You lack understanding and still continue to argue and attack? Your almost antagonizing comment on Canadian standards was laughable.. I am so glad that you represent a minute portion of Americans that think of Canada as the inferior 51st state? (at least I hope... ;-))
I own and build much of the equipment you mentioned below. For the most part it is simply standard computer equipment built into a compact, portable chassis so it is easy for a forensic investigator to lug around and interface with many different drive types/connectors (i.e. 50/68/80 pin SCSI or ATA66/100/133 type drives). I have also designed and built electronic equipment to dump various types of EEPROMs for reverse engineering or recovery purposes.

The forensic imaging equipment you mentioned is standard across the community. The purpose is to create an exact, bitstream copy of the contents of a drive, including file slack and free space, regardless of filesystem format, in such a way that the data recovered from the drive can be admitted as evidence during criminal proceedings. As well, it provides an investigator with an exact replica of the drive from which to perform his/her analysis, so that they are not working with the original. It is a very big no-no to perform analysis on the original evidence, as electronic data is extremely volatile and any mistakes could severely hurt an investigation.

The investigator would then examine file slack and free space for deleted data that could be recovered using forensic analysis software that will examine a drive at the physical layer, completely ignoring the logical filesystem. I have personally assisted government/police agencies in the past in recovering data from these areas of a drive, even if they are highly fragmented. In one case in particular, I was able to repair the header of a deleted video file, as most of its contents were still intact and could still be viewed. However, if these areas have truly been overwritten, even simply one time, it is unrecoverable. If there are bad blocks on the drive and whatever disk sanitization tool used did not properly overwrite the data, then there are other recovery techniques that can be applied. Just because a drive is damaged doesn't necessarily mean that data is unrecoverable.
Using one of my past examples, I have personally worked with data recovery teams that have done wonders with drives that have really been put through hell and back. Even in cases where the disk platters have been slightly mangled, there may be things one could attempt from a recovery perspective.

Please Mr. Donovan, DO NOT put words into my mouth and DO NOT claim that I am spreading misinformation. Right now, decent MFM equipment is quite expensive and requires a very specific skillset to use. As well, it requires an excruciatingly large amount of time to even recover 1Mb of meaningful data. Although I do understand that MFM equipment is becoming increasingly cheap to obtain, not every corporation on the planet has to worry just yet. Some perhaps, like defence contractors, yes.. Be paranoid, but within reason.

Is your organization extremely worried about the possibility that their competitors have improved upon Shamir's cracking device or built a quantum computer in which to crack all their encrypted communications? I highly doubt it.. If they have good reason to, then should you really be communicating on an open mailing list? Congratulations! You have just compromised your organization's operational security! In most cases, there are far easier and more efficient ways to break into an organization than using an electron microscope.

ttyl,

_________________________________________
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: [EMAIL PROTECTED]
Web: http://www.tsintel.com

On Sat, 9 Mar 2002, Mike Donovan wrote:

> >===== Original Message From "Holmes, Ben" <[EMAIL PROTECTED]> =====
> >
> >"...makes it impracticable for all except the most sophisticated, high $$$ scenarios."
>
> First, for John: for the hundredth time, your focusing only on "software recovery tools" is baffling to me. The above post seems to argue the same thing. ("All but...") I only included one small part to keep the limits down that bugtraq faces.
>
> WHY do you two believe that hardware recovery methods (which make a one-pass method as a "secure" method a joke) are:
>
> A) Rare
> B) Expensive
> C) Not worth protecting information from, since John, you have defined "standard" as SOFTWARE RECOVERY only.
>
> The expense of hardware recovery has come down so dramatically that just about ANY large US police department owns forensic hardware tools. In the U.S. many COUNTY **sheriff's** departments have these tools and have been trained in their use. In my city, which is in the 50-100 largest city range, our PD has an "Electronic Evidence Department" with a staff of FIVE. The costs have come WAY down as the demand has risen.
>
> http://www.forensicpc.com/
> http://www.vogon-computer-evidence.com/evidential_systems-02.htm
>
> Some of us believe that true security and the word "unrecoverable" should only be used when taking ALL factors into consideration. We get it now, (for the hundredth time) that you believe one-pass is sufficient to thwart "standard recovery methods" -- SOFTWARE methods! Apparently "standard recovery methods" in Canada and the United States ARE two different things. You keep asking to be given the name of software that can recover the data. Why are you hung up on SOFTWARE recovery tools? Clients expect as high a level of security as possible. That means protection from HARDWARE FORENSIC TOOLS! Look at Enron: right now the police and FBI are putting information back together because of Enron's IT department FAILING to offer them TOTAL wiping security. After all, what's being thrown at Enron is NOT simply software recovery tools, or "standard recovery methods." Not in the case of Enron obviously, but many companies, individuals, etc. can be **falsely accused** of all manner of things. Recovery of certain documents can be taken out-of-context. They must be protected from ALL possible attempts at recovering their data. I can't even believe this is an issue. By the way, individuals desiring privacy deserve the same.
>
> The Gutmann method can be used to wipe free space overnight on a 60 gig drive. Why the need for speed? Individual documents can be erased using Gutmann in maybe five seconds as opposed to one. So, why promote the insecure one-pass wipe when the more secure methods are no more expensive, take only a little more time, and would protect your clients as securely AS POSSIBLE from ALL attempts at recovering wiped data?
>
> I think I rest my case on this. The D.O.D. and other government agencies aren't about to let a one-pass wipe suffice. Why should I offer anything less to a client?
>
> Mike Donovan
>
>
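The imaging and free-space recovery that John describes in his reply (a bitstream copy of the whole device checked by hash, then a physical-layer search for deleted content that ignores the logical filesystem), as an added Python example that is not part of either poster's message. The toy block device, its allocation bitmap, the file names and the `RIFF` header are all constructed for the demonstration. The example goes one step beyond the thread by also showing that a single-pass wipe of free space removes the carved file but leaves file slack inside an allocated sector untouched, which is why examiners look at slack as well as free space.

```python
import hashlib

SECTOR = 512     # bytes per sector (constructed toy geometry)
SECTORS = 16     # 8 KiB "drive"


class ToyDisk:
    """A constructed toy block device: raw bytes plus an allocation bitmap and a
    directory that together stand in for the filesystem's logical view."""

    def __init__(self):
        self.raw = bytearray(SECTORS * SECTOR)
        self.allocated = [False] * SECTORS
        self.directory = {}   # name -> (first_sector, sector_count, byte_size)

    def write_file(self, name, data):
        need = -(-len(data) // SECTOR)              # ceil(len / SECTOR)
        for start in range(SECTORS - need + 1):     # first-fit run of free sectors
            if not any(self.allocated[start:start + need]):
                break
        else:
            raise OSError("disk full")
        off = start * SECTOR
        # Only len(data) bytes are written; the remainder of the last sector
        # (the file slack) keeps whatever bytes were there before.
        self.raw[off:off + len(data)] = data
        for s in range(start, start + need):
            self.allocated[s] = True
        self.directory[name] = (start, need, len(data))
        return start

    def delete_file(self, name):
        """Logical delete: drop the directory entry and free the sectors.
        The bytes on the platter are not touched."""
        start, need, _ = self.directory.pop(name)
        for s in range(start, start + need):
            self.allocated[s] = False

    def read_file(self, name):
        start, _, size = self.directory[name]
        return bytes(self.raw[start * SECTOR:start * SECTOR + size])

    def wipe_free_space(self, passes=1):
        """Overwrite every unallocated sector; allocated sectors (and so their
        slack) are deliberately left alone, as a free-space wipe would."""
        patterns = (b"\x00", b"\xff", b"\x55")
        for p in range(passes):
            fill = patterns[p % len(patterns)] * SECTOR
            for s, used in enumerate(self.allocated):
                if not used:
                    self.raw[s * SECTOR:(s + 1) * SECTOR] = fill


def image_drive(disk):
    """Bitstream copy of the whole device, allocated or not, plus a hash of the
    source and of the image so the examiner can show the copy is exact."""
    image = bytes(disk.raw)
    return (image,
            hashlib.sha256(disk.raw).hexdigest(),
            hashlib.sha256(image).hexdigest())


def carve(image, header):
    """Physical-layer search: scan every byte of the image for a known file
    header, ignoring the allocation bitmap and directory entirely."""
    hits, pos = [], image.find(header)
    while pos != -1:
        hits.append(pos)
        pos = image.find(header, pos + 1)
    return hits


def demo():
    disk = ToyDisk()
    disk.write_file("old.txt", b"OLDDATA " * 40)                   # sector 0
    disk.write_file("clip.avi", b"RIFF" + b"AVI " + b"frame data " * 60)  # sectors 1-2
    disk.delete_file("old.txt")
    disk.delete_file("clip.avi")
    disk.write_file("note.txt", b"short memo")   # reuses sector 0, leaves slack

    image, h_src, h_img = image_drive(disk)
    slack = slice(len(b"short memo"), SECTOR)   # tail of sector 0 after the memo
    results = {
        "image_verified": h_src == h_img and image == bytes(disk.raw),
        "logical_view": list(disk.directory),            # only note.txt is visible
        "carved_before_wipe": carve(image, b"RIFF"),     # deleted clip found at 512
        "slack_has_old_data": b"OLDDATA" in image[slack],
    }
    disk.wipe_free_space(passes=1)
    image2, _, _ = image_drive(disk)
    results["carved_after_wipe"] = carve(image2, b"RIFF")   # gone after one pass
    results["note_intact"] = disk.read_file("note.txt") == b"short memo"
    results["slack_after_wipe"] = b"OLDDATA" in image2[slack]  # slack survives
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The directory listing shows only `note.txt`, yet carving the raw image finds the deleted clip's header at byte 512 and the old memo's text in the slack of sector 0. After a single overwrite of free space the header is gone, matching John's point that one genuine overwrite defeats software recovery, while the slack bytes remain because the sector holding `note.txt` is allocated and a free-space wipe never touches it.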
