Active@ KILLDISK for DOS Copyright (c) 1999-2003 LSoft Technologies Inc. USERS MANUAL 1. PRODUCT OVERVIEW 1.1. Deleting Confidential Data 1.2. Advanced Data Recovery Systems 1.3. High Standards 2. SYSTEM REQUIREMENTS 3. OPERATING PROCEDURES 3.1. Prepare bootable floppy disk (startup disk). 3.2. Run Active@ KILLDISK (Interactive mode) 3.2.1. Start data erasing on the particular HDD or partition 3.2.2. Erasing Progress 3.2.3. Erasing Report 3.3 Configuration Options 3.3.1. Erase methods 3.3.2. Number of Passes 3.3.3. Verification 3.3.5. Ignore Errors 3.3.6. Clear Log File before Start 3.3.7. Skip Confirmation 3.4. Run Active@ KILLDISK (Command Line mode) 3.4.1. Parameters description 3.4.2. Start Active@ KILLDISK with parameters 4. COMMON QUESTIONS 1. PRODUCT OVERVIEW 1.1. Deleting Confidential Data Modern methods of data encryption are deterring unwanted network attackers from extracting sensitive data from stored database files. Unfortunately, attackers wishing to retrieve confidential data are becoming more resourceful by looking into places where data might be stored temporarily. A hard drive on a local network node, for example, can be a prime target for such a search. One avenue of attack is the recovery of supposedly-erased data from a discarded hard disk drive. When deleting confidential data from hard drives or removable floppies, it is important to extract all traces of the data so that recovery is not possible. Most official guidelines around disposing of confidential magnetic data do not take into account the depth of todays recording densities. The Windows DELETE command merely changes the file name so that the operating system will not look for the file. The situation with NTFS is similar. Removal of confidential personal information or company trade secrets in the past might have used the FORMAT command or the DOS FDISK command. Ordinarily, using these procedures gives users a sense of confidence that the data has been completely removed. When using the FORMAT command, Windows displays a message like this: Important: Formatting a disk removes all information from the disk. The FORMAT utility actually creates new FAT and ROOT tables, leaving all previous data on the disk untouched. Moreover, an image of the replaced FAT and ROOT tables are stored, so that the UNFORMAT command can be used to restore them. FDISK merely cleans the Partition Table (located in the drive's first sector) and does not touch anything else. 1.2. Advanced Data Recovery Systems Advances in data recovery have been made such that data can be reclaimed in many cases from hard drives that have been wiped and disassembled. Security agencies use advanced applications to find cybercrime-related evidence. Also there are established industrial spy agencies adopting sophisticated channel coding techniques such as Partial Response Maximum Likelihood (PRML), a technique used to reconstruct the data on magnetic disks. Other methods include the use of magnetic force microscopy and recovery of data based on patterns in erase bands. Although there are very sophisticated data recovery systems available at a high price, data can easily be restored with the help of an off-the-shelf data recovery utility like Active@ File Recovery (www.file-recovery.net) or Active@ UNERASER (www.uneraser.com), making your erased confidential data quite accessible. Using Active@ KILLDISK, our powerful and compact utility, all data on your hard drive or removable floppy drive can be destroyed without the possibility of future recovery. After using Active@ KILLDISK, disposal, recycling, selling or donating your storage device can be done with peace of mind. 1.3. High Standards Active@ KILLDISK has several methods for data destruction that conform to US Department of Defense clearing and sanitizing standard DoD 5220.22-M, German VSITR, Russian GOST p50739-95. More sophisticated methods like Gutmann's or User Defined methods are available as well. You can be sure that once you wipe a disk with Active@ KILLDISK, sensitive information is destroyed forever. Active@ KILLDISK is a quality security application that destroys data permanently from any computer that can be started using a DOS floppy disk. Access to the drive's data is made on the physical level via the Basic Input-Output Subsystem (BIOS), bypassing the operating systems logical drive structure organization. Regardless of the operating system, file systems or type of machine, this utility can destroy all data on all storage devices. Thus it does not matter operating systems and file systems located on the machine, it can be DOS, Windows 95/98/ME, Windows NT/2000/XP, Linux, Unix for PC. 2. SYSTEM REQUIREMENTS To be able to use Active@ KILLDISK you require: - AT compatible CPU with 386 or greater processor - 4Mb of RAM - 1.44 Mb floppy diskette drive - Bootable Floppy disk containing MS-DOS 6.0+,or startup disk for Windows 95/98 - HDD of type IDE/ATA/SCSI attached to be erased. 3. OPERATING PROCEDURES 3.1. Prepare bootable floppy disk (startup disk). If you do not have bootable floppy, you can prepare such disk from MS-DOS, Windows 95/98 the following ways: - If you boot in MS-DOS or in Command Prompt mode of Windows 95/98, insert blank floppy and type: FORMAT A: /S and follow the instructions on a screen. - If you boot in Windows 95/98, go to the "Control Panel" then "Add/Remove Programs", then switch to tab "Startup Disk" and click button "Startup Disk..." Copy Active@ KILLDISK (KILLDISK.EXE) to the bootable floppy disk Alternatively you can use ours "Bootable Floppy Creator" that allows you to create bootable floppy with DEMO version of Active@ KILLDISK pre-installed. Look in the Downloads section at product's web site: www.killdisk.com 3.2. Run Active@ KILLDISK (Interactive mode) - Boot from the bootable floppy in DOS mode - Run Active@ KILLDISK by typing in command line: KILLDISK.EXE You will see the list of detected hard disk drives and partitions. When you move cursor through them, you'll see their system information. 3.2.1 Start data erasing on the particular HDD or partition - Using arrows select hard disk drive or partition you want to erase at the left side. Configuration dialog appears. - Using arrows and [F10] key choose configuration options (see Configuration Options section) or leave defaults and press F10 to continue - To confirm the erasing action, please type: ERASE-ALL-DATA Erasing process will start. 3.2.2. Erasing Progress See the progress and stop the operation if you want to. - Wait until operation is complete or - Stop an operation at any time by pressing [ESC] After operation is completed successfully you'll see erasing report. If there are any errors, for example due to bad clusters, you'll see them on the screen and will be able to continue or cancel the operation. 3.2.3. Erasing Report After erasing operation is complete, report is displayed. It contains target drive, timing, erase method, etc. related to the erasing session. If there were some errors, for example bad clusters, you'll see this information here. Use arrows to scroll window. Example of the Erasing Report: ------------- Erase Session ----------------------- Active@ KILLDISK started at: Thu Feb 20 11:56:51 2003 Target: Floppy (00h) 1.40MB Erase method: US DoD 5220.22-M Passes:3 Verification:40% (completed successfully) Time taken: 00:01:26 Total number of erased device(s), partition(s): 1 The report is automatically saved to KILLDISK.LOG file located at the same folder where you started Active@ KILLDISK from. 3.3 Configuration Options: 3.3.1. Erase methods Erase method allows to define security level or cleaning standard for the following erase operation. It is one of: - One pass zeros: 1 pass, quick, low security - One pass random: 1 pass, quick, low security - US DoD 5220.22-M: 3 passes, slow, high security - German VSITR: 7 passes, slow, high security - Russian GOST p50739-95: 5 passes, slow, high security - Gutmann: 35 passes, very slow, highest security - User Defined: You can specify number of passes (random) 1 to 99 3.3.2. Number of Passes For all erasing methods except User Defined this number is fixed and cannot be changed (see above). For User Defined method you can change number of passes. Each overwriting pass will be performed with a buffer containing random characters. 3.3.3. Verification After erasing is complete you can direct software to perform verification of the surface on the drive to be sure that the last overwriting pass was performed properly and data residing on drive now match data written by KILLDISK. Verification is a long process. You can turn off the verification, or turn it on and specify percentage of the surface to be verified. 3.3.4. Retry Attempts If error happens while data reading/writing onto the drive (it could happen, for example, due to the physical damage of drive's surface), Active@ KILLDISK tries to perform the operation again and again, and you can specify number of retries to be performed. If drive is not completely damaged, sometimes after several retries it is possible to read/write sector. 3.3.5. Ignore Errors If this option is turned on, you'll not see error messages while data erasing/verification is in progress. All errors have been ignored, however all information about errors will be written to the KILLDISK.LOG file and displayed later on in the Erasing Report. 3.3.6. Clear Log File before Start If this option is turned on, KILLDISK.LOG log file will be truncated before erasing starts, and after erasing completion will contain information only about the last session. If this option is turned off, KILLDISK.LOG log file will not be truncated, information about the last erasing session will be appended to the end. 3.3.7. Skip Confirmation If this option is turned on, you'll not be asked to type phrase: ERASE-ALL-DATA on the next step of the erasing process. This confirmation step is just skipped. Turning off this option (default state) is safer because you have one more last chance to see what is going to be erased completely with no possibility of future data recovery. Advanced users can turn it on to speed up the process. 3.4. Run Active@ KILLDISK (Command Line mode) Active@ KILLDISK has command line mode. To get the help type: KILLDISK.EXE /? 3.4.1. Parameters description -erasemethod=[0-6] - Erase method to be applied See "Erase methods" section above -passes=[1-99] - Number of Passes for User Defined method See "Number of Passes" section above -verification=[1-100] - Percentage of surface to be verified See "Verification" section above -retryattempts=[1-99] - Number of retries if read/write error occurs See "Retry Attempts" section above -ignoreerrors - Ignore error messages display. If any error occurs-just write to the log and skip it -clearlog - Clears the log file before erasing starts See "Clear Log File before Start" section above -noconfirmation - Skip confirmation step before erasing See "Skip Confirmation" section above -test - Create a file containing hardware configuration Send this file to us to analyze the problem if any -eraseallhdds - Automatically erase all detected hard disk drives 3.4.2. Start Active@ KILLDISK with parameters You can use this command line to erase all detected hard disk drives using the most secure Gutmann's method (35 passes) with no user confirmation: A:\>KILLDISK.EXE -eraseallhdds erasemethod:5 -noconfirmation -verification=100 After operation is completed successfully, 100% of drive's surface would be verified and information on how drives have been erased is saved to the KILLDISK.LOG file. 4. COMMON QUESTIONS 4.1 How many operating systems supported by Active@ KILLDISK? Active@ KILLDISK is a DOS program and it does not matter which operating system is installed on the machine. If you can boot in DOS mode (from boot diskette for example), you can erase any drives independently of Operating System installed (it could be DOS, Windows, Linux, Unix for PC). 4.2 I cannot boot from floppy. What to do? The reasons could be: - Your machine has boot priority for HDD higher than for floppy. Go to BIOS, check it and change the priority if so. - Your floppy disk is not bootable or damaged. Verify whether system files (COMMAND.COM, etc..) are located on floppy or not. If so, disk or some files are probably damaged If not, prepare and test bootable floppy disk (see documentation)