Security Basics mailing list archives
RE: Interesting One
From: "Nero, Nick" <Nick.Nero () disney com>
Date: Wed, 30 Oct 2002 08:19:05 -0500
I was wrong on my original post. I forgot to mention that you should zero fill the drive THREE times to meet the NSA standard. A buddy of mine who has done some highly classified work says they had to write a "random pattern of bits three times" to the media. Other media (hard drives, tapes ...) were destroyed. My employer also simply destroys the media.

It is generally considered that after 3 times of being overwritten (the previous respondent was correct that the OS only deletes the pointer to the data when it "deletes" the file), the data is unrecoverable. Simply overwriting it once will do the trick for most cases, but the NSA standards are designed for instances where the "other side" has lots of resources (other governments).

Keep in mind that the goal of security is to figure out if your measures are truly cost effective. I am not gonna zero fill my drive 3 times. If someone is willing to deploy an electron scanning microscope to see my "fascinating" .pst file, I will just burn it to a CD and send the darn thing to them.

-----Original Message-----
From: Dozal, Tim [mailto:tdozal () cisco com]
Sent: Tuesday, October 29, 2002 1:44 PM
To: Dave Adams
Cc: security-basics () security-focus com
Subject: RE: Interesting One

The NSA are the masters of these techniques, and what you're hearing can absolutely be done by the right tools and the right people. There are however ways to prevent the data from being recovered. Some tools can be used to sequentially set every sector on the HD to a binary 1, thereby erasing any of the patterns that these groups' tools use to re-construct previous data. Aside from a sector by sector wipe of the drive I don't think there is much you can do to stop somebody from accessing even files you think were erased.

Basically, in a nutshell, when you erase a file from your drive all you do is erase the pointer to the location where the file was kept; you don't actually erase the files until new data is added to the drive and the space allocated overwrites the space where the previous file was. So you could go onto your machine and delete every file on the system but they're not gone, the OS just can no longer see or reference their locations. The most basic of tools that these groups have will sequentially walk through a drive and re-create the pointers to the files, making them accessible again.

I'm sure a Google search can come up with more information or actual articles with names of the various tools available.

Hope that helps.

-Tim

-----Original Message-----
From: Dave Adams [mailto:dadams () johncrowley co uk]
Sent: Monday, October 28, 2002 2:06 PM
To: security-basics () security-focus com
Subject: Interesting One

Greetings Folks,

I had an interesting conversation today with someone from FAST (Federation Against Software Theft). They pretend not to be a snitch wing of the BSA. Anyway, to get to the point, the guy that came to see me said that their forensics guys could read data off a hard drive that had been written over up to thirty times. I find this very hard to believe and told him I thought he was mistaken but the guy was adamant that it could be done.

My question is, does anyone have any views on this, or, can anyone point me to a source of information where I can get the facts on exactly how much data can be retrieved off a hard drive and under what conditions etc etc.

Thanks

Dave Adams
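The overwrite-before-delete idea discussed in this thread, as an added example that is not part of the original posts. It works on a single file rather than a whole drive, and the function names and the `fill` parameter are hypothetical names chosen for this sketch.

```python
import os
import secrets

CHUNK = 1 << 20  # write in 1 MiB pieces so large files do not fill memory


def overwrite_file(path, passes=3, fill=None):
    """Overwrite a file's contents in place `passes` times.

    fill=None writes fresh random bytes on every pass (the "random
    pattern of bits" variant from the thread); fill=0 gives a zero fill.
    Returns the number of bytes written per pass.
    """
    size = os.path.getsize(path)
    # "r+b" opens without truncating, so the writes go to the existing
    # file offsets instead of the file being recreated from scratch.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                if fill is None:
                    block = secrets.token_bytes(n)
                else:
                    block = bytes([fill]) * n
                f.write(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass out of the OS cache
    return size


def wipe_and_delete(path, passes=3):
    """Overwrite the data first, then remove the directory entry.

    A plain os.remove() alone only drops the "pointer" the thread
    describes; the old bytes stay in place until they are reused.
    """
    written = overwrite_file(path, passes)
    os.remove(path)
    return written
```

An in-place overwrite like this only reaches the blocks the filesystem currently maps to the file. Journaling or copy-on-write filesystems and SSD wear levelling can leave older copies elsewhere, which is why the thread talks about sector-by-sector wipes or destroying the media.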