Bugtraq mailing list archives

Re: BugTraq: EFS Win 2000 flaw


From: "Fulmer, John" <JFulmer () HRBLOCK COM>
Date: Tue, 23 Jan 2001 09:26:19 -0600

There is a big difference between using a simple sector editor to recover
files, like the EFS flaw would apparently allow you to, and having to use
some fairly sophisticated magnetic data recovery equipment. Sector editors
are widely available, and a person can fetch the data without your
knowledge.

To recover overwritten data you must remove the hard drive, disassemble it,
and use some pretty specialized equipment to retrieve the data. The level of
effort is pretty much beyond anyone who isn't extremely well funded, and it
would be almost impossible to do so undetected.

jf


-----Original Message-----
From: Russ
To: BUGTRAQ () SECURITYFOCUS COM
Sent: 1/19/01 2:10 PM
Subject: Re: BugTraq: EFS Win 2000 flaw

To the best of my knowledge, Peter Guttman(sp?) has demonstrated for years
now that there is no form of over-writing which makes any substantial
difference to the ability to recover previously written data from a
computer hard disk.

My understanding of current "high security" standards wrt the re-use of
disks which previously contained classified materials is that they only be
re-used in similarly classified systems, or, are destroyed beyond any form
of molecular reconstruction (e.g. melted).

So to suggest that your perceived EFS flaw can be resolved by over-writing
is naive. The only solution is to encrypt in memory or use some removable
partition as the temp space.

Anyone know if PGPdisk works differently than EFS does?

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

