Like I have posted before to other lists.. here is what I think about all of this
"Disk Sanitizers"
1. Drives remap bad sectors; most disk sanitizers do not wipe previously allocated bad
sectors (that is, sectors in the Grown Defect List of an IDE drive etc). This is not
"Slack Space" and cannot be addressed without special low-level (often drive-specific)
software or a Type II degaussing apparatus (big coil of wire, mucho HF electricity,
drive becomes dead because address marks disappear.. you often just get "clunk,
Clunk!")
2. You can wipe a drive with ONE PASS and for all practical purposes "FORMAT C: /U"
will do the trick, or 'dd'ing a bunch of "0"s over it.. Once that has been done there
is NO known software that can recover ANY meaningful data from an IDE, or normal SCSI
drive that has not been mapped as a grown defect (If you just did a FORMAT /U it only
wipes data from THAT partition, and it is UNRECOVERABLE by software - A normal format
does nothing but READ except for the first few sectors and so it is all still there).
3. It is possible to recover data that has only been overwritten once using Magnetic
Force Microscopy or other such methods. All of these methods are SLOW and require the
drive to be COMPLETELY DISASSEMBLED.
4. A modern HDD may hold 60Gb + and may be part of a stripe raid set, the time it
takes to re-assemble enough meaningful data extracted by MFM or any other such system
makes it impracticable for all except the most sophisticated, high $$$ scenarios.
Also, as a drive gets overwritten in normal use, the most used sectors (where the
sensitive data is most likely) may not have stored the data for as long, and so it may
be hard to tell which magnetic "ghost" is the right information (this is very true for
SAM files where the password gets changed on a regular basis, and on NTFS where the MFT
gets relocated and resized on the fly by the OS, making the files hard to find).
In conclusion, Gutmann or DODWipe will hopefully make it unrecoverable by non-software
means of recovery (Electron Microscope, Magnetic Force Microscope etc); unless that is
the scope of what people will go to to get YOUR data, ONE PASS WIPES DATA FULLY.
I am yet to hear of a case where someone has actually gone to this trouble and
successfully broken into a firm using gathered data, that doesn't mean that it doesn't
happen, but I have never heard of it. If there was a case, you would think that the
many companies trying to flog "RedundantWipe 2000 Plus Deluxe Enterprise Edition" (or
however they want to market another multi-pass disk wiper) would have it on their web
page.
If the data is worth more than the time needed for a one-pass wipe, Thermite or a very
hot furnace will do a much better job. A hard drive is rarely worth the price of the
time of running DODWipe on a 60Gb hard drive and then remapping all the grown defect
lists, and even then, those Magnetic Force Microscopes are pretty good; if the data was
THAT secure and I thought someone would spend thousands of dollars and months of time
to recover a bit of data, I would melt it..
Here is my little flow chart:

Is the data valuable enough for someone to use MFM to examine the drive?
                |
        +-------+-------+
        |               |
       Yes              No
        |               |
  Put the drive    One pass of a
  in a very hot    random data
  furnace and      stream or a
  make sure it     "0" wipe will
  is a molten      do fine.
  mess of goo.
I hope this helps.
If you can prove to me that you can recover my SAM from an arbitrary 5Gb HDD after I
have run:
dd if=/dev/zero of=/dev/<hard drive>
without breaking the seal off the hard drive, THEN I will say otherwise.
-- Benjamin Holmes
> -----Original Message-----
> From: John Daniele [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 7 March 2002 3:07 AM
> To: Mike Donovan
> Cc: [EMAIL PROTECTED]
> Subject: RE: Unclassified Disk "Sanitizers"
>
>
>
> Could you point me towards SOFTWARE (not STM equipment) that
> would be able
> to recover data that had been OVERWRITTEN from a sector of a drive?
>
> i.e. dd if=/dev/zero of=/dev/dsk/c0t0*
>
> Read each physical sector of the drive and explain to me how
> meaningful
> data is recovered from 00's using software recovery tools?
>
> Sorry for my abrasive response, but you are out of line. I was not
> referring to a scenario where portions of a deleted file may
> be recovered
> from file slack, or swap space but rather in the case that it
> had truly
> been OVERWRITTEN!
>
> _________________________________________
> John Daniele
> Technical Security & Intelligence
> Toronto, ON
> Voice: (416) 605-2041
> E-mail: [EMAIL PROTECTED]
> Web: http://www.tsintel.com
>
> On Wed, 6 Mar 2002, Mike Donovan wrote:
>
> > >===== Original Message From John Daniele <[EMAIL PROTECTED]> =====
> > >The data only has to be overwritten once such that it is
> unrecoverable
> > >using standard forensic recovery methods.
> >
> > This is false. Completely. A one-time pass --- making data
> "unrecoverable?"
> > Why is it that Bruce Schneier and others are constantly
> harping on how we
> > can't assume ANYTHING is truly "unrecoverable" using
> software methods? Period!
> > Even Gutmann's paper questions his own method! John, in
> referring others for
> > more information to the over-used "Gutmann Paper" (which is
> going now on
> > six-years old), need I remind you how recovery capabilities
> have changed in
> > SIX years? Let me refer you to something more current and
> more realistic from
> > SANS:
> > http://rr.sans.org/incident/deletion.php
> > It must be remembered the Gutmann 35-pass method is
> *completely* different in
> > what a "pass" is than, say, the D.O.D 7-pass method.
> Gutmann's method takes
> > into account various encoding methods used by makers of the
> drives. It's
> > totally different. Hard drive slack space and unallocated
> space? Not even
> > mentioned in John's all-inclusive sentence above. How can
> anything be securely
> > deleted without even touching these data storage hogs that
> a simple one-pass
> > method will NOT touch? In the very paper John referred to,
> Peter Gutmann says
> > in the opening sentence of his conclusion (point 9): "Data
> overwritten once or
> > twice may be recovered by subtracting what is expected to
> be read from a
> > storage location from what is actually read."
> >
> > The kind of misinformation in John's post is dangerous -
> especially in today's
> > world. Bottom line: Stick with Department of Defense
> regulations for secure
> > deletion or use the 35-pass Gutmann method. Please, don't
> let **anyone** tell
> > you a one-time pass will make data "unrecoverable."
> >
> > Mike Donovan
> >
> >
>
>
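As an added example (not code from this thread or its authors), the one-pass zero wipe the post describes, run against a constructed file standing in for a drive, followed by the read-back check that every byte now reads as 0x00, and a range-scoped wipe to show that zeroing only one partition's range leaves the rest of the disk intact; the device name /dev/sdX and the MiB sizes are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. One pass of zeros in the style of the
# post's "dd if=/dev/zero of=/dev/<hard drive>", plus a read-back check that
# the target really contains nothing but 0x00 afterwards.
# The target is a constructed regular file standing in for a drive so this
# runs offline and unprivileged. On a real block device (e.g. /dev/sdX, an
# assumed name) the script needs root, and count/seek would come from the
# drive size and partition table. Caveat from the post: sectors already
# remapped into the drive's grown defect list are not reachable this way.

MB=1048576

# Fill the stand-in "drive" with random bytes: a used disk, nothing zeroed.
make_sample_disk() {           # $1=path  $2=size in MiB
    dd if=/dev/urandom of="$1" bs="$MB" count="$2" 2>/dev/null
}

# One pass of zeros over a byte range. $3 (optional) is the MiB offset at
# which the range starts, so a "this partition only" wipe can be shown:
# conv=notrunc keeps the bytes outside the range exactly as they were.
wipe_zero() {                  # $1=path  $2=length in MiB  $3=start in MiB
    dd if=/dev/zero of="$1" bs="$MB" count="$2" seek="${3:-0}" \
       conv=notrunc 2>/dev/null
    sync
}

# Print the number of bytes in the target that are not 0x00 (0 = fully zeroed).
count_nonzero() {              # $1=path
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Exit status 0 only when the whole target reads back as zeros.
verify_wiped() {               # $1=path
    [ "$(count_nonzero "$1")" -eq 0 ]
}
```

Running the whole-drive wipe and then verify_wiped is the check the post's challenge rests on: if the device reads back all zeros, no software-only recovery has anything to read.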