From: Chris McDonald STEWS-IM-CM-S (1/26/93)
To: orvis%llnl.gov@wsmr-simtel20.ar,
Mail*Link® SMTP Product Test 19

*******************************************************************************
PT-19                                                            November 1990
*******************************************************************************

1. Product Description: Norton Utilities is a commercial disk management utility program with tools for data recovery, disk repair, disk performance enhancement, data security, etc.

2. Product Acquisition: The product is available from Symantec Corporation, Peter Norton Computing Product Group, 10201 Torre Avenue, Cupertino, CA 95014-2132. A toll-free number is 1-800-343-4714. There are also a variety of mail order sources. The retail price is $189.00; but there is no reason to pay that price if one is a careful shopper. Users who have earlier versions of Norton Utilities can upgrade to Version 5.0 for $49.00. [Note: I have ordered Version 6.0 for an upgrade cost of $44.00 as of 2 Jul 91.]

3. Product Tester: Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-7548 or DDN: cmcdonal@wsmr-emh03.army.mil.

4. Product Test:

a. I acquired Version 4.0 in August 1988 for $52.00 from Telemart in Phoenix, Arizona. The retail price at that time was around $100.00. I moved to Version 4.5 in April 1989 for a $39.00 update fee. Finally, I moved to Version 5.0 in August 1990.

b. Product tests occurred on the following systems:

    (1) Unisys PC, Model 3137, MS-DOS 3.10, 512K;
    (2) Zenith PC, Model 248, MS-DOS 3.30, 640K;
    (3) Zenith PC, Model 248, MS-DOS 3.3, 1MB; and
    (4) WYSE PC, Model 1100-1, MS-DOS 3.1, 512K.

c. Norton Utilities has 20 separate utilities. I tested all the utilities with three exceptions: Batch Enhancer, Norton Cache, and File Fix. This test report will not detail the results for each utility.
Readers who need detailed information on the product should consult recent editions of "PC WEEK", "PC Magazine", "PC WORLD", and "BYTE". It is sufficient to say that the utilities perform as advertised. Independent evaluations in the referenced publications identify strengths and weaknesses, particularly in relationship to comparable software products such as PC-Tools, Mace Gold, PC-Fullbak, Professional Master Key, and others. I have chosen to concentrate on those features in Norton Utilities which have significant information systems security implications for the security professional and for the individual user.

d. The documentation received with Version 4.5 and Version 5.0 is excellent. In fact, the "Norton Disk Companion: A Guide to Understanding Your Disks" and "The Norton Trouble-Shooting Guide for Disks" may be worth the price of their respective upgrades. Since the Norton Disk Editor utility is a powerful tool to access and edit sensitive areas of a disk, these supplementary documents are essential if one is to use the product to its full capabilities. Interestingly, the "Disk Companion" document states: "We recommend that you do not attempt to edit any area of any disk--but especially a hard disk--unless you understand what you are doing". The same warning is equally applicable to other utilities.

e. In no special order, here are those utilities which I recommend for their security significance:

    (1) UnFormat
    (2) UnErase
    (3) Disk Editor
    (4) Disk Monitor
    (5) Diskreet
    (6) Image
    (7) WipeInfo

f. UnFormat lets you recover a hard disk that has been formatted accidentally or deliberately. Possible uses include recovery after an accidental format, after a viral or other malicious program activity, or after corruption because of a power failure.

g. UnErase searches for and recovers erased (deleted) files. Possible uses include recovery of files that have been erased by accident or by deliberate action.
Over the last two years I have had the occasion to use the utility in both applications. The number of users who accidentally destroy files and who do not have backup copies may not be large, but there are at least two calls per quarter in my small activity.

If an erased file remains intact, UnErase will automatically attempt to recover the file. The user has the option to supply the filename; or if that is not known, the user may search by data type, text, or other file identifier. In the worst case the user can simply identify all erased files and then attempt the recovery.

If the automatic UnErase is unsuccessful, or the user notices that in unerasing text the clusters are not in the right order on the screen, then manual UnErase is the next step. Enhancements in Version 5.0 have greatly simplified manual operations. However, one needs some practice time to become competent and feel comfortable with the utility.

h. Disk Editor lets you view and edit the entire contents of a diskette or hard drive. I have used this utility extensively for audit purposes and for information reviews. Some Internet users have suggested that one could use Disk Editor to "search" for computer virus strings or signatures. I think there are enough anti-viral scanning products available to accomplish this function more effectively.

i. Disk Monitor is a new utility available in Version 5.0. It provides three features: disk protect, disk light and disk park.

Disk Protect prevents any program from writing on your disks without your approval. The user has the options to write protect system areas, or only files by extensions, or system areas and files, or the entire disk. The latter option protects not only the system areas and all files (no exceptions), but also the FAT, the directories, and the unused clusters. Once a user turns on some level of disk protection, Disk Monitor reviews all attempts to write to all disks.
Whenever an attempt is made to violate the selected protection, a dialog box appears to give the user the opportunity to approve or to disapprove the attempted write operation. Users familiar with Flu-Shot+ and F-PROT will recognize this feature as a potential safeguard against malicious, suspect, or unknown software.

Disk Light displays the name of the drive currently being accessed in the upper right corner of the screen.

Disk Park parks your hard disk heads for those disk units which do not automatically perform this task when power goes off.

j. Diskreet protects files through software encryption. The utility provides two options in Version 5.0. One method is to encrypt files individually by selecting the file, asking Diskreet to encrypt it, and supplying a password. The other method is to create an NDisk on one of your disk drives. NDisk looks like a hidden file to DOS but behaves like a disk drive. The user saves files in it just like any other drive, but every file placed in it is automatically encrypted. The user must access the NDisk by supplying a password. Once the user has "opened" NDisk, encryption and decryption of files occurs automatically.

NDisk has these additional features:

    (1) Optional automatic opening of NDisk during booting
    (2) Optional automatic closing of NDisks by timeout or by hot-key
    (3) Optional audit report of all attempts to open NDisk, successful or not
    (4) Two encryption operations, either a proprietary algorithm or a Data Encryption Standard (DES) implementation
    (5) Optional wiping of NDisk clusters when NDisk is created, expanded, shrunk, or deleted
    (6) Optional keyboard and screen locking by hot-key

The proprietary encryption operation is fast. The DES encryption operation is slower, but faster than other DES implementations which I have used.
Both operations have the following options:

    (1) Wipe/Delete the original file after encryption
    (2) Set the encrypted file to a hidden file
    (3) Set the encrypted file to read-only
    (4) Delete encrypted file after decryption
    (5) Use the same password for an entire session where one intends to encrypt and decrypt several files and where one wants to use the same password for all of them

While I am not qualified to evaluate the strength of either implementation, here are some approximate times for encryption/decryption operations on the Unisys test system.

    Size of File      Proprietary Algorithm    DES Algorithm
     13,802 Bytes           3 seconds            6 seconds
     46,189 Bytes           5 seconds           12 seconds
    193,885 Bytes           9 seconds           45 seconds
    224,744 Bytes          12 seconds           54 seconds

k. Image takes a "snapshot" of your system area and saves the information to a file. This file, IMAGE.DAT, contains the Boot Record, File Allocation Table, and root directory information. If a user accidentally formats the hard drive, UnFormat searches the disk for the IMAGE.DAT file and uses it in recovering data. UnErase uses the IMAGE.DAT file to recover highly fragmented deleted files. The documentation suggests that a user include the Image command in his or her AUTOEXEC.BAT file.

l. WipeInfo protects deleted data by totally obliterating it from a disk so that an unauthorized individual cannot recover it. WipeInfo in Version 5.0 replaces WipeDisk and WipeFile in previous versions. WipeInfo includes these features:

    (1) Ability to select the area to be wiped (i.e., the entire disk, specific files, unused portions of the disk, or the slack area of a file)
    (2) Ability to specify what value should be written over the wipe area
    (3) Ability to specify the number of times to repeat the wipe procedure
    (4) Ability to automatically implement the DoD guideline on declassification procedures for magnetic disks (i.e., CSC-STD-005-85, 15 November 1985, subject: Magnetic Remanence Security Guideline)

5. Product Advantages:

a. Norton Utilities has a variety of tools for data recovery and disk repair. The product provides several features to improve data confidentiality and data integrity.

b. Written documentation is excellent, for both the novice and for the more advanced user.

c. Peter Norton and Symantec Corporation have good reputations for quality products and customer support.

6. Product Disadvantages:

a. Users of Version 4.0 and 4.5 will be initially surprised by the "look and feel" of Version 5.0. It definitely took some time before I felt comfortable.

b. The cost of the product may discourage many government users who are already on tight budgets, or who are committed to software purchases from the Desktop III contract. Desktop III has PC-Tools, Version 5.5, for $21.00 per copy. Although Version 5.0 of Norton Utilities has features not available in the Desktop III version of PC-Tools, users may find that economics, not necessarily technical capabilities, is the dominant selection criterion.

c. The product documentation identifies "warnings" and "important" facts to assist users in their use of the various utilities. Those users who dislike reading manuals may find themselves in difficulty. Therefore, it would seem appropriate to provide user training and a user support capability within activities which acquire the product.

d. The use of the DES algorithm in software requires a waiver for Federal agencies under Federal Information Processing Standard 46-1.

e. The National Security Agency announced earlier this year that it would no longer "certify" software declassification products for its Evaluated Products List. Any discussion of "magnetic remanence" declassification procedures must therefore take this into account.

7. Comments: Whether one selects Norton Utilities, PC-Tools, or some other comparable product, the point is that one must have such a utility on hand simply as a prudent course of action.
It makes little sense to wait until a user accidentally deletes an extremely important file to then form a committee to discuss what course of action should have been taken. There are clearly some decisions to be made as to who will acquire the utility, to whom will it be distributed, who will conduct user training, who will provide customer support, and who will address the subject of program upgrades. If life cycle management procedures operated as they appear in existing policy documents, these decisions would be easy. Unfortunately the reality is that many users have never even heard of recovery programs, have differing perceptions of data security, and have no single source from which to obtain customer support. These matters should be the concerns of managers, not the exclusive domain of technicians. If information resources are really important to our respective missions and functions, then it seems reasonable to factor in protective measures as a normal business activity. Norton Utilities could be an important component of an overall protection strategy.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
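
The WipeInfo options listed in item 4.l (wiping a file together with its slack area, choosing the overwrite value, and repeating the pass) are sketched below. This is an added example, not Norton code and not part of the original report; the names `wipe_file` and `slack_bytes`, the 2048-byte cluster size and the fill values are assumptions made for illustration.

```python
import os
import tempfile

CLUSTER_SIZE = 2048  # assumed allocation unit; the real value depends on the volume


def slack_bytes(size, cluster=CLUSTER_SIZE):
    """Bytes between end-of-file and the end of the file's last cluster."""
    return (-size) % cluster


def wipe_file(path, values=(0x00,), passes=1, cluster=CLUSTER_SIZE):
    """Overwrite a file in place (data plus slack), verify, then delete it.

    values are the fill bytes, cycled pass by pass (hypothetical parameters).
    Returns the number of bytes overwritten on each pass.
    """
    if passes < 1 or not values:
        raise ValueError("need at least one pass and one fill value")
    size = os.path.getsize(path)
    span = size + slack_bytes(size, cluster)  # extend to the cluster boundary
    with open(path, "r+b") as fh:
        for n in range(passes):
            fill = bytes([values[n % len(values)]])
            fh.seek(0)
            remaining = span
            while remaining:
                chunk = min(remaining, 65536)
                fh.write(fill * chunk)
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())  # push this pass out of the OS cache
        fh.seek(0)
        if fh.read(span) != fill * span:  # read back the final pass
            raise OSError("residual data after wipe: " + path)
    os.remove(path)
    return span


if __name__ == "__main__":
    # Constructed sample: 13,802 bytes, the smallest size in the timing table.
    fd, sample = tempfile.mkstemp()
    os.write(fd, b"SECRET" * 2300 + b"XX")
    os.close(fd)
    print(wipe_file(sample, values=(0x00, 0xFF, 0x55), passes=3))
```

Overwriting in place reaches the original sectors only on media and file systems that write in place; flash wear levelling, journaling and copy-on-write file systems can leave earlier copies elsewhere on the device.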