Wiping data from drive question

In article <>, says...
> No. He was the opinion that doing so is absolutely unnecessary and just
> added for safety, which also applies to the large number of passes. Now
> RTFA.

It appears that the DOD and NSA don't agree with you or him then.

--


remove 999 in order to email me

Leythos

On Thu, 15 Jun 2006 13:20:04 GMT, Leythos <>
wrote:

>In article <>, says...
>> No. He was the opinion that doing so is absolutely unnecessary and just
>> added for safety, which also applies to the large number of passes. Now
>> RTFA.
>
>It appears that the DOD and NSA don't agree with you or him then.


It is always the case that we are re-inventing the wheel it
seems. There has always been the acknowledgement that only
overwriting the same digit (0 or 1) leaves a remnant, the
signature of the prior bit. This has actually been shown
detectable. AFAIK, it has never been shown that any data
was recoverable after a very few passes of (true) random
write.

Can the DOD go overboard? Of course, who can't? Far easier
to suggest that someone else goes to extra trouble do to
the unknown... there was a time when sailors thought they
might sail off the edge of the earth too but later we
realized it was round, not flat.

kony

kony wrote:

> On Tue, 13 Jun 2006 18:30:08 -0700, "Doofus McFly"
> <> wrote:
>
>>A co-worker made a statement that data is recoverable from a hard drive
>>even after you write zeros to all sectors of the hard drive. I was always
>>under the impression that once you wrote zeros to all sectors that any
>>data that was there is impossible to recover. Does anyone have any
>>thoughts on this? Thanks!
>
>
> Merely overwriting it once with the same digit will allow a
> professional with specialized equipment to recover "some" if
> not all of the data, at great cost (computer repair shop or
> the like could not do it).
>
> Random overwriting with a couple of passes makes it MUCH
> more difficult, practically impossible. The prior poster is
> incorrect about 10,000 passes, a couple of random passes is
> sufficient but prudence with sensitive data would suggest at
> least 3 or 4 passes.

No. Supposedly, as I have never checked, there could be a "shadow" if, for
example, a "1" had existed for some time. Overwriting it with a "0" once
would not remove 100% of the "shadow"....

Imhotep

--
*************************************
Pass a Net Neutrality Law in the US!!!!

Save the Internet:
http://www.savetheinternet.com/

Its our net:
http://www.itsournet.org/

*************************************

imhotep

"Doofus McFly" <> writes:

>A co-worker made a statement that data is recoverable from a hard drive even
>after you write zeros to all sectors of the hard drive. I was always under
>the impression that once you wrote zeros to all sectors that any data that
>was there is impossible to recover. Does anyone have any thoughts on this?
>Thanks!


A useful collection of links on this topic is:

http://staff.washington.edu/jdlarios/autoclave/

Be sure and read:

http://www.simson.net/clips/academic...eForensics.pdf

--
A host is a host from coast to
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

David Lesher

Now you can do it with special magnets.

As David posted:

http://www.darkreading.com/document.asp?doc_id=97378

~David~

jsteam

"kony" <> wrote in message
news:...
> It isn't really effective at all. If one has done the
> random-overwrite the data is already gone- end of story.

Consider that your hard drive is a device that reads an analog value and
turns it into a binary value.

Starting with a 'blank' drive, every bit reads as analog zero, which
converts to binary zero.

Let's say that every time you flip a bit, its new value is 99% of the value
you're trying to set, plus 1% of the old value. Further, let's say that the
drive views a 5% or less value as binary zero, and a 95% or more value as
binary one.

Take a zero and turn it to a one, and you'll have a value of .99. This is
read as 1, but is readily readable as "currently one, but was zero last
time".

Play games with this kind of thinking, and you see that if drives do indeed
follow such an analog model, they will be reasonably easy to read after a
single random write.

The best solution, if you're in such a market, is to encrypt the hard drive
at all times.

Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | .
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

Alun Jones

On Sat, 24 Jun 2006 16:47:01 -0700, "Alun Jones"
<> wrote:

>"kony" <> wrote in message
>news:.. .
>> It isn't really effective at all. If one has done the
>> random-overwrite the data is already gone- end of story.
>
>Consider that your hard drive is a device that reads an analog value and
>turns it into a binary value.
>
>Starting with a 'blank' drive, every bit reads as analog zero, which
>converts to binary zero.
>
>Let's say that every time you flip a bit, its new value is 99% of the value
>you're trying to set, plus 1% of the old value. Further, let's say that the
>drive views a 5% or less value as binary zero, and a 95% or more value as
>binary one.
>
>Take a zero and turn it to a one, and you'll have a value of .99.

Except, we're not starting with a new drive and any data
recovery effort will not know how many times this area has
been written with any particular value, nor if the analog
writing process was producing the perfect (but offset) .99
value or something else, nor how it recalibrates itself as
it warms up. Already there are too many variables to make
it simple to recover from one single zero fill.

>This is
>read as 1, but is readily readable as "currently one, but was zero last
>time".

Sure, if over simplified that seems obvious. Nobody has
suggested to only do a one pass with only zero, or only 1.
Multiplass random overwrite- nobody has ever claimed
(AFAIK), let alone proven they could recover even one single
bit beyond a 50/50 statistical expectation.


>
>Play games with this kind of thinking, and you see that if drives do indeed
>follow such an analog model, they will be reasonably easy to read after a
>single random write.

IF it were only the isolated scenario you post, it could be
true. It isn't ever that scenario without any other
variables. It is impossible for there to be only that
scenario, literally impossible to force to happen if one
tried to do it.


>
>The best solution, if you're in such a market, is to encrypt the hard drive
>at all times.

Yes encryption is another good strategy. I'd sooner bet
that a multipass random overwrite made the data more
secure(ly gone) than that they'd never be able to break the
encryption, so I would only consider the encryption suitable
for different kinds of threats if used alone.

kony

kony wrote:

> >Let's say that every time you flip a bit, its new value is 99% of
> >the value you're trying to set, plus 1% of the old value. Further,
> >let's say that the drive views a 5% or less value as binary zero,
> >and a 95% or more value as binary one.
> >
> >Take a zero and turn it to a one, and you'll have a value of .99.
>
> Except, we're not starting with a new drive and any data
> recovery effort will not know how many times this area has
> been written with any particular value, nor if the analog
> writing process was producing the perfect (but offset) .99
> value or something else, nor how it recalibrates itself as
> it warms up. Already there are too many variables to make
> it simple to recover from one single zero fill.

There's one really important issue that's being overlooked here though,
and that's the quality of the hardware used to do these read/write
operations, and the quality (and theoretical limits) of hardware that
might be available to someone else.

The heads in a consumer grade drive are, well, consumer grade. They're
designed and built to "good enough" standards that give users an
expectation of data integrity, at minimal cost to the manufacturer.
Consequently they're not as accurate, or as sensitive/powerful as what
someone with specialized equipment might have.

All the math and probability in the universe flies out the window if
your data can be read at the edges of a track, or more sensitive
equipment is used to detect the subtle differences between a sector
with a one that's been overwritten with a zero, and a zero that's been
overwritten likewise. Things your consumer grade heads just aren't
capable of doing, but things that are possible none the less.

This is how "clean room" data recovery businesses make their big money,
by the way. The equipment is expensive, the sanitation is meticulous,
and the people are well trained, and they're an effective combination.

> >The best solution, if you're in such a market, is to encrypt the
> >hard drive at all times.
>
> Yes encryption is another good strategy. I'd sooner bet

Encryption is the only *good* strategy. Data wiping is essentially
useless unless you use specialized equipment. With whole disk OTFE it
doesn't matter.

George Orwell

"kony" <> wrote in message
news:...
> On Sat, 24 Jun 2006 16:47:01 -0700, "Alun Jones"
> <> wrote:
>
>>Let's say that every time you flip a bit, its new value is 99% of the
>>value
>>you're trying to set, plus 1% of the old value. Further, let's say that
>>the
>>drive views a 5% or less value as binary zero, and a 95% or more value as
>>binary one.
>>
>>Take a zero and turn it to a one, and you'll have a value of .99.
>
> Except, we're not starting with a new drive and any data
> recovery effort will not know how many times this area has
> been written with any particular value, nor if the analog
> writing process was producing the perfect (but offset) .99
> value or something else, nor how it recalibrates itself as
> it warms up. Already there are too many variables to make
> it simple to recover from one single zero fill.

You didn't do Fourier Analysis at college, did you?

Okay, let's see now.

No matter what the bits have been doing before the write prior to the last
one, a value of .99 to .9901 indicates that the bit was zero before its
current value of one, and a value of .9999 to 1 indicates that it was one
before its current value of one.

That's assuming that the percentages I described are applied exactly, but as
you can see, there's no overlap between the values - there's a significant
gap between .9901 (the upper end of "0 turned to 1") and .9999 (the lower
end of "1 turned to 1").

With appropriate statistical analysis, and the ability to read the analog
values to a great degree of accuracy, you find that you can accurately
determine the lifetime of a bit on the drive - not to the point where you
can say what the bit was last Tuesday, but to the point where you can say
"before its current value, it went through these sets of values".

Not the sort of thing you'd want to do if you're looking for credit cards
(they're far easier to fish out of the local landfill), but if you're
searching for national secrets, maybe you'd want to waste a mathematician or
six on this kind of a task.

Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | .
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

Alun Jones

On Sun, 25 Jun 2006 03:45:12 +0200 (CEST), George Orwell
<> wrote:

>kony wrote:
>
>> >Let's say that every time you flip a bit, its new value is 99% of
>> >the value you're trying to set, plus 1% of the old value. Further,
>> >let's say that the drive views a 5% or less value as binary zero,
>> >and a 95% or more value as binary one.
>> >
>> >Take a zero and turn it to a one, and you'll have a value of .99.
>>
>> Except, we're not starting with a new drive and any data
>> recovery effort will not know how many times this area has
>> been written with any particular value, nor if the analog
>> writing process was producing the perfect (but offset) .99
>> value or something else, nor how it recalibrates itself as
>> it warms up. Already there are too many variables to make
>> it simple to recover from one single zero fill.
>
>There's one really important issue that's being overlooked here though,
>and that's the quality of the hardware used to do these read/write
>operations, and the quality (and theoretical limits) of hardware that
>might be available to someone else.
>
>The heads in a consumer grade drive are, well, consumer grade. They're
>designed and built to "good enough" standards that give users an
>expectation of data integrity, at minimal cost to the manufacturer.
>Consequently they're not as accurate, or as sensitive/powerful as what
>someone with specialized equipment might have.
>

That would also suggest a higher random deviation between
subsequent writes of same bit. The issue is never the
quality of the equipment used to attempt recovery (if we are
being thorough, we will assume that it can't only matter
what could be recovered with today's technology but "ever"
whether there is actually any pattern remaining to the
rewritten random data.



>All the math and probability in the universe flies out the window if
>your data can be read at the edges of a track, or more sensitive
>equipment is used to detect the subtle differences between a sector
>with a one that's been overwritten with a zero, and a zero that's been
>overwritten likewise. Things your consumer grade heads just aren't
>capable of doing, but things that are possible none the less.
>
>This is how "clean room" data recovery businesses make their big money,
>by the way. The equipment is expensive, the sanitation is meticulous,
>and the people are well trained, and they're an effective combination.

Of course, but data recovery is not meant nor does it claim
to recover from multipass random overwrites. No matter how
good the equipment, personnel or method, there has to be a
statistically significant remnant of the *real* data. Is
that real data 3 rewrites past, or 6? No way to know and it
will vary per every single location on the platter. The
more the variables are considered, the more there are that
interfere with recovery onto the point where not only has
nobody ever claimed they did it (with enough credibility and
proof to be considered reliable), nobody has ever even
accounted for all the variables and described how to tackle
them.

That a bit can be overwritten once and retain a hint at the
prior value is just the tip of the iceburg.



>
>> >The best solution, if you're in such a market, is to encrypt the
>> >hard drive at all times.
>>
>> Yes encryption is another good strategy. I'd sooner bet
>
>Encryption is the only *good* strategy. Data wiping is essentially
>useless unless you use specialized equipment. With whole disk OTFE it
>doesn't matter.

Nonsense. "IF" the data were recoverable (including
encrypted), a sufficient farm of computers could break
encryption sooner than doing the impossible. We at least
know how to break encryption, the issue there is just time
(processing power).

kony