RE: Peter Gutmann data deletion theaory?

["Earnhart, Benjamin J" <benjamin-earnhart () uiowa edu>]

I agree with most of what you say, and the general idea is valid.  However, the specifics of 

> then a full reformat is quite enough to cause them to move on 
> to the next
> machine - they're not going to have the motivation or 
> equipment to delve
> into a randomly selected disk.

is a dangerously naïve approach.  With point-and-click easy to use freeware tools under windows, I can do almost 100% 
retrieval of files after a full reformat, and even after reloading the OS and using it for a while, the simple 
point-and-click freeware tools can retieve an awful lot of stuff.  And if I have the skills to use more powerful, 
complex tools, I can do even better, without needing a lot of money, time, or even strong motivation.

Even for a home user, I'd recommend using a program that securely deletes stuff by actively over-writing with multiple 
passes of random data (sdelete and DBAN are a couple of my favorites).  A format is *not* enough. Your general idea 
(that it depends on the motivation and resources available to the attacker) is good, just that your level of paranoia 
should maybe be turned up a notch :)

I'm not positive which Gutmann piece the OP was referring to, but if it's the one I'm thinking of, it's a bit dated -- 
his methods were briefly really popular as a shortcut to secure deletion, but if they're the ones I think he's 
referring to, then they don't work with more modern file systems, so simple random passes are better, though more 
costly to implement.    


> -----Original Message-----
> From: Jeremy Epstein [mailto:jeremy.epstein () webmethods com] 
> Sent: Thursday, July 21, 2005 2:01 PM
> To: Jared Johnson; focus-ms () securityfocus com
> Cc: bugtraq () securityfocus com
> Subject: RE: Peter Gutmann data deletion theaory?
>
> Like anything in security, "it depends".  In particular, it 
> depends on what
> the assumed adversary motivations and capabilities are.  If 
> the adversary is
> a nation-state with electron microscopes and other expensive 
> devices, and
> the disk is believed to have held highly classified information, it's
> clearly true that the only way to destroy the data is to burn 
> the disk (and
> in the right way).  If, on the other hand, the adversary is 
> someone who's
> randomly buying used computers in hopes of finding carelessly 
> deleted files,
> then a full reformat is quite enough to cause them to move on 
> to the next
> machine - they're not going to have the motivation or 
> equipment to delve
> into a randomly selected disk.
>
> Where in between these two extremes it's necessary to burn 
> the disk is an
> exercise left to the reader ;-)  You really have to do a risk 
> analysis... If
> it's cheaper / easier / less dangerous for the adversary to 
> dumpster dive to
> get hardcopies or bribe someone or hack into the system, then 
> destroying the
> hardware is putting the effort in the wrong place.  For a lot 
> of classified
> systems, the assumption is that obtaining used disks is a low 
> cost attack,
> so it's cost effective to use destruction.
>
> --Jeremy
>
> > -----Original Message-----
> > From: Jared Johnson [mailto:jaredsjazz () Yahoo com] 
> > Sent: Wednesday, July 20, 2005 7:49 PM
> > To: focus-ms () securityfocus com
> > Cc: bugtraq () securityfocus com
> > Subject: Peter Gutmann data deletion theaory?
> >
> > All,
> >
> > Do you all agree with Peter Gutman's conclusion on his theory 
> > that data can never really be erased, as noted in his quote below:
> >
> > "Data overwritten once or twice may be recovered by 
> > subtracting what is expected to be read from a storage 
> > location from what is actually read. Data which is 
> > overwritten an arbitrarily large number of times can still be 
> > recovered provided that the new data isn't written to the 
> > same location as the original data (for magnetic media), or 
> > that the recovery attempt is carried out fairly soon after 
> > the new data was written (for RAM). For this reason it is 
> > effectively impossible to sanitise storage locations by 
> > simple overwriting them, no matter how many overwrite passes 
> > are made or what data patterns are written. However by using 
> > the relatively simple methods presented in this paper the 
> > task of an attacker can be made significantly more difficult, 
> > if not prohibitively expensive."
> >
> > It seems that the perhaps the only real way to rid your Hard 
> > Drives of data is to burn them. 
> >
> > I'd love to hear some thoughts on this from security and data 
> > experts out there.