RE: Advice regarding servers and Wiping Drives after testing

["Craig Wright" <Craig.Wright () bdo com au>]

Hello,
I will do a longer write-up when I get to work, but this is a simple answer.
 
The hard drive heads can not reliably be used for this purpose. The error rate of mis-reads from firmware and system 
errors is greater than that of head misallignment.
 
What you are suggesting is based on error analyslis. The read errors are not statistically significant and do not allow 
this type of data reconstruction. White noice is always greater than recovery and there is no way to determine which 
error is the "right" error.
 
This is compounded as the magnetic image is not just a single ghost, but there is one for each prior write. The field 
strength is not lineraly related to the age of the overwrite and there is no distingiushing timestamp on a residual 
magnetic trace. All bit correlations are probabilistic. See a paper I did for my SANS forensic cert for an example - 
http://www.giac.net/certified_professionals/practicals/gcfa/265.php.
 
As I stated in an earlier post - there is an inverse exponential relaionship to recovery with the number or prior 
writes - over the life of the drive. As stated - there is a small chance of recovery when a single file was copied and 
a single delete was done. More is FUD.
 
By the way, a low level format is a write for the purpose of this. The burn in test is a prior write etc. 
 
Now, if you can not do Multivariate Correlations by hand and do not kn ow what Bartett's Kolmogorov-Smirnov is, then I 
suggest that you brush up math and engineering skills prior to issuing snake oil. This is what is required to do what 
you are suggesting and it is not a topic most IT people seem to enjoy. I have tried doing presentations on these 
issues, but the level of math knowledge is far to low these days. 
 
Regards,
Craig



Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains.  If you have 
received this message in error, please notify the sender by return email, destroy all copies and delete it from your 
system. 

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.  
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls.  It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects.  BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached.  A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and entities.

________________________________


From: listbounce () securityfocus com on behalf of gjgowey () tmo blackberry net
Sent: Thu 13/09/2007 3:52 AM
To: Ansgar -59cobalt- Wiechers; listbounce () securityfocus com; security-basics () securityfocus com
Subject: Re: Advice regarding servers and Wiping Drives after testing



What you're forgetting is that these pieces of software aren't you normal "access the hdd through regular os calls". 
These pieces of software are sending low level commands to the drive its self an interpreting what's sent back instead 
of relying on a middle layer.  They can literally have the head scan a particular sector as many times as is needed 
until it gets a signal back that resembles something useable.  Writing all 0's will never prevent against software 
recovery because the all 0's approach is like recording over a used VCR tape once.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>

Date: Wed, 12 Sep 2007 12:48:42
To:security-basics () securityfocus com
Subject: Re: Advice regarding servers and Wiping Drives after testing


On 2007-09-11 William Holmberg wrote:
> On Tuesday, September 04, 2007 1:03 PM Ansgar -59cobalt- Wiechers wrote:
> > On 2007-09-01 gjgowey () tmo blackberry net wrote:
> > > A since pass with all zero's really won't protect your data from
> > > being recovered by more advanced data recovery software let alone
> > > alone hardware.
> >
> > I'd like to see a single case where someone was able to recover data
> > from an overwritten harddisk, even after a single pass with zeroes.
>
> No doubt you are an intelligent and well educated person in these
> fields, and probably have many areas of expertise more proficient than
> mine. I do have to state however, and nearly any Infragard member can
> tell you, the FBI uses tools that accomplish this on a regular basis.
> I have no doubt other agencies do as well. We have had demonstrations
> of it remotely in a class I help instruct, SAFE computing for Law
> Enforcement and Non-Profits (SAFE is Security And Forensic Education)
> at Metro State University of Minnesota, MCTC campus.

Demonstrations of recovering data from fully overwritten media, without
opening the case? Sorry, but I seriously doubt that. Feel free to prove
me wrong, but without evidence I find that really hard to believe. Keep
in mind we're not talking about wiping single files, but overwriting the
entire media.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq