lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 23 Jul 2005 15:36:25 +0200
From: Andreas Beck <becka-list-bugtraq@...atec.de>
To: bugtraq@...urityfocus.com
Subject: Re: Peter Gutmann data deletion theaory?


"Robert Thompson Jr." <rthompson@...umbiabank.com> wrote:
> If you have ever done any form of data recovery, you will see how much
> information is recoverable, with just basic tools off of the internet.

It's just that way, if you don't take any care deleting your data.


> with a free demo and take a hard drive, catalog it, format it (after
> backing up what you need of course) then recover it.  Watch how much
> information you retrieve.  Should be all of it, and then some.

This is not the case, if you follow a proper procedure. The effect of
"formatting" a harddisk is grossly overestimated by the average user -
probably due to its historic effect on floppy disks.
The same is true for "deleting".

Both operations usually only change a very small part of the harddisk.
For efficiency reasons. Formatting usually only deletes tables of free
blocks, root directory and some management information.
Deleting usually only removes the directory linkage and evetually frees
up the disk space, if no hardlinks are present, but doesn't touch the
data itself.


However, while it is pretty hard to securely delete data on modern 
filesystems, if the filesystems were not designed to do this themselves,
it is relatively easy to destroy almost any data when wiping entire
drives.

Try your above experiment after you have not merely "formatted" the
disk, but rather wiped it with even a single pass of 
dd if=/dev/zero of=/dev/[harddiskdevice]

This will render almost any attempt of software recovery useless. The
only data that should be recoverable by software tools is old weak data
from mapped out sectors and the like. This requires specialized software
that talks to the drives on a pretty low level, but is doable. Of
course, only very small amounts of data should be recoverable.
Just look at the mapped out sector counts from the SMART data of old
harddisks. You'd be lucky, if you find a few hundred sectors.


> I recall the first time I ever did a recovery from a hard drive that had
> something off happen to it.  I pulled up information on that drive from
> back when it was first used.  YEARS before...

Sure. But that data was never deleted in a secure manner.

> With wiping/sanitizing of your hard drives, you have elimiated having to
> worry about any mediocre programs doing any data recovery, but "good"
> programs or hardware recovery is still an option. 

Any software recovery of a properly wiped drive will only have very
limited success. 


> Now imagine what a hardware based recovery could pull off?

IMHO: Not so much more. Modern harddisks have such a high density, that
those "off track reading" and "remanent magnetism" arguments don't quite
hold. If the signal from there were useable with a reasonable amount
of hardware cost, it would be used to put more data on the media.

Are there any public studies about what commercial data recovery providers 
can achieve after a harddisk was overwritten with a single sweep of
zeroes?


> I would recommend using the sanitizing products as they will help keep
> the people that don't have the time or money from locating anything on
> your box, but for those out there that have the money or have the time,
> they will be able to get just about anything off of your disk.

I doubt that, but if you think your data is valueable enough to make
such an attack feasible, I'd rather not recommend your choices:


> To keep your drives completely secure, you have two choices:  either
> don't use them, ever...  OR  physically destroy them when you are
> finished.

but recommend to encrypt your sensitive data. 

Reason: If you data is valueable enough to spend a few thousand dollars 
to pull it off a discarded harddrive, it is almost certain, that
you need to spend less and gain more by getting the drive right from 
your office while it is still in use and no deletion has been attempted.


Kind regards,

Andreas Beck

-- 
Andreas Beck
http://www.bedatec.de/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ