RE: Peter Gutmann data deletion theory?

From: Bret Morey (bam159_at_psu.edu)
Date: 07/23/05

    To: "'Robert Thompson Jr.'" <rthompson@columbiabank.com>, "'Jared Johnson'" <jaredsjazz@Yahoo.com>, <focus-ms@securityfocus.com>
    Date: Fri, 22 Jul 2005 21:22:53 -0400
    
    

    A simple format is nothing like a low level format or a 3* overwrite. It is
    theoretically possible to recover sporadic portions of data on a drive that
    has been 3* overwritten, by utilizing special equipment to pick up the
    areas that remain between tracks, but it requires equipment that is
    typically prohibitively expensive and the chances of reconstructing a
    significant amount of data are very slim. Consider this method's reliance on
    write head wobble, and the fact that if the write heads are wobbling during
    the original write, they will also wobble during the 3 recursive 1 and 0
    overwrite passes, meaning that you not only have to read the remaining data
    between the tracks, but you also have to distinguish between the original
    data and the overwrite pass data, but you also have to manage to recover
    enough contiguous data to reconstruct files and also figure out how to
    reassemble it correctly. I have yet to hear anyone claiming to have
    actually been able to recover and reconstruct the data from a system that
    has been 3* overwritten per dss standards. And if you are that concerned
    about data being recovered from decommissioned drives you can do like we
    used to, and disassemble them and sandblast the platters. Or you can simply
    send them to NSA, who to the best of my knowledge still degausses drives
    free of charge with degaussers that are in some cases actually capable of
    physically destroying the platters.

    If I am mistaken and someone has actually developed a method for reliably
    reconstructing data from a drive that has been overwritten 3 times I would
    be very interested in hearing about the details of the equipment and methods
    involved.

    regards
    -Bret

    -----Original Message-----
    From: Robert Thompson Jr. [mailto:rthompson@columbiabank.com]
    Sent: Thursday, July 21, 2005 3:03 PM
    To: Jared Johnson; focus-ms@securityfocus.com
    Cc: bugtraq@securityfocus.com
    Subject: RE: Peter Gutmann data deletion theory?

    "Do you all agree with Peter Gutmann's conclusion on his theory that data can
    never really be erased, as noted in his quote below:"

    Absolutely...

    If you have ever done any form of data recovery, you will see how much
    information is recoverable, with just basic tools off of the internet.
    If you haven't, just google "data recovery", find almost any program with a
    free demo and take a hard drive, catalog it, format it (after backing up
    what you need of course) then recover it. Watch how much information you
    retrieve. Should be all of it, and then some.

    I recall the first time I ever did a recovery from a hard drive that had
    something off happen to it. I pulled up information on that drive from back
    when it was first used. YEARS before...

    That is just with a basic program off of the internet.

    With wiping/sanitizing of your hard drives, you have eliminated having to
    worry about any mediocre programs doing any data recovery, but "good"
    programs or hardware recovery is still an option. The software recovery
    will eventually fail if you are careful enough...

    Now imagine what a hardware based recovery could pull off?

    I would recommend using the sanitizing products as they will help keep the
    people that don't have the time or money from locating anything on your box,
    but for those out there that have the money or have the time, they will be
    able to get just about anything off of your disk.

    To keep your drives completely secure, you have two choices: either don't
    use them, ever... OR physically destroy them when you are finished.

    Rob.

    -----Original Message-----
    From: Jared Johnson [mailto:jaredsjazz@Yahoo.com]
    Sent: Wednesday, July 20, 2005 4:49 PM
    To: focus-ms@securityfocus.com
    Cc: bugtraq@securityfocus.com
    Subject: Peter Gutmann data deletion theory?

    All,

    Do you all agree with Peter Gutmann's conclusion on his theory that data can
    never really be erased, as noted in his quote below:

    "Data overwritten once or twice may be recovered by subtracting what is
    expected to be read from a storage location from what is actually read.
    Data which is overwritten an arbitrarily large number of times can still be
    recovered provided that the new data isn't written to the same location as
    the original data (for magnetic media), or that the recovery attempt is
    carried out fairly soon after the new data was written (for RAM). For this
    reason it is effectively impossible to sanitise storage locations by simple
    overwriting them, no matter how many overwrite passes are made or what data
    patterns are written. However by using the relatively simple methods
    presented in this paper the task of an attacker can be made significantly
    more difficult, if not prohibitively expensive."

    It seems that perhaps the only real way to rid your Hard Drives of data
    is to burn them.

    I'd love to hear some thoughts on this from security and data experts out
    there.

