Security Basics mailing list archives
RE: Interesting One
From: "Holmes, Ben" <Ben.Holmes () getronics com>
Date: Fri, 1 Nov 2002 19:38:30 +1100
Magnetic force microscopy and other such things could (and do) indeed read past data from a hard drive that has been wiped many times (I have heard many conflicting and often wild claims about the exact number). A single pass can defeat anything the drive circuitry can grab from the disk, and if you bypass the circuitry and connect the right equipment directly to the drive's heads, you would be able to read remapped sectors such as grown defects; a full overwrite (one pass again) on most modern drives even eliminates this if it can access these areas. MFM involves pulling the hard disk apart and doing a physical analysis. There is a place in Australia that does it and at least 2 in the US and 1 in New Zealand I have heard of.

A doctor one of our techs knows tried to get data back from a HDD that had NO overwriting, just a very bad head crash. He was charged AU$1600 and they recovered ONE file. It was a part of the OS.

Remember that modern hard disks store data in very advanced ways and VERY tightly packed together... I am not sure how fast you could manually recover data using a highly advanced (and very expensive) microscope, but if you recover an average of 8 BITS per second of REAL DATA (and there is no doubt a lot of hamming code written for the sake of data integrity), it would take you about 17 minutes for a kilobyte. It would take you about 83333 DAYS (approx 228 YEARS) working 10 HOURS A DAY FULL TIME WITH NO BREAKS to recover a standard 3Gb data set.

To quote some experts: "Magnetic Media Microscopy (MMM) is used in cases where data has been overwritten. MMM is a lengthy process that involves examining each bit of data at a magnetic level to determine that bit's previous state. Recovering just a floppy disk using this technology can take days or weeks. MMM is rarely used because of the cost factor."
- ESS Data Recovery

Let's say you knew the exact location of the data (or at least the filename, because you could find where you want to go; let's say the SAM in WinNT): you would have to recover the boot sector (to find the $MFT), the $MFT to find the $DATA stream of the directory entry for WINNT... etc... then finally, when you find the exact offset on the disk the SAM is at, you would have to go the right number of bytes into the SAM and recover the encrypted password... still, it is very daunting and would cost money. Data recovery is always much easier if everything is defragmented properly... just imagine the pain if it was part of a striped RAID system!

The DoD standard is very paranoid and doesn't always work because mapped-out bad sectors are not always wiped (look up "Grown Defect List" on Google). If you really want the data gone, incineration is the best method, then buy a new drive... Degaussing will also work (but you have to use a very strong degausser and for quite a long time), but it also renders the drive just as completely inoperable, as it will wipe the sector marks and everything (but at least it still LOOKS intact). If you want it so NO SOFTWARE IN THE ENTIRE WORLD can get it off (because the drive's heads cannot detect overwritten data and the firmware will therefore not translate it), a standard one-pass wipe with "FORMAT /U" and I bet you can't get anything meaningful off it! (Note a standard format without the "U" option doesn't actually do any wipe passes.) Still, all that said, when government bodies ask for a contract, you will win easier if you quote a standard and do what it says, no matter how silly it all is.

http://www.vogon-data-recovery.com/dr_bulletin-02/dr_bulletin_02_01.htm has a little article that you may also find interesting, but it doesn't have much of a conclusion. If you want a better read into MFM look here...
http://www.di.com/AppNotes/MFM/MFMMain.html

In conclusion, in theory wiping it a lot means it is more secure, and random data passes would make MFM really hard, but in practice, who are you trying to kid: if your data is THAT valuable (I am talking many many dollars here), the cost of completely incinerating the drive and buying a new one is far cheaper than paying for someone who is trusted to handle that drive's data to sit there and wipe it seven, nine or even 5000 times... and far, far more secure.

-- Benjamin Holmes
-----Original Message-----
From: Vlad [mailto:vlad () verat net]
Sent: Thursday, October 31, 2002 6:10 AM
To: maillist
Subject: Re: Interesting One

U.S. DoD - seven pass extended character rotation wiping [DoD 5200.28-STD]. And for the sake of argument the program I use has a limit of 100 passes.

----- Original Message -----
From: "maillist" <maillist () avoiderman com>
To: <security-basics () security-focus com>
Sent: Wednesday, October 30, 2002 7:45 AM
Subject: RE: Interesting One

I disagree with you both - the NSA standard for a drive that will be recycled is a nine-pass wipe ... involving pseudo-random data, 0s and 1s ... preferably in a non-predictable order ... Reading after thirty overwrites is just scare mongering. Depending on the media it might just be possible on some drives (where the heads have moved over time) ... but the kit to read from drives after just a couple of wipes is expensive, and usually just the provision of government types ...

Avoiderman

-----Original Message-----
From: Nero, Nick [mailto:Nick.Nero () disney com]
Sent: 29 October 2002 17:30
To: Dave Adams; security-basics () security-focus com
Subject: RE: Interesting One

Well, the NSA standard I believe is that zero-filling a drive (writing all 0's to the platter) will make the data impossible to recover, but I am sure there are some instances when this isn't the case depending on how retentive the media is and all that. If it is electromagnetically degaussed for an extended period of time, I can't imagine anything could recover the data.

Nick Nero, CISSP

-----Original Message-----
From: Dave Adams [mailto:dadams () johncrowley co uk]
Sent: Monday, October 28, 2002 5:06 PM
To: security-basics () security-focus com
Subject: Interesting One

Greetings Folks,

I had an interesting conversation today with someone from FAST (Federation Against Software Theft). They pretend not to be a snitch wing of the BSA. Anyway, to get to the point, the guy that came to see me said that their forensics guys could read data off a hard drive that had been written over up to thirty times. I find this very hard to believe and told him I thought he was mistaken, but the guy was adamant that it could be done. My question is, does anyone have any views on this, or, can anyone point me to a source of information where I can get the facts on exactly how much data can be retrieved off a hard drive and under what conditions etc etc.

Thanks
Dave Adams
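The one-pass-wipe-then-verify idea Ben argues for, written up as an added example that is not from this thread: overwrite a file in place (random data on the earlier passes, zeros on the last), then read it back through the normal I/O path to confirm the electronics now return nothing of the old contents. It assumes a regular file as the target; against a real disk the same loop would run over the block device, and, as Ben notes, sectors already remapped to the grown defect list stay out of reach of any overwrite done through the firmware.

```python
import os
import secrets
import tempfile

# Constructed stand-in for sensitive content (not a real hash).
MARKER = b"SAM-PASSWORD-HASH-GOES-HERE"

def overwrite_file(path, passes=1, chunk=1 << 16):
    """Overwrite every byte of `path` in place `passes` times: random data
    on the earlier passes, zeros on the last so it can be read back and
    checked. Returns the number of bytes covered per pass."""
    if passes < 1:
        raise ValueError("need at least one pass")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(1, passes + 1):
            f.seek(0)
            remaining = size
            while remaining:
                block = min(chunk, remaining)
                f.write(bytes(block) if n == passes else secrets.token_bytes(block))
                remaining -= block
            f.flush()
            os.fsync(f.fileno())  # commit this pass before starting the next
    return size

def reads_back_as_zero(path, chunk=1 << 16):
    """Verification pass: the normal read path must now return only zeros,
    which is all the drive electronics will ever hand back to software."""
    with open(path, "rb") as f:
        while block := f.read(chunk):
            if block.count(0) != len(block):
                return False
    return True

def demo(passes=3):
    """Wipe a constructed temp file and report (bytes per pass, verified,
    marker still present)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(MARKER * 4000)
    try:
        written = overwrite_file(path, passes)
        ok = reads_back_as_zero(path)
        with open(path, "rb") as f:
            survived = MARKER in f.read()
    finally:
        os.unlink(path)
    return written, ok, survived
```

Running `demo()` with one pass or with several gives the same read-back result, which is the point of the thread: extra passes change what a lab with the platters might see, not what any software can read.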