Date: 01 Apr 1994 08:44:49 -0700 (MST) From: Chris McDonald Subject: Product Test, PT-62, FlameFile (Macintosh) To: orvis@icdc.llnl.gov Content-transfer-encoding: 7BIT [To]: cmcdonal@wsmr-emh34.army.mil Apparently-To: orvis@icdc.llnl.gov ****************************************************************************** PT-62 March 1994 ****************************************************************************** 1. Product Description: FlameFile is a freeware program to overwrite files, folders, and unused disk space on floppy or hard disks. The current version is 1.38, released September 11, 1993. 2. Product Acquisition: FlameFile is available on Internet ftp sites, on BBSs, and from Apple user groups. The author is Josh Goldfoot, P.O. Box 203802 Yale Station, New Haven, CT 06520. The author's Internet address is jgfoot@minerva.cis.yale.edu. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN: 258-7548, DDN: cmcdonal@wsmr-emh34.army.mil. 4. Product Test: a. I obtained the program from a local Apple users group in January 1994. I conducted tests from January through March 1994 on a Macintosh IIcx running System 7.0 with a 80MB hard drive. I also tested the program on over a dozen removable disks. b. When a user "drags" a file to the TRASHCAN on a Macintosh system, the data on that file is still on a disk until overwritten. Files on the Macintosh can have two forks, a data fork and a resource fork. A file can have either one or both forks. Most documents have only data forks, and most applications have only resource forks. The data fork stores data such as text for word processing or data for databases and spreadsheets. The resource fork stores information about dialog boxes, windows, icons, etc. c. A user should understand the distinction between certain terms to properly appreciate and to use FlameFile. The DoD Magnetic Remanence Security Guideline provides these definitions: (1) Clear = a procedure used to erase data stored on media, but lacking the totality of a declassification procedure. (2) Declassify = a procedure to totally remove all classified or sensitive information stored on magnetic media followed by a review of the procedure performed. (3) Overwrite = a procedure to remove or destroy data recorded on magnetic media by recording patterns of unclassified data over or on top of the data stored on the media. (4) Sanitize = a procedure to erase or overwrite data stored on magnetic media for the purpose of declassifying the media. For the declassification or sanitization of classified national defense information a user must invoke a specific overwrite pattern should he or she choose this method of declassification. A user may have an option, however, in the declassification or sanitization of unclassified sensitive information. In fact, agency standards could vary on the specific clearing or overwriting requirements for unclassified magnetic media. d. FlameFile proposes to provide the capability to overwrite media within the stated definitions. The program has six pages of humorous documentation in which a "user" and the "creator" (i.e., the program author) discuss what the program does and what features are available. While the "creator" mentions that he has implemented the Department of Defense overwrite or sanitization routine, the documentation does not specifically describe the method of imple- mentation. For this reason I electronically contacted Mr. Goldfoot to request clarification. His response stated that FlameFile overwrites with a logical 1, followed by a logical 0, followed by alternating 1's and 0's. e. One installs the program by simply dragging it onto a hard disk. One then overwrites information by dragging a file or folder onto the FlameFile icon. One can overwrite free space on a disk by dragging the disk icon onto FlameFile's. Double-clicking on the FlameFile icon presents an Options dialog box which allows a user to customize program operation. As mentioned earlier, one can, for example, choose the "Use DoD specs". One has four options to "disguise" a file. Specifically one may change the file name, the file size, the file creation date, and the type of file created. FlameFile makes the changes after the overwriting, but before the deleting. One may choose to require a "warning box" before any overwriting operation can execute. Finally, one has the option to play a sound when the program has completed "flaming" or overwriting a file. f. I tested all options with only one observed anomaly. I used Fedit and Norton Disk Editor to verify the operation of FlameFile's overwrite and sanitization routines. I was unable to recover any data which the program had "flamed". While it is beyond my technical capabilities to perform any type of magnetic remanence testing of storage media, I did observe that the program appeared to successfully implement the DoD guideline procedures. g. The anomaly involved the failure of the option to rename a file before overwriting. This occurred only on the hard drive on which I had installed FileSaver, an application within Symantec's Norton Utilities for Macintosh. I contacted the program author who confirmed the compatibility problem between FlameFile and FileSaver. The author stated that he was working on the problem, and suggested an interim solution would be to manually rename a file where one had installed FileSaver. 5. Product Advantages: a. FlameFile performed as documented with one minor exception. b. The declassification and sanitization of storage media is a critical concern for most government agencies. Even the private sector has shown an increased interest in this issue. FlameFile addresses this concern at no cost to the user. c. The installation and operation of the program is a breeze for even the novice user. 2 6. Product Disadvantages: a. FlameFile has no formal certification or endorsement from the National Security Agency or from the Department of Defense. Sometime ago NSA announced that it would no longer certify software declassification or sanitization programs. Therefore, approval of the program will probably require the authorization of respective information system security officers, or whoever within an organization is responsible for data security. Different agencies will logically have different approval policies and procedures. b. In those environments where the "names" of files are important, one needs to be mindful of the one documented incompatibility. While I did not look for other conflicts, I am aware that Central Point's MacTools has an application similar to Norton's FileSaver. If one uses MacTools, it might be appropriate to test the file renaming option of FlameFile. c. Operation of FlameFile is not automatic at version 1.38. A user must consciously invoke its operations. There are some organizations which insist on automatic activation, and which prefer to disallow a user the opportunity to change an option. These same organizations usually dislike public domain or freeware software. 7. Comments: There is an inordinate amount of controversy over the use of software to clean and to sanitize media. Clearly there is a major difference between removing any trace of classified national defense information versus removing any trace of unclassified sensitive data. It seems appropriate to employ a mix of programs, supplemented by hardware degaussers, to address the overall risk associated with magnetic remanence. For certain media and depending upon the sensitivity level of the data, one may still face the physical destruction of media as the only alternative. I continue to be of the opinion that there is a legitimate place for freeware software in government and commercial environments. While this view may be a minority opinion in government, a program such as FlameFile may be just the vehicle to breakdown bureaucratic resistance. [The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.] FOR FURTHER REFERENCE: PT-29 SECURE DELETE PT-32 MACTOOLS PT-33 FT. KNOX PT-37 VIPER sT-57 NORTON UTILITIES FOR MACINTOSH PT-63 TRASHGUARD 3