On many multi-tasking systems, a swap file (also called a paging file) on disk
is used to extend the RAM. This allows a computer to run more programs than fit
in the available memory: the system writes memory pages out to disk when they
are not needed and reads them back in when they are. This is called "paging."
This practice is useful, but it has some
serious consequences. The most important is that anything in your computer's
memory can end up written to disk. If it doesn't get overwritten before the
computer is turned off, someone else can examine your swapfile to get at this
data. That covers not only harmless fragments of program data, but also things
like your PGP secret passphrase and copies of personal files you are editing.
Wiping your swapfile
Of course you can't do anything about this while the system is running and
using the swapfile; it would be almost like removing a hard disk while the
computer is on. But once the system is finished with it, you can do anything
you want with it. Wiping it the way you would wipe a normal file, overwriting
its contents before it is released, is the logical solution to the problem
described above.
There are a few pitfalls, though. The OS might
expect the swapfile to be in a certain format, or at least present on the disk.
If it can't find the file, it might refuse to boot or it might complain about
this. Below you will find instructions on how to safely wipe your swapfile
depending on your platform.
Windows 3.1
Since Windows 3.1 is started from DOS and hands control back to DOS when it
exits, you can safely erase the swapfile once you have exited Windows.
You should not erase it from within a DOS box, even though this is possible:
Windows is still running and still using the file.
It is recommended that you use a permanent swapfile. A temporary swapfile is
deleted when you exit Windows, which means you would have to take extra steps to
make sure it is wiped rather than merely deleted. Windows expects the first 1000
bytes of the permanent swapfile to contain a specific pattern. No swapped data is
stored there, so you can either start wiping at byte 1001 (offset 1000) and leave
the header untouched, or wipe the whole file and restore those bytes afterwards.
The wipe utilities
contain a special wiper for the Windows swapfile.
Windows '95
There are three things you need to do.
- Alter your virtual memory (swap file) settings
The first thing you must do is go into Windows '95 and change your virtual
memory settings. If you don't do this, the Windows swap file will have been
insecurely "deleted" by the time the file wiper gets to it, so its contents
will still be on the disk. Also, the standard Windows '95 swap file grows and
shrinks constantly, so any part of the disk could have contents of this file on
it. To stop this, we set the file to a constant size, which also stops it being
shrunk to zero when we shut down Windows.
Here is how to proceed:
Select "My Computer" from the desktop.
Select the "Control
Panel" folder.
Select the "System" icon
Select the "Performance" tab
Press the "Virtual Memory" button
That gets you to the Virtual Memory
settings. Now:
Click the switch for "Let me specify my own virtual memory
settings"
Set both "Minimum" and "Maximum" boxes to the same number (this
will be the number of megabytes in your swap file, I use 32).
Click "OK"
Shutdown and restart Windows (there will be a prompt inviting this).
After
the restart, close all the open folders, panels, etc.
Shut down Windows from
the task bar, selecting "Restart the computer in MSDOS mode" from the panel when
it appears. This is in preparation for the next part of the task.
- Change the boot sequence to boot into DOS
Next, you have to stop your computer booting straight into Windows '95. There
are two different ways to do this:
Put "C:\WINDOWS\COMMAND" as the last line
in your AUTOEXEC.BAT. That will run the Windows '95 version of COMMAND.COM when
you boot instead of automatically going into the Windows GUI, or
Edit the
C:\MSDOS.SYS file to change "BootGUI=1" to "BootGUI=0". You can also add a line
saying "Logo=0" so you don't get the initial graphic screen. Essentially this
restores the way that Windows used to work in version 3.x. MSDOS.SYS is a hidden,
read-only system file, so you must enter "attrib -h -r -s \msdos.sys" in order
to make it accessible for editing. Use a plain ASCII DOS editor to edit the file,
not a word processor.
Windows '95 may not let you do these things in a Windows DOS box,
which is why you were advised above to exit Windows '95 via the shut down command
and restart in MSDOS mode.
- Run Windows via a DOS batch file
Lastly, you must write a DOS batch file to use when you want to run
Windows '95. This is so that when you shut Windows down in future, execution will
return to the batch file, and further commands can be processed, in particular a
secure deletion of the swap file. The batch file should look like this:
@echo off
cd \WINDOWS
win
REM Windows has exited: clear the shutdown screen and return to the prompt
mode co80
cd\
REM Windows no longer holds the (fixed-size) swap file, so overwrite it now
pgp -w win386.swp
I named the batch file W.BAT so that I can run Windows just by
typing "w" and Enter. If you name it WIN.BAT, it could get confused with WIN.COM
in the Windows directory when you come to run it.
The "mode co80" line makes the "it is OK to turn off your computer" Windows
shut down screen go away and returns you to the command line prompt.
Note that the last line uses PGP to wipe the swap file. You can use another
program, such as my Real Delete, which will work as a foreground file wiper if
invoked like this:
realdeal [win386.swp] /per /garb
The square brackets are required for wiping a specified file as a foreground
task (prevents accidents) and the additional switches select personal security
level (just one overwrite) and the random garbage overwrite pattern.
Note that
it can take a long time to wipe a swap file, as it is a very large file. PGP
takes about five minutes to wipe a 32 Megabyte file on my computer, and Real
Delete takes somewhat longer.
OS/2
OS/2 keeps the swapfile locked while it is running: you cannot even search
through it to see what's in it. To get at it, you need to boot from an
alternative partition or from floppies. If the
swapfile is on an HPFS partition, you must boot from OS/2 floppies, such as the
ones you can make with "Create utility diskettes" or the installation disk.
When OS/2 can't find the swapfile on bootup, it will just create a new one.
This means that you can use any file wiper on the swapfile after you have booted
from a floppy. I recommend that you set your swapfile to a large initial size, so
the chances of it growing are low. If you use more RAM than your swapfile can
handle, OS/2 will increase the swapfile's size and shrink it later on. The disk
blocks it gives back when shrinking still hold swapped data but no longer belong
to any file, so a file wiper cannot reach them.
For FAT, any DOS file wiper will do. Wiping an HPFS file is a bit trickier,
since the only HPFS-capable wipers that I know of require the graphical shell,
which is only available if you use a swapfile!
An alternative approach is to edit your CONFIG.SYS file, to make OS/2 use a
different swapfile next time it boots. The following line needs to be changed:
SWAPPATH=E:\OS2\SYSTEM 2048 32768
By changing the
path in that statement, the next time you boot the swapfile will be put in the
new path. Your old swapfile is now an ordinary, unlocked file in the original
directory, and you can wipe it with an HPFS-capable file wiper. Don't forget to
restore your CONFIG.SYS file afterwards so you can delete the alternative
swapfile as well.
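The wipers the page relies on (the special Windows 3.1 swapfile wiper, "any file wiper" once OS/2 has released the file, and pgp -w in the Windows '95 batch file) all do the same job: overwrite the file's blocks in place before the file is deleted or reused. The following Python is an added example written for this page, not code taken from it or from any of the tools it names. It keeps the file's size and location unchanged (so an OS that expects to find its swapfile still does), can leave a leading header untouched (the 1000-byte Windows 3.1 signature described above), syncs each pass to disk, and includes the check OS/2 refuses while running: a search of the file for a secret, before and after the wipe. The sample swapfile and passphrase are constructed for the demonstration.

```python
import os
import secrets

# Added example, not part of the original page: a minimal in-place file wiper.
# It assumes an ordinary filesystem that writes an overwritten file back to the
# same disk blocks (see the note below for where that assumption fails).

CHUNK = 64 * 1024


def _fill(n, pattern):
    """Return n bytes: random garbage if pattern is None, else pattern repeated."""
    if pattern is None:
        return secrets.token_bytes(n)
    reps = n // len(pattern) + 1
    return (pattern * reps)[:n]


def wipe_file(path, passes=1, keep_header=0, pattern=None):
    """Overwrite path in place from offset keep_header to the end of the file.

    passes:      number of overwrite passes (one random pass matches the
                 "personal" level the page describes; more passes repeat it).
    keep_header: leading bytes left untouched (0 for a normal file, 1000 for
                 the Windows 3.1 swapfile header the page mentions).
    pattern:     None for random garbage, or a byte string such as b"\\x00".
    Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    if keep_header < 0 or keep_header > size:
        raise ValueError("keep_header lies outside the file")
    to_wipe = size - keep_header
    # "r+b" overwrites in place. "wb" would truncate first, handing the old
    # blocks back to the filesystem before anything had been written over them.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(keep_header)
            remaining = to_wipe
            while remaining:
                n = min(CHUNK, remaining)
                f.write(_fill(n, pattern))
                remaining -= n
            # Force the pass out of the cache and onto the disk before the
            # next pass (or the delete), otherwise only the last pass counts.
            f.flush()
            os.fsync(f.fileno())
    return to_wipe


def wipe_and_delete(path, passes=1, pattern=None):
    """Wipe a file, then unlink it: for a swapfile the OS recreates by itself
    (as the page says OS/2 does when none is found at boot)."""
    n = wipe_file(path, passes=passes, pattern=pattern)
    os.remove(path)
    return n


def contains(path, needle):
    """Scan a possibly huge file for a byte string without loading it whole.
    An overlap of len(needle)-1 bytes is carried between chunks so a match
    straddling a chunk boundary is not missed."""
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return False
            buf = tail + block
            if needle in buf:
                return True
            tail = buf[-keep:] if keep > 0 else b""


if __name__ == "__main__":
    import tempfile
    # Constructed sample "swapfile": a 1000-byte header, then swapped-out data
    # that happens to include a passphrase.
    path = os.path.join(tempfile.mkdtemp(), "WIN386.SWP")
    with open(path, "wb") as f:
        f.write(b"H" * 1000 + b"junk " * 400 + b"my pgp passphrase" + b"\x00" * 3000)
    print("secret present before wipe:", contains(path, b"my pgp passphrase"))
    wipe_file(path, keep_header=1000)
    print("secret present after wipe: ", contains(path, b"my pgp passphrase"))
    wipe_and_delete(path)
    print("file still exists:         ", os.path.exists(path))
```

Two limits worth keeping in mind. Like the wipers the page describes, this only reaches blocks that currently belong to the file: anything a shrinking swapfile already handed back to the filesystem is out of reach, which is why the page recommends a fixed or large initial size. And overwriting in place only works where the filesystem really writes back to the same blocks; journaling or copy-on-write filesystems and wear-levelled flash storage may leave the old blocks intact, so there the only reliable answer is whole-device encryption or erasure.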
Windows NT
Windows NT 4.0 has a built-in feature
which can wipe the paging file when the system shuts down. Every page that is not
in use at the time of shutdown is overwritten with zeroes. Because this happens
during an orderly shutdown, a crash or a power cut leaves the contents in place.
This feature is
enabled by changing a key in the registry. The following text is taken from the
NT Resource kit:
Registry path:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management
Note: Do not change the size of the paging file by
editing the Registry. To create a new paging file or to change the size of a
paging file, double-click the System option in Control Panel, click the
Performance tab, then click the Change button in the Virtual Memory box.
ClearPageFileAtShutdown REG_DWORD
Range: 0 or 1
Default: 0
Specifies whether inactive pages in the paging file are
filled with zeros when the system stops. If this value is set to 1, as the system
stops, Windows NT fills all inactive pages in the paging file with zeros so that
they cannot be read by another process. It cannot fill all pages with zeros
because some are being used by the system or other remaining active processes.
This is a Windows NT security feature.