Full Disclosure mailing list archives
Re: Re: Erasing a hard disk easily
From: Maarten <fulldisc () ultratux org>
Date: Tue, 13 Jul 2004 17:46:11 +0200
On Tuesday 13 July 2004 16:26, Denis McMahon wrote:
I have a program that I wrote to do a mass overwrite, it does walking bit, walking null, alternating and reversed bit patterns, all 0s, all 1's and several other things, but I wouldn't trust it to erase any data that serious people with lots of money wanted to recover in a forensic environment.
True, but at that point, those people probably would not mind to find you and "extract" that priceless data any other way they see fit. There comes a point where the economics dictate that it is cheaper to interrogate someone than to spend months in a forensic lab sifting through bits. Most governments and most criminal organisations will resort to such measures when the stakes are really high enough. It's akin to the NSA cracking passwords and / or encryption. Why would they sacrifice several CPU-years on cracking an encrypted message when installing a keylogger will do the same job much quicker, easier and cheaper. Those same rules apply to disks, presumably. So for your average user and his passwords and private stuff, there is little if any need to go to any such lengths, and a few overwrites will stop just about everybody.
Forensic data recovery relies on the fact that discs have tracking error, and if you can read a disc with enough resolution of the tracking error you may discover not totally erased bits because the new data didn't over-write the old data completely. This is most likely to happen with data written shortly after power up, before the drive's temperature has stabilised. To reduce the likelihood of such data recovery techniques, you need to write a data stream to the disc with as much marnetic flux reversal at the disc surface as you can manage. The more flux reversals the better your chances of scrambling any ghost image of earlier data. To maximise the flux reversals when writing to a hard disc, you need to take into account the data that is already on the disc and the encoding schema for writing to the disc, and feed in a data stream that causes maximum flux at the disc surface. Because of the encoding scheme, this isn't as simple as writing all 0's and then all 1's, because if you do that, some bit sequences in some coding schemas will not actually change.
That's a very interesting observation... So, a good multiple-stage disk eraser could (should?) read the disk, XOR that data, and write that back. In effect, it will -by definition- reduce the residual magnetic 'sideband' information somewhat; thereby increasing the needed resolution of the equipment used to trace the data. Then after leaving that pattern for X (to be determined) amount of time, start the writing of random data as usual. This would certainly be feasible. ( Well, except for the coding schema used. It is true that that can interfere enormously, and I reckon most of these scheme details are kept secret anyway, so as to gain an advantage on the competition. ) In a forensic lab environment, one could even test what the ideal time would be to zero out the previous data (by approximation of course, since some databits will have been written recently and some will have been there for years). There aren't many more tricks you can do to modern drives. Since the physical data layout is hidden from us, things like writing adjacent tracks / bits in a certain pattern cannot be done. What would be _really_ neat is if you could program the drive to shift its read-write head off-axis, through the drives' firmware registers. That way, you can erase those 'sideband' residual bits, too. Maybe this is something for manufacturers to implement, for possibly a new type of drive, a "privacy-enhanced" drive ? I'm just thinking here, but... Marketing-wise it would certainly be feasible, and it would leave paranoid people like us with a safer product, and how hard can it be to implement this in firmware ? Maarten -- Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re[2]: Erasing a hard disk easily, (continued)
- Re[2]: Erasing a hard disk easily Michael Gale (Jul 13)
- RE: Erasing a hard disk easily Kiley, Patrick M. (IARC) (Jul 12)
- RE: Erasing a hard disk easily Schmidt, Michael R. (Jul 12)
- RE: Erasing a hard disk easily Javier Liendo (Jul 12)
- RE: Erasing a hard disk easily Peter B. Harvey (Information Security) (Jul 12)
- RE: Erasing a hard disk easily Jos Osborne (Jul 13)
- RE: Erasing a hard disk easily Marek Isalski (Jul 13)
- RE: Erasing a hard disk easily amilabs (Jul 13)
- Re: Erasing a hard disk easily Doug White (Jul 13)
- RE: Erasing a hard disk easily amilabs (Jul 13)
- Re: Erasing a hard disk easily Denis McMahon (Jul 13)
- Re: Re: Erasing a hard disk easily Maarten (Jul 13)
- RE: Erasing a hard disk easily Jos Osborne (Jul 13)
- Re: Erasing a hard disk easily Aditya, ALD [ Aditya Lalit Deshmukh ] (Jul 13)
- Re: Erasing a hard disk easily Maarten (Jul 14)
- Re: Erasing a hard disk easily Darren Reed (Jul 14)
- Re: Erasing a hard disk easily James Sneeringer (Jul 14)
- Re: Erasing a hard disk easily Larry Apolonio (Jul 14)
- Re: Erasing a hard disk easily Gary E. Miller (Jul 14)
- Re: Erasing a hard disk easily Darren Reed (Jul 15)
- Re: Erasing a hard disk easily Gary E. Miller (Jul 15)
- Re: Erasing a hard disk easily Darren Reed (Jul 16)
- Re: Erasing a hard disk easily Aditya, ALD [ Aditya Lalit Deshmukh ] (Jul 13)