deleting a hard drive

Discussion in 'Computer Security' started by ., Sep 13, 2004.

  1. .

    . Guest

    I am enrolled in an on-line Digital Forensics class and the instructor
    has asked the following question....Why can't you delete a hard drive?
    If he means delete as in rendering every bit empty...holding neither a
    1 nor a 0. I don't think that that is possible, is it? Any help would
    be appreciated.
     
    ., Sep 13, 2004
    #1
    1. Advertising

  2. .

    JM Guest

    .. wrote:

    > I am enrolled in an on-line Digital Forensics class and the instructor
    > has asked the following question....Why can't you delete a hard drive?
    > If he means delete as in rendering every bit empty...holding neither a
    > 1 nor a 0. I don't think that that is possible, is it? Any help would
    > be appreciated.


    The Del command only removes the file name from the index, the data is still
    there. You can over write the data with 1 & 0's multiple times to attempt
    to mask what was there. But if you have the time and the resources the
    recovery of data is possible, due to a slight charge of the past image
    remains. It has been said by some that the recovery of the last 7 layers of
    data is possible off of media. The only way to ensure the data is gone is
    to destroy the media or over-write it multiple times and run it through a
    degausser.
    --
    NEMO SALTAT SOBRIUS NISI FORTE INSANIT.
     
    JM, Sep 13, 2004
    #2
    1. Advertising

  3. Why can't you delete a hard drive?
    What a broad and incorrect question. Does the instructor mean delete the data on a hard
    disk ?

    If he means the data and not the hard disk itself, degaussing will delete all data and data
    structures. This is also known as "sanitizing" a hard disk.

    Dave



    "." <> wrote in message news:...
    | I am enrolled in an on-line Digital Forensics class and the instructor
    | has asked the following question....Why can't you delete a hard drive?
    | If he means delete as in rendering every bit empty...holding neither a
    | 1 nor a 0. I don't think that that is possible, is it? Any help would
    | be appreciated.
     
    David H. Lipman, Sep 13, 2004
    #3
  4. .

    Jim Watt Guest

    On Sun, 12 Sep 2004 20:41:16 -0400, . <> wrote:

    >I am enrolled in an on-line Digital Forensics class and the instructor
    >has asked the following question....Why can't you delete a hard drive?
    >If he means delete as in rendering every bit empty...holding neither a
    >1 nor a 0. I don't think that that is possible, is it? Any help would
    >be appreciated.


    If a hard disk really was a digital device you could set all the data
    bits to 0, 1 or a random patten and any data it held would be
    effectivly deleted.

    Or you can shred it. Then its deleted.

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 13, 2004
    #4
  5. .

    someone Guest

    "." <> wrote in message
    news:...
    > I am enrolled in an on-line Digital Forensics class and the instructor
    > has asked the following question....Why can't you delete a hard drive?
    > If he means delete as in rendering every bit empty...holding neither a
    > 1 nor a 0. I don't think that that is possible, is it? Any help would
    > be appreciated.


    An excellent article re this topic can be found via this link

    http://www.nber.org/sys-admin/overwritten-data-guttman.html

    What institution is your digital forensics class provided by?

    I would be interested in the information provided by the instructor on this
    topic.
     
    someone, Sep 13, 2004
    #5
  6. .

    Apollo Guest

    "." <> wrote in message
    news:...
    >I am enrolled in an on-line Digital Forensics class and the instructor
    > has asked the following question....Why can't you delete a hard drive?
    > If he means delete as in rendering every bit empty...holding neither a
    > 1 nor a 0. I don't think that that is possible, is it? Any help would
    > be appreciated.


    I would answer;

    You can't delete a hard drive because it's a physical device ;o)

    If your instructor means why can't you delete the data on a hard drive, you
    should suggest that he did not ask that question and he should be more
    specific. If this is the case, then the rest of the course content and the
    competence of the 'instructors' will probably be just as dubious.

    Good luck,

    --
    Apollo
     
    Apollo, Sep 13, 2004
    #6
  7. Well I for one would like to know the name of your class. Anyways you are
    correct it is a vague question low level formatting would create all zeros,
    there has to be some value on the disk in order for the bios to talk to it.
    Let me know what he says
    "." <> wrote in message
    news:...
    > I am enrolled in an on-line Digital Forensics class and the instructor
    > has asked the following question....Why can't you delete a hard drive?
    > If he means delete as in rendering every bit empty...holding neither a
    > 1 nor a 0. I don't think that that is possible, is it? Any help would
    > be appreciated.
     
    Melissa Royer, Sep 13, 2004
    #7
  8. .

    a Guest

    Only for shure as in Circuit Cellar

    format

    then take out in woods and put a round all the way thru it

    works every time



    On Sun, 12 Sep 2004 20:41:16 -0400, . <> wrote:

    -I am enrolled in an on-line Digital Forensics class and the
    instructor
    -has asked the following question....Why can't you delete a hard
    drive?
    -If he means delete as in rendering every bit empty...holding neither
    a
    -1 nor a 0. I don't think that that is possible, is it? Any help would
    -be appreciated.
     
    a, Sep 14, 2004
    #8
  9. Nope, residual flux would leave data and those areas not damaged by the "round" could still
    be used to retrieve data. Albeit, it would be like a puzzle with pieces missing but, enough
    of the puzzle would be left to gather much information on the big picture.

    The only way to truly sanitize a hard disk is to supply an alternating magnetic field with a
    large amount of Oersted power (e.g, >5000 Oersted). Once complete there will be no residual
    flux left on the ferrous grains or molecules.

    Dave




    "a" <> wrote in message
    news:...
    |
    | Only for shure as in Circuit Cellar
    |
    | format
    |
    | then take out in woods and put a round all the way thru it
    |
    | works every time
    |
    |
    |
    | On Sun, 12 Sep 2004 20:41:16 -0400, . <> wrote:
    |
    | -I am enrolled in an on-line Digital Forensics class and the
    | instructor
    | -has asked the following question....Why can't you delete a hard
    | drive?
    | -If he means delete as in rendering every bit empty...holding neither
    | a
    | -1 nor a 0. I don't think that that is possible, is it? Any help would
    | -be appreciated.
    |
     
    David H. Lipman, Sep 14, 2004
    #9
  10. .

    Colin B. Guest

    a <> wrote:
    >
    > Only for shure as in Circuit Cellar
    >
    > format
    >
    > then take out in woods and put a round all the way thru it
    >
    > works every time


    Nope. Not even to a passable degree.

    Grinding and incinerating is better.
     
    Colin B., Sep 14, 2004
    #10
  11. I like what Jim Watt stated -- "...shred it." However, I have yet to come across a 1/8"
    cross-cut shredder that does hard disks ;-)

    Dave




    "Colin B." <> wrote in message
    news:...
    |
    | Nope. Not even to a passable degree.
    |
    | Grinding and incinerating is better.
    |
     
    David H. Lipman, Sep 14, 2004
    #11
  12. .

    Herbert West Guest

    On Sun, 12 Sep 2004 20:41:16 -0400, . <> wrote:

    >I am enrolled in an on-line Digital Forensics class and the instructor
    >has asked the following question....Why can't you delete a hard drive?
    >If he means delete as in rendering every bit empty...holding neither a
    >1 nor a 0. I don't think that that is possible, is it? Any help would
    >be appreciated.



    Each bit holding "neither a 1 nor a 0" sounds more like a question of
    quantum mechanics and physics (or even philosophy and Taoism) than of
    digital forensics. I sort of envision a situation like "Shroedinger's
    Hard Drive," where every possible bit of addressable surface area on
    the drive is in an inderterminate state until acted upon by an outside
    force, even if the force is that of an observer spinning the disk
    while passing a read head over it. The problem is that that the disk
    is a magnetic surface, and thus can't ever be rendered 100%
    magnetically neutral. Any specific bit of surface space we examine
    will have settled in one state or the other, even if only weakly.

    The instructor probably means that a flat Gaussian random stream of
    bits would be output when the drive is read. As others have said,
    degaussing the drive would be the best *physical* way to do it (short
    of grinding the platter into microscopic dust). <g>

    Alternatly, we could do our damdest to synthesize a pseudorandom
    sequence and constantly overwrite the existing data in order to
    eliminate all traces of the original magnetic patterns. The following
    link should provide some info.

    http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/

    There are a number of secure deletion utilities based upon the above.
    Being a Windows user, I like Sammy Tolvanen's "Eraser," a free but
    effective solution.

    http://www.tolvanen.com/eraser/
     
    Herbert West, Sep 14, 2004
    #12
  13. .

    AlanP Guest

    Herbert West wrote:
    > On Sun, 12 Sep 2004 20:41:16 -0400, . <> wrote:
    >
    >
    >>I am enrolled in an on-line Digital Forensics class and the instructor
    >>has asked the following question....Why can't you delete a hard drive?
    >>If he means delete as in rendering every bit empty...holding neither a
    >>1 nor a 0. I don't think that that is possible, is it? Any help would
    >>be appreciated.

    >
    >
    >
    > Each bit holding "neither a 1 nor a 0" sounds more like a question of
    > quantum mechanics and physics (or even philosophy and Taoism) than of
    > digital forensics. I sort of envision a situation like "Shroedinger's
    > Hard Drive," where every possible bit of addressable surface area on
    > the drive is in an inderterminate state until acted upon by an outside
    > force, even if the force is that of an observer spinning the disk
    > while passing a read head over it. The problem is that that the disk
    > is a magnetic surface, and thus can't ever be rendered 100%
    > magnetically neutral. Any specific bit of surface space we examine
    > will have settled in one state or the other, even if only weakly.
    >
    > The instructor probably means that a flat Gaussian random stream of
    > bits would be output when the drive is read. As others have said,
    > degaussing the drive would be the best *physical* way to do it (short
    > of grinding the platter into microscopic dust). <g>
    >
    > Alternatly, we could do our damdest to synthesize a pseudorandom
    > sequence and constantly overwrite the existing data in order to
    > eliminate all traces of the original magnetic patterns. The following
    > link should provide some info.
    >
    > http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/
    >
    > There are a number of secure deletion utilities based upon the above.
    > Being a Windows user, I like Sammy Tolvanen's "Eraser," a free but
    > effective solution.
    >
    > http://www.tolvanen.com/eraser/


    Wow...

    Awesome topic next time we get munted...
     
    AlanP, Sep 14, 2004
    #13
  14. .

    Moe Trin Guest

    In article <>, Herbert West wrote:
    >On Sun, 12 Sep 2004 20:41:16 -0400, . <> wrote:


    >>If he means delete as in rendering every bit empty...holding neither a
    >>1 nor a 0. I don't think that that is possible, is it?


    Yes

    >Each bit holding "neither a 1 nor a 0" sounds more like a question of
    >quantum mechanics and physics (or even philosophy and Taoism) than of
    >digital forensics.


    Grab a book that discusses data encoding on hard disks. Any of Scott
    Mueller's "Upgrading and Repairing PCs" would do as one example. Data
    is stored on the modern hard disk as a pattern of magnetic flux
    reversals - the encoding scheme you are looking for is called "Run
    Length Limited" although even the earlier FM and MFM (from the 1970s)
    used the same principle. Using the RLL "2,7" Scheme, a disk full
    of "zeros" would have the magnetic domains encoded NNNTNN for every
    _THREE_ zero bits (where N means no flux reversal, and T means that one
    occurs), while the same disk full of "ones" would be encoded TNNN for
    every _TWO_ one bits. The encoding scheme is such that there is ALWAYS
    a flux transition, yet the transitions are neither to close (resolution
    problems) or to far apart (loss of synchronization).

    So - to render every bit empty, one need only magnetize the sh1t out
    of the disk in one direction or the other so that there are NO flux
    transitions. It does not matter if the magnetic domains are all
    "North" or "South" - just that they are the same. Of course, this also
    destroys the low level format, which might also be a good thing. Is
    this a _practical_ technique? No, probably not, but it answers the
    academic question, rather than the practical or real life question.

    >The problem is that that the disk is a magnetic surface, and thus
    >can't ever be rendered 100% magnetically neutral. Any specific bit
    >of surface space we examine will have settled in one state or the
    >other, even if only weakly.


    And that may allow data recovery. Also, people forget that modern disks
    have "reserve" sectors that are automagically substituted for failing
    sectors. The data that _was_ on the failing sector is COPIED to
    these spare sectors, and the disk is remapped. Your operating system
    has no control over this. Murphy's law states that the critical data
    you are trying to conceal will have been on a failing sector, which was
    copied to a "safe" replacement sector. COPIED!!! It was not deleted
    from the failing sector. All of your "wipe the disk" tools can't get to
    this, because the disk itself won't let you access the bad sector. But
    it's still there. _THAT'S_ why the only secure deletion is physical
    destruction of the platter.

    Old guy
     
    Moe Trin, Sep 14, 2004
    #14
  15. .

    . Guest

    On Mon, 13 Sep 2004 11:57:25 -0400, "someone" <>
    wrote:

    >
    >"." <> wrote in message
    >news:...
    >> I am enrolled in an on-line Digital Forensics class and the instructor
    >> has asked the following question....Why can't you delete a hard drive?
    >> If he means delete as in rendering every bit empty...holding neither a
    >> 1 nor a 0. I don't think that that is possible, is it? Any help would
    >> be appreciated.

    >
    >An excellent article re this topic can be found via this link
    >
    >http://www.nber.org/sys-admin/overwritten-data-guttman.html
    >
    >What institution is your digital forensics class provided by?
    >
    >I would be interested in the information provided by the instructor on this
    >topic.
    >
    >

    Champlain College (champlain.edu) in Burlington Vermont is the
    school. They offer both a certification program and a bachelors
    degree. I'll let you know what the instructor says after I recieve my
    corrected homework...should be by the end of next week. Thanks for
    your help everyone.
     
    ., Sep 14, 2004
    #15
  16. .

    . Guest

    On Mon, 13 Sep 2004 20:21:40 GMT, "Melissa Royer"
    <> wrote:

    >Well I for one would like to know the name of your class. Anyways you are
    >correct it is a vague question low level formatting would create all zeros,
    >there has to be some value on the disk in order for the bios to talk to it.
    >Let me know what he says
    >"." <> wrote in message
    >news:...
    >> I am enrolled in an on-line Digital Forensics class and the instructor
    >> has asked the following question....Why can't you delete a hard drive?
    >> If he means delete as in rendering every bit empty...holding neither a
    >> 1 nor a 0. I don't think that that is possible, is it? Any help would
    >> be appreciated.

    >

    The school is Champlain College (champlain.edu) in Burlington Vermont.
    They offer both certification and/or a bachelors degree on-line or on
    campus in "Computer and Digital Forensics"
    I'll let you know what he say's when he returns my homework...should
    be sometime next week. Thanks for your help.
     
    ., Sep 14, 2004
    #16
  17. .

    Herbert West Guest

    On Tue, 14 Sep 2004 12:10:00 -0500,
    (Moe Trin) wrote:

    >In article <>, Herbert West wrote:
    >>On Sun, 12 Sep 2004 20:41:16 -0400, . <> wrote:

    >
    >>>If he means delete as in rendering every bit empty...holding neither a
    >>>1 nor a 0. I don't think that that is possible, is it?

    >
    >Yes
    >
    >>Each bit holding "neither a 1 nor a 0" sounds more like a question of
    >>quantum mechanics and physics (or even philosophy and Taoism) than of
    >>digital forensics.

    >
    >Grab a book that discusses data encoding on hard disks. Any of Scott
    >Mueller's "Upgrading and Repairing PCs" would do as one example. Data


    <snip>

    I'll have to research it further, as you say.

    >>The problem is that that the disk is a magnetic surface, and thus
    >>can't ever be rendered 100% magnetically neutral. Any specific bit
    >>of surface space we examine will have settled in one state or the
    >>other, even if only weakly.

    >
    >And that may allow data recovery. Also, people forget that modern disks
    >have "reserve" sectors that are automagically substituted for failing
    >sectors. The data that _was_ on the failing sector is COPIED to
    >these spare sectors, and the disk is remapped. Your operating system
    >has no control over this. Murphy's law states that the critical data
    >you are trying to conceal will have been on a failing sector, which was
    >copied to a "safe" replacement sector. COPIED!!! It was not deleted
    >from the failing sector. All of your "wipe the disk" tools can't get to
    >this, because the disk itself won't let you access the bad sector. But
    >it's still there. _THAT'S_ why the only secure deletion is physical
    >destruction of the platter.


    That was lingering in the back of my mind, but didn't quite occur to
    me at the moment. I completely neglected the issue of reserve
    sectors. And with drives approaching Terabyte capacity, it becomes a
    major issue (Murphy be damned!). Not that I have anything sensitive
    enough on my drives to warrant it, but physical destruction of the
    platter would be the _only_ means to secure the drive upon
    decommissioning.

    Thanks for the clarification.

    -Herb-
     
    Herbert West, Sep 14, 2004
    #17
  18. I trust the US DoD's new methodology.
    It was expressed in a memo by the Acting SD Linton Wells II, June 2001, entitled:
    "Disposition of Unclassified DoD Computer Hard Drives"

    It basically describes writing a pattern such as 01010101 the writing its complement
    10101010 then another patter such as 11001100 and repeating this six times. Thus,
    "Sanitization is not complete until all six passes of the three cycles are completed".

    Dave




    "Herbert West" <> wrote in message
    news:...
    | On Sun, 12 Sep 2004 20:41:16 -0400, . <> wrote:
    |
    | >I am enrolled in an on-line Digital Forensics class and the instructor
    | >has asked the following question....Why can't you delete a hard drive?
    | >If he means delete as in rendering every bit empty...holding neither a
    | >1 nor a 0. I don't think that that is possible, is it? Any help would
    | >be appreciated.
    |
    |
    | Each bit holding "neither a 1 nor a 0" sounds more like a question of
    | quantum mechanics and physics (or even philosophy and Taoism) than of
    | digital forensics. I sort of envision a situation like "Shroedinger's
    | Hard Drive," where every possible bit of addressable surface area on
    | the drive is in an inderterminate state until acted upon by an outside
    | force, even if the force is that of an observer spinning the disk
    | while passing a read head over it. The problem is that that the disk
    | is a magnetic surface, and thus can't ever be rendered 100%
    | magnetically neutral. Any specific bit of surface space we examine
    | will have settled in one state or the other, even if only weakly.
    |
    | The instructor probably means that a flat Gaussian random stream of
    | bits would be output when the drive is read. As others have said,
    | degaussing the drive would be the best *physical* way to do it (short
    | of grinding the platter into microscopic dust). <g>
    |
    | Alternatly, we could do our damdest to synthesize a pseudorandom
    | sequence and constantly overwrite the existing data in order to
    | eliminate all traces of the original magnetic patterns. The following
    | link should provide some info.
    |
    | http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/
    |
    | There are a number of secure deletion utilities based upon the above.
    | Being a Windows user, I like Sammy Tolvanen's "Eraser," a free but
    | effective solution.
    |
    | http://www.tolvanen.com/eraser/
     
    David H. Lipman, Sep 14, 2004
    #18
  19. .

    autodog Guest

    On Mon, 13 Sep 2004 01:14:41 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >Why can't you delete a hard drive?
    >What a broad and incorrect question. Does the instructor mean delete the data on a hard
    >disk ?
    >
    >If he means the data and not the hard disk itself, degaussing will delete all data and data
    >structures. This is also known as "sanitizing" a hard disk.
    >
    >Dave
    >
    >
    >
    >"." <> wrote in message news:...
    >| I am enrolled in an on-line Digital Forensics class and the instructor
    >| has asked the following question....Why can't you delete a hard drive?
    >| If he means delete as in rendering every bit empty...holding neither a
    >| 1 nor a 0. I don't think that that is possible, is it? Any help would
    >| be appreciated.
    >

    My instructor has changed the question from "Why can't you delete a
    hard drive" to "Why can't you delete the contents of a hard drive" and
    given me a bonus point for questioning the question. I'll keep you
    posted. Thanks again.
     
    autodog, Sep 15, 2004
    #19
  20. Excellent !

    I look forward to further information you may provide.

    Dave




    "autodog" <> wrote in message
    news:...
    | On Mon, 13 Sep 2004 01:14:41 GMT, "David H. Lipman"
    | <DLipman~nospam~@Verizon.Net> wrote:
    |
    | >Why can't you delete a hard drive?
    | >What a broad and incorrect question. Does the instructor mean delete the data on a hard
    | >disk ?
    | >
    | >If he means the data and not the hard disk itself, degaussing will delete all data and
    data
    | >structures. This is also known as "sanitizing" a hard disk.
    | >
    | >Dave
    | >
    | >
    | >
    | >"." <> wrote in message
    news:...
    | >| I am enrolled in an on-line Digital Forensics class and the instructor
    | >| has asked the following question....Why can't you delete a hard drive?
    | >| If he means delete as in rendering every bit empty...holding neither a
    | >| 1 nor a 0. I don't think that that is possible, is it? Any help would
    | >| be appreciated.
    | >
    | My instructor has changed the question from "Why can't you delete a
    | hard drive" to "Why can't you delete the contents of a hard drive" and
    | given me a bonus point for questioning the question. I'll keep you
    | posted. Thanks again.
     
    David H. Lipman, Sep 15, 2004
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Nate
    Replies:
    1
    Views:
    1,125
    Ed Mullen
    Feb 21, 2004
  2. Anthropy
    Replies:
    4
    Views:
    1,065
    Anthropy
    Feb 24, 2004
  3. Replies:
    0
    Views:
    1,260
  4. Spin
    Replies:
    7
    Views:
    756
    Bill in Co.
    Apr 9, 2008
  5. Spin
    Replies:
    10
    Views:
    2,925
    Bill in Co.
    Apr 9, 2008
Loading...

Share This Page