Sample Procedure for CISA 310: Cybersecurity Processes & Technologies. Step-by-Step Procedure for Media Sanitization, Lab 0 Part 0. Valorie J. King, 6/25/2015.
Title: Media Sanitization
Operating Environment:
1. Operating System: Linux (Paladin version 3.0 boot USB or DVD/CD)
2. Firmware: BIOS which allows boot from removable media
3. Hardware:
a. Compatible workstation or laptop
b. Boot Device: DVD, CD-ROM, or USB port
c. Boot Media containing Paladin
Description:
This system administration procedure provides instructions for using Paladin to sanitize media prior to reuse or disposal. The operation results in media which are forensically sterile. The "forensically sterile" state is achieved by using the following approved procedure to overwrite the media with a pattern of 0x00 in every byte, and then reading the device back to confirm that no other byte value remains. A single-pass fixed-value overwrite of this kind corresponds to the "Clear" level of sanitization in NIST SP 800-88 Rev. 1 (Kissel et al., 2014); it is appropriate for magnetic hard disks and for reuse within the organization, but it is not by itself a "Purge" of the media.
Notes, Warnings, & Restrictions:
1. The Paladin tool is distributed free of charge by Sumuri, LLC. See the vendor’s website http://sumuri.com/products/paladin/ for additional details about the product. You must register before you can download the software distribution. Instructions for creating bootable media from the software distribution package are available from the vendor’s Website.
2. All imaging media checked out from inventory or supply cabinets must be verified as forensically sterile before use as target media for a forensic imaging process. To verify that media is forensically sterile, perform steps 7 – 9 of "Forensic Sterilization of Physical Devices / Media" (shown later in this document).
3. This procedure will remove all information ("wipe") from the selected hard disk, solid state drive, or other writable computer storage media ("device").
4. Verify that the correct device has been selected prior to starting the "wipe" operation. Selecting the wrong device or drive may result in destruction of the system hard drive for the workstation or laptop on which Paladin is running, or of any other drive that happens to be attached. Confirm the device designation (e.g. /dev/sdc) against the drive's size, make and model before clicking WIPE.
5. This procedure will remove all partitioning and/or formatting information from the hard drive or removable media. This information must be restored using the appropriate partitioning and/or formatting utility prior to the media being used.
6. The overwrite and the verification read only the user-addressable (LBA) area of the device. Sectors hidden by a Host Protected Area (HPA) or Device Configuration Overlay (DCO), remapped bad sectors, and the spare blocks that a solid state drive's wear-leveling uses are not overwritten by this procedure. For SSDs, NIST SP 800-88 Rev. 1 recommends the drive's built-in sanitize / secure erase or cryptographic erase commands rather than an overwrite when a Purge-level result is required.
Resources:
Kissel, R., Regenscheid, A., Scholl, M., & Stine, K. (2014). Guidelines for media sanitization (NIST SP 800-88, revision 1). Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
Sumuri, LLC. (2015). Paladin. Retrieved from http://sumuri.com/products/paladin/
Procedures:
Boot & Launch Paladin
In this section, you will launch the Paladin Toolbox after booting the local computer using the Paladin Boot Media. This media can be either USB or Live CD/DVD. You may need to change the BIOS or UEFI options in order to boot from USB.
1. Boot a laptop or workstation using a Sumuri Paladin version 3.0 Live CD/DVD or boot USB.
2. Choose your Language Option (English is the default)
3. Boot Paladin (default choice) by pressing Enter
4. Click OK to accept the usage agreement
5. Launch the Paladin Toolbox application
Figure: Paladin Toolbox at startup.
Forensic Sterilization of Physical Devices / Media
In this section, you will forensically sterilize a physical device (USB or hard drive) using the “Wipe” function in Paladin. After the wipe operation has completed, you will verify that the device is forensically sterile using DCFLDD (to check for zeroes in all bytes of the device).
1. Physically connect the drive or media to be sterilized. (Note: You do not need to put a hardware write-blocking device into the data path. Paladin's boot configuration software write-blocks attached storage devices by default, so nothing is written to the device until you explicitly start the WIPE operation.)
2. Click on the WIPE tab at the top of the Paladin window
3. Using the drop down box, select the drive to be wiped. Note the drive designation as displayed by Paladin, e.g. /dev/sdc.
4. Click WIPE to start the wiping process.
5. You can switch to the TASKS tab to monitor the progress of the WIPE operation from within Paladin. There should also be a pop-up window which provides task progress.
6. After the wipe has completed, launch a terminal window
7. Type the following command to verify the wipe, substituting the drive designation noted in step 3 for drivedesignator: sudo dcfldd pattern=00 vf=drivedesignator
For our example, the drive designator was /dev/sdc, so the command to verify the wipe is: sudo dcfldd pattern=00 vf=/dev/sdc
(pattern=00 tells dcfldd to generate an input stream of 0x00 bytes; vf= tells it to compare that stream against the named device instead of writing an output file.)
8. If the command output reports a "match" then your media has been properly wiped and is now forensically sterile. If you receive any other output (a mismatch, or an I/O error while reading the device), your media has not been properly wiped. Restart this procedure at step 3, re-checking that the correct device is selected.
9. If the media is to be reused, label it appropriately and then store in an approved storage container. For installed hard drives, affix the label to the outside of the drive enclosure.
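The wipe-and-verify sequence above, as an added example that is not part of the original procedure and not Sumuri's or Paladin's code. It is a POSIX shell script using dd, head, cmp, tr and wc in place of the Paladin WIPE tab and dcfldd, so it can be run on any Linux system. Instead of a real drive such as /dev/sdc it operates on a constructed image file created by make_test_device; the blockdev --getsize64 call is the assumed way to size a real block device and is not exercised on the image file. Both checks implement the same idea as step 7: read every addressable byte back and confirm none is anything other than 0x00.

```shell
#!/bin/sh
# Added example: zero-overwrite and verification of a storage target.
# Not the Paladin tool; a plain-shell equivalent of the WIPE + dcfldd steps.
set -eu

# Size of the target in bytes. For a real block device (e.g. /dev/sdc) we
# assume util-linux's blockdev is available; for an image file use wc.
device_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Constructed test "device": a 1 MiB image of random data with a recognisable
# marker string placed at offset 4096, standing in for a used drive.
make_test_device() {
    dev="$1"
    head -c 1048576 /dev/urandom > "$dev"
    printf 'CONSTRUCTED SAMPLE EVIDENCE - NOT A REAL FILE\n' \
        | dd of="$dev" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Step 4 equivalent: overwrite every addressable byte with 0x00 and flush
# the write cache. conv=notrunc keeps the target's length unchanged, which
# is what happens on a block device.
wipe_zero() {
    dev="$1"
    size=$(device_size "$dev")
    head -c "$size" /dev/zero | dd of="$dev" bs=4096 conv=notrunc 2>/dev/null
    sync
}

# Step 7 equivalent: compare a stream of exactly $size zero bytes with the
# device contents. Prints "match" or "mismatch" like the dcfldd check.
verify_zero() {
    dev="$1"
    size=$(device_size "$dev")
    if head -c "$size" /dev/zero | cmp -s - "$dev"; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# Independent second check: count the bytes that are NOT 0x00. A sterile
# device yields 0; anything else tells you how much was left behind.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Demonstration on a temporary image file (run with: sh wipe_verify.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    img=$(mktemp)
    make_test_device "$img"
    echo "before wipe: $(verify_zero "$img" || true), non-zero bytes: $(nonzero_bytes "$img")"
    wipe_zero "$img"
    echo "after wipe:  $(verify_zero "$img"), non-zero bytes: $(nonzero_bytes "$img")"
    rm -f "$img"
fi
```

Two design points carry over to the real procedure. First, the verification reads the whole device independently of the tool that wrote it, so a wipe that silently stopped early (bad sector, unplugged USB cable, wrong device chosen) is caught rather than assumed. Second, both checks only see the LBA range the operating system exposes, which is exactly the limitation noted for HPA/DCO areas and SSD spare blocks in the Notes above.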