that the dangers are great. The police want to find child porn as it makes for easy convictions. We have been told that even in routine house searches for evidence of other crimes, they are seizing PCs and then, upon finding ‘criminal’ images, switching from the original investigation to child pornography charges, or adding them to existing charges. There is a real possibility that some hotlines and on-line censors who work with the police are monitoring the Internet activity of private citizens. Already there are companies carrying on surveillance for marketing purposes. Microsoft is now promising to assist the prosecution agencies, using the ‘for the good of the children’ slogan.
Let us see if we can ask the relevant questions:
1. Is the threat real?
2. Can a program that you load through a browser access your hard drive?
3. Can you effectively delete data that have been placed on a medium where any location can be overwritten?
4. Is there available, or could one develop, a code of practice that would help protect innocent people from the potential threat of prosecution for acts they did not consciously commit?
5. If suitable tools for effective overwriting became commonplace, would they allow people to act with impunity knowing they could defeat law officers?
6. Are the experts available to the legal process adequately qualified, experienced and trained in the discipline of forensic work?
1. The threat appears to be real. The threat of blackmail through the claimed or false loading of pornographic material onto computer systems was discussed at a major crime conference in London in 2002 as a real problem. Representatives from all interested parties and agencies took part in the debate.
2. Can browser activity compromise your security? To judge by the large number of updates to IE and other products, it would be hard to argue that it cannot, or that browser compromise is impossible. There is considerable interest in browsing web sites, but that ignores the torrent of email that arrives with viruses, which may themselves open other doors into the system. Browsers also allow various information to be stored in cache and cookie areas.
3. Can you delete data? Yes, and some sources of software that do this are given below. Some of these tools have an ability to delete files that complies with and exceeds the requirements set by the US DoD for deleting files thoroughly. They do it by repeatedly overwriting the sectors of the specified file. Peter Gutmann, the New Zealand cryptologist who has written what is thought to be the definitive work on this subject, notes that you overwrite as many times as you need to feel comfortable that the desired result has been achieved. There is no magic number. One should note that governments insist upon physical destruction of media that contain secret information, but that appears to be simply a method of obtaining guaranteed deletion.
4. Can we develop a code of practice? Yes, we can. Steve Mathews of Articsoft, who supplied the information for this article, was one of the authors of BS 7799, so knows that such a code of practice is possible, but that it will take time, perhaps years, to get international acceptance and that we will need a group of recognized experts whose pronouncements will carry weight and conviction. He suggests that an alternative way would be to have a product supplier work with a team on the development. He adds that the real problem would likely be to get whatever techniques were adopted to be demonstrated to be effective and reliable. There is an important note below on this subject of a code of practice.
5. Could we create conditions for immunity? Steve Mathews believes that this may be ‘a bit of a non-question since the deliberate criminal would destroy to avoid discovery’, but goes on to say that it would perhaps reduce the ability of the technically incompetent. He adds: “But nothing would prevent someone from deliberately adding sectors onto a disk that were never in the file system to begin with, and it would be difficult to prove if that had happened or not. Recovering evidence of use over a limited period of time might be feasible, but it could also prove a difficult challenge.”
6. Are there suitable experts? Steve Mathews replies: “Actually this has been the subject of some discussion last year with the National High Tech Crime Unit because of the lack of enough potential experts to carry out investigations of all types. There is a potential problem in that IT specialists have the tendency to believe their own marketing and to be didactic. Investigators I have worked with in the past have sometimes been gung ho about producing evidence of guilt, rather than considering establishing all the facts. Much credence of technique was established once it became clear that using the Delete command to remove a file merely altered an index entry and did not remove the file content itself. But if the file index entry has also gone, what other information is available to establish when the file was in existence? In some file types there is internal additional information (Word, Excel and so on). In others there is nothing (Text). What should an expert conclude? A file is there but there is no evidence to suggest when it arrived or when it was deleted.”
The steps you can take
Please accept this as our best known information for now. Send suggestions for better methods or updated information to us. See Contact in menu.
Dump or destroy all of your old floppy diskettes that could contain evidence of uncertain activity. Know the contents of the files you have backed up on CD-ROMs. Destroy any doubtful CD-ROMs.
Now, clear your hard drive. There are three ways known to us. Use all three to be sure.
Clearing individual files or images
As you finish using an individual file or image, do not simply delete it in Windows Explorer. Install the free program Eraser from Heidi Computers in Ireland. After installing Eraser, close it and go to the normal Windows Explorer. Right-click on the file you want to delete and you will see an Erase function. Click on it. The file is now erased. Next, clear your cache and history files (see below).
Removing previously deleted files or images
1. A DIY method. Make a large folder called Delete1; you could simply copy the contents of a well-filled CD-ROM into it. Check how much space is left on the C drive, or on any additional drives you want to clear, and do a quick calculation on paper to see how many Delete folders you will need to fill all the remaining space. On a well-filled single-drive PC you will probably need at least 12. If so, start copying Delete1 as Delete2, Delete3, Delete4 and so on up to Delete11, checking as you go or again after Delete11. If a Delete12 would be too much, copy smaller files until you are told the drive is full. Now do a Disk Defragment on the C drive and, when it finishes, check how much new space has been made available. Start copying again, as Delete13 and so on, until the drive is full again, then do a second Disk Defragment. Repeat four or five times until you cannot reasonably load new files of any size. Finally, clear your cache and history files (see below).
2. A more professional method. This is recommended in addition to, or instead of, the above. Use the appropriate software recommended by Articsoft, or download the free Irish package Eraser from Heidi Computers (see above). After installing Eraser, close it and go to the normal Windows Explorer. Right-click on C, or any other drive that requires clearing, and you will see the function Erase Unused Space. This will not delete your existing files. Click on it. It may take an hour or more to clear all the unused space in which deleted files and images may still be stored. Now clear your cache and history files (see below). This may be practical only for old PCs with small storage.
3. Are you now safe and happy? Some experts say not completely (well on the way, yes), because there could still be evidence of where you have been, even over and above what clearing your cache, as below, removes. This is beyond the skills and capacities of the writers of this site to assess, but one more final or alternative step can be taken.
Method 3. Nuke it. Eraser has a ‘Create Nuke Boot Disk’ facility. You find it by going to Start, Programs and following the Eraser sub-menu. First back up all your files, as this involves clearing your entire drive, rebooting and reinstalling Windows from your Windows CD-ROM. Click on Create Nuke Boot Disk.
It will suggest several clearing options, two of which are DoD, for newer drives, and Gutmann, for older drives; the former is probably the most common. After it writes the Nuke diskette, it will look as though there is nothing on it, as it is written in a special format (Linux?). Switch off, restart with the Nuke diskette inserted and the clearing will begin. On a trial PC in our office it did 7 runs of clearing and rewriting and took over 4 hours to clear a single C drive.
The best advice so far is to use BCWipe instead of, or in addition to, Eraser, but you have to pay for it.
Verifying
If you have used Method 3 above there is no need to verify that files are gone, but if you are simply removing individual files, you can verify that each has gone by using, instead of the Explorer method above, the Verify button in Eraser, found in the sub-menu. There you simply select the file you want to delete. Be prepared to step through and witness maybe 20 or more overwriting passes.
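As an added illustration (not from the original article, nor from the authors of Eraser or BCWipe), the following Python simulation of a toy disk shows the point made in answers 3 and 6 above and the free-space method of step 1: a plain Delete only drops the index entry and the content can still be carved from unallocated sectors, whereas overwriting the file's own sectors, or all unallocated sectors, before unlinking removes it. The disk geometry, file names and file contents are constructed for the demonstration.

```python
import os

BLOCK, NBLOCKS = 16, 32      # constructed toy geometry: 32 sectors of 16 bytes

class ToyDisk:
    def __init__(self):
        self.media = bytearray(BLOCK * NBLOCKS)   # raw sectors, as a disk image captures them
        self.table = {}                           # name -> block numbers (the index entry)
    def _free_blocks(self):
        used = {b for blocks in self.table.values() for b in blocks}
        return [b for b in range(NBLOCKS) if b not in used]
    def write(self, name, data):
        blocks = self._free_blocks()[: -(-len(data) // BLOCK)]   # ceil(len/BLOCK) free blocks
        if len(blocks) * BLOCK < len(data):
            raise OSError("disk full")
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.media[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.table[name] = blocks
    def delete(self, name):
        del self.table[name]          # plain Delete: the index entry goes, sectors are untouched
    def erase(self, name, passes=3):
        # Per-file erase: overwrite the file's own sectors (0x00, 0xFF, then random) before
        # unlinking. The pass count is a judgement call, not a magic number.
        for b in self.table[name]:
            for p in range(passes):
                fill = os.urandom(BLOCK) if p == passes - 1 else bytes([0x00, 0xFF][p % 2]) * BLOCK
                self.media[b * BLOCK:(b + 1) * BLOCK] = fill
        del self.table[name]
    def wipe_free_space(self, passes=1):
        # The fill-the-drive-with-DeleteN-folders method done directly: overwrite every
        # unallocated sector without touching live files.
        for b in self._free_blocks():
            for _ in range(passes):
                self.media[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
    def carve(self, marker):
        # What an examiner does: search the raw sectors and ignore the index entirely.
        return self.media.find(marker) != -1

def demo():
    d = ToyDisk()
    d.write("photo.jpg", b"JFIF-HEADER-secret-image-bytes")   # constructed sample content
    d.delete("photo.jpg")
    after_delete = d.carve(b"secret-image")    # True: content still sits in unallocated space
    d.wipe_free_space()
    after_wipe = d.carve(b"secret-image")      # False: free-space overwrite removed it
    d.write("notes.txt", b"text to be erased properly")
    d.erase("notes.txt")
    after_erase = d.carve(b"erased properly")  # False: per-file overwrite before unlink
    return after_delete, after_wipe, after_erase
```

The model writes every sector in place; real filesystems and flash-based media do not always do so, which is one reason a whole-drive wipe such as Method 3 is the stronger option.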
Clear your cache and history files
You have cleared your hard drive, but not the records of your past surfing activity, including sites visited. Use Window Washer to clear your browser cache. You can try it for free for 30 days, and purchase it for $39.95.
This is a program that shows you what it is doing as it washes away your history of activity. In addition to washing away browser history, Window Washer also deletes cookies and bleaches files so they are unrecoverable.
But you want to surf safely
If you have purchased Window Washer (above) you can clear after each session, or set it to do this automatically. While washing your cache makes sense, it does not protect you from the possibility of being spied on while online. Those prepared to engage in possible illegal activity, and do it safely, use several techniques and systems about which we have little knowledge, other than hearsay. If you need expert advice on these, read the article by Professor Max Taylor of University College Cork, ‘The Irish child porn collection’, in ‘Child pornography’. In it, he lists several apparently safe methods, which we cannot vouch for.
What if you are set up?
The greatest single problem appears to be that defence lawyers neither have the time nor interest to listen to, and evaluate, the technicalities of file manipulation. Files including images have dates of creation before they are deleted, but only the people who work for the police appear to know what evidence of dates still exists after deletion, when the file or image still sits in an unallocated space.
If so, a record of your last clearance and washing would be desirable. Unfortunately neither of the programs recommended above has a facility for printing out the dates when they were last used, and an internal record would not be much use after the computer is seized.
Invaded, hijacked or guilty as charged?
When the police seize a computer, it seems that they often use computer forensics experts with dubious qualifications. In the UK, for example, they use the Royal Military College at Shrivenham, but we are told that no one has ever failed its course and that it is apparently enough just to attend. There is also a 'qualification' acquired by attending the course of a US company called EnCase. This is not open to those who want to give expert evidence for the defence.
So compounding the issues of accidental acquisition and malicious intrusion is the serious risk of incompetent or prosecution driven ‘expert witness’ being used against innocent people. This demands urgent attention and places a huge question mark over the future of the Internet itself, apart from the issue of individual liberty.
Where a credit card has not been used to acquire images of child pornography, how can the police or so-called ‘expert witnesses’ know whether images found on a hard disk are there because the owner deliberately sought them out or because of either accidental acquisition or hijack? All we have for now is our own experience of what we have heard from experts and what we have read in reputable magazines.
The Mitsubishi and Jack story, which was taken up by Wired, the Register and Security Focus, can be read under ‘Child pornography’ in the menu.
The Wired and other stories caused us so much traffic that our bandwidth was exceeded and the server shut us down. We doubled the bandwidth since, but this is an indication of the interest in the subject.
What would a code of practice mean?
It’s simple but fundamental. If one uses or appeals to an accepted or best code of practice, there is no better defence in a court of law. What is a good or best code of practice? A system or method which conforms to a standard, such as a standard written by ISO or BSI and which has been certified by an independent inspection or certification agency as conforming to that standard. What if there is neither standard nor certification scheme? The usual alternative is an expert witness, but as there are so many incompetent or dishonest expert witnesses testifying on behalf of those who pay them, one must turn to whatever has been written on the subject and attempt to produce the best of that.
We cannot say if what is written here could stand up in court, but Steve Mathews who supplied the important information for this article is admitted as an expert in the High Court in London, and is one of the authors of BS 7799. Brian Rothery, who edited this, wrote the world’s first books on ISO 9000, ISO 14000, BS 7750 and Standards and Certification in Europe (All originally published by Gower UK).
If you are an expert and can help us, perhaps we can together produce a best code of practice and make the Internet safer.