CERBERUS
The Destroy command performs DOD 5220.22-M multiple overwriting of the contents of the selected file. The file contents would otherwise be left on your hard disk for potential recovery with the "undelete" command, or with a disk editor utility. (The "delete" command merely unlinks a file's disk clusters from the File Allocation Table; "format" merely constructs a new FAT; and defragmenting is not guaranteed to overwrite any particular area.) The file's entry in the FAT is then overwritten with random characters to obliterate its name, its date/time is set to midnight, 1-JAN-1980, and its size is truncated to zero. Only then are the overwritten file clusters unlinked. This Sanitizing method is designed to counter attackers attempting to recover sensitive data with disk-scanning software installed on your computer (or on theirs, since stealing your hard drive is easy on most personal computers).
NOTE: Each byte is first overwritten with 01010101. The second overwriting pass uses 10101010. This cycle is repeated three times. The final overwriting pass is performed with random bytes generated with an ANSI X9.17c keystream generator. Disk caches are flushed after each overwrite, and the final overwrite is read-back verified.
This method meets or exceeds the Purging requirements of NAVSO P5239-26, AFSSI-5020 and AR380-19. It is approved in DOD 5220.22-M for any reclassifying of Classified hard drives in secure Automated Information Systems, even those certified and accredited for Special Access Programs, but is not approved for Purging disks at any level above Secret.
Due to the residual magnetization necessarily left to hold the disk tracking servo data, the only way to truly destroy disk data is through degaussing and destruction of the disk. However, the residual magnetization recovery techniques used by intelligence services require expensive laboratory equipment and are only practical for very small amounts of targeted data, as opposed to scanning entire hard drives for possibly interesting files.
If the selected file had ever been recorded in your encrypted Document Inventory file (as a result of your Securing, Opening or Verifying it), its recorded size at its last decryption will be used to ensure that the overwriting covers any "tail" left from any subsequent editing you may have done that shortened it. The record of any Destroyed document is automatically purged from the Document Inventory.
NOTE: The Destroy command is used by the Secure command to Sanitize the un-encrypted file, after completion of constructing the secured document. This procedure is used rather than the faster approach of encrypting-in-place, which could leave you with a partially encrypted, damaged file in the event of a power interruption.
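
The overwrite sequence and directory-entry scrubbing described above, sketched as an added example (not Cerberus code). Assumptions: the OS random generator stands in for the ANSI X9.17 keystream generator, a rename stands in for overwriting the FAT name field, and the names `overwrite_pass`, `read_back`, `destroy` and `recorded_size` are hypothetical.

```python
import hashlib, os, secrets
from datetime import datetime

CHUNK = 64 * 1024
FIXED_PASSES = [0x55, 0xAA] * 3          # 01010101 then 10101010, cycle repeated three times
MIDNIGHT_1980 = datetime(1980, 1, 1).timestamp()

def overwrite_pass(f, length, fill=None):
    """Overwrite bytes [0, length) with `fill`, or with random bytes when fill is None.
    Flushes to disk afterwards and returns the SHA-256 of what was written."""
    digest, remaining = hashlib.sha256(), length
    f.seek(0)
    while remaining:
        n = min(CHUNK, remaining)
        # Assumption: OS CSPRNG in place of the page's ANSI X9.17 keystream generator.
        block = secrets.token_bytes(n) if fill is None else bytes([fill]) * n
        f.write(block)
        digest.update(block)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())                 # flush caches after each overwrite
    return digest.hexdigest()

def read_back(f):
    """SHA-256 of the whole file as read back after the final pass."""
    digest = hashlib.sha256()
    f.seek(0)
    for block in iter(lambda: f.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()

def destroy(path, recorded_size=0):
    """Sanitize, scrub metadata, then unlink; returns (passes, bytes covered per pass)."""
    # Cover the larger of the current size and the inventory's recorded size (the "tail").
    length = max(os.path.getsize(path), recorded_size)
    with open(path, "r+b") as f:
        for fill in FIXED_PASSES:
            overwrite_pass(f, length, fill)
        written = overwrite_pass(f, length)          # final pass: random bytes
        # The OS page cache may satisfy this read; a device-level check needs unbuffered I/O.
        if read_back(f) != written:
            raise OSError("read-back verification of the final pass failed")
    scrubbed = os.path.join(os.path.dirname(path), secrets.token_hex(4))
    os.rename(path, scrubbed)            # obliterate the original name
    os.truncate(scrubbed, 0)             # size to zero (before utime: truncation updates mtime)
    os.utime(scrubbed, (MIDNIGHT_1980, MIDNIGHT_1980))
    os.remove(scrubbed)                  # only now unlink
    return len(FIXED_PASSES) + 1, length
```

In-place overwriting reaches the original sectors only where the filesystem and media rewrite blocks in place, as on the FAT hard disks this page describes; journaling, copy-on-write and flash wear-levelling remove that guarantee.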
Your encrypted Document Inventory file may be accessed with a command on the System Menu, so you can conveniently Destroy (or Open or Secure) multiple documents from a batch dialog (whose Destroy button is shown above). Opened documents are listed with a preceding ' - ' to contrast them with secured documents (marked with an ' x '). The dialog has a 30-second inactivity time-out, as opposed to the 15-second inactivity time-out that normally clears from memory the keying information generated by your most recent passphrase dialog.
There is also a Declassify command to independently purge a document record from the Document Inventory, as is automatically done as the last step of the Destroy command. This prevents Document Security Manager from tracking its security state or automatically re-encrypting it on exit.
The System Menu also includes a sub-menu for disk-wiping utilities, including a Sanitize a disk's free clusters command. This command performs DOD 5220.22-M multiple overwriting of all unoccupied sectors on a user-selected disk, and is intended for purging disks whose files have already been "deleted."
The Destroy command is also accessible from the System Menu. On Win9x/NT4 systems, this allows you to keep Document Security Manager discreetly minimized and to control its functions by right-clicking on its Task Bar button. On Win3x systems, which don't have a Task Bar, the Destroy command is also appended (along with the Open and Secure commands) to the System Menu of any other active program. These features are designed to let you remotely control a minimized Document Security Manager from within the programs that you are using to work on the contents of your documents.
The Cerberus logo and the ...Security Manager product names are trademarks of Cerberus Systems, Inc. © Copyright 1997-99, all rights reserved.