Security Basics mailing list archives
RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?
From: "Troy Larson" <ntevidence () attbi com>
Date: Fri, 27 Jun 2003 12:42:19 -0700
Sonja,

I would be very interested (actually, surprised) if any software tool could recover any data after only one overwrite. It is my understanding that software is limited to the capability of the drive--and the hard drive itself isn't going to see data once it is overwritten. The overwritten data is noise to filter out to prevent data corruption.

I am familiar with the research that you mentioned (we must run with the same crowd). My only point was that unless you needed to worry about someone spending money for an expensive, hardware-based data recovery, one pass should be sufficient. (I don't want to do 7-31 passes on a 160GB drive unless I really, really have to.)

Thanks for the excellent points.

Troy
-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: Friday, June 27, 2003 6:23 AM
To: 'Troy Larson'; 'NC Agent'; security-basics () securityfocus com
Subject: RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?

According to information I received at an HTCIA meeting about 3 months ago, as well as some reading that I have done, 31 times is now what is recommended. I can't locate my notes that had the speaker's name in the piles on my desk, but he was from NY State Dept. of Health, I believe, and in charge of info security. They had performed a number of tests on a number of different wiping utilities (30 or so). They specifically stated that although their tests were obviously not exhaustive, since there are a myriad of tools out there, s/w such as Maresware Declasfy and a few others (somewhere in my notes) were the best because not only did they wipe the drive completely, but they did the MBRs and even went past the EOF flag at the end of the drive. They also spoke about shredders, magnets, etc. and the pros and cons of each. It was a very good training session and brought up a lot of interesting points and dialog.

7x was the de facto standard for DoD. I am not sure if they have adjusted their requirements. 7x times was recommended to ensure that the full clusters and sectors were completely overwritten.

I agree that in many instances 1 wipe is sufficient, depending upon what data you are trying to conceal, i.e. confidentiality, and depending upon whether you are reissuing the drive or selling/disposing of it. I also agree with you that MOST tools will not recover past one wipe; however, there have been arguments stated in this thread that it is recoverable, and theoretically it IS possible, although you are correct it is generally more difficult. I wipe mine to the original DoD specs currently, 7x.

I will be testing FTK, Encase, R-Studio and some other generally available tools over the next two weeks or so, as time permits. I will be testing against a regular format, gdisk, and BCWipe and perhaps some others. I will post a summary of the results when I have them.

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office: 212-806-4125
Pager: 8884238615
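An added example, not part of either message and not code from any tool named in the thread: a Python check that one overwrite pass really covered a raw disk image end to end, including sector 0 (the MBR) and the final sectors, the areas the quoted message says the better wiping tools reach. The 512-byte sector size, the zero fill byte, the function names and the constructed sample image are assumptions of this example.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size


def verify_wipe(image_path, fill=0x00, sector=SECTOR, tail_sectors=8, max_report=16):
    """Report sectors of a raw image that do not consist solely of the fill byte."""
    total = -(-os.path.getsize(image_path) // sector)  # ceil: count a short last sector
    chunk_len = sector * 2048                          # read 1 MiB at a time
    clean = bytes([fill]) * chunk_len
    dirty_count, tail_dirty, first_dirty, base = 0, 0, [], 0
    with open(image_path, "rb") as fh:
        while chunk := fh.read(chunk_len):
            if chunk != clean[:len(chunk)]:            # slow path only for dirty chunks
                for off in range(0, len(chunk), sector):
                    piece = chunk[off:off + sector]
                    if piece == clean[:len(piece)]:
                        continue
                    index = base + off // sector
                    dirty_count += 1
                    tail_dirty += index >= total - tail_sectors
                    if len(first_dirty) < max_report:
                        first_dirty.append(index)
            base += len(chunk) // sector
    return {
        "sectors": total,
        "dirty_sectors": dirty_count,
        "first_dirty": first_dirty,          # first few offending sector numbers
        "mbr_clean": 0 not in first_dirty,   # sector 0 is always reported first
        "tail_clean": tail_dirty == 0,
    }


def build_sample_image(leave_residue=True, sectors=64):
    """Constructed test image: zero-filled, optionally with residue left behind."""
    data = bytearray(sectors * SECTOR)
    if leave_residue:
        data[510:512] = b"\x55\xaa"                      # boot signature in sector 0
        data[-SECTOR:-SECTOR + 16] = b"RESIDUE-SAMPLE!!"  # bytes in the last sector
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = build_sample_image()
    print(verify_wipe(sample))
    os.remove(sample)
```

The check only shows what the drive returns through its normal read path on an image taken after the wipe; it says nothing about the hardware-based recovery discussed in the thread.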