RE: Advice regarding servers and Wiping Drives after testing
- From: "Craig Wright" <Craig.Wright@xxxxxxxxxx>
- Date: Thu, 13 Sep 2007 05:17:28 +1000
Hello,
I will do a longer write-up when I get to work, but this is a simple answer.
The hard drive heads cannot reliably be used for this purpose. The error rate of mis-reads from firmware and system errors is greater than that of head misalignment.
What you are suggesting is based on error analysis. The read errors are not statistically significant and do not allow this type of data reconstruction. White noise is always greater than recovery and there is no way to determine which error is the "right" error.
This is compounded as the magnetic image is not just a single ghost, but there is one for each prior write. The field strength is not linearly related to the age of the overwrite and there is no distinguishing timestamp on a residual magnetic trace. All bit correlations are probabilistic. See a paper I did for my SANS forensic cert for an example - http://www.giac.net/certified_professionals/practicals/gcfa/265.php.
As I stated in an earlier post - there is an inverse exponential relationship to recovery with the number of prior writes - over the life of the drive. As stated - there is a small chance of recovery when a single file was copied and a single delete was done. More is FUD.
By the way, a low level format is a write for the purpose of this. The burn in test is a prior write etc.
Now, if you cannot do multivariate correlations by hand and do not know what Bartlett's Kolmogorov-Smirnov is, then I suggest that you brush up your math and engineering skills prior to issuing snake oil. This is what is required to do what you are suggesting and it is not a topic most IT people seem to enjoy. I have tried doing presentations on these issues, but the level of math knowledge is far too low these days.
Regards,
Craig
Craig Wright
Manager of Information Systems
Direct : +61 2 9286 5497
Craig.Wright@xxxxxxxxxx
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au
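An added illustration of the argument in the post above (this is example code written for this archive page, not code from the thread or from the GIAC paper): a toy model in which every prior write leaves a residual trace, a reader subtracts the known current contents and thresholds what is left, and the per-bit accuracy is then raised to the power of the bits in a sector. The per-overwrite decay factor, the Gaussian read noise and the thresholding reader are my assumptions, not drive measurements.

```python
import math
import random

SECTOR_BITS = 512 * 8  # bits in one 512-byte sector


def simulate_bit_accuracy(n_writes, target_age, decay, noise_sd,
                          n_bits=SECTOR_BITS, seed=1):
    """Fraction of bits of the write that is `target_age` overwrites old
    that a thresholding reader recovers correctly.

    Toy model (assumption, not a drive measurement): each write leaves a
    trace; the newest has strength 1 and every older one is multiplied by
    `decay` per overwrite. The reader knows the current contents, subtracts
    them, adds Gaussian read noise and takes the sign of the remainder.
    """
    rng = random.Random(seed)
    # constructed write history: n_writes random sectors, oldest first
    history = [[rng.choice((-1, 1)) for _ in range(n_bits)]
               for _ in range(n_writes)]
    current = history[-1]
    target = history[-1 - target_age]
    correct = 0
    for i in range(n_bits):
        # residual field: sum over all writes, newest first, of decay^age * bit
        field = sum(decay ** age * history[-1 - age][i]
                    for age in range(n_writes))
        residual = field - current[i] + rng.gauss(0.0, noise_sd)
        guess = 1 if residual >= 0 else -1
        correct += (guess == target[i])
    return correct / n_bits


def whole_sector_probability(bit_accuracy, n_bits=SECTOR_BITS):
    """P(every bit of a sector is right) when bits are independent."""
    return bit_accuracy ** n_bits


def log10_whole_sector_probability(bit_accuracy, n_bits=SECTOR_BITS):
    """Same quantity on a log10 scale, so it does not underflow to 0."""
    return n_bits * math.log10(bit_accuracy)


if __name__ == "__main__":
    for age in (1, 2, 3):
        acc = simulate_bit_accuracy(n_writes=6, target_age=age,
                                    decay=0.3, noise_sd=0.1)
        print(f"write {age} overwrites old: per-bit accuracy {acc:.3f}, "
              f"log10 P(whole sector) = "
              f"{log10_whole_sector_probability(max(acc, 1e-9)):.1f}")
```

Even with 90% per-bit accuracy on the most recent overwrite, the chance of getting one sector entirely right is below 10^-180, and one overwrite further back the reader is at coin-flip accuracy because the newer trace swamps the older one.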
________________________________
From: listbounce@xxxxxxxxxxxxxxxxx on behalf of gjgowey@xxxxxxxxxxxxxxxxxx
Sent: Thu 13/09/2007 3:52 AM
To: Ansgar -59cobalt- Wiechers; listbounce@xxxxxxxxxxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Advice regarding servers and Wiping Drives after testing
What you're forgetting is that these pieces of software aren't your normal "access the hdd through regular os calls". These pieces of software are sending low level commands to the drive itself and interpreting what's sent back instead of relying on a middle layer. They can literally have the head scan a particular sector as many times as is needed until it gets a signal back that resembles something usable. Writing all 0's will never prevent against software recovery because the all 0's approach is like recording over a used VCR tape once.
Geoff
Sent from my BlackBerry wireless handheld.
-----Original Message-----
From: Ansgar -59cobalt- Wiechers <bugtraq@xxxxxxxxxxxxxxxx>
Date: Wed, 12 Sep 2007 12:48:42
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Advice regarding servers and Wiping Drives after testing
On 2007-09-11 William Holmberg wrote:
On Tuesday, September 04, 2007 1:03 PM Ansgar -59cobalt- Wiechers wrote:
On 2007-09-01 gjgowey@xxxxxxxxxxxxxxxxxx wrote:
A single pass with all zeros really won't protect your data from
being recovered by more advanced data recovery software, let alone
hardware.
I'd like to see a single case where someone was able to recover data
from an overwritten harddisk, even after a single pass with zeroes.
No doubt you are an intelligent and well educated person in these
fields, and probably have many areas of expertise more proficient than
mine. I do have to state however, and nearly any Infragard member can
tell you, the FBI uses tools that accomplish this on a regular basis.
I have no doubt other agencies do as well. We have had demonstrations
of it remotely in a class I help instruct, SAFE computing for Law
Enforcement and Non-Profits (SAFE is Security And Forensic Education)
at Metro State University of Minnesota, MCTC campus.
Demonstrations of recovering data from fully overwritten media, without
opening the case? Sorry, but I seriously doubt that. Feel free to prove
me wrong, but without evidence I find that really hard to believe. Keep
in mind we're not talking about wiping single files, but overwriting the
entire media.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq