Security Basics mailing list archives

RE: Interesting One


From: "Holmes, Ben" <Ben.Holmes () getronics com>
Date: Fri, 1 Nov 2002 19:38:30 +1100


Magnetic force microscopy and other such things could (and do) indeed
read past data from a hard drive that has been wiped many times (I have
heard many conflicting and often wild claims about the exact number).  A
single pass can defeat anything the drive circuitry can grab from the
disk, and if you bypass the circuitry and connect the right equipment
directly to the drive's heads, you would be able to read remapped sectors
such as grown defects; a full overwrite (one pass again) on most modern
drives even eliminates this if it can access these areas.

MFM involves pulling the hard disk apart and doing a physical analysis.
There is a place in Australia that does it and at least 2 in the US and
1 in New Zealand I have heard of.  A doctor one of our techs knows tried
to get data back from a HDD that had NO overwriting, just a very bad
head crash.  He was charged AU$1600 and they recovered ONE file.  It was
a part of the OS.

Remember that modern hard disks store data in very advanced ways and
VERY tightly packed together... I am not sure how fast you could
manually recover data using a highly advanced (and very expensive)
microscope, but if you recover an average of 8 BITS per second of REAL
DATA (and there is no doubt a lot of hamming code written for the sake
of data integrity), it would take you about 17 minutes for a kilobyte.
It would take you about 83333 DAYS (approx 228 YEARS) working 10 HOURS A
DAY FULL TIME WITH NO BREAKS to recover a standard 3Gb data set.

To quote some experts: 
"Magnetic Media Microscopy (MMM) is used in cases where data has been
overwritten. MMM is a lengthy process that involves examining each bit
of data at a magnetic level to determine that bit's previous state.
Recovering just a floppy disk using this technology can take days or
weeks. MMM is rarely used because of the cost factor." - ESS Data
Recovery

Let's say you knew the exact location of the data (or at least the
filename because you could find where you want to go, let's say the SAM
in WinNT), you would have to recover the boot sector (to find the $MFT),
the $MFT to find the $DATA stream of the directory entry for WINNT..
etc.. then finally when you find the exact offset of the disk the SAM is
on, you would have to go the right amount of bytes into the SAM and
recover the encrypted password... still it is very daunting and would
cost money.

Data recovery is always much easier if everything is defragmented
properly... just imagine the pain if it was part of a striped RAID
system!

The DoD standard is very paranoid and doesn't always work because mapped
out bad sectors are not always wiped (look up "Grown Defect List" on
Google).  If you really want the data gone, incineration is the best
method, then buy a new drive... Degaussing will also work (but you have
to use a very strong degausser and for quite a long time) but it also
renders the drive just as completely inoperable as it will wipe the
sector marks and everything (but at least it still LOOKS intact).  If
you want it so NO SOFTWARE IN THE ENTIRE WORLD can get it off (because
the drive's heads cannot detect overwritten data and the firmware will
therefore not translate it),  a standard one pass wipe with "FORMAT /U"
and I bet you can't get anything meaningful off it! (Note a standard
format without the "U" option doesn't actually do any wipe passes).

Still, all that said and when government bodies ask for a contract, you
will win easier if you quote a standard and do what it says, no matter
how silly it all is.

http://www.vogon-data-recovery.com/dr_bulletin-02/dr_bulletin_02_01.htm
has a little article that you may also find interesting but it doesn't
have much of a conclusion.

If you want a better read into MFM look here...
http://www.di.com/AppNotes/MFM/MFMMain.html

In conclusion, in theory wiping it a lot means it is more secure, random
data passes would make MFM really hard, but in practice, who are you
trying to kid, if your data is THAT valuable (I am talking many many
dollars here), the cost of completely incinerating the drive and buying
a new one is far cheaper than paying for someone that is trusted to
handle that drive's data to sit there and wipe it seven, nine or even
5000 times... and far, far more secure.

-- Benjamin Holmes
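A toy model of the grown-defect problem described above, added here as an example and not part of the thread: the disk, its remap table, the shuffled 0x00/0xFF/random pass schedule and the marker string are all constructed assumptions. It shows why any number of logical overwrite passes leaves the original platter sector of a remapped LBA untouched.

```python
import random

SECTOR = 512


class ToyDisk:
    """Physical sectors plus a firmware remap table (logical LBA -> physical index)."""
    def __init__(self, n_sectors: int, spare: int = 1):
        self.n = n_sectors
        self.phys = [bytearray(SECTOR) for _ in range(n_sectors + spare)]
        self.remap = {}                  # grown defect list: LBA -> spare sector
        self.next_spare = n_sectors
    def _phys_index(self, lba: int) -> int:
        return self.remap.get(lba, lba)
    def write(self, lba: int, data: bytes) -> None:
        self.phys[self._phys_index(lba)][:] = data
    def read(self, lba: int) -> bytes:
        return bytes(self.phys[self._phys_index(lba)])
    def grow_defect(self, lba: int) -> None:
        """Firmware declares the LBA bad: copy its data to a spare and remap it.
        The original platter sector is never written again by any logical write."""
        self.phys[self.next_spare][:] = self.phys[self._phys_index(lba)]
        self.remap[lba] = self.next_spare
        self.next_spare += 1


def wipe(disk: ToyDisk, passes: int, seed: int = 0) -> list:
    """Overwrite every logical sector `passes` times with 0x00, 0xFF and
    pseudo-random fill in a shuffled order; returns the pattern schedule used."""
    rng = random.Random(seed)
    schedule = ([b"\x00" * SECTOR, b"\xff" * SECTOR, None] * passes)[:passes]
    rng.shuffle(schedule)
    for pattern in schedule:
        for lba in range(disk.n):
            fill = pattern or rng.getrandbits(8 * SECTOR).to_bytes(SECTOR, "big")
            disk.write(lba, fill)
    return schedule


def residual_sectors(disk: ToyDisk, marker: bytes) -> list:
    """Physical sectors (what platter-level analysis would see) still holding the marker."""
    return [i for i, sector in enumerate(disk.phys) if marker in sector]


def demo(passes: int = 9) -> dict:
    disk = ToyDisk(8)
    secret = b"SAM:constructed-password-hash"  # constructed marker, not real data
    disk.write(3, secret.ljust(SECTOR, b"."))
    disk.grow_defect(3)                        # LBA 3 is now a grown defect
    wipe(disk, passes)
    return {"logical_clean": all(secret not in disk.read(i) for i in range(disk.n)),
            "physical_residual": residual_sectors(disk, secret)}
```

After nine passes every logical read comes back clean, yet physical sector 3 still holds the marker, which is the gap degaussing or destruction closes and software cannot.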

-----Original Message-----
From: Vlad [mailto:vlad () verat net]
Sent: Thursday, October 31, 2002 6:10 AM
To: maillist
Subject: Re: Interesting One


U.S. DoD - seven pass extended character rotation wiping [DoD
5200.28-STD].
And for the sake of argument the program I use has a limit of
100 passes.
----- Original Message -----
From: "maillist" <maillist () avoiderman com>
To: <security-basics () security-focus com>
Sent: Wednesday, October 30, 2002 7:45 AM
Subject: RE: Interesting One


I disagree with you both - the NSA standard for a drive that will be
recycled is a nine-pass wipe ... involving pseudo-random data, 0s and 1s
... preferably in a non-predictable order ...

Reading after thirty overwrites is just scare mongering.  Depending on the
media it might just be possible on some drives (where the heads have moved
over time) ... but the kit to read from drives after just a couple of wipes
is expensive, and usually just the provision of government types ...

Avoiderman

-----Original Message-----
From: Nero, Nick [mailto:Nick.Nero () disney com]
Sent: 29 October 2002 17:30
To: Dave Adams; security-basics () security-focus com
Subject: RE: Interesting One


Well, the NSA standard I believe is that zero-filling a drive (writing
all 0's to the platter) will make the data impossible to recover, but I
am sure there are some instances when this isn't the cause depending on
how retentive the media is and all that.  If it is electromagnetically
degaussed for an extended period of time, I can't imagine anything could
recover the data.

Nick Nero, CISSP

-----Original Message-----
From: Dave Adams [mailto:dadams () johncrowley co uk]
Sent: Monday, October 28, 2002 5:06 PM
To: security-basics () security-focus com
Subject: Interesting One


Greetings Folks,

I had an interesting conversation today with someone from FAST
(Federation Against Software Theft). They pretend not to be a snitch wing
of the BSA. Anyway, to get to the point, the guy that came to see me
said that their forensics guys could read data off a hard drive that had
been written over up to thirty times. I find this very hard to believe
and told him I thought he was mistaken but the guy was adamant that it
could be done. My question is, does anyone have any views on this, or,
can anyone point me to a source of information where I can get the facts
on exactly how much data can be retrieved off a hard drive and under
what conditions etc etc.

Thanks

Dave Adams
