Security Basics mailing list archives
RE: Interesting One reading a 30x over-written drive
From: "Nero, Nick" <Nick.Nero () disney com>
Date: Wed, 30 Oct 2002 14:03:17 -0500
Okay, I had read 3 times (which I forgot to put in the first email), but have since seen 7 referenced several times. A buddy of mine who did work for the NSA said they did 3 as well, so maybe it got increased recently (maybe the same time they showed DES to the door for AES). In any case, if the media is so sensitive that after 3 low-level formats/data fills you are afraid someone will employ what must be tons of monitary resources to recover it, you should absolutely destroy the media. We destroy all of ours here and for the most part the data wouldn't be much interest to anyone. Now this is driving me nuts cause everyone has heard a different standard and I can't find anything in any of my references. NICK -----Original Message----- From: Tim - IBL [mailto:timv () iceburnslair com] Sent: Wednesday, October 30, 2002 10:50 AM To: Nero, Nick Cc: security-basics () security-focus com Subject: RE: Interesting One reading a 30x over-written drive I believe that DoD recommendations is to completely overwrite the drive 7 times. As stated in other posts this does not mean "deleting the files" this means actually overwriting all the sectors during a "low level" format. There are tools available from hard drive manufacturer's web site for free...I know that Maxtor and Seagate have tools on the website that run from a bootable floppy. What you're looking for is a generally going to be called a "low level formatter" for the benefit of the general public. What you want it to do is write patterns to the hard drive. All 0's is called "zeroing a drive"; write all 0's to a drive is nice, but even when over-writing once there is a trace of the underlying data that can typically be recovered using very expensive tools and a time consuming process, this is why the DoD decided to suggest multiple times. 7 was picked after conducting some tests on the recoverability of data. Every computer that leaves the DoD is formatted (and overwritten) 7 times, because their research indicated that the original data is then too hard to hard recover. There are variations on a theme that will let you write all 1's, write alternating 1's and 0's, or write random patterns of 1's and 0's. If you use these different methods instead of just writing 1's every time, I imagine it would be even harder to extrude any useful data from the drive with each pass. To answer the original question, if the drive in question is a standard hard drive, that has been overwritten with patterns or bogus data 30 times, I don't think that there is any way to recover original data, even with electron microscopes and such, but if that's not the case, feel free to prove me wrong. -t -----Original Message----- From: Nero, Nick [mailto:Nick.Nero () disney com] Sent: Tuesday, October 29, 2002 11:30 AM To: Dave Adams; security-basics () security-focus com Subject: RE: Interesting One Well, the NSA standard I believe is that zero-filling a drive (writing all 0's to the platter) will make the data impossible to recover, but I am sure there are some instances when this isn't the cause depending on how retentive the media is and all that. If is electromagnetically degaussed for an extended period of time, I can't imagine anything could recover the data. Nick Nero, CISSP -----Original Message----- From: Dave Adams [mailto:dadams () johncrowley co uk] Sent: Monday, October 28, 2002 5:06 PM To: security-basics () security-focus com Subject: Interesting One Greetings Folks, I had an interesting conversation today with someone from FAST (Federation Against Software Theft) They pretend not to be a snitch wing of the BSA. Anyway, to get to the point, the guy that came to see me said that their forensics guys could read data off a hard drive that had been written over up to thirty times. I find this very hard to believe and told him I thought he was mistaken but the guy was adamant that it could be done. My question is, does anyone have any views on this, or, can anyone point me to a source of information where I can get the facts on exactly how much data can be retrieved off a hard drive and under what conditions etc etc. Thanks Dave Adams This message (and any associated files) is intended only for the use of the individual or entity to which it is addressed and may contain information that is confidential, subject to copyright or constitutes a trade secret. If you are not the intended recipient you are hereby notified that any dissemination, copying or distribution of this message, or files associated with this message, is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Messages sent to and from John Crowley (Maidstone) Ltd may be monitored. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Therefore, we do not accept responsibility for any errors or omissions that are present in this message, or any attachment, that have arisen as a result of e-mail transmission. If verification is required, please request a hard-copy version. Any views or opinions presented are solely those of the author and do not necessarily represent those of John Crowley (Maidstone) Ltd.
Current thread:
- RE: Interesting One reading a 30x over-written drive Nero, Nick (Oct 31)