000026679 - How to perform a secure data wipe on an RSA NetWitness Informer appliance

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000026679
Applies To: RSA NetWitness NextGen, RSA NetWitness Informer
Issue: How to perform a secure data wipe on an RSA NetWitness Informer appliance.
*** WARNING ***
The following method ensures secure deletion of the majority of sensitive data on an Informer appliance; however, some residual data (IIS logs, page files, temporary files, crash reports/memory dumps, etc.) can remain on the system. If you want to ensure that no residual data remains on the system, you would have to use a LiveCD to wipe the entire HDD, including the operating system. Consult support before wiping the entire HDD.
You can use any utility that conforms to your preferred standard of secure data deletion. One such utility is Eraser (http://eraser.heidi.ie/), which offers a good selection of secure methods for wiping data.
1) Uninstall Informer. 
2) Use the Eraser utility to wipe the following directories (including all sub-directories and the files in them):
a) Erase the entire C:\inetpub\wwwroot\NwReporterWeb\ or D:\inetpub\wwwroot\NwReporterWeb\ directory (depending on where Informer is installed).
This is the most important directory to wipe, since it is the Informer web component and contains most of the configuration and, more importantly, the outputs from rules/alerts/reports/charts that are saved into the 'results' subdirectory. There is also a 'content' directory that might contain some raw data.
b) Erase the entire C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\DATA\ directory.
This directory contains the Informer connection database files. Note that this directory may be in a different location depending on your OS platform.
(You will need to detach the database in SQL Management Studio or use DBdetach from the Informer toolkit.)
c) Erase the entire C:\Program Files\NetWitness\NetWitness Informer Service\ or D:\Program Files\NetWitness\NetWitness Informer Service\ directory (depending on where Informer is installed).
This directory contains the Informer service component configuration and application files.
3) Finally, use the Eraser utility to wipe unused disk space on the C: or D: drives that contained the three directories in 2) above. This wipes all deleted data in any unused space on the C: or D: drives, including all data deleted in 2) above.
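
Added example (not part of the original RSA article or the Informer toolkit): a PowerShell inventory of the three directories from step 2, to run before the wipe and again after step 3. It assumes PowerShell is available on the appliance; the function names Test-NotWritable and Get-WipeTargetInventory are hypothetical, and the paths are the ones listed above.

```powershell
# Added example. Run from an elevated PowerShell prompt on the appliance.
# Relative paths are the three wipe targets listed in step 2 of the article.
$WipeTargets = @(
    'inetpub\wwwroot\NwReporterWeb',
    'Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\DATA',
    'Program Files\NetWitness\NetWitness Informer Service'
)

# Hypothetical helper: returns $true when the file cannot be opened for
# exclusive write, e.g. a database file that is still attached to SQL Server
# or a file held open by a running service.
function Test-NotWritable([string]$File) {
    try {
        $fs = [System.IO.File]::Open($File, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch {
        return $true
    }
}

# Hypothetical helper: one row per target directory that exists on C: or D:.
function Get-WipeTargetInventory([string[]]$Drives = @('C:', 'D:')) {
    foreach ($drive in $Drives) {
        foreach ($rel in $WipeTargets) {
            $path = "$drive\$rel"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $files = @(Get-ChildItem -Path $path -Recurse -Force -ErrorAction SilentlyContinue |
                       Where-Object { -not $_.PSIsContainer })
            $bytes = 0; $blocked = 0
            foreach ($f in $files) {
                $bytes += $f.Length
                if (Test-NotWritable $f.FullName) { $blocked++ }
            }
            New-Object PSObject -Property @{
                Path = $path; Files = $files.Count
                SizeMB = [math]::Round($bytes / 1MB, 1); NotWritable = $blocked
            } | Select-Object Path, Files, SizeMB, NotWritable
        }
    }
}

# Before step 2: a non-zero NotWritable count means files are still held open
# (detach the database, stop the service) and cannot be overwritten yet.
# After step 3: any row that still reports Files > 0 is data left behind.
Get-WipeTargetInventory | Format-Table -AutoSize
```

If the SQL Server DATA directory is in a different location on your platform, add that path to $WipeTargets before running the check.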

Refer to the screenshots below for the sanitizing standards offered by the Eraser utility, and to the brief explanation of some of them in the Appendix of the RSA NetWitness Administration documentation.

We cannot guarantee that the Eraser utility conforms to any of the listed standards, since it is a public utility.


Legacy Article ID: a58895