I have worked on a few jobs of this type and it isn't always that sinister a motivation that drives the client. In most cases it is an agreement between the two parties to remove an item (a file or application) as part of a pre-litigation agreement. The offending party agrees to remove the item and then work out a settlement or go to litigation at a later date.
We would come in and image the drive to preserve the evidence of the item. We delete the item(s) and wipe the free/unallocated space and other references and re-image the drive to prove it no longer has useful references to the items at issue.
I use BCWipe and Eraser for wiping, EasyCleaner to delete references in the registry and startup files. I also pack the registry and delete any past registry backups. I am sure I miss a few references but they are so minor that most people are not all that concerned. The fact that the party can no longer access the item or items is what really matters.
As always, I may be completely wrong, but I think that you are making it more "difficult" than it really is.
1) create a "DIR" List of every file that needs to be permanently deleted (including exact size in bytes)
2) create (on ANOTHER HD) one file for each one of the list with the SAME exact size in bytes, these files can be either "00" filled or "random characters" filled, see also this
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2065
3) copy, xcopy, robocopy or whatever newly generated files overwriting the ones on the "source" hard disk
4) defrag "source" hard disk
5) delete files in list
6) defrag again hard disk
Check if you can find even a tiny bit of the original files with any forensic tool.
Otherwise use a file-based (as opposed to RAW based) backup solution, re-format AND wipe the drive, then restore from backup everything BUT the "to be deleted" files.
The "old" (and "poor man") way to defrag a NT 4.00 Workstation in the old times (some of you might remember how NT 4.0 did not come with a built-in defragging tool) was exactly this: I had two installs of NT on two separate partitions, booted to the second (the "emergency") install, used xcopy to copy all the files from "main" partition to a third one, formatted (and optionally wiped) the first one, then xcopied back the files.
😯
jaclaz
Hi,
Regarding disk wiping, there can be a small proviso, that being one or more sectors mapped out by the disk controller prior to any wiping. At a later date those sectors are recovered using a disk utility. If those sectors contained data that should have been wiped, it would now be available again.
If this is a case of wanting to sanitise a laptop before it changes hands, installing a new hard disk would make sense considering the cost of hard drives.
Steve
Ok… here's the scoop on this weird request.
- The client supports a law office.
- The law firm has the user who is resigning from a corporation and User wants to show best effort that all information relating to that corporation that he worked for has been removed from his *PERSONAL* computers.
- The request for erasure is for his personal systems.
- The lawyers and the support company CEO (ex-lawyer) have vetted this request - there is no perception of impropriety on the user's part - he is leaving in good standing and needs to make sure his soon-to-be-ex company is comfortable that all their information is off his drives.
We are first going to image the original systems as given to us - one ExternalHD and one PC. After which:
- We have a list of files that need to be removed given to us by User.
- For the ExtHD, we will copy the remaining files to another drive, wipe ExtHD, reformat ExtHD and restore those files to the ExtHD
- For the PC, we will delete requested files, delete swap, temp areas; Ghost the HD, wipe original drive clean and reimage the drive from the Ghost Image.
- Both ExtHD and PC drive will be reimaged again.
I think that will show good-faith effort on the part of the employee.
Can anyone else think of anything I should consider?
Thank you all for your caution and suggestions!
Regards…
Arthur
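The check jaclaz suggests ("find even a tiny bit of the original files") and the final re-image step in Arthur's plan can be verified by sector hashing, shown here as an added example that is not part of the original thread. It assumes 512-byte sectors and that the original file contents are taken from the pre-wipe image; the file name and sample bytes are constructed.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size; use 4096 for 4Kn drives

def sector_hashes(data, skip_trivial=True):
    """Return {sha256: file_offset} for every full sector of one file to be removed."""
    hashes = {}
    for off in range(0, len(data) - SECTOR + 1, SECTOR):
        block = data[off:off + SECTOR]
        # A sector made of one repeated byte (e.g. all zeros) would match wiped space.
        if skip_trivial and len(set(block)) == 1:
            continue
        hashes.setdefault(hashlib.sha256(block).hexdigest(), off)
    return hashes

def find_remnants(image, targets):
    """Scan a raw image stream sector by sector for surviving file content.

    targets: {name: original file bytes, recovered from the pre-wipe image}.
    Returns [(image_offset, name, file_offset)] for every sector still present.
    """
    index = {}
    for name, data in targets.items():
        for digest, off in sector_hashes(data).items():
            index.setdefault(digest, (name, off))
    hits, pos = [], 0
    while True:
        block = image.read(SECTOR)
        if len(block) < SECTOR:
            break
        match = index.get(hashlib.sha256(block).hexdigest())
        if match:
            hits.append((pos, match[0], match[1]))
        pos += SECTOR
    return hits

def demo():
    # Constructed sample: a 3-sector "confidential" file and two tiny raw images.
    secret = b"".join(bytes([i]) * 256 + bytes([i + 1]) * 256 for i in (65, 70, 75))
    dirty = bytes(SECTOR) * 4 + secret[SECTOR:2 * SECTOR] + bytes(SECTOR) * 3
    clean = bytes(SECTOR) * 8
    return (find_remnants(io.BytesIO(dirty), {"plan.doc": secret}),
            find_remnants(io.BytesIO(clean), {"plan.doc": secret}))

if __name__ == "__main__":
    print(demo())
```

A clean result only covers sector-aligned, uncompressed, unencrypted copies in the addressable area of the image. It says nothing about very small files stored inside file system metadata or about the remapped sectors Steve mentions.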