erasing disk securely


Shailesh Humbad

If I format a normal IDE drive using Windows XP NTFS (long) format,
what would be the odds of recovering pieces of important, tagged data
such as a password file? If the odds are better than 0%, then what
would be the cost of recovery? I just need to know if it's beyond the
range of the average hacker who buys a used hard drive from a known
HVT (high value target) specifically to recover important passwords.
I know there are lots of tools for "secure" erasing a drive, but I
want to know how much advantage they give over an ordinary NTFS long
format.
 
If I format a normal IDE drive using Windows XP NTFS (long) format,
what would be the odds of recovering pieces of important, tagged data
such as a password file?

100 per cent.
 
A long NTFS format will mark the beginning of each file with a '?' and
remove its entry from the File Allocation Table. When Windows comes across a
sector with this '?' on it, it knows it can overwrite this sector. Until
this happens, the data is still there.

A secure wipe will overwrite all sectors with 0's or 1's. This will replace
all previous data so it can't be recovered.
 
Do a google groups search for "german magazine data recovery". You may hear
stories about how data is always recoverable, but just try to find a company
that can perform this feat, at any price. I think there are a lot of tall
tales floating around concerning data recovery.

It is widely accepted that simply overwriting your original data with new
data, 1 single time, is enough to keep the original data from ever being
recovered. See here:
http://groups.google.com/groups?hl=...overy&safe=images&ie=UTF-8&oe=UTF-8&lr=&hl=en

--Dan
 
Previously Eric Gisin said:
An NTFS format does no such thing.

Would be pretty funny, if the data in the sector itself told
the OS whether the sector was free. Beware the files that are
all "?"!

Instead that is a method of marking directory entries as unused.

Arno
 
dg said:
Do a google groups search for "german magazine data recovery". You may hear
stories about how data is always recoverable, but just try to find a company
that can perform this feat, at any price. I think there are a lot of tall
tales floating around concerning data recovery.

It is widely accepted that simply overwriting your original data with new
data, 1 single time, is enough to keep the original data from ever being
recovered. See here:
http://groups.google.com/groups?hl=...overy&safe=images&ie=UTF-8&oe=UTF-8&lr=&hl=en

--Dan
One of my clients is a physician, and he called me to ask for my
opinion on a debate he was having with his wife. They are giving away
some of their old PCs, and he was saying he could just format the XP
partition and sell it, whereas his wife was disagreeing. The drives
may contain financial passwords and other personal information.

There doesn't seem to be much easily accessible and reliable
information on this topic. The software vendors want to sell their
software, so they only hawk the security of their methodology. No one
seems to have any clue as to what are the actual costs and
probabilities involved in recovery.

Anyway, as you (Dan) suggest, I am going to advise them to do a single
pass over-write of the entire drive. I know that, at the very least,
no software-only solution will be able to recover from this. Once the
data is overwritten with zeros, recovering it again probably requires
highly specialized and ridiculously expensive hardware. If
overwritten once with random data, then it is probably totally
impossible. What is the point of making multiple passes I have no
idea, although most software offers this option. Just to waste time I
guess.
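The "format versus whole-drive overwrite" question, and the read-back check a single-pass wipe should end with, as an added example that is not from the thread. It works on a constructed file-backed image (hypothetical path `./demo_disk.img`) instead of a real device, and it models the format as touching only the first 64 KiB, an assumption standing in for the thread's claim that a format rewrites metadata but leaves file data in place.

```shell
#!/bin/sh
# Added example, not from the original thread. All data here is constructed.
set -eu

IMG="${IMG:-./demo_disk.img}"              # hypothetical image, stands in for /dev/hdX
IMG_BYTES=4194304                          # 4 MiB image
MARKER="CONSTRUCTED-PASSWORD-FILE-MARKER"  # the "tagged data" we try to find again

# Build the image and bury the marker 1 MiB in, where "file data" would live.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1048576 count=4 2>/dev/null
    printf '%s\n' "$MARKER" | dd of="$IMG" bs=1 seek=1048576 conv=notrunc 2>/dev/null
}

# How many copies of the marker are still readable from the medium (0 = gone).
marker_count() {
    grep -a -o -F "$MARKER" "$IMG" | wc -l | tr -d ' '
}

# Assumed model of a format: only the first 64 KiB (boot sector, metadata area)
# is rewritten; the data area is never touched.
fake_format() {
    dd if=/dev/zero of="$IMG" bs=65536 count=1 conv=notrunc 2>/dev/null
}

# Single pass of zeros over the whole medium, as the thread recommends.
wipe_zero() {
    dd if=/dev/zero of="$IMG" bs=1048576 count=4 conv=notrunc 2>/dev/null
}

# Single pass of random data over the whole medium.
wipe_random() {
    dd if=/dev/urandom of="$IMG" bs=1048576 count=4 conv=notrunc 2>/dev/null
}

# Verification: read every byte back; a zero wipe only counts if nothing but
# zero bytes remains. The same read-back check applies to a real device.
verify_zeroed() {
    [ "$(tr -d '\0' < "$IMG" | wc -c | tr -d ' ')" = "0" ]
}

run_demo() {
    make_image
    echo "marker copies after writing image:        $(marker_count)"
    fake_format
    echo "marker copies after metadata-only format: $(marker_count)"
    wipe_zero
    echo "marker copies after zero overwrite:       $(marker_count)"
    verify_zeroed && echo "read-back verification: every byte is zero"
    rm -f "$IMG"
}

run_demo
```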
 
Shailesh Humbad said:
If I format a normal IDE drive using Windows XP NTFS (long) format,
what would be the odds of recovering pieces of important, tagged data
such as a password file? If the odds are better than 0%, then what
would be the cost of recovery? I just need to know if it's beyond the
range of the average hacker who buys a used hard drive from a known
HVT (high value target) specifically to recover important passwords.
I know there are lots of tools for "secure" erasing a drive, but I
want to know how much advantage they give over an ordinary NTFS long
format.

One has to use a disk wipe program or a disk diagnostic to write the whole
disk surface. That technique will clear everything that an average hacker
could ever recover but will not always clear everything a sophisticated
hacker might be able to recover. The data in flawed sectors may still have
some useful data in it and the sophisticated might be able to get that. The
odds of there being anything useful there are low.

Very sophisticated techniques (national technical means and not simple data
recovery services) may be able to recover data that has been overwritten.
But not data overwritten (erased) as many times as Rosemary Woods did it<g>.
 
Shailesh said:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=b3m326
241o56r1%241%40ID-2964.news.dfncis.de&rnum=1&prev=/groups%3Fas_q%3Dgerman
2520magazine%2520data%2520recovery%26safe%3Dimages%26ie%3DUTF-8%26oe
3DUTF-8%26lr%3D%26hl%3Den
One of my clients is a physician, and he called me to ask for my
opinion on a debate he was having with his wife. They are giving away
some of their old PCs, and he was saying he could just format the XP
partition and sell it, whereas his wife was disagreeing. The drives
may contain financial passwords and other personal information.

There doesn't seem to be much easily accessible and reliable
information on this topic. The software vendors want to sell their
software, so they only hawk the security of their methodology. No one
seems to have any clue as to what are the actual costs and
probabilities involved in recovery.

Anyway, as you (Dan) suggest, I am going to advise them to do a single
pass over-write of the entire drive. I know that, at the very least,
no software-only solution will be able to recover from this. Once the
data is overwritten with zeros, recovering it again probably requires
highly specialized and ridiculously expensive hardware. If
overwritten once with random data, then it is probably totally
impossible. What is the point of making multiple passes I have no
idea, although most software offers this option. Just to waste time I
guess.

There is a specific government requirement for the procedure to be used to
erase classified information, that involves multiple passes. That's why
it's there in the software, with options in case (a) that changes, or (b)
it's being used somewhere where the Powers That Be require different
procedure.

How secure you need to be depends on how valuable the data is and to whom it
is valuable--if it's really, really valuable to a First World government
then the only _sure_ bet is to melt the drive down or grind it to chips.

Don't assume that the commercial data recovery services define the state of
the art--it's not cost effective to go after a drive with electron
microprobes and scanning tunnelling microscopes to recover commercial
data--any organization large enough to have data that valuable will have it
backed up, RAIDed, off-site archived, server-mirrored, hot-sited, and
anything else you can think of--the people who need the data recovery
services are the small shops that haven't yet learned that it's cheaper to
protect than to recover and the occasional midsize outfit that has run into
a disaster beyond what they planned for. Consider the amount that such a
business can spend on the recovery, then consider the resources brought to
bear if George Bush says to the Director of the NSA "get the data and hang
the expense". But the likelihood of that sort of resource being brought to
bear on your client, unless he turns out to be a spy, major crime figure,
or international terrorist, is vanishingly small.
 
Shailesh Humbad said:
One of my clients is a physician, and he called me to ask for
my opinion on a debate he was having with his wife. They are
giving away some of their old PCs, and he was saying he could
just format the XP partition and sell it, whereas his wife was
disagreeing. The drives may contain financial passwords and
other personal information.

There doesn't seem to be much easily accessible and reliable
information on this topic. The software vendors want to sell
their software, so they only hawk the security of their
methodology. No one seems to have any clue as to what are the
actual costs and probabilities involved in recovery.

Anyway, as you (Dan) suggest, I am going to advise them to do
a single pass over-write of the entire drive. I know that, at
the very least, no software-only solution will be able to
recover from this. Once the data is overwritten with zeros,
recovering it again probably requires highly specialized and
ridiculously expensive hardware. If overwritten once with
random data, then it is probably totally impossible. What is
the point of making multiple passes I have no idea, although
most software offers this option. Just to waste time I guess.


I think it is all to do with what is called magnetic shadow data.
People like Peter Gutmann (who signs himself on his website as a
Professional paranoid) suggest that a properly secure way of
erasing data from hard drives is to write to them with random data
as many as 35 times.

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

"Data overwritten once or twice may be recovered by
subtracting what is expected to be read from a storage location
from what is actually read. Data which is overwritten an
arbitrarily large number of times can still be recovered provided
that the new data isn't written to the same location as the
original data (for magnetic media), or that the recovery attempt is
carried out fairly soon after the new data was written (for RAM).
For this reason it is effectively impossible to sanitise storage
locations by simple overwriting them, no matter how many overwrite
passes are made or what data patterns are written. However by
using the relatively simple methods presented in this paper the
task of an attacker can be made significantly more difficult, if
not prohibitively expensive." [UNQUOTE]

There is software available which claims to work to Gutmann's
recommendations such as apm-Schredder (sic). Others are not sure
that Gutmann's method works well:

"Peter Gutman of the University of Auckland speculated ...
that overwriting a drive 35 times with varying hexadecimal values
may force the write head to vary magnetic effect on the iron oxide
particles to such an extent as to remove the shadow data. Still,
there is no guarantee that software solutions will effectively wipe
out all this information because the process relies on the drive's
controller, which is not suited for this purpose." [UNQUOTE]

http://www.forensics-intl.com/art15.html
 
Previously Shailesh Humbad said:
One of my clients is a physician, and he called me to ask for my
opinion on a debate he was having with his wife. They are giving away
some of their old PCs, and he was saying he could just format the XP
partition and sell it, whereas his wife was disagreeing. The drives
may contain financial passwords and other personal information.
There doesn't seem to be much easily accessible and reliable
information on this topic. The software vendors want to sell their
software, so they only hawk the security of their methodology. No one
seems to have any clue as to what are the actual costs and
probabilities involved in recovery.
Anyway, as you (Dan) suggest, I am going to advise them to do a single
pass over-write of the entire drive. I know that, at the very least,
no software-only solution will be able to recover from this. Once the
data is overwritten with zeros, recovering it again probably requires
highly specialized and ridiculously expensive hardware. If
overwritten once with random data, then it is probably totally
impossible. What is the point of making multiple passes I have no
idea, although most software offers this option. Just to waste time I
guess.

Not in all cases. E.g. for floppies you need multiple overwrites. The
critical characteristic of the medium is how far the used capacity
approaches the maximum possible capacity (as derived from s/n ratio
and minimal track size). A standard floppy can store a lot more than
the 2MB (unformatted) it is normally used at. A HDD cannot. The thing
is that in order for data that was overwritten to be recoverable at
all, the medium must be able to hold both old and new data. (Even if
the hdd can only read the new data, the old one must actually be
present.) I suspect that with modern HDDs this is impossible, since
they are close to the media limit in normal operation, i.e. an
overwritten signal vanishes in the medium noise.

I believe the reason for multiple overwrites is that older HDDs
actually did not manage to get close to the medium limit and
recovery from one or even more overwrites was possible then.
The problem was mostly that HDD head technology was behind what
the used hdd platter coating could do. It is not anymore.

Additional fact: The German computer magazine c't tried some
time ago to get a file recovered that was overwritten once on a
modern HDD. All commercial data recovery companies asked said
they could not do this.

And a comment on the long format: Without being really sure it
overwrites all, it is unusable. That is the real problem: You
actually do not know what it does in detail.

Arno
 
The current counter argument to these articles is that they are nowhere near
as sloppy today, compared to the 1996 article, when it comes to wasted space on
a hard drive platter now. The data density is so much greater that these
concepts no longer hold true. The theory that is, I'm not saying that the
articles aren't true.

--Dan

Mark M said:
Shailesh Humbad said:
One of my clients is a physician, and he called me to ask for
my opinion on a debate he was having with his wife. They are
giving away some of their old PCs, and he was saying he could
just format the XP partition and sell it, whereas his wife was
disagreeing. The drives may contain financial passwords and
other personal information.

There doesn't seem to be much easily accessible and reliable
information on this topic. The software vendors want to sell
their software, so they only hawk the security of their
methodology. No one seems to have any clue as to what are the
actual costs and probabilities involved in recovery.

Anyway, as you (Dan) suggest, I am going to advise them to do
a single pass over-write of the entire drive. I know that, at
the very least, no software-only solution will be able to
recover from this. Once the data is overwritten with zeros,
recovering it again probably requires highly specialized and
ridiculously expensive hardware. If overwritten once with
random data, then it is probably totally impossible. What is
the point of making multiple passes I have no idea, although
most software offers this option. Just to waste time I guess.


I think it is all to do with what is called magnetic shadow data.
People like Peter Gutmann (who signs himself on his website as a
Professional paranoid) suggest that a properly secure way of
erasing data from hard drives is to write to them with random data
as many as 35 times.

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

"Data overwritten once or twice may be recovered by
subtracting what is expected to be read from a storage location
from what is actually read. Data which is overwritten an
arbitrarily large number of times can still be recovered provided
that the new data isn't written to the same location as the
original data (for magnetic media), or that the recovery attempt is
carried out fairly soon after the new data was written (for RAM).
For this reason it is effectively impossible to sanitise storage
locations by simple overwriting them, no matter how many overwrite
passes are made or what data patterns are written. However by
using the relatively simple methods presented in this paper the
task of an attacker can be made significantly more difficult, if
not prohibitively expensive." [UNQUOTE]

There is software available which claims to work to Gutmann's
recommendations such as apm-Schredder (sic). Others are not sure
that Gutmann's method works well:

"Peter Gutman of the University of Auckland speculated ...
that overwriting a drive 35 times with varying hexadecimal values
may force the write head to vary magnetic effect on the iron oxide
particles to such an extent as to remove the shadow data. Still,
there is no guarantee that software solutions will effectively wipe
out all this information because the process relies on the drive's
controller, which is not suited for this purpose." [UNQUOTE]

http://www.forensics-intl.com/art15.html
 
Ron Reaugh said:
Very sophisticated techniques (national technical means and not simple data
recovery services) may be able to recover data that has been overwritten.
But not data overwritten (erased) as many times as Rosemary Woods did it<g>.

Did you ever change your opinion on the last few generations of IBM
harddrive, Ron? You used to be quite an ardent supporter of IBM, if I
recall correctly...
 
Nonsense.

Indeed. There is a base level of noise on any magnetic medium. As
soon as a signal has been weakened enough to be somewhat below this
noise level, it is just not there anymore in the strong (mathematical)
sense. A loose upper bound can be found with Shannon's channel
capacity, since a moving magnetic medium can be regarded as a channel:

http://www.sciencedaily.com/encyclopedia/shannon_limit

Bandwidth has to be derived from closest bit-distance and medium
speed. S/N-ratio is what the best theoretical reading head could do.

In order to recover one overwriting, the medium has to have enough
bandwidth to store the overwritten signal and the overwriting
signal. If it does not have that, there is no way for both sets of
data to be on the medium.

One aspect that makes things a little fuzzy is that this limit
actually applies after data compression. So in theory overwriting with
badly compressible true randomness is more secure than overwriting
with zeros. In practice older signals will just be too weak to be seen
in the background noise. HDD heads, modulation and electronics are very
close to the medium limit today. That was not always the case.

Arno
 
One aspect that makes things a little fuzzy is that this limit
actually applies after data compression. So in theory overwriting with
badly compressible true randomness is more secure than overwriting
with zeros. In practice older signals will just be too weak to be seen
in the background noise. HDD heads, modulation and electronics are very
close to the medium limit today. That was not always the case.

Did anyone mention these devices yet?

http://www.tecchannel.com/security/client/418/
http://www.tecchannel.com/security/client/418/9.html
 
Ron said:
Such a degausser seems like a waste of money. Shredding the drive or heating it
above the Curie temperature seems better.

Interesting point.

Cooking the HD sounds simple enough. Do you know what the coating
materials are for current HD platters? Do you know what the Curie
temps are for those materials? Do you know where to buy industrial
ovens, for modest prices, that will work at those temps?

Cobalt, for example, has a Curie temp of 1388 deg.K, which is about
1115 deg.C or 2040 deg.F. I don't think my kitchen oven will get
the job done <g>.
 
Interesting point.

Cooking the HD sounds simple enough. Do you know what the coating
materials are for current HD platters? Do you know what the Curie
temps are for those materials? Do you know where to buy industrial
ovens, for modest prices, that will work at those temps?

Cobalt, for example, has a Curie temp of 1388 deg.K, which is about
1115 deg.C or 2040 deg.F. I don't think my kitchen oven will get
the job done <g>.

Assuming the Curie temps are right, I think the substrate materials
will melt, first. Aluminum melts at 1220F.

I just put the disk on a concrete floor and give it a shot with the
sledge hammer that I keep in the computer room. It also serves
to intimidate the servers.

If I have to return a disk for warranty replacement I'll eat the cost
of the disk if the risk of losing the data exceeds the cost of the
disk from a business risk point of view. The decision is easy for a
$150 disk.
 
I just put the disk on a concrete floor and give it a shot with the
sledge hammer that I keep in the computer room. It also serves
to intimidate the servers.

That's the best plan, IMO.
 