Security Basics mailing list archives
bugtraq () planetcobalt net
From: "Craig Wright" <craig.steven.wright () gmail com>
Date: Thu, 9 Oct 2008 13:56:36 +1100
Hi,

Myself, Dave Kleiman and Shyaam Sundhar R.S. have a paper submitted and accepted for ICISS08 (the Fourth International Conference on Information Systems Security (2008)). The paper is titled "Overwriting Hard Drive Data: The Great Wiping Controversy". The abstract follows:

"Abstract. Often we hear controversial opinions in digital forensics on the required or desired number of passes to utilize for properly overwriting, sometimes referred to as wiping or erasing, a modern hard drive. The controversy has caused much misconception, with persons commonly quoting that data can be recovered if it has only been overwritten once or twice. Moreover, referencing that it actually takes up to ten, and even as many as 35 (referred to as the Gutmann scheme because of the 1996 Secure Deletion of Data from Magnetic and Solid-State Memory published paper by Peter Gutmann) passes to securely overwrite the previous data. One of the chief controversies is that if a head positioning system is not exact enough, new data written to a drive may not be written back to the precise location of the original data. We demonstrate that the controversy surrounding this topic is unfounded."

The paper is to be presented in December this year and is being published under the LNCS (Lecture Notes in Computer Science) series from Springer Verlag.

The answer is simple. Actually scientifically test the proposition that data can be recovered using an electron microscope. We have done this and the paper provides a definitive report on both PRML drives (such as were used by Dr. Gutmann) as well as the differences in modern ePRML drives.

Regards,
Craig

--
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...

---In reply to ---
On 2008-10-08 Matt wrote:
I've been lurking here for the last 6 months or so and this thread caught my eye. I'd agree about most of the comments in this thread with the exception of a few regarding data recovery after a file has been 'zeroed' and whether there is any benefit to using random data during the overwrite. The below thread/link was responded to by a senior engineer from a well known disk manufacturer, and according to him - data can be recovered after being over-written with new data (several generations back). Given Mr. Barila has decades of experience and plays an active role in the design and development of mass storage devices along with the supporting firmware, I'll take his word for it... http://www.osronline.com/showThread.cfm?link=92173
That's the theory. However, as I said in another mail: I'd like to see a credible report on even a single file actually having been recovered after the disk it was stored on had been wiped in a single pass with zeroes. I'm not saying it can't be done, mind you. However, all I ever see is statements saying that in theory it could be done, but up to now nobody could come up with an example where this has been actually done. Thus I'm having my doubts. Of course if you'd want to avoid any risk, you'd feed the disk to a furnace and get rid of the problem once and for all. Regards Ansgar Wiechers