Re: Unclassified Disk "Sanitizers"

From: John Daniele (johnd@tsintel.com)
Date: 03/08/02


Date: Fri, 8 Mar 2002 00:06:26 -0500 (EST)
From: John Daniele <johnd@tsintel.com>
To: Marnix Petrarca <Marnix@DaemonLabs.com>


For the hundredth time! There is a difference between a file being deleted
from a filesystem and it being truly OVERWRITTEN. If you are sanitizing
the drive, you will OVERWRITE it with data from the first sector to the
very last PHYSICAL sector of the drive. OVERWRITTEN. Period. Unless you
wish to pursue other PHYSICAL RECOVERY methods such as the use of Scanning
Tunneling Microscopy or recovery of tiny fragments of data from the cache
chip found on the drive's circuit board, it's for all intents and purposes
GONE.

_________________________________________
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: johnd@tsintel.com
Web: http://www.tsintel.com

On Fri, 8 Mar 2002, Marnix Petrarca wrote:

> Didn't The Coroner's Toolkit from Wietse Venema and consorts do something
> like that?
> There's other interesting reading there, too.
> http://www.porcupine.org/forensics/tct.html
> -M
>
> ----- Original Message -----
> From: "John Daniele" <johnd@tsintel.com>
> To: "Mike Donovan" <donovan@paxemail.com>
> Cc: <security-basics@securityfocus.com>
> Sent: 06 March, 2002 6:07 PM
> Subject: RE: Unclassified Disk "Sanitizers"
>
>
> >
> > Could you point me towards SOFTWARE (not STM equipment) that would be able
> > to recover data that had been OVERWRITTEN from a sector of a drive?
> >
> > i.e. dd if=/dev/zero of=/dev/dsk/c0t0*
> >
> > Read each physical sector of the drive and explain to me how meaningful
> > data is recovered from 00's using software recovery tools?
> >
> > Sorry for my abrasive response, but you are out of line. I was not
> > referring to a scenario where portions of a deleted file may be recovered
> > from file slack, or swap space but rather in the case that it had truly
> > been OVERWRITTEN!
> >
> > _________________________________________
> > John Daniele
> > Technical Security & Intelligence
> > Toronto, ON
> > Voice: (416) 605-2041
> > E-mail: johnd@tsintel.com
> > Web: http://www.tsintel.com
> >
> > On Wed, 6 Mar 2002, Mike Donovan wrote:
> >
> > > >===== Original Message From John Daniele <johnd@tsintel.com> =====
> > > >The data only has to be overwritten once such that it is unrecoverable
> > > >using standard forensic recovery methods.
> >
> > ---------------------------------------------------------------------------
> > > This is false. Completely. A one-time pass --- making data "unrecoverable?"
> > > Why is it that Bruce Schneier and others are constantly harping on how we
> > > can't assume ANYTHING is truly "unrecoverable" using software methods? Period!
> > > Even Gutmann's paper questions his own method! John, in referring others for
> > > more information to the over-used "Gutmann Paper" (which is going now on
> > > six-years old), need I remind you how recovery capabilities have changed in
> > > SIX years? Let me refer you to something more current and more realistic from
> > > SANS:
> > > http://rr.sans.org/incident/deletion.php
> > > It must be remembered the Gutmann 35-pass method is *completely* different in
> > > what a "pass" is than, say, the D.O.D 7-pass method. Gutmann's method takes
> > > into account various encoding methods used by makers of the drives. It's
> > > totally different. Hard drive slack space and unallocated space? Not even
> > > mentioned in John's all-inclusive sentence above. How can anything be securely
> > > deleted without even touching these data storage hogs that a simple one-pass
> > > method will NOT touch? In the very paper John referred to, Peter Gutmann says
> > > in the opening sentence of his conclusion, (point 9) "Data overwritten once or
> > > twice may be recovered by subtracting what is expected to be read from a
> > > storage location from what is actually read."
> > >
> > > The kind of misinformation in John's post is dangerous - especially in today's
> > > world. Bottom line: Stick with Department of Defense regulations for secure
> > > deletion or use the 35-pass Gutmann method. Please, don't let **anyone** tell
> > > you a one-time pass will make data "unrecoverable."
> > >
> > > Mike Donovan
> > >
> > >
> >
>
>
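
The read-back check the thread keeps returning to ("read each physical sector of the drive"), as an added example that is not part of the original messages: it reads an image from the first sector to the last and lists every sector that still holds a non-zero byte, showing that an overwrite which stops short leaves residue while a full pass leaves none. The function names, the 512-byte sector size and the 64-sector image are assumptions made for the illustration.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size; ask the device for its real value


def nonzero_sectors(path, sector=SECTOR, chunk_sectors=2048):
    """Read path from first byte to last; return (total_sectors, residue),
    where residue lists the index of every sector holding a non-zero byte."""
    residue, index = [], 0
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(sector * chunk_sectors)
            if not chunk:
                break
            for off in range(0, len(chunk), sector):
                if any(chunk[off:off + sector]):
                    residue.append(index)
                index += 1
    return index, residue


def overwrite(path, first, count, sector=SECTOR):
    """Zero `count` sectors starting at sector `first`, in place, then sync."""
    with open(path, "r+b") as dev:
        dev.seek(first * sector)
        dev.write(bytes(sector * count))
        dev.flush()
        os.fsync(dev.fileno())


def demo():
    """Constructed 64-sector image with data in sectors 3 and 60."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as img:
            img.write(bytes(SECTOR * 64))
            img.seek(3 * SECTOR)
            img.write(b"constructed sample record")
            img.seek(60 * SECTOR + 100)
            img.write(b"constructed residue outside the wiped range")
        before = nonzero_sectors(path)
        overwrite(path, 0, 32)   # a pass that stops halfway
        partial = nonzero_sectors(path)
        overwrite(path, 0, 64)   # first sector to last sector
        full = nonzero_sectors(path)
        return before, partial, full
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

A scan like this only sees what the drive returns for addresses software can reach, which is the same limit the thread draws between software recovery and physical recovery methods.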


