Security Basics mailing list archives

Re: Advice regarding servers and Wiping Drives after testing


From: Robert Inder <robert () interactive co uk>
Date: 12 Sep 2007 12:28:58 +0100


"Sec Sam" asked about wiping disks that have been used in a (striped)
RAID array.

He was concerned about the security of the data, but also
had limited time to spend erasing it.

This raised a question in my mind: does he have to erase ALL of them?

How much can be recovered from one disk of a striped array?  Assume
you can actually read the blocks on the disk: how much use is that?

I don't know much/enough about the innards of a RAID, but as I
understand it, in non-mirrored mode they smear the data (and some error
checking information) across all the disks.

So if you have (and can read everything on) one disk from a four disk
raid, you won't have one quarter (or one third) of the files.  You'll
have dissociated fragments of data.  One drive cannot yield enough 
information to be (easily) useful, because it has never held it.

Is that right?  What are the theoretical limits to what could be
retrieved?  How far could you get?

In most practical situations (rather than theoretical limits),
you certainly couldn't expect an ordinary operating system to read it
as a disk.

And even if you had special software to pick up the blocks of data,
you won't be able to tell how they are organised, will you?  Even if
you get coherent blocks of data, most of them will belong to files
that continue from one of the other drives.  Which means you won't
know what they were: Maybe part of a Word document.  Or
a font.  Or a web server log.  Or a binary.  Or a JPG.  Or a
compressed file.  Or a database index.  Or a swap file.  Or...

Presumably, if you knew a *lot* about RAIDs (maybe even the very model
of RAID the disk was from), and the operating system that was used,
and maybe quite a bit about the data you were expecting to find on the
disk, you could write some software that would try to re-associate
these fragments.

But that would be a *major* undertaking, *way* beyond the value of
data that is merely "not public".  Wouldn't it?

If I've forced you to do that, I've taken reasonable steps to protect
the data.  

Haven't I?

Taking the four disks from my confidential RAID, re-formatting them
(so it is not obvious where they came from) and then
making sure they go to different places (one into the RAID
behind the corporate accounts system, another into the personnel
department's file server, a third one as an upgrade to a randomly
selected PC somewhere, maybe one to a super-efficient eraser)
will give me a very high level of security.  Adequate for anything
less than *real* defence secrets.

Won't it?

Robert.

--
Robert Inder      Interactive Information Ltd,          Registered in Scotland
07808 492 213     3, Lauriston Gardens,                  Company no. SC 150689
0131 229 1052     Edinburgh EH3 9HH
                  SCOTLAND UK             Interactions speak louder than words
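As an added illustration for the question above (editor's example, not part of Robert's post or any reply to it): a small simulator of the striping the post describes. It models plain RAID 0 (striping only; the "error checking information" the post mentions is parity, which RAID 5 adds but plain striping does not), with an assumed 4 KiB stripe unit and three constructed files. It shows, from the geometry alone, how much of each file a single disk out of four holds: a file smaller than the stripe unit lands whole on one disk, larger files are split round-robin, and a string search on one member image finds what that member happens to hold.

```python
"""Toy RAID-0 (striping) simulator for the thread above.

Lays constructed "files" out on a logical volume, stripes the volume
across N disks with a fixed stripe unit, and reports what one member
disk holds.  All sample data, sizes and the stripe unit are assumptions.
"""
from dataclasses import dataclass

CHUNK = 4096    # assumed stripe unit; real arrays use 16 KiB to 1 MiB
N_DISKS = 4     # the four-disk array from the post


@dataclass
class FileExtent:
    name: str
    offset: int   # byte offset on the logical volume
    length: int


def stripe(volume: bytes, n_disks: int = N_DISKS, chunk: int = CHUNK) -> list[bytes]:
    """RAID-0 layout: chunk i of the volume goes to member i % n_disks."""
    disks = [bytearray() for _ in range(n_disks)]
    for i, off in enumerate(range(0, len(volume), chunk)):
        disks[i % n_disks] += volume[off:off + chunk]
    return [bytes(d) for d in disks]


def reassemble(disks: list[bytes], chunk: int = CHUNK) -> bytes:
    """Inverse of stripe(): only works with every member present, in order."""
    out, pos, d = bytearray(), [0] * len(disks), 0
    while pos[d] < len(disks[d]):
        out += disks[d][pos[d]:pos[d] + chunk]
        pos[d] += chunk
        d = (d + 1) % len(disks)
    return bytes(out)


def bytes_of_file_on_disk(f: FileExtent, disk: int,
                          n_disks: int = N_DISKS, chunk: int = CHUNK) -> int:
    """Bytes of file f that land on `disk`, computed from the geometry alone."""
    first, last = f.offset // chunk, (f.offset + f.length - 1) // chunk
    present = 0
    for idx in range(first, last + 1):
        if idx % n_disks == disk:
            lo = max(f.offset, idx * chunk)
            hi = min(f.offset + f.length, (idx + 1) * chunk)
            present += hi - lo
    return present


def single_disk_report(files: list[FileExtent], disk: int,
                       n_disks: int = N_DISKS, chunk: int = CHUNK) -> dict[str, tuple[int, int]]:
    """name -> (bytes present on this disk, total file size)."""
    return {f.name: (bytes_of_file_on_disk(f, disk, n_disks, chunk), f.length)
            for f in files}


def build_volume() -> tuple[bytes, list[FileExtent]]:
    """Constructed sample volume: a tiny config, a mid-sized log, a large blob."""
    contents = [
        # 512 bytes: smaller than one stripe unit, so it sits whole on one member
        ("db.conf", b"password=hunter2\nhost=db.internal\n".ljust(512, b"\0")),
        # 2000 fixed-width (26-byte) lines = 52000 bytes, spans 13 chunks
        ("access.log", b"".join(b"10.0.0.%03d - - GET /admin\n" % (i % 250)
                                for i in range(2000))),
        # 102400 bytes of binary filler
        ("backup.bin", bytes(range(256)) * 400),
    ]
    volume, extents = bytearray(), []
    for name, data in contents:
        extents.append(FileExtent(name, len(volume), len(data)))
        volume += data
    return bytes(volume), extents


def found_on_disk(disk_image: bytes, needle: bytes) -> bool:
    """What a plain string carve of one member image would turn up."""
    return needle in disk_image


if __name__ == "__main__":
    volume, files = build_volume()
    disks = stripe(volume)
    assert reassemble(disks) == volume
    for d in range(N_DISKS):
        print(f"disk {d}: {single_disk_report(files, d)}  "
              f"password visible: {found_on_disk(disks[d], b'password=')}")
```

With these assumptions disk 0 holds all 512 bytes of db.conf (the password is greppable from that one member alone) plus 15136 of the 52000 log bytes and 25312 of the 102400 blob bytes; disks 1 to 3 hold none of db.conf and roughly a quarter of each larger file, every chunk of the log cut mid-line at its edges. What a single disk yields therefore depends on the stripe unit relative to file size, not only on the number of members.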

