Security Basics mailing list archives
RE: Interesting One
From: "Carl Grayson" <carl.grayson () team xtra co nz>
Date: Wed, 30 Oct 2002 17:06:17 +1300
Not possible to recover overwritten disks via software perhaps but physically is a different story. As a side note, for software based deletions you also need to ensure that the overwriting actually overwrites all the relevant parts of the physical disk - not all tools do that (thankfully from a forensic perspective) Two primary things to note with magnetic media: 1. The overwriting of a particular bit on the media will not always (in fact "will rarely" is a better phrase) exactly overwrite and so methods such as microscopic magnetic examination (MFM, SPM, STM) could recover such data (think about hitting a metal plate with a hammer then trying to undo it with another single hammer blow). You can probably obfuscate the original with sufficient overwrites though (refer http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html). Number of overwrites required probably depends on the density of the media, the quality of manufacture ("sloppiness" of head)... 2. There has been some research showing that data on magnetic media for a length of time may have some tendency to return to its base "state" if the media is left to sit for an extended period (can't remember period for the report but 3 years rings a bell) due to the nature of magnetic material. Can't track down the reference just now but I'll see if I can find out the details. These are at least two reasons that magnetic media containing information above Classified must be destroyed. The best type of destruction is melting it down - degaussing isn't approved. I have seen reports of data recovered from between hammer blows on a platter (since disk densities are so high now that could be a LOT of data). Carl Grayson (also CISSP - gee there are a lot of us! :)
-----Original Message----- From: Nero, Nick [mailto:Nick.Nero () disney com] Sent: Wednesday, 30 October 2002 6:30 a.m. To: Dave Adams; security-basics () security-focus com Subject: RE: Interesting One Well, the NSA standard I believe is that zero-filling a drive (writing all 0's to the platter) will make the data impossible to recover, but I am sure there are some instances when this isn't the cause depending on how retentive the media is and all that. If is electromagnetically degaussed for an extended period of time, I can't imagine anything could recover the data. Nick Nero, CISSP -----Original Message----- From: Dave Adams [mailto:dadams () johncrowley co uk] Sent: Monday, October 28, 2002 5:06 PM To: security-basics () security-focus com Subject: Interesting One Greetings Folks, I had an interesting conversation today with someone from FAST (Federation Against Software Theft) They pretend not to be a snitch wing of the BSA. Anyway, to get to the point, the guy that came to see me said that their forensics guys could read data off a hard drive that had been written over up to thirty times. I find this very hard to believe and told him I thought he was mistaken but the guy was adamant that it could be done. My question is, does anyone have any views on this, or, can anyone point me to a source of information where I can get the facts on exactly how much data can be retrieved off a hard drive and under what conditions etc etc. Thanks Dave Adams This message (and any associated files) is intended only for the use of the individual or entity to which it is addressed and may contain information that is confidential, subject to copyright or constitutes a trade secret. If you are not the intended recipient you are hereby notified that any dissemination, copying or distribution of this message, or files associated with this message, is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Messages sent to and from John Crowley (Maidstone) Ltd may be monitored. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Therefore, we do not accept responsibility for any errors or omissions that are present in this message, or any attachment, that have arisen as a result of e-mail transmission. If verification is required, please request a hard-copy version. Any views or opinions presented are solely those of the author and do not necessarily represent those of John Crowley (Maidstone) Ltd.
Current thread:
- RE: Interesting One, (continued)
- RE: Interesting One Shayla Anthony (Oct 30)
- RE: Interesting One Dan Darden (Oct 30)
- Re: Interesting One Meritt James (Oct 31)
- R: Interesting One Alessandro Bottonelli (Oct 30)
- Re: Interesting One Joe Yong (Oct 29)
- RE: Interesting One Nero, Nick (Oct 29)
- Re: Interesting One Joe Barrett (Oct 30)
- RE: Interesting One maillist (Oct 30)
- Re: Interesting One Vlad (Oct 31)
- RE: Interesting One reading a 30x over-written drive Tim - IBL (Oct 30)
- RE: Interesting One Carl Grayson (Oct 30)
- Re: Interesting One Meritt James (Oct 30)
- Re: Interesting One John Orr (Oct 29)
- Re: Interesting One Brad (Oct 30)
- RE: Interesting One Dan Darden (Oct 30)
- Re: Interesting One John Dow (Oct 30)
- RE: Interesting One Mark Ribbans (Oct 31)
- Re: Interesting One Jac (Oct 31)
- RE: Interesting One David (Oct 31)
- Re: Interesting One Carol Stone (Oct 29)
- RE: Interesting One Greg van der Gaast (Oct 30)
(Thread continues...)