Wipe command

(imported topic written by jpeppers91)

What is the wipe command? I keep hearing about it but can’t find it.

(imported comment written by jpeppers91)

Can anyone make any recommendations as to what tools can be used to kill stolen laptops for example?

(imported comment written by tratz91)

That all depends on what your tolerance is for “accidental” wipes, what parameters the wipe process needs to be able to execute under, etc. If you have absolute certainty that your deployed machines will have Internet access back to your BES environment whenever they are “on” for longer than X minutes, hours, etc., then you could take a hard-line approach for BES check-in activity.

The local machine could be configured with a deployed agent that simply sits in the background and pays attention to the last time the BES server was contacted. If no contact has been made in the required time period, the agent could initiate data destruction via DoD wipe processes. Of course, this depends on the machine being on and booted into the operating system with Internet access so the agent can perform its “check” function and avoid an unwarranted wipe.

The above leads in to the next phase of the wipe process - intentional, targeted wipes by a BES admin who would react to a report of a stolen laptop and queue up a kill fixlet for the target machine for the next time it checks in. This also depends on the target machine being on and booted into the operating system with Internet connectivity back to the BES server in order to get the wipe fixlet.

Unfortunately, many systems are stolen for their hardware value and may never be turned on and booted on the original operating system again. For those that are stolen for data contents, keep in mind that these instances more than likely involve thieves who know how to evade the processes outlined above. Those with even a novice level of experience would either mount the hard drive (read only) in another system for data extraction or, at a minimum, a forensically sound image, or they would simply boot the system on a live forensic boot CD. Bottom line - physical access equates to data exposure if strong encryption and authentication processes are not in place.

Recommendation for stolen laptops: design and implement a strong data encryption process (whole disk or targeted data) that relies on a strong two-factor authentication process where those factors cannot both be retrieved from the stolen laptop. Many good whole disk encryption products are available that only rely on single-factor (password/passphrase) authentication, but depending on the value and sensitivity of the data you are trying to protect, this may not be sufficient.

Hope this helps.
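The property tratz describes above (two factors, neither of which can both be pulled off the stolen laptop) is easiest to see in code. The following is an added illustration, not something from this thread or from BigFix/BES: the disk's data key is split into a passphrase-derived share and a random share that is stored off the machine (a smart card, USB token, or an escrow server that only releases it to a device that is still checking in). The laptop keeps only the PBKDF2 salt and a keyed check value, so the stolen disk by itself gives an attacker nothing to test passphrase guesses against. Function names, the constructed sample key and salt, and the 100,000-iteration PBKDF2 setting are all assumptions of this example.

```python
"""Two-factor recovery of a disk-encryption data key (added example).

Shares:
  * passphrase share  - PBKDF2 of the user's passphrase (first factor)
  * token share       - random bytes kept OFF the laptop (second factor)
data_key = passphrase_share XOR token_share

Only {salt, check} lives on the laptop. `check` is keyed with the real
data key, so it cannot be used as an offline oracle for passphrase guesses
unless the attacker also holds the token share.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

KEY_LEN = 32              # 256-bit data key
PBKDF2_ITERATIONS = 100_000   # assumed work factor for this illustration


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def passphrase_share(passphrase: str, salt: bytes) -> bytes:
    """First factor: stretch the passphrase into a KEY_LEN-byte share."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def key_check(data_key: bytes) -> bytes:
    """Keyed check value; only a holder of the real data key can recompute it."""
    return hmac.new(data_key, b"disk-key-check", hashlib.sha256).digest()[:16]


def enroll(passphrase: str,
           data_key: Optional[bytes] = None,
           salt: Optional[bytes] = None) -> Tuple[Dict[str, bytes], bytes]:
    """Split data_key into (laptop_record, token_share).

    laptop_record stays on the machine; token_share must be stored elsewhere.
    data_key and salt are parameters only to keep the example reproducible;
    in real use both come from os.urandom.
    """
    data_key = data_key if data_key is not None else os.urandom(KEY_LEN)
    salt = salt if salt is not None else os.urandom(16)
    token_share = _xor(passphrase_share(passphrase, salt), data_key)
    laptop_record = {"salt": salt, "check": key_check(data_key)}
    return laptop_record, token_share


def unlock(passphrase: str, laptop_record: Dict[str, bytes],
           token_share: bytes) -> Optional[bytes]:
    """Recombine both factors. Returns the data key, or None if either is wrong."""
    candidate = _xor(passphrase_share(passphrase, laptop_record["salt"]), token_share)
    if hmac.compare_digest(key_check(candidate), laptop_record["check"]):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample values so the run is deterministic.
    sample_key = bytes(range(KEY_LEN))
    record, token = enroll("correct horse battery staple", sample_key, b"\x01" * 16)
    assert unlock("correct horse battery staple", record, token) == sample_key
    assert unlock("wrong passphrase", record, token) is None          # factor 1 wrong
    assert unlock("correct horse battery staple", record, bytes(KEY_LEN)) is None  # factor 2 missing
    print("data key recovered only when both factors are present")
```

If the token share is held by a management server rather than a physical token, releasing it only to devices that have checked in recently gives you the "no contact, no access" behaviour described above without ever having to run a destructive wipe on a machine you may never see again.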

(imported comment written by nberger91)

Your recommendation is valued and implemented, however back to the original question…

Does anyone know of a method to nuke a machine, initiated from within the OS/BES ?

We’ve scripted native Windows commands like rmdir, del etc … to delete specific files and folders but wanted something a little more hardcore.

(imported comment written by cstoneba)

I’ve been thinking how to do this too. Some thoughts of mine are:

#1 - del . /f /s /q

#2 - somehow download and run fdisk, create a second partition and make it bootable, then reboot to the new partition, then run a disk wipe utility automatically against the first partition

I thought I heard from someone that IBM/Lenovo has a utility that will basically freeze the hdd and it takes a Lenovo technician to unlock it.

(imported comment written by cstoneba)

I’m currently working on this in my spare time. So far I found an app that will take a picture via command line. I think I am going to just use sdelete from Sysinternals to delete files in Docs and Settings. I’ll keep you posted.

(imported comment written by SystemAdmin)

No comment from BigFix? It would be great if there was a lock/wipe/encrypt command that could be initiated from the BES console the next time (if) the stolen computer reconnected!

(imported comment written by cstoneba)

It would be nice if they had that. My fixlet is pretty much done. If it sees that there is a camera in wmi it takes some pictures, then it gets the external IP address that the user is using, then uploads that info to the BES server and finally, starts deleting files off the drive.

(imported comment written by BenKus)

Hey j2johnson,

We think about this a lot… but to make this work properly, we will want some solid software that we can use to do a full wipe and also we will need the ability to launch it (or schedule it to launch) inside of Windows – this last piece is a problem for some software that expects you to boot into removable media…

If anyone knows of some wipe software with those two pieces, then we are not far at all from either a simple custom solution or maybe we can partner directly with the company to provide this.

cstoneba, your Fixlet sounds very cool… I bet people would be interested if you post it…

Ben

(imported comment written by MattBoyd)

I could be wrong, but doing a complete, and secure, wipe of the System drive while the OS is being wiped is impossible. To completely wipe a system drive, you must boot to another partition or removable media and wipe the drive while it is “offline.”

If you were primarily concerned with wiping content from specific folders (such as My Documents) instead of the entire disk, you could probably get away with using something like SDelete.exe to delete those folders.

I agree with tratz that disk encryption is the best way to go here. Secure deletes and wipes of data on stolen hardware should be thought of as a secondary precaution, and not your first line of defense from data theft.