bugtraq@planetcobalt.net



Hi,
Myself, Dave Kleiman and Shyaam Sundhar R.S. have a paper submitted
and accepted for ICISS08 (the Fourth International Conference on
Information Systems Security (2008)). The paper is titled,
"Overwriting Hard Drive Data: The Great Wiping Controversy".

The abstract follows:
"Abstract. Often we hear controversial opinions in digital forensics
on the required or desired number of passes to utilize for properly
overwriting, sometimes referred to as wiping or erasing, a modern hard
drive. The controversy has caused much misconception, with persons
commonly quoting that data can be recovered if it has only been
overwritten once or twice. Moreover, referencing that it actually
takes up to ten, and even as many as 35 (referred to as the Gutmann
scheme because of the 1996 Secure Deletion of Data from Magnetic and
Solid-State Memory published paper by Peter Gutmann) passes to
securely overwrite the previous data. One of the chief controversies
is that if a head positioning system is not exact enough, new data
written to a drive may not be written back to the precise location of
the original data. We demonstrate that the controversy surrounding
this topic is unfounded."

The paper is to presented in December this year and is being published
under the LNCS (Lecture notes in Computer Science) series from
Springer Verlag.

The answer is simple. Actually scientifically test the proposition
that data can be recovered using an electron microscope. We have done
this and the paper provides a definative report on both PRML drives
(such as where used by Dr. Gutmann) as well as the differences in
modern ePRML drives.

Regards,
Craig
--
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...

---In reply to ---

On 2008-10-08 Matt wrote:
I've been lurking here for the last 6 months or so and this thread
caught my eye.

I'd agree about most of the comments in this thread with the exception
of a few regarding data recovery after a file has been 'zeroed' and
whether there is any benefit to using random data during the
overwrite.

The below thread/link was responded to by a senior engineer from a
well known disk manufacturer, and according to him - data can be
recovered after being over-written with new data (several generations
back).

Given Mr. Barila has decades of experience and plays an active role in
the design and development of mass storage devices along with the
supporting firmware, I'll take his word for it...

http://www.osronline.com/showThread.cfm?link=92173

That's the theory. However, as I said in another mail: I'd like to see
a credible report on even a single file actually having been recovered
after the disk it was stored on had been wiped in a single pass with
zeroes.

I'm not saying it can't be done, mind you. However, all I ever see is
statements saying that in theory it could be done, but up to now
nobody could come up with an example where this has been actually
done. Thus I'm having my doubts.

Of course if you'd want to avoid any risk, you'd feed the disk to a
furnace and get rid of the problem once and for all.

Regards
Ansgar Wiechers



Relevant Pages

  • Re: what happens to deleted files
    ... It has never been done, not even by Dr. Gutmann himself, and he is the one who first advanced the theory that it might be possible to recover data from overwritten drives. ... The best that Dr. Gutmann could do with MFM was to show that there "might" be a possibility that some bits of data might be recoverable, he was never able to recover actual files and he has never been able to publicly demonstrate that he actually could recovery files on zero written drives, and nobody else either ever could. ... The reason that the US government or any other entities who work with very sensitive data might melt or destroy drives instead of securely overwriting them is not because of the possibility of data recovery on these drives, it is because of the possibility of user or software errors when doing the wiping. ... There is one area which can be of real concern with regards to wiped drives and where actual "bits" of data recovery could be made, cluster tips. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: password auditing
    ... For non-functional drives or where overwriting is not possible ... Stand Microscopy from undamaged areas of the platter is possible at ... And as far as data recovery from failed drives goes this is rather ...
    (Pen-Test)
  • Re: [Full-disclosure] Disk wiping -- An alternate approach?
    ... "quick" wipe filling a drive only 4 times, is often enouth, but... ... I destroy drives containing credit card and other ... For non-functional drives or where overwriting is not possible ... And as far as data recovery from failed drives goes this is rather ...
    (Full-Disclosure)
  • Re: Ruined m-board with bios update
    ... Doubt that you will be back to this post to see this, but if you are, I received an an identical replacement motherboard from Intel today and just finished installing it. ... Plugged all the hard drives into the same connections as the old board and after all the other tiny little connections I turned it on. ... to re-set the clock in the bios and that was no problem. ... Turned power on & inserted recovery CD. ...
    (microsoft.public.windows.mediacenter)
  • Re: Ruined m-board with bios update
    ... Plugged all the hard drives ... reactivating on a new motherboard. ... Turned power on & inserted recovery CD. ... recovery bios! ...
    (microsoft.public.windows.mediacenter)