1

I have a Windows 2008 R2 box in colocation. I want to remove certain files with a high degree of guarantee that they cannot be recovered from physical HDD access.

Could someone please explain what levels of security (NTFS-wise) can be achieved with different tools?

Please note I have RDP into this computer and plain IPMI - I can reboot it safely even if the OS is frozen.

Also a side note - by physical access I mean that there are a bunch of commercial labs that do a fairly good job recovering data from damaged disks (even with damaged magnetic platters) - so I'd like this to be covered. However, I understand that the technology available to such labs is not the same as, say, specialised government agencies (these I don't want to cover).

Boppity Bop
  • 245
  • 2
  • 7

1 Answer

2

All you need is a file shredder program; there are plenty of freeware ones. Chances are good you have one included with your AV software anyway. These tools overwrite the disk sectors multiple times with different data patterns to completely erase their original pattern so that they cannot be recovered even with physical access.

GdD
  • 17,291
  • 2
  • 41
  • 63
  • 1
    You really don't even need multiple overwrites. Have a read of our blog post on this, and the linked questions: http://security.blogoverflow.com/2012/02/qotw-18-how-can-we-destroy-data-on-a-hard-drive/ – Rory Alsop Nov 20 '12 at 14:23
  • As you say in the post it depends on the sensitivity of the data. It may be multiple passes are unnecessary, or it may be advisable, there's not enough information in the question to determine. In any case extra passes won't hurt. – GdD Nov 20 '12 at 14:33
  • Thank you. Could you please recommend a shredder with multiple passes (the info is sensitive indeed, otherwise I won't ask)? – Boppity Bop Nov 20 '12 at 14:37
  • All the shredders do it - even the free ones, Bobb. As GdD said, you probably have one in your AV software. If not, all the ones here will do: http://www.google.co.uk/search?q=file+shredder or if you want to attach the disk to a unix machine, it will have the shred command as part of GNU coreutils. – Rory Alsop Nov 20 '12 at 14:43
  • This is a high profile server app. It can't have AV software. – Boppity Bop Nov 20 '12 at 14:50
  • 3
    *What is this I don't even.* But seriously, if it's high profile, it *should* have some form of AV on there, even if it's just Microsoft Security Essentials. – Polynomial Nov 20 '12 at 14:54
  • @Bobb: Oh bless. :) – Scott Pack Nov 20 '12 at 15:13
  • @Polynomial: Security Essentials would probably be a license violation. Forefront may be an alternative since it's included in the CoreCAL. Either way, it's a licensing problem. Ugh. – Scott Pack Nov 20 '12 at 15:17
  • @ScottPack Yeah, Forefront is licensed for server use. – Polynomial Nov 20 '12 at 15:22
  • It doesn't matter if the shredder overwrites multiple times. The issue is that it might not manage to overwrite even a single time. Thanks to wear leveling, volume shadow copy, etc. – CodesInChaos Nov 20 '12 at 16:01
  • @CodesInChaos Actually I was hoping someone who specialises in security would tell me all of this, but so far I am hearing blabbery from IT wise guys. I am an IT wise guy myself. I have used personal computers since the DEC PDP11... it doesn't make me a security expert... the AV suggestions are just laughable... c'mon... are there security professionals here?? – Boppity Bop Nov 20 '12 at 22:40
  • @Bobb I don't know a shredder that I'd trust to wipe individual files. Most shredders I know simply overwrite the file with new data, and hope that will overwrite the physical bytes. But that's not reliable. If it's important, I'd wipe the whole drive. – CodesInChaos Nov 20 '12 at 23:01
  • Yeah, I was kinda sure of it... just hoped new technologies had arrived or whatever :) I can't low-level format the disk as the box is in the colo with strict access and there are too many implications to get it done remotely... but thanks anyway – Boppity Bop Nov 21 '12 at 01:32
  • @Bobb I'm not sure what IT security professionals you've been talking to, but AV is _absolutely_ necessary on a production server. It's your absolute last line of defence. Even if you consider the box to be entirely compromised once malware hit the disk, at least the AV will alert you to it instead of leaving you to wonder what the hell happened after an attack. – Polynomial Nov 21 '12 at 09:00
  • @Bobb, I completely agree with Polynomial on this one, the high profile servers are the ones you should put AV on **first**! – GdD Nov 21 '12 at 09:59
  • You have no idea what you're talking about, guys. Life is not black and white, and neither is the IT business. This box does not require defense. It works on microsecond intervals and putting AV on it would be something like telling an athlete to wear a hardhat before his attempt to break the 100 m record. I don't really have time for discussions. As I said - any decent lab can recover erased files. You couldn't provide any convincing information that shredding apps can really beat that, and that was the question. AV is not. Thanks for understanding – Boppity Bop Nov 21 '12 at 11:48
  • Wow @Bobb, sounds like you have all the answers. Why'd you ask a question? – GdD Nov 21 '12 at 12:08
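The answer and the comments turn on one mechanical point: a shredder only helps if its writes land on the same disk blocks the secret occupied, and many "save" routines (write a new file, rename it over the old one) never touch those blocks at all. The script below is an added example, not code from the question, the answer or any shredder product; it overwrites a file in place with several patterns the way `shred` does, flushes each pass to disk, and contrasts that with the write-and-rename pattern by checking whether the path still refers to the same file object (`st_ino`, the inode on Unix or the file index on NTFS). The sample file content and the temporary directory are constructed for the demonstration.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # write granularity, 1 MiB


def _fill(f, size, pattern):
    """Write `size` bytes of `pattern` (None = CSPRNG bytes) from offset 0 and force them to disk."""
    f.seek(0)
    remaining = size
    while remaining > 0:
        n = min(remaining, CHUNK)
        f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())


def overwrite_in_place(path, pattern=b"\x00"):
    """One overwrite pass through the existing file handle, so the existing blocks are rewritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        _fill(f, size, pattern)
    return size


def shred_file(path, patterns=(b"\x00", b"\xff", None)):
    """Multi-pass in-place overwrite (zeros, ones, random) followed by unlink.
    Returns (bytes overwritten per pass, number of passes)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pat in patterns:
            _fill(f, size, pat)
    os.remove(path)
    return size, len(patterns)


def rewrite_via_rename(path, data):
    """The common 'safe save' idiom: new temp file, then rename over the original.
    The original's blocks are merely freed, so their old contents survive on the platter."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def same_file_object(path, op):
    """Run op(path) and report whether `path` still names the same file object afterwards.
    True means the data was rewritten in place; False means a new file replaced the old one."""
    before = os.stat(path).st_ino
    op(path)
    return os.stat(path).st_ino == before


def demo():
    """Exercise both paths on a constructed sample file and return the observations."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secret.txt")
    secret = b"constructed secret payload\n" * 200  # sample content, constructed for this example
    with open(path, "wb") as f:
        f.write(secret)
    results = {}
    results["in_place_keeps_file"] = same_file_object(path, lambda p: overwrite_in_place(p, b"\x00"))
    with open(path, "rb") as f:
        results["zeroed"] = f.read() == b"\x00" * len(secret)
    results["rename_keeps_file"] = same_file_object(path, lambda p: rewrite_via_rename(p, secret))
    results["shred"] = shred_file(path)
    results["removed"] = not os.path.exists(path)
    os.rmdir(workdir)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Even when the overwrite does hit the original blocks, the caveats raised in the comments still apply and the script cannot see them: NTFS Volume Shadow Copies can hold an earlier version of the file (on Windows, `vssadmin list shadows` shows whether any exist), very small NTFS files are stored inside the MFT record rather than in data clusters, journaling and earlier temp-and-rename saves by the application may have left copies elsewhere, and on an SSD wear levelling means the logical overwrite may be mapped to different flash cells while the old ones remain readable to a lab. Those are the reasons a whole-volume wipe or full-disk encryption from the start are the dependable options, with per-file shredding covering only the case where the file was written once, in place, on a spinning disk with no snapshots.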