Re: BugTraq: EFS Win 2000 flaw

[Ryan Russell <ryan () SECURITYFOCUS COM>]

On Fri, 19 Jan 2001, Russ wrote:

> To the best of my knowledge, Peter Guttman(sp?) has demonstrated for years
> now that there is no form of over-writing which makes any substantial
> difference to the ability to recover previously written data from a computer
> hard disk.
>
> My understanding of current "high security" standards wrt the re-use of
> disks which previously contained classified materials is that they only be
> re-used in similarly classified systems, or, are destroyed beyond any form
> of molecular reconstruction (e.g. melted).

I see a big difference in being able to recover some files by simply
booting to a different OS vs. having to break out the electron microscope
and manually piece bits together.  I could boot DOS or Linux to read a
deleted file... I don't think I'd be able to find someone who could read
the bits from 3 writes ago off of a physical disk surface for me... unless
you gave me a huge amount of time and money.

If the problem does exist as described... the possibility that a
government forensics lab might recover some data is no exucse for not
handling temp files properly for EFS.

                                                Ryan