Security Basics mailing list archives
Re: Advice regarding servers and Wiping Drives after testing
From: Robert Inder <robert () interactive co uk>
Date: 12 Sep 2007 12:28:58 +0100
"Sec Sam" asked about wiping disks that have been used in a (striped) RAID array. He was concerned about the security of the data, but also had limited time to spend erasing it. This raised a question in my mind: does he have to erase ALL of them? How much can be recovered from one disk of a striped array? Assume you can actually read the blocks on the disk: how much use is that? I don't know much/enough about the innards of a RAID, but as I understand it, in non-mirrored mode the smear the data (and some error checking information) across all the disks. So if you have (and can read everything on) one disk from a four disk raid, you won't have one quarter (or one third) of the files. You'll have dissociated fragments of data. One drive cannot yield enough information to be (easily) useful, because it has never held it. Is that right? What are the theoretical limits to what could be retrieved? How far could you get? In most practical situations (rather than theoretical limits), you certainly couldn't expact an ordinary operating system to read it as a disk. And even if you had special software to pick up the blocks of data, you won't be able to tell how they are organised, will you? Even if you get coherent blocks of data, most of them will belong to files that continue from one of the other drives. Which means you won't know what they were: Maybe part of a Word document. Or a font. Or a web server log. Or a binary. Or a JPG. Or a compressed file. Or a database index. Or a swap file. Or... Presumably, if you knew a *lot* about RAIDs (maybe even the very model of RAID the disk was from), and the operating system that was used, and maybe quite a bit about the data you were expecting to find on the disk, you could write some software that would try to re-associate these fragments. But that would be a *major* undertaking, *way* beyond the value of data that is merely "not public". Wouldn't it? 
If I've forced you to do that, I've taken reasonable steps to protect the data. Haven't I? Taking the four disks from my confidential RAID, re-formatting them (so it is not obvious where they came from) and then making sure they go to different places (one into the RAID behind the corporate accounts system, another into the personnel department's file server, a third one as an upgrade to randomly selected PC somewhere, maybe one to a super-efficient eraser) will give me a very high level of security. Adequate for anything less than *real* defence secrets. Won't it? Robert. -- Robert Inder Interactive Information Ltd, Registered in Scotland 07808 492 213 3, Lauriston Gardens, Company no. SC 150689 0131 229 1052 Edinburgh EH3 9HH SCOTLAND UK Interactions speak louder than words
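Added example, not part of the original message: a small model of plain RAID 0 striping that works out how much of each file ends up on a single member disk of a four-disk array. The 64 KiB chunk size, the absence of parity, the file names and the contiguous file layout are all assumptions made for illustration.

```python
# Constructed model of RAID 0 striping (no parity); all values are assumptions.
CHUNK = 64 * 1024   # assumed stripe unit size; real controllers vary
DISKS = 4           # four-disk array, as in the message

# Constructed sample files: (name, logical start offset, length in bytes),
# each assumed to occupy one contiguous extent on the array.
FILES = [
    ("notes.txt",    10 * 1024,   4 * 1024),
    ("contacts.csv", 70 * 1024,   40 * 1024),
    ("report.doc",   120 * 1024,  200 * 1024),
    ("db.idx",       1024 * 1024, 1024 * 1024),
]

def disk_for_offset(offset, chunk=CHUNK, disks=DISKS):
    """Index of the member disk that stores the byte at this array offset."""
    return (offset // chunk) % disks

def bytes_on_disk(start, length, disk, chunk=CHUNK, disks=DISKS):
    """Count the bytes of extent [start, start+length) stored on `disk`."""
    held, pos, end = 0, start, start + length
    while pos < end:
        run = min(end, (pos // chunk + 1) * chunk) - pos  # stop at chunk edge
        if disk_for_offset(pos, chunk, disks) == disk:
            held += run
        pos += run
    return held

def exposure(disk, files=FILES, chunk=CHUNK, disks=DISKS):
    """Map file name -> (bytes held on `disk`, True if the whole file is there)."""
    out = {}
    for name, start, length in files:
        held = bytes_on_disk(start, length, disk, chunk, disks)
        out[name] = (held, held == length)
    return out

def whole_files_by_disk(files=FILES, chunk=CHUNK, disks=DISKS):
    """Map disk index -> names of files readable in full from that disk alone."""
    return {d: [n for n, (_, whole) in exposure(d, files, chunk, disks).items() if whole]
            for d in range(disks)}

if __name__ == "__main__":
    for d in range(DISKS):
        print(d, exposure(d))
    print(whole_files_by_disk())
```

In this model a file that fits inside one chunk without crossing a chunk boundary is stored in full on one member disk, and larger files leave contiguous chunk-sized pieces on every disk.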