I have a few questions about security on a harddrive. If I have some files that I want to protect, what type of encryption/encryption software would I need to use?

Also, I would like to be able to permantly delete some files, I know in windows XP putting something into the recycle bin and emptying it doesn't even permantly delete the file, and it can be recovered. What would I need to permantly delete them?

I know windows also keeps track of what documents have been recently used (ie: Documents on Start Menu), and keeps logs of files accessed and the time of access. Is there any way to disable this feature?

One last thing, about external hard drives. I'm looking for an external harddrive that I can plug into a usb slot, and have immediate access to. This way I will be able to bring my harddrive with me to a friends computer, and plug it in and transfer files. I'm also wondering if someone gets onto my computer, and the external harddrive is not plugged in, will they still be able to view what files I have accessed on the external drive in the past? I would like it so this person wouldn't even know I had an external HD hooked up at one time. Possible?

Sorry for the boatload of questions, but I really need some advise. Thanks.

If you want security don't use windows, end of story. The only time you should think security and run windows is if the install is inside an encrypted container running on a VM without access to the network. Typical layering is UNIX - encrypted container - VM - Win32. There isn't really a way to turn of Windows' tracking of user history, so you need to pick up a wiping product. Those are pretty spendy and aren't horribly trustworthy. Deleted file wiping is pretty common among utility packs like Norton. Most will only do 1 or two passes, usually zeros then ones. To be really sure the data is gone, 7-13 passes are recommended, zeros, ones, random, repeat.

There are a variety of products out there to encrypt data, from simple PGP-type file encryption to steganography to double-encrypted volumes. You have to know more about what you're trying to accomplish in order to find the right one. Some apps allow you to mount encrypted files as volumes, others just allow you to take items out or in as you need. Steg programs hide encrypted data inside other file types, but these days it's increasingly obvious where things are hidden.

Also note that if you're trying to hide something from law enforcement inside a container, they can subpoena you for the key, and if you don't provide it you wind up in jail anyway. That's why doubly-encrypted containers exist, the first is essentially a honeypot with some dummy/unimportant files in them, the second is hidden inside the first and requires a second key. Most also make use of steg to hide the second. The idea here is that law enforcement gets the first key out of you and misses the presence of the second container.

Overall:
* you're going to spend a lot of money to do all this on windows
* you're probably going to end up buying closed-source apps
* closed-source apps are not particularly trustworthy, especially those released post-2001
* you're going to have to decide what type of protection is best for you, be it easily mountable containers, steg containers, or something more elaborate
* pick decent key phrases
* don't lose your keys or key phrases
* and for crying out loud, if you have sensitive data, don't blab about it or send any hint of it out that's unencrypted. so many dumbasses invest in all sorts of encryption apps and procedures only to give themselves away by opening their fat mouths.

thanks for that reply snugglebear, I had no idea it could get so complicated, I guess I'm going to have to look into all these options. Do you or anyone else have a recommended website/forum devoted to this topic?

first there are a few aps that will securely delete and overwrite freespace, but when employing NTFS its is complicated by Alternative Data Streams

1st Wipeout Pro (http://www.securitysoftware.cc/apps.html) (I have the older freeware version, that is no longer available Pro run $30 and mine can overwrite with various patterns up to 32 times

Alternative Data Streams
http://www.heysoft.de/nt/ntfs-ads.htm
http://patriot.net/~carvdawg/docs/dark_side.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q319300
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q101353
LADS (http://www.heysoft.de/Frames/f_sw_la_en.htm) (freeware)
Streams (http://www.sysinternals.com/ntw2k/source/misc.shtml) @ Sysinternals (freeware)
Foundstone Forensic Toolkit (http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/forensic-toolkit.htm) (freeware)
CrucialSecurity, CrucialADS (http://www.crucialsecurity.com/downloads.html) (freeware)



then there are a few cryptographic Win32 aps worth investigating

Cryptosuite (http://www.diamondcs.com.au/cryptosuite/)
employs RSA, RIJNDAEL and TWOFISH.

whatever you do dont use "new" encryption algorithms
as they really really arent "better"just less tested. stick to PGP, RSA, Rijndael ect

a few links
http://www.pcstats.com/articleview.cfm?articleID=252 (very basic mostly regarding SSL)
http://csrc.ncsl.nist.gov/
http://www.cs.auckland.ac.nz/~pgut001/links.html (linkfarm)

all in all Id still defer to Snugglebear
while I have done some decent research in this area
he actually does this stuff :p

and one more link

http://nsa2.www.conxion.com/

The key component is figuring out what the heck you're trying to do, i.e. what are you trying to protect/conceal from who? Law enforcement is one thing, private parties or nosy girlfriends are another.

It's not that hard to protect a drive full of sensitive data, it's far harder to conceal the data on the drive and make it believable. Covering your tracks on your own workstation is another thing entirely and largely depends on what OS you want to use. But overall, the biggest problem is the user(s). They do stupid things like pick easy passwords/keyphrases, leave private keys on public servers, choose short key lengths, give away their passwords, etc. If you're going to be taking sensitive data to a friend's house, make damn sure he's not going to blab about it, distribute it, and is covering his own tracks as far as usage goes.

Originally posted by Snugglebear
If you want security don't use windows, end of story.

Dont want to start a war here but cmon man... We have enough misinformed infants spreading bad information around here...

Anyone that knows a thing about security knows its whats betweent the keyboard and chair that makes or breaks a secure system....

Both have their highs & lows... Just really getting sick of this...

It's a closed-source system, one that's tracking a whole lot of what you do so it can allegedly make your life easier. If it was more configurable so all the activity logging could be easily disabled, I might feel more affinity for it. But no matter what, we come back to closed-source, and a definite philisophical difference.

Id agree, being all things to all people Windows has inheirent security issues, they are supposedly being addressed,
but that has been heard before

there are some almost bulletproof OS's
Open and FreeBSD come to mind
and there are 2 primary reasons for that
they arent as big a target
and the care with which the code was written to do specific and limited tasks, with security as the primary objective

however if it can be coded, it can be cracked
it boils down to the likelyhood

if security is the primary concern, then Snugglebears assessment is valid