Security and MFT

Guest

Can someone comment on security/privacy as relates to XP use of MFT on NTFS
formatted drives.

This is my first go round with XP Pro and I do legal work etc that needs a
high degree of privacy. I know one can encrypt files but I am more concerned
with what and how long MFT retains file names and small files.

On FAT32 I used a wiping program that took out the files and directory
entries, I read that MFT are untouchable, file names remain and the MFT space
just keeps expanding as it needs to.

Any comments on as to what is fact and if there is any way to clean the MFT
of deleted file entries would be appreciated.
Thanks
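
As an added illustration (not part of the original thread), the Python sketch below builds a constructed NTFS FILE record for a deleted small file and parses it, showing that clearing the in-use flag leaves the $FILE_NAME attribute and the resident $DATA in the record until the record is reused or wiped. The sample file name and contents are constructed, and the update-sequence fixups that a real on-disk record needs are omitted.

```python
import struct

IN_USE = 0x0001                      # record-header flag, cleared on delete
FILE_NAME, DATA, END = 0x30, 0x80, 0xFFFFFFFF

def resident_attr(atype, content):
    """Constructed-sample helper: unnamed resident attribute (24-byte header)."""
    size = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, size, 0, 0, 0, 0, 0,
                      len(content), 24, 0, 0)
    return (hdr + content).ljust(size, b"\0")

def sample_record(name, data, in_use):
    """Constructed 1024-byte FILE record; fixups omitted for brevity."""
    fn = bytes(64) + bytes([len(name), 1]) + name.encode("utf-16-le")
    attrs = (resident_attr(FILE_NAME, fn) + resident_attr(DATA, data)
             + struct.pack("<I", END))
    hdr = struct.pack("<4sHHQHHHHII", b"FILE", 48, 0, 0, 1, 1, 56,
                      IN_USE if in_use else 0, 56 + len(attrs), 1024)
    return (hdr.ljust(56, b"\0") + attrs).ljust(1024, b"\0")

def parse_record(rec):
    """Return in-use state, names and resident $DATA still held in a record."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, flags, used = struct.unpack_from("<HHI", rec, 20)
    out = {"in_use": bool(flags & IN_USE), "names": [], "resident_data": []}
    while off + 8 <= min(used, len(rec)):
        atype, size = struct.unpack_from("<II", rec, off)
        if atype == END or size < 24 or off + size > len(rec):
            break
        if rec[off + 8] == 0:        # resident: content lives inside the MFT
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff: off + coff + clen]
            if atype == FILE_NAME and len(body) >= 66:
                name = body[66:66 + 2 * body[64]]
                out["names"].append(name.decode("utf-16-le", "replace"))
            elif atype == DATA:
                out["resident_data"].append(body)
        off += size
    return out

if __name__ == "__main__":
    deleted = sample_record("client-memo.txt", b"privileged note", in_use=False)
    print(parse_record(deleted))
```

A wiping tool that only overwrites a file's clusters never touches this record, which is why utilities that specifically clean free MFT entries exist.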
 
There are utilities that deal with MFT, such as BCWipe (see Jetico.com). But
if you are highly concerned about the possibility of someone finding
filenames on your system, I would not recommend using Windows, because some
Windows restrictions on "listing" files and directories can be bypassed (i.e.
Traverse Checking restrictions and Listing restrictions) in at least two
different ways, even when the restrictions are correctly implemented.
 
Follow-up: other things to consider are MRUs in the registry and elsewhere,
although programs such as Ad-Aware attempt to clean up MRUs, but you'd need
to use this in conjunction with a secure-erase utility to completely be rid
of them. There are ways to prevent the Traverse-checking and Listing
vulnerabilities from being a problem (e.g. by using BestCrypt or a similar
program), but you need to be fairly skilled with Windows in order to use it
to its fullest potential and to keep yourself from being locked out (e.g. by
losing a key or password, or by having a file get corrupted).
 
Lexus said:
Can someone comment on security/privacy as relates to XP use of MFT on NTFS
formatted drives.

This is my first go round with XP Pro and I do legal work etc that needs a
high degree of privacy. I know one can encrypt files but I am more concerned
with what and how long MFT retains file names and small files.

On FAT32 I used a wiping program that took out the files and directory
entries, I read that MFT are untouchable, file names remain and the MFT space
just keeps expanding as it needs to.

Any comments on as to what is fact and if there is any way to clean the MFT
of deleted file entries would be appreciated.
Thanks

The way most organizations would deal with this is through physical security
(i.e. placing the system in a very secure room.) When you are done with the
system, destroy the hard drive in any method that sounds fun to you
(hammers, drills... dynamite maybe.)

Basically, the same way you would treat a paper document :)
 
Uh, traverse checking is what allows you to view a subfolder in a hierarchy,
without having access to the entire folder hierarchy. Show me how you can
bypass that in an unauthorized manner please.

By the way, other OS's aren't going to solve this problem magically: the
lack of physical security on *any* device will trump any protections you
layer on top of it. If what you are working on is that sensitive, it should
be on a machine in a separate room, not connected to a network at all. If
it did require network connectivity to corporate resources, you could use
IPsec transport mode to secure those communications and ensure a high degree
of privacy. You still have the "trusted attacker" scenario to deal with
however. So the problem is multi-faceted and there is no one solution. You
will have to address this as it is posed to you: in depth, and to counter
each threat at the particular layer it is arrayed against your device.

If the key concern is around privacy, then start asking questions like: Who
could *possibly* get to my data, and using what media? (i.e., wired network,
wireless network, interactive logon, someone looking over my shoulder, RF
interception, etc) What is the value of this data? Will I get fired, sued,
killed, etc if this data is compromised?

When you start this effort, before any recommendations are made as to what
to use or when to use it, you need to look carefully at the threats, and
determine what the cost of that data is. This will help guide you down the
path of what measures you'll need to go to in order to protect the data, or
help you realize what data is *not* worth protecting to the Nth degree.

It seems to me that the concern here is about artifacts. Most of the
artifacts you've mentioned require *physical* access to get to. Lose
physical security, the rest doesn't matter (as I have already mentioned).
 
RE bypassing traverse checking without authorization: one of the ways to do
this is well known and is public knowledge, and the other is not. Several
months ago, I reported the latter issue to Microsoft. I was told that the
Microsoft Security folks had done testing on the latter, but they thought
that it wasn't a severe enough vulnerability to warrant a security patch.
They said that they'd fix the loophole in the next version of Windows. I
disagree with the decision not to create a patch, and in the meantime I don't
rely on Windows restrictions against traverse checking.
 
I just did a test on WinXP with SP2 and found that the latter loophole was
fixed in SP2. So, I'm a happier customer than I was a few minutes ago.
 