bugtraq@planetcobalt.net



Hi,
Myself, Dave Kleiman and Shyaam Sundhar R.S. have a paper submitted
and accepted for ICISS08 (the Fourth International Conference on
Information Systems Security (2008)). The paper is titled,
"Overwriting Hard Drive Data: The Great Wiping Controversy".

The abstract follows:
"Abstract. Often we hear controversial opinions in digital forensics
on the required or desired number of passes to utilize for properly
overwriting, sometimes referred to as wiping or erasing, a modern hard
drive. The controversy has caused much misconception, with persons
commonly quoting that data can be recovered if it has only been
overwritten once or twice. Moreover, referencing that it actually
takes up to ten, and even as many as 35 (referred to as the Gutmann
scheme because of the 1996 Secure Deletion of Data from Magnetic and
Solid-State Memory published paper by Peter Gutmann) passes to
securely overwrite the previous data. One of the chief controversies
is that if a head positioning system is not exact enough, new data
written to a drive may not be written back to the precise location of
the original data. We demonstrate that the controversy surrounding
this topic is unfounded."

The paper is to presented in December this year and is being published
under the LNCS (Lecture notes in Computer Science) series from
Springer Verlag.

The answer is simple. Actually scientifically test the proposition
that data can be recovered using an electron microscope. We have done
this and the paper provides a definative report on both PRML drives
(such as where used by Dr. Gutmann) as well as the differences in
modern ePRML drives.

Regards,
Craig
--
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...

---In reply to ---

On 2008-10-08 Matt wrote:
I've been lurking here for the last 6 months or so and this thread
caught my eye.

I'd agree about most of the comments in this thread with the exception
of a few regarding data recovery after a file has been 'zeroed' and
whether there is any benefit to using random data during the
overwrite.

The below thread/link was responded to by a senior engineer from a
well known disk manufacturer, and according to him - data can be
recovered after being over-written with new data (several generations
back).

Given Mr. Barila has decades of experience and plays an active role in
the design and development of mass storage devices along with the
supporting firmware, I'll take his word for it...

http://www.osronline.com/showThread.cfm?link=92173

That's the theory. However, as I said in another mail: I'd like to see
a credible report on even a single file actually having been recovered
after the disk it was stored on had been wiped in a single pass with
zeroes.

I'm not saying it can't be done, mind you. However, all I ever see is
statements saying that in theory it could be done, but up to now
nobody could come up with an example where this has been actually
done. Thus I'm having my doubts.

Of course if you'd want to avoid any risk, you'd feed the disk to a
furnace and get rid of the problem once and for all.

Regards
Ansgar Wiechers