Security Basics mailing list archives

RE: Advice regarding servers and Wiping Drives after testing


From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Wed, 12 Sep 2007 08:19:56 +1000

Ansgar is correct.

Yes, it is physically possible to recover data using an electron scanning
microscope (ESM's) etc. The issue is that this is from a random
(effectively) sector and bit by bit at a rate of bits per hour. This is
BITS, not bytes or KB etc. Bits per hour.

The statistical likelihood of recovering anything is minimal.

Next if a random pattern is interposed, there is only statistical
correlation to use to rebuild the drive. This is done through multiple
passes and intense mathematical bitwise correlation.

This is achieved in the order of bits per week at best.

Multiple ESM's may be deployed, but there is little gain for the cost.

Further, when the drive is not new, the chances of correlation diminish
exponentially with the numbers of writes that have occurred prior to the
reconstruction process.

There is no manner to determine if a prior write (bit flip) was the
first or last. So there is some hope of reconstruction in cases of a
large file that has been static for a long time, but little for a
dynamic drive.

Next there is the economic cost and time. Let us assume a budget of 4
shifts - 24x7 of analysts and 10 ESM's - so 40 people at an average cost
of US $85,000. We have a cost of $3.4 million - with lab etc. make this
$5 million. The ESM's would set us back $8 million or so (I have not
checked in a while for the latest cost). This is about US $13 million pa
total.

The recovery would be 1-5 kB per week. So 156 kB pa.

This is thus $83,300 US per kB recovered. This is, remember, also a random
recovery. On a small (10GB) drive that is 30% utilised and has 500MB of
evidence, the chances that you will recover something of interest are
about 1 in 160,000 per year. Or you can be 50% certain of recovering
anything/something of interest in about 87 years (Bayesian methods).

So is the data that time and cost critical? FUD vs. economics.

Regards,
Craig



Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au


-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Wednesday, 5 September 2007 4:03 AM
To: security-basics () securityfocus com
Subject: Re: Advice regarding servers and Wiping Drives after testing

On 2007-09-01 gjgowey () tmo blackberry net wrote:
> A single pass with all zeroes really won't protect your data from being
> recovered by more advanced data recovery software, let alone
> hardware.

I'd like to see a single case where someone was able to recover data
from an overwritten harddisk, even after a single pass with zeroes.

> Multiple passes aren't much better, but if that's all you got...

> You would be better off looking at better utilities if you really need
> to keep the data from being recovered.

Nonsense. If you're worried about the zeroes just replace /dev/zero with
/dev/urandom. Your "better utilities" don't work any differently from that.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
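Ansgar's point that a wipe tool is just a source of bytes written once across the whole device, as an added example that is not code from the thread or from any of its posters: a single pass from /dev/urandom (or /dev/zero) over a disk image or block device, plus read-back checks that a known marker is gone and that the byte distribution matches the source used. The function names and the constructed 1 MiB image are this example's own assumptions, and `blockdev` is a Linux-specific helper.

```shell
#!/bin/sh
# Added example, not code from the thread: a single-pass overwrite from
# /dev/urandom (or /dev/zero) of a block device or disk image, followed by
# read-back checks. Names (wipe_device, pattern_count, nul_count) are
# assumptions of this example. Try it on a disposable image file first.
set -eu

# byte_size TARGET: size in bytes of a regular file or (Linux) block device.
byte_size() {
  if [ -b "$1" ]; then
    blockdev --getsize64 "$1"          # Linux-only helper for block devices
  else
    wc -c < "$1" | tr -d ' '
  fi
}

# wipe_device TARGET [SOURCE]: overwrite every byte of TARGET once with
# data read from SOURCE (/dev/urandom by default, /dev/zero if preferred).
# head -c bounds the read because /dev/urandom never reaches end-of-file.
wipe_device() {
  target=$1
  source=${2:-/dev/urandom}
  head -c "$(byte_size "$target")" "$source" \
    | dd of="$target" bs=65536 conv=notrunc 2>/dev/null
  sync                                  # push the writes to the medium
}

# pattern_count TARGET PATTERN: occurrences of a known plaintext marker;
# a wipe is only credible if this returns 0 afterwards.
pattern_count() {
  LC_ALL=C grep -ao "$2" "$1" | wc -l | tr -d ' '
}

# nul_count TARGET: number of 0x00 bytes. After a /dev/zero pass this
# equals the size; after a /dev/urandom pass it is about size/256.
nul_count() {
  tr -cd '\000' < "$1" | wc -c | tr -d ' '
}

# make_sample_image PATH: constructed 1 MiB "drive" full of a marker string.
make_sample_image() {
  yes SECRETDATA | head -c 1048576 > "$1"
}

# Usage: make_sample_image /tmp/disk.img; wipe_device /tmp/disk.img
#        pattern_count /tmp/disk.img SECRETDATA   # expect 0 after wiping
```

Pointing `wipe_device` at the wrong block device destroys that device, so confirm the target path before running it against real hardware.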

