PDA

View Full Version : Secure erasure of data from your HDD



Billy T
28-10-2003, 04:57 PM
Hi Team

So as not to further hijack Alastair's post on his file deletion problem, here is a fresh post that answers PoWas' question and takes up his challenge.

Take a look here, PoWa (http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/) for Mr Gutman's own views on the erasability of disks.

And if anybody else is really keen, go back in time to one of PF1's longer posts (http://pressf1.pcworld.co.nz/thread.jsp?forum=1&thread=32082) in which the use of electron microscopes to read data off incinerated disks was postulated. After that, anything is possible so Mr Gutman's 35+ is a panacea for the mildly paranoid only. *Cough* be aware that the time taken to open a PF1 archive can be extended at busy times, especially if you are on dial-up. :(


The faithful will continue to incinerate their hard drives before deep-sixing the remains in the Atlantic Trench. :D

Seriously though, the technology available today makes data recovery possible from almost any form of erasure short of physical destruction of the disk platters as the following quotes from three separate data recovery companies indicate:

#1 Supported by professional technicians and equipment (super clean worktable, electron microscope), Nanjing Leichao Technology specializes in the data recovery and maintenance of hard disks. Currently, the company offers convenient and secure service to hard disks, especially data recovery technology (including open disk data recovery), which can solve the problem of any data disaster caused by hardware or software faults.

#2 Off-track reading relies on the fact that the disk heads are never
exactly aligned on the same track twice, an effect that is heightened
after a period of wear or when a floppy disk is written to in two
different drives. This means that the remains of an earlier write may
be found running along the edge of the track of the latest write. That such data can be recovered has been demonstrated by investigation using a scanning electron microscope.

#3 You cannot really erase a hard drive. Magnetic media including hard drives are all similar in that every write leaves faint traces behind, even when the media have been overwritten numerous times. Special electron microscopes can be used to recover overwritten tracks, bit by bit.

Be vewy vewy afwaid :D

Cheers

Billy 8-{) :|

Graham L
28-10-2003, 05:04 PM
It might be possible. But I don't think it would ever be cost-effective.

Those who might have the money for such techniques would find it much cheaper and quicker to use traditional methods. Burglary, blackmail, bribery, and seduction have been used for centuries.

Billy T
28-10-2003, 05:15 PM
Precisely Graham, but the point is that it is a practical technological proposition in disaster recovery situations where cost doesn't have quite the same relevance.

It is also practicable in forensic matters where the Police want to get to grips with an issue (e.g. child pornographers) and they don't need to recover much more than a representative sample to support charges.

In the final analysis it all comes down to the old adage:

You can run but you can't hide!

The best way to wash a hard disk is with salt water at 100 fathoms :D

Cheers

Billy 8-{)

Graham L
28-10-2003, 05:23 PM
That's covered by the another cheap method: perjury. Who would ever doubt the word of a policeman? :D (One computer forensic policeman has just been let out on home leave --- to set up a copmuter forensics company :D)

PoWa
28-10-2003, 07:43 PM
Tsk tsk BillyT, real mature having to start up a new thread to continue the discussion :| I kinda enjoy hijacking threads :) Anyway, I'd like to see some real evidence and proof in an experiment where they recovered the whole hard drive that had been erased 35 times over. Link! Link! But maybe this is just an attempt to ridicule a fellow Pressf1'er for his views, oh well I'll grin and bear it.

> And the gnomes in Nevada or wherever can read the original files using an electron microscope to read the orientation of the magnetic domains on your disk PoWa. They can read several layers back, because in electron microscope terms, the heads never quite track over the exact same path, and the magnetic field also writes outside of the allocated track area. Differential magnetisation between 0s and 1s allows recovery of data from almost any disk. That is why incineration or physical destruction is the only safe bet for the paranoid.

> Sorry to burst your bubble PoWa, but I too have read an artiicle about this, concerning the secret squirrels in the States. They use some kind of instrument that will detect the different magnetic signatures of each part that can be written. Every time you write something to your hard drive, even in the same spot, gives a different magnetic signature.
Admitted, it is only economical and practical for Government department or big industry to utilise. But even so, it can be done, which BT has pointed out.

Ok lets say that everytime something is written to the disk the heads never quite track over the exact same path, and the magnetic field also writes outside of the allocated track area. - Ok then with different bit patterns written over the disk at least 35 times, isn't it also possible that during those writes the erroneous bits that are slightly out of place get overwritten in the process, making the recovery of the bits difficult if not impossible.

Now lets say that every time you write something to your hard drive, even in the same spot, gives a different magnetic signature. Ok say some data is recorded into a sector, and then continues into another sector but this time with a different magnetic signature. We know that the magnetic signature couldn't possibly be predictable and have the same magnetic signature for different parts on the disk, because hard drive manufacturers don't build that feature purposely. Now how would you possibly make order or understanding out of the data? Lets add 35 different overwrites on top of that, plus multiple overwrites of the data with everyday use. Now with a different magnetic signature on each overwrite, then there could be literally thousands of possible magnetic combinations to retrieve the original data. Also how would you know which magnetic signature went with another from a different sector or track? Add another 1000 possible combinations.

So as you can see it would practically be impossible to analyse and incriminate over the 1000's of possible combinations, let alone piece together the original information into humanly readable form.

You also realise what you just said, means that encryption and other techniques could be thrown out the window. Becuase heck, they could just get the hard drive and recover the magnetic signatures to a time before they encrypted the data, and have all the original information. :O When will you be publishing your thesis stating that hard drive encryption is a waste of time, and try and disprove the governments and programmers and mathematicians who invented it?

Mike
28-10-2003, 07:54 PM
> It might be possible. But I don't think it would
> ever be cost-effective.

I've heard of places (in NZ) spending well in excess of $100,000 to recover data from destroyed hard drives. And no, they didn't send them to Computer Forensics :p

Mike.

mikebartnz
28-10-2003, 10:40 PM
Yeah and there were the two Auckland coppers who planted the twenty two shells in the Auther Allen Thomas case.

mikebartnz
28-10-2003, 10:45 PM
But they obviously had not done a decent backup.

Between a sledgehammer and a massive magnet I think I would be quite happy with the security of my previous data.

Graham L
29-10-2003, 01:24 PM
A few good writeovers with properly random bit patterns would be good enough for me.

It's all very well recovering "up to 35" copies of what's been recorded on tracks --- the decoding (especially since they use GCR/RLL encoding) would be a diabolically "computer intensive" task. If the content is encrypted first, it would be not nice. That's the sort of thing usually referred to as a "challenge". :D

agent
29-10-2003, 03:38 PM
a) Buy the mobo that has built in encryption between the IDE channels - your data on the HDD is protected from anyone shoving the drive in another computer (although it is, of course, crackable encryption - consider nothing safe from the hands of evil government agencies). I think the manufacturer was Gigabyte, but I don't remember.

b) Darik's Boot and Nuke (DBAN) (http://dban.sourceforge.net/)

I quote from the website: "If you are seriously concerned... then consider drilling open your hard disk, grinding down the platters, and melting all of the parts in a furnace".

"DBAN is 'good enough' for 'most people'".

It takes DBAN well over eight hours to wipe a 6GB HDD, so many wipes of the same HDD might suit some of you, and perhaps combining that with some healthy salt water baths, exposure to nasty chemicals (think mild acids through to industrial strength concentrated weed killer), a few minutes with an angle grinder, a sand blaster, and a furnace should suit those of you who are more inclined to think government agencies are after your data in particular...

robsonde
29-10-2003, 03:38 PM
the trick is to make the cost of recovery more than the cost of the data it self.

no one will spend $20,000 to recover your shopping list from a few years ago........

agent
29-10-2003, 03:40 PM
And if you did chemistry, you might be able to find chemicals that react with the materials an HDD is comprised... preferrably a chemical reaction, so as that it cannot be changed back. :D

PoWa
29-10-2003, 03:44 PM
Lets not get carried away people..

BillyT I'm still waiting for your rebuttal on my comments, is there one coming. ?:|

Graham L
29-10-2003, 03:45 PM
It took me five minutes to recover the NZ Army DB2 database files from a formatted (20 MB) hard disk on a computer I bought once. The records of percentages of training time and idle time of a unit of carpenters and plumbers at Burnham would have been worth about nothing from the KGB. I might have got more than that from the CIA. :D

Billy T
29-10-2003, 07:16 PM
> Billy T I'm still waiting for your rebuttal on my
> comments, is there one coming?

Sorry PoWa, you've lost me there. What's to rebut. ?:|

I have showed you that scanning electron microscopes can recover data from places other beers don't touch, and I have drawn your attention to your own post from 2002 where you said much the same thing.

If you are referring to my comments in Alastair's post, I have shown you the error of your ways in that instance by making it plain you mistakenly read and answered something I hadn't said.

I wasn't, and I am still not debating the efficiency or economics of sophisticated hi-tech forensic data recovery, and I am not suggesting that 100% data recovery is possible. I simply made the point that it is not possible to erase all traces of data from a hard disk by any method that relies upon the same write heads and tracking mechanism.

If a law or security agency wants to recover data from an erased HDD in the hope of finding useful scraps of evidence, money will be no object. In fact, if National Security was at stake, they'd probably throw even more technology at it.

However, normal people have nothing to hide so a simple reformat will suffice, and for the terminally paranoid, nothing short of incineration will do, but then, they will probably trot off home and fill their new disk with more of the same. Go figure!

Cheers

Billy 8-{) :|
[pre][b]If I missed something PoWa, do let me
know and I'll rebut like nobody's business.:D

Mike
29-10-2003, 08:48 PM
> But they obviously had not done a decent backup.

Obviously :D well that'd probably be because it wasn't actually their drive to start with ;)

Mike.

PoWa
29-10-2003, 09:17 PM
Grrr...I'll have to re-explain myself. Please read carefully and slowly :)

Firstly you haven't shown me any proof that data can be recovered from special multiple overwrites like a 35+ pass method. All I've got is your word, and pheonix's. And who are you? Not security experts I'm sure, yet you claim to be.

Also if you had read something, don't you think it would be weird they would publish it in the first place? Being able to recover anything and everything off a hard drive if it had been overwritten lots of times would be classifed level A. Lets say the americans discovered it, then they wouldn't want that technology falling into anyone elses hands lest the attacker happened to come across a military hard drive. If anyone else reported this information, you would have to question the validity of it, maybe its just scare tactics or superstitions.

"The second problem with official data destruction standards is that the information in them may be partially inaccurate in an attempt to fool opposing intelligence agencies (which is probably why a great many guidelines on sanitizing media are classified). By deliberately under-stating the requirements for media sanitization in publicly-available guides, intelligence agencies can preserve their information-gathering capabilities while at the same time protecting their own data using classified techniques." -Peter Gutmann

So as you can see the governments might have their own special way of erasing data that would be foolproof. Still possible to recover data eh?

Note: A pass is actually 3 overwrites on the same block of data. E.g. 01010101, 10101010, 01010101. So 35passes is actually 35x3 = 105 overwrites on that block!

Now lets talk about the electron microscopes
Ok lets say that everytime something is written to the disk the heads never quite track over the exact same path, and the magnetic field also writes outside of the allocated track area.

With different and random bit patterns written over a specific block of data about 105 times, it is possible that it will overwrite the erroneous bits outside the track area, and also scramble any magnetic fields. With all the different bit patterns being written, the hard drive will be constantly oscillating in a different area each time, enough to erase the data in the different paths.

Now lets say that every time you write something to your hard drive, even in the same spot, gives a different magnetic signature.

Note: hard drives don't store data in sequential blocks. Disk interleaving is used as the disk can spin while waiting for DMA transfer to take place. So a part of file could be 2 blocks away on a different sector.

Ok say a file is recorded onto a block, and then continues onto another block but this time with a different magnetic signature.

The different magnetic signatures couldn't possibly be predictable and have the same magnetic signature for different parts on the disk, because hard drive manufacturers don't build that feature purposely.

Now how would you possibly make order or understanding out of the different magnetic signatures? Given that a part of the incriminating file could be on a different sector, and be a completely different magnetic signature. How do you distinguish which goes with what to piece the original file back?

Lets add 105 different overwrites on top of that (35passes), plus multiple overwrites of the data with everyday use.

Now with a different magnetic signature on each overwrite, then there could be literally thousands of possible magnetic combinations to retrieve the original file. Also how would you know which magnetic signature went with another from a different sector or track? Add another few combinations because the disk interleaving would also mess things up as well.

What about filesystem types. If the disk has been wiped, how do you know which filing system was used to store the data? A windows block of data has different sized header information than a linux disk header. So add another few combinations because you have no idea how the data is formatted.

So as you can see it would practically be impossible to analyse and incriminate over the 1000's if not millions of possible combinations available to piece an original file back together, let alone piece together the original information into humanly readable form. You would probably need like 3 Cray X1 Super computers to calculate the possibilities in any reasonable amount of time, and probably by then the person who the file belonged to would probably have died of old age. Even the data on the file would have lost its usefulness by then.

Are you understanding me yet? Now lets see some evidence to prove that you can recover data from a 35+pass overwrite.

Mike
29-10-2003, 09:27 PM
> Firstly you haven't shown me any proof that
> data can be recovered from special multiple
> overwrites like a 35+ pass method. All I've got is

I'm not gonna prove it - I don't have a spare $100k :D Besides I'm not worried if it can or cannot be done.

> your word, and pheonix's. And who are you? Not
> security experts I'm sure, yet you claim to be.

When did I claim to be a security expert?

> Also if you had read something, don't you think it
> would be weird they would publish it in the first
> place? Being able to recover anything and everything

I didn't say I read it. I said I heard it. I heard it because it was told to me by someone who just happens to work in that company who did it.

> off a hard drive if it had been overwritten
> lots of times would be classifed level A. Lets

I didn't say it was a drive that had been overwritten lots of times. I don't know if it had or hadn't been. I said that the drive had been destroyed, meaning physically inoperable. And just to clarify a little more, this company didn't do the recovery themselves, they sent the destroyed drive (with the $100k+) to the US to have the contents recovered.

> So as you can see the governments might have their
> own special way of erasing data that would be
> foolproof. Still possible to recover data eh?

A different type of hard drive perhaps? Or perhaps a very hot furnace?

> Are you understanding me yet? Now lets see
> some evidence to prove that you can recover data from
> a 35+pass overwrite.

I don't really care whether its 0 pass overwritten or 29384793 pass overwritten :D You can't prove either way on this one - well perhaps you could prove that it can be, once its been done, but its impossible to prove that it can't.

Mike.

PoWa
29-10-2003, 09:40 PM
Hey, butt out, it wasn't directed at you - my debate is is with BillyT :D

mikebartnz
29-10-2003, 10:03 PM
I saw an interesting thing on TV a while ago where a yank soldier in the Phillapines or somewhere like that chopped a 5.25 disk into little peices to obliterate the data but it was sent back to the US and recovered enough data to incriminate him for murder.
The disk had not been overwritten. In my view if some data had been overwritten more than once the retrievable info would be as good as useless.
Even that place in England that cracked the German codes would have great trouble because of the random nature.

PoWa
29-10-2003, 10:19 PM
Jeepers, what was on the disk? Video footage of him murdering someone?

Thomas
30-10-2003, 08:32 AM
And there I was thinking Billy was to busy for this kind of nonsensical shilly shallying.;)

Billy T
30-10-2003, 10:36 AM
Sorry PoWa, but I don't have to prove anything to you.

I simply provided you with information sourced directly from appropriately expert organisations that can recover data from multiple-erased or overwritten disks, and evidence that Gutman, the expert you favour, also says the same things.

That a 35+ overwrite can make data irretrievable by any normally available or economic means is not in dispute. That is precisely why I referred to forensic analysis where cost and the application of technology are no object. If you read the appropriate literature you will see that patterns are created in magnetic domains on the disk that can be read to extract data if you know how to do it and have the equipment. You can bet that it is not being read from the HDD anymore, the platters will be removed and remounted for lab analysis.

I know it sound fairly incredible, but who would have believed that data could be recovered from overwritten RAM for example? I find that totally mindboggling, much more so than recovery from overwritten disks. The technology and physics for the latter are very easy to understand.

I don't intend to debate this any further because as I said before, what's to rebut? If you want proof, you do the research yourself and prove it can't be done, as all indicators available to me say it can.

Don't forget either that the techniques known and available in the public domain rarely approach the levels of technology and forensic capabilty available to government law and order or security organisations, especially in the States. Those are closely guarded secrets that we won't find on Google.

Cheers

Billy 8-{) :|
[pre][b]It is worth noting that Alastair, whose post originally
spawned this most interesting diversion, has successfully
resolved his problem without resort to writing zeros or ones
to his HDD or indeed utilising anything more hi-tech than
some logic and a judicious application of the delete button. :D

PoWa
30-10-2003, 07:14 PM
Sorry Billy T, but you do. Otherwise what was the purpose of starting this whole thread?

> #3 You cannot really erase a hard drive. Magnetic media including hard drives are all similar in that every write leaves faint traces behind, even when the media have been overwritten numerous times.

Your whole point of this thread was to prove the statement above, and discredit any data overwriting techniques, and by saying the only way to erase data was to destroy the hard disk - but yet you cannot even do that, and I disproved it by saying that there would be just too many possibilites & combinations to piece together the original data if it had been overwritten many times.

If you can't come up with any logical proof by way of article or study, then everything you have said is rubbish, and I win. Your the one that started it, so you have to provide the evidence, not the other way round.

Believe it or not you were the one taking
my idea out of proportion. I suggested to wipe the
freespace on the drive with 0's because that
actually recovers free space better than emptying
the recycle bin. Try it some time. As for something
so simple as emptying the Norton recycle bin, well
DUH.

I'm also glad I don't have Billy T on my debating
team as the team would lose very poorly indeed,
purely because they can't back up their arguments
with evidence. :D

Thomas
30-10-2003, 07:57 PM
My thoughts entirely Powa,brings the subject up then says nothing to prove,I mean to say.

Billy T
30-10-2003, 09:21 PM
You should talk Thomas, you would be the all time champion for posting when you have nothing useful to say, I reckon you missed your vocation.

You should have been a mirror tester, either that or an echo chamber demonstrator.:^O

Getting back to the thread, I'm sorry PoWa but if you can't comprehend what I have said, there is little point in my responding further. No offence intended, but you only read what you want to read, and refuse to believe that which you can't comprehend.

It is not my responsibility to educate you or try to overcome your doubts. The information has been provided so believe it or don't as you wish. You certainly seemed to believe it in 2002, or haven't you checked your old thread yet.

I'm outa here, goodnight.

Cheers

Billy 8-{):D

PoWa
30-10-2003, 09:42 PM
Roflmao @ BillyT :^O :^O What a cop out. Oh well I win then, don't argue with me again if you can't say anything useful to back up your statements with evidence. I mean, you started a whole new thread, and what the hell for?

If you recall back in 2002 I was looking for a program which would overwrite the data on the hard drive, which would solve my problem. So after I found the 35pass method I stopped worrying about the electron microscopes.

I've comprehended everything you've said and it is you who is not comprehending the situation and you haven't come up with any thing useful to refute the claims I've made.

So Billy, next time you want to argue with me
about this, I will redirect you to this thread

PoWa
30-10-2003, 10:33 PM
Anyway I've decided to treat you to a little video clip that shows an excellent way to wipe your data if the FBI is right outside your door. Very enjoyable!! :D :D
Core (http://homepages.paradise.net.nz/decimato/core.avi) - XviD/AC3 - 8.36Mb.

You'll need to download these small programs which install playback filters (necessary to play the movie). Note: they are only filters so they don't stuff up any codec settings. Play the video in WMP or your favourite video player.

AC3 Filter (http://flow.dl.sourceforge.net/sourceforge/ac3filter/ac3filter_0_70b.exe) - 296Kb
FFDShow (http://flow.dl.sourceforge.net/sourceforge/ffdshow/ffdshow-20020617.exe) - 318Kb.

The clip will only be up for a short period of time, so get it quick.

mzzzz
11-01-2005, 05:58 PM
Hi Team

So as not to further hijack Alastair's post on his file deletion problem, here is a fresh post that answers PoWas' question and takes up his challenge.

Take a look here, PoWa (http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/) for Mr Gutman's own views on the erasability of disks.

And if anybody else is really keen, go back in time to one of PF1's longer posts (http://pressf1.pcworld.co.nz/thread.jsp?forum=1&thread=32082) in which the use of electron microscopes to read data off incinerated disks was postulated. After that, anything is possible so Mr Gutman's 35+ is a panacea for the mildly paranoid only. *Cough* be aware that the time taken to open a PF1 archive can be extended at busy times, especially if you are on dial-up. :(


The faithful will continue to incinerate their hard drives before deep-sixing the remains in the Atlantic Trench. :D

Seriously though, the technology available today makes data recovery possible from almost any form of erasure short of physical destruction of the disk platters as the following quotes from three separate data recovery companies indicate:

#1 Supported by professional technicians and equipment (super clean worktable, electron microscope), Nanjing Leichao Technology specializes in the data recovery and maintenance of hard disks. Currently, the company offers convenient and secure service to hard disks, especially data recovery technology (including open disk data recovery), which can solve the problem of any data disaster caused by hardware or software faults.

#2 Off-track reading relies on the fact that the disk heads are never
exactly aligned on the same track twice, an effect that is heightened
after a period of wear or when a floppy disk is written to in two
different drives. This means that the remains of an earlier write may
be found running along the edge of the track of the latest write. That such data can be recovered has been demonstrated by investigation using a scanning electron microscope.

#3 You cannot really erase a hard drive. Magnetic media including hard drives are all similar in that every write leaves faint traces behind, even when the media have been overwritten numerous times. Special electron microscopes can be used to recover overwritten tracks, bit by bit.

Be vewy vewy afwaid :D

Cheers

Billy 8-{) :|


Hello,
check this secure data erasure software: Outstanding data erasure tool :: Blancco - Data Cleaner+ (http://top-top.net/news/software/modules/news/article.php?storyid=7) .
It can _really_ wipe data from computer, so that nobody will be able to restore it.
You may find more data erasure tools on: Software :: Security News (http://top-top.net)

MZ

Dagda
12-09-2005, 09:38 AM
[edit: spam removed]