Being at college now, system security has become a priority for me. It is easy for someone to swipe a laptop and although it is password protected with windows, these are easy to bypass. And for me my computer is key (being a physics/computer science major), so I want to keep mine as safe as possible and I hope you do too.
In this instructable I intend to lead you step by step from backing up your data, to wiping the computer clean, right down to installing the OS, and then I will lead you through the process of encrypting your drives using the AES encryption algorithm that the top level government agencies use. PS, I apologize for any lack of pictures, I do not have a capture card capable of hdmi or VGA input so the screenshots I use are all from my phone or the internet.
For this instructable you will need:
- A PC
- An Operating System or two. (I will be dual booting win 7 and a linux distro and i will instruct on how to accomplish dual booting)
- Truecrypt (free and open source encryption software, available from www.truecrypt.org)
- Darik's Boot and Nuke (optional but recommended, available free from http://www.dban.org/)
- CD/DVD media (for boot discs)
- Backup media (discussed in the next step)
- Moderate-Advanced computer knowledge
- Although not required, this instructable involves the downtime of your computer so I would advise one of the following routes:
1.) Memorize every, single part of this instructable to perform during the process
2.) Print this instructable out to follow
3.) Use a second machine to follow this instructable
Notice: Although I will be walking you through the process, please be aware that every system is unique and may have specialized challenges (this is where computer knowledge helps) and I take no responsibility for any loss of data, or damage to your machine done through this process. Additionally, I take no responsibility if you are using this knowledge for illegal or immoral use. Please proceed with your own caution.
Step 1: Backing Up Your Data
The first step would be to round up all of the files you want saved (consider favorites list on browsers, pictures, videos, music, and documents) and put them all in one folder. right click the folder and view its properties to see how much data is there, and select an appropriate backup scenario.
method 1: CD/DVD (0-700 Mb (CD) or 0-4.7 Gb (DVD))
CD and DVDs are a good method for backing up limited amounts of data. Granted you could use multiple cd or dvds and achieve success as much as any other method, it will start to get crazy burning tens to hundreds of data discs. But if you have a relatively small amount of data, your good to go, start burning.
method 2: Flash media (0-64 Gb)
Flash media are great backup tools for the simple reason that they are rewritable, however they do get on the expensive side the bigger you go. If you have a moderate amount of data to backup, this could be your option. Flash media are small, more reliable than discs, and are faster than burning discs.
method 3: Removable Hard Drive (0-? Tb)
This option can work for anyone but will be more popular among people with high storage needs, for example, maybe you have your entire DVD and music collection backed up on your PC and are not willing to lose it. This option would be for you. Removable hard drives are now available in any size up to 2 Tb and some go even higher. The only downside when working with this amount of data, is speed. it takes a long time to transfer 2 Tb of data and you should be prepared for that. Maybe consider setting up the transfer before you go to bed and let it run all night undisturbed.
Once you are done your back ups, you can head on to the next step and begin the cleaning of your system.
Step 2: Getting the Installation Media
- Installation CD/DVDS for the OS you want to install (ill be using windows 7 and ubuntu)
- A disc with Darik's Boot and Nuke written on it
- Drivers for the computer (the easiest way is to go to your PCs manufacturer's website and look for drivers page and they should list the drivers for your specific make and model PC. then download them and put them on a piece of media like a cd for later)
To obtain the OS, you can use any media that came with the computer. However, computers have manly switched from physical installation media to coming with recovery partitions. A word of caution , by following this instructable you will be deleting any manufacturer recovery partitions. So if you still want to proceed, I highly recommend creating backup discs for your operating system. The manufacturer will generally include a program on the PC to do just that incase of hard drive failure.
Another note: I in no way am endorsing or advising you to use a illegitimate or pirated version of any operating system. Doing so is illegal and dangerous as the OS could be loaded with pre-installed viruses waiting to infect your clean system. If you should chose to do so anyway, i take no responsibility for the outcomes, including but not limited to arrest and property seizure.
Step 3: Wipe Her Clean
To start with insert DBAN (Boot and Nuke) into your cd drive and start the machine up. All machines have a key or combination to press during the bios flash screen that will bring them to either the bios configuration screen or the start menu. These keys generally tend to be a function key (F1...F12) or esc or del, although im sure there are others depending on the bios. Once you make it to one of these screens either modify the boot order to boot the CD drive first, or simply override the boot sequence.
Once you boot DBAN correctly you will be presented with a screen much like the one in the picture. There are a few keys to press to get information about the program, and feel free to do so, after all knowledge is power. The two bottom commands are the ones we are concerned with. If you enter the autonuke mode the process is simplified and the program does the work, however if you just press enter, you get a little more advanced options which is what i will cover here.
after you press enter you will be presented with another screen (see pictures) ont his screen you will be selecting the appropriate HD to wipe. For me,I have only one so it is rather simple choice. press enter and you will see 'wipe' appear next to the drive. If you wish you can press 'm' and select the method of wipe. The different methods really rely on how many passes it does, allow me to explain:
When a computer stores data on drives, they are stored in binary, or a series of '1' and '0's. so for example you may have a block of data that looks like this '10100111011001100'. what this program does is essentially covers these strings with all 0s. A traditional format only covers them once and is susceptible to data recovery using personal or professional grade recovery tools readily available on the internet. However, DBAN uses multiple passes which cover it with all 0s then again with random data, and then again with more 0s. In the end the more times these passes are made, the more unlikely the chances of data recovery. So, for this instructable i will pick DoD 5220.22-M. This is a medium security level at 7 passes. However, if you feel the data on your computer is life threatening, feel free to pick Gutmann Wipe which is a whopping 35 passes. But remember that the more passes performed, the longer time. The size of the drive being wiped also determines the length of the procedure.
Once you pick which algorithm to use select it with the space bar. The program will bring you back to the previous drive selection screen, if you are feeling really ambitious you can press 'r' which will let you select how many rounds to do. WARNING high number of rounds can easily turn into a VERY long run time. for this instructable I have picked 2 rounds. this is going to take an estimated 25 hours to complete on my 465 Gb hard drive. So like I said, if you need high level security be prepared to wait a while.
update: I figured I would do some updates while this is running. It turns out that the estimated time was WAY off. It has been running now for 17 hours exactly and it is reporting a remaining time of 21 hours and 39 minutes left. It is on round 2, pass 1/7 at 45102 KB/s. Ill be back with the next step of the process in probably another 17-21 hours.
Step 4: Loading Windows 7
So to start simply put your Install CD in your PCs optical drive and boot it the way you used to get DBAN earlier. Once It has started you will be prompted with a screen asking your language and keyboard type. If you are in the US you shouldnt have to change anything just click next, then click install now. Then accept the terms and agreements and you will see a screen that shows your hard drive layout. For me my disk is 465.8 GB. So now is a good time for me to start thinking about my partitioning scheme. If you are only going to be installing windows then you should end up with 3 total partitions at least. I say this because I will always recommend making your normal partition where the system resides, and then a secondary logical partition to store data on in event of a failure of the OS. In this instructable it also will provide us with extra security so for me if I was only installing windows I would partition as such:
partition 1 - 100 MB Partition Reserved (windows makes this small partition for the bootloader)
partition 2 - 200 GB System Partition (where you will install windows and install programs)
partition 3 - 265 GB Storage Partition (for data to be isolated)
However, I will be doing a dual boot system so my partitions will need to be a little more conservative to give space for the second OS. So i will be partitioning as such:
Partition 1 - 100 MB System Reserved
Partition 2 - 100 GB System Partition
Partition 3 - 100 GB Storage Partition
Unallocated Space ~265 GB
While installing you will be prompted for an account name and password. For the sake of security I will be making a password, and i recommend you do too. It will be one more level of security when we are all done. To make a strong password follow these guidelines:
1. Use alphanumeric (that is letters and numbers)
2. If allowed use special characters in place of numbers (1=!, 2=@.. etc)
3. Use capitals if the password is case sensitive and mix them in randomly (liKetHisPlEasE)
4. Use a long password. Most passwords are found by brute forcing (look below for explanation) so the long the password the harder to crack
5. Do not use birthdays, names, or sports/teams in your password. They are very easy to guess with prior knowledge of the individual.
Brute Forcing - This is when a person uses a program that essentially tries every combination of letters, numbers, and symbols to eventually find the password. They are usually guided by dictionary files that are letters, words and combinations of words. Therefore, the more closely you follow the above guidelines the longer it takes to brute force. A strong password could take decades to crack.
Once Windows has installed I recommend going into Control panel>hardware>device manager and making sure all your drivers are loaded correctly. If not, then pop in the drivers CD I mentioned earlier and start installing the ones you need. You can also get the drivers off of Windows update, however, I recommend the CD because if your network card driver isnt installed than you can not access Windows update.
Once your happy with your choices move on to the next step for installing linux, or move on to step 6 to start securing them.
Step 5: Installing a Linux Partition (or 3)
So, first insert your Ubuntu installation media and boot up the same way as the last 2 times. You will be presented with an option to 'Try' (run as a live CD) or to 'install'. We are going to pick the latter. First it asks for basic stuff like your language, and if you want to install updates while its installing. For sake of compatibility I will NOT be using this feature. I will however be using the option to install the 3rd party plugins. Next will come the advanced stuff. This is where you will need to start partitioning. It should come up with a screen telling you it detected a Windows 7 install and wants to know if you would like to install alongside it. Generally this is a good option, however, Linux has been finicky about partitons in the past for me, so I will click 'something else' and designate my own partitions. These are the partitions in which I will be implementing:
If you remember from my last step i have ~265 GB left to work with
Partition 1 - System Reserved (Windows) 100 MB
Partition 2 - System Partition (Windows) 100 GB
Partition 3 - Storage Partition (Windows) 100 GB
Partition 4 - root / (Linux) 20 GB
Partition 5 - /home (Linux) ~235 GB
Partition 6 - Swap space (Linux) ~10 GB*
*Swap space is essentially a partition that augments the ram. However you do not want to give it too much space because swapping is slower than ram so used right it can speed the system up, but if its abused it can be detrimental to the system. Generally I recommend picking a size roughly the same as the amount of ram in your PC.
Once Linux has installed it should install its own bootloader over the top of the windows loader. Generally most linux distros will use a version of GRUB launcher.
When prompted to for a password be sure to follow the guidelines I set in the previous step to make a secure unbreakable password, and select the Encrypt home folder option for an extra layer of security.
Note: Once you have Linux installed try booting up windows. Its very common that Windows will run into an error and wont start after installing linux. If this is the case go ahead and throw your windows CD back in and instead of choosing INstall pick Repair down in the left hand side and then do a startup repair. This will replace any missing files giving an error.
Step 6: Finally Time to Encrypt
You are presented with your first customization option, to encrypt normally or with a Hidden Volume. What this means is, if you select normal the entire HD gets encrypted using the algorithm you choose later. This is generally a good option for 99% of people. However, if your James Bond you may want to select the latter option. What this does is encrypts your disc AND makes a virtual copy of your OS. You will set up two passwords, A real one and a fake one. The real one will let you boot your system like the normal encryption. However, say your tortured into giving up your password, you give the fake one and when entered it will boot into an isolated OS where all your data is still encrypted, unreadable, and invisible.
The next page prompts for whether or not to encrypt the host protected area. If you have been following this instructable exactly then you will want to pick yes because your computer will now not contain a recovery partition. However, if you elected to skip the DBAN section of this instructable and your computer contains an OEM recovery partition, then click no.
The next page is asking whether or not this computer is a single or multi-boot. For my set up it will be a multi-boot (Windows and Linux). If you have only installed one OS then select single boot. The reason it needs to know is because this program over rights the boot record with its own.
The next page is where you select the algorithm in which to encrypt your system. I will be using the AES (advanced Encryption Standard). If you want you can research the others but the AES encryption is arguably the fastest at decrypting/encrypting and the most secure. The Hash Algorithm shouldnt be changed, but again if you want to do research and learn about it, knowledge is power.
Finally its time to create a password. You should follow the password guidelines I outlined in the windows installation step. Be absolutely sure you DO NOT forget this password, as once it is set and the encryption is done, the password is not recoverable. This would result in a full data loss.
Step 7: That's It for the System
If you wish to go no further than the final step is to boot your system, enter your password and pick which OS to boot and make sure everything works to standards.
Step 8: Creating an Encrypted Data Partition
First off start up truecrypt and select create volume. You will be prompted with a window much like last time between hidden and normal. For this purpose lets go with a normal encryption. The rest is very similar to the steps earlier. You will be prompted to designate whether you want a encrypted container or drive. The difference is that the container is a large file that can be mounted. For these purposes we will go with encrypting the entire drive. It will prompt for what drive to do it and then what algorithm to use. I would stick with the AES algorithm. The process is fairly straight forward. ONce done you will notice that if you go into my computer you cannot access the partition in question and will prompt for a format. This is because windows cannot natively decrypt the partition. In order to access the partition now you must launch the truecrypt program and mount the drive where you will have to enter your password. Once done the drive is returned to normal state within my computer until locked by the user or the program again.
Step 9: Configuring Tor/Vidalia
Notice that here you can download the Tor Browser, the Tor Browser Bundle and Vidalia.
Tor Browser is a web browser which is routed through proxies making it nearly impossible to track you web activities back to you. Vidalia is not required to run Tor but does offer tools such as Tor toggling and bandwith monitors.
For these purposes I will be downloading the Tor Bundle which is designed to run on both Windows and Linux (as well as Mac but who cares).
Once youve downloaded the bundle you can extract it to wherever you like and inside is a folder containing a version of firefox preconfigured for Tor as well as some other nifty tools.