Cyber Security Awareness Month - Day 16 - Securing a donated computer

Published: 2010-10-15
Last Updated: 2010-10-16 20:38:15 UTC
by Guy Bruneau (Version: 1)
9 comment(s)

Day 16 ends week two of Cyber Security Awareness Month. If a computer has been donated to you, it is important to be able to trust the software installed on it.

Formatting a computer does not erase the data. Before using the computer, it is recommended to completely wipe the hard drive and install from trusted media. Two programs that can be used to wipe a drive are WipeDrive (commercial only) and Active@ KillDisk (free and commercial). If you are familiar with Linux, you can also use dd or cp with /dev/zero or /dev/urandom.

Note that WipeDrive SystemSaver can wipe the data and keep the operating system intact, but it costs $39.95.

Wiping with dd or Linux copy (free solution)

Boot from a Linux CD/DVD and use one of these methods to wipe a drive:

- cp /dev/zero /dev/hda or cp /dev/zero /dev/sda
- dd if=/dev/urandom of=/dev/hda or dd if=/dev/urandom of=/dev/sda
- dd if=/dev/zero of=/dev/hda or dd if=/dev/zero of=/dev/sda
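
The zero-fill method from the list above with a read-back check added, as an example that is not part of the original diary. The function names are hypothetical, and the target is assumed to be either a whole drive such as /dev/sda (from a live CD) or a disk image file for a dry run.

```shell
#!/bin/sh
# Added example: zero-fill a drive (or disk image) and verify the overwrite.
# Function names are illustrative; they do not come from any tool on this page.

# Size in bytes of a block device or a regular file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Count bytes that are not 0x00; 0 means the zero-fill reached every byte.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Overwrite exactly the target's size with zeros, as dd if=/dev/zero does.
wipe_zero() {
    target=$1
    # Refuse a disk with a mounted partition: never wipe the running system.
    if [ -b "$target" ] && grep -q "^$target" /proc/mounts 2>/dev/null; then
        echo "refusing: $target is mounted" >&2
        return 1
    fi
    size=$(target_size "$target") || return 2
    # Bounding the write by size lets the same code run on an image file.
    head -c "$size" /dev/zero |
        dd of="$target" bs=1048576 conv=notrunc 2>/dev/null || return 3
    sync
}

# Succeeds only if the whole target reads back as zeros.
verify_zeroed() {
    [ "$(nonzero_bytes "$1")" -eq 0 ]
}

# Usage: sh wipe.sh /dev/sdX   (or an image file for a dry run)
if [ "$#" -eq 1 ]; then
    wipe_zero "$1" && verify_zeroed "$1" && echo "$1: every byte reads back as zero"
fi
```

A read-back check only applies to the zero-fill methods; a drive filled from /dev/urandom cannot be verified this way.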


The final step is to reinstall the operating system and all your favorite software from trusted, clean media.

If you know of other methods for wiping a donated computer clean, you can share them via our contact form.
 

Update 1: Eraser is a tool for Windows to remove sensitive data from a drive, and Terence indicated that Seagate's Seatools can be used to overwrite a drive with zeros.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org


Comments

I thought most people used DBAN (Darik's Boot and Nuke) to wipe drives. http://www.dban.org/ It's quick, easy and effective... always worked well for me.
The ATA spec has a secure erase command. hdparm on Linux can be used to execute this command. There's also a utility at http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml - Usually the secure erase can do a better job faster than DBAN or many of the other wipe utilities.
/dev/zero and /dev/urandom are also available on Mac OS X.
DBAN is also included on System RescueCD amongst other useful tools, including a bootable Linux CD distro.

If you just delete the partition and install the O/S, there's nothing that can "leak" through from the previous system. So, there's really no reason to wipe it more thoroughly.
Agree with doj8, no need for the recipient to overwrite. The giver should have been advised to overwrite. Ethically, you should not use any software to retrieve unwiped but deleted/formatted data.

A fresh OS and software install is the best; most OS installers can delete/repartition/format, just make sure you let them do so.

Now if you suspect illegal data which could be forensically recovered and put you in suspicion, then wipe. One of the RescueCD tools is MHDD which can be used for ATA spec erase. The ATA security commands can sometimes be blocked by BIOS, but DBAN will still work, only slower.
I like to use the Linux badblocks utility, as it leaves the disk totally zeroed and verifies the surface at the same time. Remember, you don't know if that drive really works properly or not until you test it.
I use DBAN on the UBCD.

I've been stunned at the condition of some donated computers we get, anywhere from hardware-filthy to software-filthy. I usually boot into the OS out of curiosity or to check devices. I've found unsecured accounts with company documents (which I did not touch) and once got a donation that was crawling with malware.

I am very grateful to people/companies who choose to donate instead of toss old computers. I just wish that they'd sanitize first. Not only do they protect themselves, but it's also usually a *volunteer* working on a donated computer, and they don't have all the spare time in the world.
One of our clients once bought some "refurbished" formerly-leased laptops from Dell. The purchasing agent simply handed them directly to the recipients, without going through us (their IT department). One engineer came to us with a disturbed look to point out his "new" refurbed laptop was full of Top Secret documents from a military contractor. Thankfully, he had a high level clearance, but it was very disturbing to me that those documents were left on a laptop and that Dell's "refurbishment" did not erase the documents (or anything on the laptop). Even more disturbing was that no one even cared when we tried to report it to Dell, the contractor, or the military.
