RE: Unclassified Disk "Sanitizers"

From: John Daniele (johnd@tsintel.com)
Date: 03/06/02


Date: Wed, 6 Mar 2002 12:07:23 -0500 (EST)
From: John Daniele <johnd@tsintel.com>
To: Mike Donovan <donovan@paxemail.com>


Could you point me towards SOFTWARE (not STM equipment) that would be able
to recover data that had been OVERWRITTEN from a sector of a drive?

i.e. dd if=/dev/zero of=/dev/dsk/c0t0*

Read each physical sector of the drive and explain to me how meaningful
data is recovered from 00's using software recovery tools?

Sorry for my abrasive response, but you are out of line. I was not
referring to a scenario where portions of a deleted file may be recovered
from file slack, or swap space but rather in the case that it had truly
been OVERWRITTEN!

_________________________________________
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: johnd@tsintel.com
Web: http://www.tsintel.com

On Wed, 6 Mar 2002, Mike Donovan wrote:

> >===== Original Message From John Daniele <johnd@tsintel.com> =====
> >The data only has to be overwritten once such that it is unrecoverable
> >using standard forensic recovery methods.
> ---------------------------------------------------------------------------
> This is false. Completely. A one-time pass --- making data "unrecoverable?"
> Why is it that Bruce Schneier and others are constantly harping on how we
> can't assume ANYTHING is truly "unrecoverable" using software methods? Period!
> Even Gutmann's paper questions his own method! John, in referring others for
> more information to the over-used "Gutmann Paper" (which is going now on
> six years old), need I remind you how recovery capabilities have changed in
> SIX years? Let me refer you to something more current and more realistic from
> SANS:
> http://rr.sans.org/incident/deletion.php
> It must be remembered the Gutmann 35-pass method is *completely* different in
> what a "pass" is than, say, the D.O.D 7-pass method. Gutmann's method takes
> into account various encoding methods used by makers of the drives. It's
> totally different. Hard drive slack space and unallocated space? Not even
> mentioned in John's all-inclusive sentence above. How can anything be securely
> deleted without even touching these data storage hogs that a simple one-pass
> method will NOT touch? In the very paper John referred to, Peter Gutmann says
> in the opening sentence of his conclusion, (point 9) "Data overwritten once or
> twice may be recovered by subtracting what is expected to be read from a
> storage location from what is actually read."
>
> The kind of misinformation in John's post is dangerous - especially in today's
> world. Bottom line: Stick with Department of Defense regulations for secure
> deletion or use the 35-pass Gutmann method. Please, don't let **anyone** tell
> you a one-time pass will make data "unrecoverable."
>
> Mike Donovan
>
>
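
The check described in the reply above (read each sector back after a `dd if=/dev/zero` pass), as an added example that is not part of the original thread: it reports which sectors still hold non-zero bytes when read through the normal software interface, which is how an incomplete pass is caught. The 512-byte sector size, the function names and the temporary image file standing in for a device are assumptions.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size; use the device's real value


def nonzero_sectors(path, sector=SECTOR, chunk_sectors=2048):
    """Read every sector of `path`; return indexes of sectors that are not all zero."""
    residue = []
    base = 0  # index of the first sector in the current chunk
    with open(path, "rb") as dev:
        while True:
            buf = dev.read(sector * chunk_sectors)
            if not buf:
                break
            if buf.count(0) != len(buf):  # only walk chunks holding non-zero bytes
                for off in range(0, len(buf), sector):
                    if buf[off:off + sector].strip(b"\x00"):
                        residue.append(base + off // sector)
            base += -(-len(buf) // sector)  # ceil: count a short final sector
    return residue


def demo():
    """Constructed 64-sector image: before the pass, after it, and after a missed sector."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as img:
            img.write(b"\xa5" * SECTOR * 64)      # constructed "old data"
        before = nonzero_sectors(path)
        with open(path, "r+b") as img:
            img.write(bytes(SECTOR * 64))         # the single zero pass
        after = nonzero_sectors(path)
        with open(path, "r+b") as img:
            img.seek(40 * SECTOR + 7)
            img.write(b"\x01")                    # simulate one sector the pass missed
        missed = nonzero_sectors(path)
    finally:
        os.remove(path)
    return len(before), after, missed


if __name__ == "__main__":
    print(demo())
```

An empty list means every sector read back as zeros; it says nothing about what laboratory equipment might measure on the platter, which is the separate question argued in the thread.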