RE: Interesting One reading a 30x over-written drive

[mike <lists () webfargo com>]

DoD drives that contain classified data must be destroyed (typically 
through incineration).  Drives that didn't contain classified data may go 
through the 7 wipe process you mention.  BCwipe is a program for windows 
that does a good job.

At least some data can be restored from a drive with anything you do other 
than destroying the drive through heat or chemicals.  It is true that most 
of this restoration is only done by government sources and in important 
cases.  I've discussed this with more than one Air Force OSI personnel.

Since a hard drive does not write over EXACTLY the same spot every time 
there are some fragments left.  You just can't get rid of those fragments 
through normal drive operation.


mike


At 09:49 AM 10/30/2002 -0600, Tim - IBL wrote:
> I believe that DoD recommendations is to completely overwrite the drive
> 7 times.  As stated in other posts this does not mean "deleting the
> files" this means actually overwriting all the sectors during a "low
> level" format.  There are tools available from hard drive manufacturer's
> web site for free...I know that Maxtor and Seagate have tools on the
> website that run from a bootable floppy.  What you're looking for is a
> generally going to be called a "low level formatter" for the benefit of
> the general public.  What you want it to do is write patterns to the
> hard drive.  All 0's is called "zeroing a drive"; write all 0's to a
> drive is nice, but even when over-writing once there is a trace of the
> underlying data that can typically be recovered using very expensive
> tools and a time consuming process, this is why the DoD decided to
> suggest multiple times.  7 was picked after conducting some tests on the
> recoverability of data.  Every computer that leaves the DoD is formatted
> (and overwritten) 7 times, because their research indicated that the
> original data is then too hard to hard recover.  There are variations on
> a theme that will let you write all 1's, write alternating 1's and 0's,
> or write random patterns of 1's and 0's.  If you use these different
> methods instead of just writing 1's every time, I imagine it would be
> even harder to extrude any useful data from the drive with each pass.
>
> To answer the original question, if the drive in question is a standard
> hard drive, that has been overwritten with patterns or bogus data 30
> times, I don't think that there is any way to recover original data,
> even with electron microscopes and such, but if that's not the case,
> feel free to prove me wrong.
>
> -t
>
> -----Original Message-----
> From: Nero, Nick [mailto:Nick.Nero () disney com]
> Sent: Tuesday, October 29, 2002 11:30 AM
> To: Dave Adams; security-basics () security-focus com
> Subject: RE: Interesting One
>
> Well, the NSA standard I believe is that zero-filling a drive (writing
> all 0's to the platter) will make the data impossible to recover, but I
> am sure there are some instances when this isn't the cause depending on
> how retentive the media is and all that.  If is electromagnetically
> degaussed for an extended period of time, I can't imagine anything could
> recover the data.
>
> Nick Nero, CISSP
>
> -----Original Message-----
> From: Dave Adams [mailto:dadams () johncrowley co uk]
> Sent: Monday, October 28, 2002 5:06 PM
> To: security-basics () security-focus com
> Subject: Interesting One
>
>
> Greetings Folks,
>
> I had an interesting conversation today with someone from FAST
> (Federation Against Software Theft) They pretend not to be a snitch wing
> of the BSA. Anyway, to get to the point, the guy that came to see me
> said that their forensics guys could read data off a hard drive that had
> been written over up to thirty times. I find this very hard to believe
> and told him I thought he was mistaken but the guy was adamant that it
> could be done. My question is, does anyone have any views on this, or,
> can anyone point me to a source of information where I can get the facts
> on exactly how much data can be retrieved off a hard drive and under
> what conditions etc etc.
>
> Thanks
>
> Dave Adams
>
>
>
> This message (and any associated files) is intended only for the
> use of the individual or entity to which it is addressed and may
> contain information that is confidential, subject to copyright or
> constitutes a trade secret. If you are not the intended recipient
> you are hereby notified that any dissemination, copying or
> distribution of this message, or files associated with this message,
> is strictly prohibited. If you have received this message in error,
> please notify us immediately by replying to the message and deleting
> it from your computer. Messages sent to and from
> John Crowley (Maidstone) Ltd may be monitored.
>
> Internet communications cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, destroyed, arrive
> late or incomplete, or contain viruses. Therefore, we do not accept
> responsibility for any errors or omissions that are present in this
> message, or any attachment, that have arisen as a result of e-mail
> transmission. If verification is required, please request a hard-copy
> version. Any views or opinions presented are solely those of the author
> and do not necessarily represent those of John Crowley (Maidstone) Ltd.

---------------------------------------------------------------------
www.webfargo.com
CCDA   CCNA   CCSA   CCSE   MCP+I   MCSE
PGP key available