Data Destroyer
Section 12: Further considerations

12A. Purging only the slack area

As mentioned in Refining and confirming the purge operation, the purge confirmation window has a checkbox for specifying that only the slack area should be purged.

Space is allocated to files on a disk incrementally in blocks, called "clusters", consisting of a certain number of 512-byte sectors. A cluster consists of one sector for floppy disks and often, but not always, eight sectors for a hard disk. The cluster size is the number of sectors in a cluster times 512 bytes. For example, if clusters consist of 8 sectors (4 KB cluster size) and a certain file is 6 KB in size, then two clusters are allocated for that file, and the actual data takes up the first cluster and half of the second cluster, leaving 4 sectors (2 KB) of unused space. This unused space is called the slack area. All files have some slack area unless the file size is an exact multiple of the cluster size.

When purging a file it is not necessary to purge the slack area, since it does not contain any of the file's data. If, however, several versions of the file have been saved then the slack area may contain data from a previous version of the file. When Data Destroyer purges a file it also overwrites the slack area.

A selection box allows selection of a cluster size. The value shown when the window appears is the value that has been determined by the program. This is usually correct, but if you know that the actual cluster size for this drive is different from that shown, you can change it.

It is not critical that the cluster size used is the same as the actual cluster size. If the estimate is too large then purge time will be longer than it need be. If it is too small then not all of the slack space will be purged.
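The slack arithmetic above and the effect of a wrong cluster-size selection, worked through as an added example (not Data Destroyer's own code). The function names are hypothetical, and the example assumes the purge overwrites from the end of the data up to the next multiple of the selected cluster size.

```python
SECTOR = 512  # bytes per sector, as stated in the text


def slack_bytes(file_size, sectors_per_cluster):
    """Bytes between the end of the data and the end of the last cluster."""
    cluster = sectors_per_cluster * SECTOR
    return (-file_size) % cluster  # 0 when size is an exact multiple


def purge_coverage(file_size, actual_spc, selected_spc):
    """Compare the real slack with what a purge using selected_spc reaches.

    Assumption: the purge overwrites from the end of the data up to the next
    multiple of the *selected* cluster size.
    Returns (actual_slack, slack_overwritten, bytes_written_beyond_cluster).
    """
    actual = slack_bytes(file_size, actual_spc)
    attempted = slack_bytes(file_size, selected_spc)
    return actual, min(actual, attempted), max(0, attempted - actual)


if __name__ == "__main__":
    # Constructed cases: (file size in bytes, actual spc, selected spc)
    cases = [
        (6 * 1024, 8, 8),   # the 6 KB file from the text, correct selection
        (6 * 1024, 8, 4),   # selection too small: slack missed entirely
        (1 * 1024, 8, 4),   # selection too small: slack partly purged
        (3 * 1024, 8, 16),  # selection too large: extra writing
        (700, 1, 1),        # floppy disk, one sector per cluster
    ]
    for size, actual_spc, selected_spc in cases:
        actual, covered, beyond = purge_coverage(size, actual_spc, selected_spc)
        print(f"{size:>6} B  actual={actual_spc} spc  selected={selected_spc} spc  "
              f"slack={actual:>5}  overwritten={covered:>5}  beyond={beyond:>5}")
```

Under this assumption, the 6 KB file with a 4-sector selection has none of its 2 KB slack overwritten, because 6 KB is already an exact multiple of the smaller cluster size.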

If you choose to purge only the slack area of a file then the contents of the file remain intact and only the slack area is overwritten. This is not quicker than purging the file, because even though only the slack area is overwritten, the entire file must be written to disk for each overwrite of the slack area. Thus it is recommended that purging the slack area only be done for one file or a small number of files, and only when there is a need for this. It is not recommended to purge only the slack area of all files on a disk if there are many files on the disk.

12B. Compatibility with antivirus software

If the Norton Antivirus Auto-Protect utility (or a similar antivirus utility) is active when a file is to be purged, and if the file extension is .doc, .mdb, .xls or one of about twenty file extensions that are typically monitored by antivirus software, then that software may suspend program execution and display a warning message, e.g., "DD400.EXE is attempting to write to the file DATA.DOC." Norton Antivirus then offers you the choice of stopping, continuing or excluding the action.

If this happens then you have two options:
(i) Each time the antivirus software displays a warning message tell it to continue.
(ii) Disable your antivirus software for the duration of this run with Data Destroyer.
Either of these options will produce the same effects as if the antivirus software were not present, i.e., the file will be purged, but (ii) is recommended.

If you tell the antivirus software to exclude the action then the file will not be overwritten but it will still be deleted in the usual way (unless you have requested that the purged file not be deleted) and the contents of the file will still be present for forensic software to find.

When purging a file Data Destroyer checks to see if the file extension is one that Norton Antivirus normally monitors (these are the Auto-Protect default file extensions). If so then for each file, before the file is purged, Data Destroyer will ask:


If you answer Yes or Don't Know then a window such as the following appears:

The best thing to do is to disable the antivirus software while Data Destroyer is running (this can be done before the run or during the run). If you do not disable the antivirus software then clicking on OK will normally produce a warning message for each overwrite of the plaintext file (best avoided).

12C. Protected files

When using Method 1, files with extension bat, bin, com, dll, drv, exe, ini, kbd, ocx, ovl, pif or sys are handled with care to prevent accidental purging of files which may be necessary for the proper operation of your computer, as explained below.

A file with one of the extensions listed above may be purged only after you have confirmed that it is OK to purge such files. You can give a blanket confirmation at the start of the purge operation (see Refining and confirming the purge operation). If not given there, and if a file with one of these extensions is encountered then you will be asked for permission to purge it. This permission applies only for the duration of the current operation (the permissions are reset to No for each file extension at the start of each operation).

There is no such check when using Method 2. When all files in selected subfolders of a folder are purged (see Purging selected folders) or when a disk is purged (see Purging a disk), all the above-mentioned types of file will be purged without confirmation (unless, in a disk purge, the file is in a folder which has been excluded).

Data Destroyer will not purge the current Data Destroyer executable file (i.e., the Data Destroyer program currently being executed), and will also not purge any file which is in the same folder as that file. This is true also during a disk purge.

A special case is the Windows paging file (a.k.a. the swap file). This will not be purged by Data Destroyer. It is also not purged during a disk purge.

12D. Purging the swap file

Programs and data are loaded into fast-access RAM, which is normally anything from 64 MB in size and up. If many programs are running simultaneously then there may not be enough space in RAM to hold all the data, so Windows stores some of it in a file on disk. As different programs are put in use, Windows "swaps" data between RAM and this disk file, so it is called a swap file or, in Windows XP, a paging file.

The swap file can grow to be quite large, often well over 100 MB. It is preserved when Windows shuts down and is used again when Windows starts up, so (unless you have told Windows not to use a swap file) it is always on your computer. In Windows 98 it is normally named WIN386.SWP and is normally located in the root directory of Drive C or in the \WINDOWS folder. In Windows XP it is named PAGEFILE.SYS and is normally located in the root directory of Drive C.

The swap file holds much of the data used during your most-recent use of your computer, so it can contain sensitive information such as credit card details, passwords, images, Excel spreadsheet data and so on. A program for searching the swap file might be able to extract this information.

However, the swap file cannot easily be purged because Windows is continually swapping data to and from it and tries to prevent other programs from doing anything to it. Thus the swap file cannot be purged using Data Destroyer, because this program runs under Windows.

If you are running Windows NT, 2000 or XP then the swap file can be wiped when you shut down your computer. The NT Resource Kit says:

To create a new paging file or to change the size of a paging file, double-click the System option in Control Panel, click the Performance tab, then click the Change button in the Virtual Memory box.

ClearPageFileAtShutdown   REG_DWORD
Range: 0 or 1
Default: 0

Specifies whether inactive pages in the paging file are filled with zeros when the system stops. If this value is set to 1, as the system stops, Windows NT fills all inactive pages in the paging file with zeros so that they cannot be read by another process. It cannot fill all pages with zeros because some are being used by the system or other remaining active processes.

For users of Windows 95, 98 and ME a solution to the problem of purging the swap file is provided by means of an auxiliary program, bundled with Data Destroyer, called WIPESWAP.EXE. This is a console application and can be run under MS-DOS, without Windows being active. The remainder of this page describes how to purge the swap file using this utility.

In the Data Destroyer program menu (via Start | Programs | Hermetic Systems) you can select "Wipeswap program (ZIP file)". Save this ZIP file (WIPESWAP.ZIP) to the top folder on Drive C and unzip it to obtain WIPESWAP.EXE.

Then shut down Windows from the Start menu, selecting "Restart in MS-DOS mode" from the panel when it appears. When your computer has completed restarting you will be at the MS-DOS command line prompt. Change to C:\ if you are not there already. Now enter WIPESWAP at the command line and the command syntax for this program will be displayed, as follows:

WIPESWAP.EXE, Version 3.0, Copyright 2006 Hermetic Systems
Use: WIPESWAP filename [num_writes]
num_writes: number of times file is to be overwritten
(at least 4 times, at most 18 times)
Example: WIPESWAP \WINDOWS\WIN386.SWP 6

WIPESWAP overwrites the swap file first with 0xFF bytes then with zero bytes, and the subsequent overwrites (at least two) use sequences of random bytes. Like Data Destroyer it flushes the data to disk after each overwrite, so that it is the bytes on the disk which are overwritten, not just the bytes in RAM.
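The pass sequence and per-pass flush described above, as an added sketch (not WIPESWAP's source code). The function names and chunk size are hypothetical; the 4 to 18 limit comes from the usage text shown earlier.

```python
import os

CHUNK = 64 * 1024  # write in chunks so large files need little memory


def pass_plan(num_writes):
    """Pass order from the text: 0xFF, zeros, then random for the rest."""
    if not 4 <= num_writes <= 18:  # limits from the WIPESWAP usage text
        raise ValueError("num_writes must be between 4 and 18")
    return ["ff", "zero"] + ["random"] * (num_writes - 2)


def _fill(kind, n):
    """Return n bytes of the pattern for one kind of pass."""
    if kind == "ff":
        return b"\xff" * n
    if kind == "zero":
        return bytes(n)
    return os.urandom(n)


def overwrite_pass(f, size, kind):
    """Overwrite bytes 0..size of an open file once, then force it to disk."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(_fill(kind, n))
        remaining -= n
    f.flush()             # empty Python's user-space buffer
    os.fsync(f.fileno())  # ask the OS to commit its cache to the device


def overwrite_file(path, num_writes):
    """Run the full plan in place; the file keeps its size and is not deleted."""
    plan = pass_plan(num_writes)
    size = os.path.getsize(path)
    with open(path, "r+b") as f:  # r+b: overwrite in place, no truncation
        for kind in plan:
            overwrite_pass(f, size, kind)
    return plan
```

Without the flush and sync after each pass, successive patterns could replace one another in the cache and only the last would reach the disk. In-place overwriting reaches the original sectors only where the file system and storage device write a file's blocks back to the same location.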

If the purge is taking too long then you can interrupt it by pressing the Escape key; in this case the swap file may have been overwritten a number of times but it will not have been deleted. You can delete it using the DOS DEL command (which must be done so that Windows does not try to use a swap file full of random bytes when it is restarted).

When you reboot your computer you will be asked whether to restart in MS-DOS mode or in Windows.
