So, you've got data to delete...
Thu Apr 12, 2007 at 07:34:58 PM PDT
For me, the timing of DogAte has been interesting. I've been in the middle of completely overwriting the hard drive on my new laptop (it caught a lovely little difficult-to-uproot virus -- I'd like to send a big "thank you" to the creators of "vundo" -- and in the course of attempting a disinfection, I accidently nuked Windows). In the process of re-installing everything from scratch, I decided to encrypt part of the hard drive.
So, say you want to completely erase sensitive data and/or protect private information from prying eyes. How do you go about it? As it turns out, it's not all that tough, and most of it can be done with software that is absolutely free.
What follows is a Windows-centric description of this process. Similar (and sometimes, the same) programs are available for most operating systems, though.
The first thing I did, of course, was back up my data. I couldn't get into Windows, and couldn't even "repair" my copy of the operating system, since one or more Windows Updates had left the system incompatible with the original install. However, all was not lost: I had a copy of a Windows Live CD onhand (a version of Windows that can be booted and run entirely from a CD-ROM).
Anyone can make such a CD in case of emergency. The easiest way (in my opinion) is to download and install a program called "BartPE" (link). Run the program, and it basically walks you through the process and can burn the CD directly, assuming you have a CD burner. You will need your Windows CD or the Windows installation files (frequently found on your computer, anyway).
So, I booted into Windows, attached an external hard drive via a USB cable, and backed up everything critical. What next?
I wanted to start from scratch. I didn't want to take the chance of any private data being left someplace it shouldn't be on the hard drive. So my next step was to nuke my hard drive (not literally).
The best-known and easiest way to do this, IMHO, is to use a program called DBAN (short for "Darik's Boot and Nuke". As the name suggests, DBAN is a program that lets you boot a computer and completely overwrite all data on its hard drive. As with BartPE, you'll need to download the program and burn a CD-ROM. It comes in several forms; the easiest is the .iso format (a disk image), which can be burned to CD's using programs such as Nero or the freeware Windows plugin ISO Recorder.
The author of DBAN, by the way, has another excellent free program out there. Eraser can overwrite files and clear free space on a hard drive, making data selectively unrecoverable.
Start your computer with the DBAN disk in it and follow the directions. Just be ready for everything on the disk to be destroyed beyond any hope of recovery. That's what you want, right?
My laptop has a 100 GB disk, and I overwrote everything on it once with random data. The process took about 30 hours. No, it isn't quick. But there's a lot of data to destroy, and DBAN will destroy absolutely everything, with one exception: there is an area on many hard drives called the "Host Protected Area" that DBAN can't reach yet. The HPA may or may not be in use, but if it is it has to be removed before doing the wipe, or DBAN won't get it all.
On to the next step. This being a Dell laptop, there were a number of specific things I had to do. But the long and the short of it is, I needed to partition the hard drive to make room both for the operating system and the encrypted data. I made two partitions, one 35 GB in size and one about 55 GB in size (the remainder was for Dell-specific stuff). This can be done using a Windows install disk, by the way.
Once done, I loaded Windows onto the 35 GB install partition, and proceeded to re-install everything I needed. By now, I had two accounts: an administrator account and a limited user account. It was the limited user account I wanted encrypted.
My program of choice for this task is called Truecrypt. Truecrypt allows you to create and mount encrypted files that act like little hard drives. It also allows you to do this with entire partitions. Truecrypt is an open-source program that implements several world-class encryption algorithms including AES (certified by the NSA for government use in protecting data up to the top secret level). It can run in the background, providing seamless access to your encrypted data once you enter the password.
In this case, I wanted the profile (e.g. everything normally found for a Windows account under "C:\Documents and Settings\xxx" for the limited user entirely encrypted.
Fortunately, a Truecrypt user has created an add-on to do just this. It's called TCGina, and it works in conjunction with the normal Windows logon to mount an encrypted partition that contains the profile in question. The installation is a little bit beyond the scope of this writeup, but the included manual/help file is more than adequate for describing the process, which is highly automated.
So here I am typing away on a laptop in which all my data is stored entirely within encrypted partitions, utterly unrecoverable without the password. Not bad. Wonder if the RNC did anything like that?
Permalink | 32 comments