Full Disclosure mailing list archives

Re: Re: Erasing a hard disk easily


From: Maarten <fulldisc () ultratux org>
Date: Tue, 13 Jul 2004 17:46:11 +0200

On Tuesday 13 July 2004 16:26, Denis McMahon wrote:

> I have a program that I wrote to do a mass overwrite, it does walking
> bit, walking null, alternating and reversed bit patterns, all 0s, all
> 1's and several other things, but I wouldn't trust it to erase any data
> that serious people with lots of money wanted to recover in a forensic
> environment.

True, but at that point, those people probably would not mind finding you and
"extract" that priceless data any other way they see fit.  There comes a 
point where the economics dictate that it is cheaper to interrogate someone 
than to spend months in a forensic lab sifting through bits.
Most governments and most criminal organisations will resort to such measures 
when the stakes are really high enough.

It's akin to the NSA cracking passwords and / or encryption. Why would they 
sacrifice several CPU-years on cracking an encrypted message when installing 
a keylogger will do the same job much quicker, easier and cheaper?
Those same rules apply to disks, presumably.

So for your average user and his passwords and private stuff, there is little 
if any need to go to any such lengths, and a few overwrites will stop just 
about everybody.

> Forensic data recovery relies on the fact that discs have tracking
> error, and if you can read a disc with enough resolution of the tracking
> error you may discover not totally erased bits because the new data
> didn't over-write the old data completely.
>
> This is most likely to happen with data written shortly after power up,
> before the drive's temperature has stabilised.
>
> To reduce the likelihood of such data recovery techniques, you need to
> write a data stream to the disc with as much magnetic flux reversal at
> the disc surface as you can manage. The more flux reversals the better
> your chances of scrambling any ghost image of earlier data.
>
> To maximise the flux reversals when writing to a hard disc, you need to
> take into account the data that is already on the disc and the encoding
> schema for writing to the disc, and feed in a data stream that causes
> maximum flux at the disc surface. Because of the encoding scheme, this
> isn't as simple as writing all 0's and then all 1's, because if you do
> that, some bit sequences in some coding schemas will not actually change.

That's a very interesting observation...  So, a good multiple-stage disk 
eraser could (should?) read the disk, XOR that data, and write that back.
In effect, it will -by definition- reduce the residual magnetic 'sideband' 
information somewhat; thereby increasing the needed resolution of the 
equipment used to trace the data.  Then after leaving that pattern for X (to 
be determined) amount of time, start the writing of random data as usual.
This would certainly be feasible. 
( Well, except for the coding schema used. It is true that that can interfere 
enormously, and I reckon most of these scheme details are kept secret anyway, 
so as to gain an advantage on the competition. )

In a forensic lab environment, one could even test what the ideal time would 
be to zero out the previous data (by approximation of course, since some 
databits will have been written recently and some will have been there for 
years).

There aren't many more tricks you can do to modern drives.  Since the physical 
data layout is hidden from us, things like writing adjacent tracks / bits in 
a certain pattern cannot be done.

What would be _really_ neat is if you could program the drive to shift its
read-write head off-axis, through the drive's firmware registers. That way,
you can erase those 'sideband' residual bits, too.
Maybe this is something for manufacturers to implement, for possibly a new
type of drive, a "privacy-enhanced" drive?   I'm just thinking here, but...
Marketing-wise it would certainly be feasible, and it would leave paranoid
people like us with a safer product, and how hard can it be to implement this
in firmware?

Maarten

-- 
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
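
The multiple-stage eraser sketched in the message above (read the data, XOR it, write it back, wait, then write random data), as an added example that is not code from the original post. The names `overwrite_pass`, `erase` and `dwell_seconds` are hypothetical, XOR with 0xFF is an assumed choice of mask, and the passes act on logical blocks only, since, as the message says, the physical layout is hidden.

```python
import os
import tempfile
import time

CHUNK = 1 << 20                                # bytes handled per read/write
INVERT = bytes(i ^ 0xFF for i in range(256))   # lookup table for XOR with 0xFF

def overwrite_pass(path, transform):
    """Replace every block in place with transform(old block); return bytes covered."""
    with open(path, "r+b") as f:
        size, pos = f.seek(0, os.SEEK_END), 0  # seek-based size also works on block devices
        while pos < size:
            f.seek(pos)
            block = f.read(min(CHUNK, size - pos))
            if not block:                      # target shrank underneath us; stop cleanly
                break
            f.seek(pos)
            f.write(transform(block))
            pos += len(block)
        f.flush()
        os.fsync(f.fileno())                   # push the pass out of the OS cache
    return pos

def erase(path, random_passes=3, dwell_seconds=0):
    """Stage 1: write back the bit-inverted data. Stage 2: random passes as usual."""
    covered = overwrite_pass(path, lambda b: b.translate(INVERT))
    time.sleep(dwell_seconds)                  # the undetermined "X" wait; 0 is an assumption
    for _ in range(random_passes):
        overwrite_pass(path, lambda b: os.urandom(len(b)))
    return covered

def demo():
    """Run both stages on a constructed image in a temp file, never a real disk."""
    data = (b"SECRET-RECORD-" * 300000)[: 3 * CHUNK + 5]   # constructed sample data
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        overwrite_pass(path, lambda b: b.translate(INVERT))  # stage 1 alone, to inspect it
        with open(path, "rb") as f:
            flipped = f.read()
        covered = erase(path, random_passes=2)
        with open(path, "rb") as f:
            final = f.read()
    finally:
        os.remove(path)
    return data, flipped, final, covered

if __name__ == "__main__":
    print(demo()[3])                           # bytes covered by each pass
```
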

