Cant find an 'answer' no matter where I look or post

Hello,.

I have spent time on & off trying to understand the abilitie(s) of Defrag
and file wiping.

My question is simple, ( well at least in typing it) Does or does not
defragging eventually cleanse a hard-drive to the extent that nothing
could be recovered?
I have heard that if a drive is defragged often enough not even military
software can rebuild or identify anything the hard-drive may have had
on it.

I personally have a program called "super-shredder"., but if I feed it
anything larger than a 'meg' it seems to balk....... should I even
bother with this?

Thanks for reply.

 

Does not. Not only is it possible that the stuff you actually deleted
could be recovered because it's outside any sectors that ever get
written over by the defrag process, defragging does absolutely nothing
to obscure files or fragments of files that haven't been deleted at
all. And "eraser" programs are notoriously flawed. I doubt even
Micro$oft themselves knows every little hiding place Windows might
stash bits of your data. How is Joe from Joe's Eraser going to get them
all?

I've heard that if you dance naked under a full moon and chant the
words "baradda nikto filezgobyebye" you're safe too. <grin>

Think about it. Defrag generally tries to align and make contiguous
sectors of data that are scattered across a drive. IOW, if you have a
track that looks like this....

--------------------------------------------------------------------
File1 | File2 | File 1 | empty space | File1 | File2 |
--------------------------------------------------------------------

Defrag tries to make it look like this....

--------------------------------------------------------------------
File1 | File2 |
--------------------------------------------------------------------

See all the empty space at the end where parts of File1 and File 2 use
to be? They may or may not have been overwritten at all. Probably not.
And even if they were it's a one or two step overwrite, with other
data you might not want revealed no less. So it's a VERY good chance
that at least part of your "deleted" data is going to be recoverable.

Don't know a thing about your super-shredder, but there's literally
hundreds of utilities both big and small to "securely delete" files.
Some are better than others, some are total snake oil, and it's
debatable to what extent they're effective in the first place. Military
Wipe is pretty much a meaningless buzz word because you're not using
the same equipment the military uses. Their read/write heads are
likely to be a whole lot more sensitive and powerful than the heads in
your consumer grade drive, so it's possible that you'll NEVER be able
to completely wipe a drive to the point it will stand up to "Military
Grade" analysis. Note that "military" might mean FBI or their ilk in
this context.

If you want the best possible protection against having your files
recovered by LE or other attackers then encrypt them. Whole disk
encryption if you possibly can. If they're that valuable the penalty
for not handing over the pass phrases will be less than them having the
evidence (if there's any penalty at all), and you can be just shy of
100% sure they'll not be able to recover anything. Use very strong pass
phrases, like in the 25-30 random character range, and you're golden.
Mainstream, peer reviewed whole disk encryption using known secure
algorithms in conjunction with pass phrases of equal or better strength
and I'd even go out on the limb and give it the 100% unrecoverable seal
of approval. With a "for all practical purposes" disclaimer. You
never know if space aliens haven't given your government ultra-secret
methods of factoring very large numbers or something.

 

no.

 

Defragging a hdd is very different from securely wiping a hard disk drive.
I'm not sure how hard you looked for this info (ie. GOOGLE).

Here is a straightforward description of defragging a hdd from
http://www.compukiss.com/sandyclassroom/tutorials/article764.htm

"
When you add a file or a new program to a brand new computer, the hard disk
is relatively empty so new data is written to the hard disk in one
contiguous block. When you need to use that information, the computer can
quickly access it because it is all in one place.

As you use your computer adding files and programs, the hard disk begins to
fill up. Deleting files or removing programs creates small empty areas among
the other data that the computer will reuse. After awhile, the computer is
no longer saving information in large blocks. Instead, it stores information
in the many little empty nooks and crannies of your hard disk. The result
is that one program or file is broken up, or fragmented, into little pieces
and stored in many different areas of the hard disk. The computer
ingeniously keeps track of the addresses of each piece of data and puts it
all together when it is needed. Yet, obviously, the more broken up the
information is, the longer it takes to access the data and the slower the
computer becomes.

The solution is a simple one. Your Windows computer comes with a program
that will defragment your hard disk. This process reunites all the data into
large blocks and gathers all the free space on the hard disk into one block
making data retrieval faster and easier for the computer. "

From your post

If you don't wipe your hdd before it's reused or disposed of someone else
will be able to check out your porn, or maybe it's info on pot and drugs?

There must be something else you are doing with your time instead of
completing your homework, or learning the simple process of searching?

 

Part of the problem is the way that the file system was designed. Security,
until very recently, was never a concerrn for MS. They went for simplicity
of programming and immediate (as opposed to long term) performance. For
example, it is faster to write a file into the first available spot than to
find the best spot. That is why we have file fragments, and need a defrag
program.

Generally, when a file is updated and resaved, an entirely new file is
created in a new space, then the old one is 'deleted' so the data from the
old file remains on the drive (and a 'hole' is created for the defrag
program to deal with). Deleting a file simply means altering the file entry
in the 'table' so that is is not displayed by the 'directory' program. The
entry is still there, so the file can be 'undeleted'. The sectors occupied
by the file have their status changed from 'occupied' to 'available', but
they are not written to (yet).

As explained, if the sectors of the deleted file are over written by the
defrag process, then they are gone, but there is no guarantee of that.
Overwriting the file with a pattern will not help, as the actual sectors are
not overwritten - again a new file is created. You would have to 'read' the
file allocation table, determine the sectors occupied by the file, and wipe
them - not an easy task. Particularly since MS will not release the details
on how NTFS actually works.
Theoretically, if your drive is, say, 95% full and you defrag, pretty much
everything deleted will be overwritten, but the last few files will still
exist in two places - their new home, and the workspace where they were
moved to while defragging. When you delete one of these files, the 'ghost'
remains.

Now we have some practical considerations.
If you are looking for some text files on a drive, it is theoretically
possible to examine each sector with a hex editor and 'read' the data.
Without the entries in the file allocation table or equivalent info, you do
not have any idea which sectors belong to which file. A 10 gig partition
will have over 100 million sectors - it will take a while to examine each of
these for 'incriminating' text files. Even if you have a way to 'map' all
the sectors which 'belong' to existing files, it will take a while to
examine all the unallocated sectors. What is the value to the investigator
of the data that might be found?
If you have jpeg or mp3 files, and they are fragmented, the investigator may
never be able to put the pieces together.

If you need day to day secrecy of your data, I agree that encryption is one
way to go. Other options include physical security, offsite hosting and
such.
If you need only to ensure that erased files are truly erased, set up a
small partition for your data files. When it is time to clean up, copy the
ones you want out to a separate space, (another partition, rewriteable dvd,
whatever) reformat the partition, and copy back. Ensure that the 'separate
space' is also cleaned up. Remember to use a 'full' format, not the default
fast format which only resets the tables and leaves the individual sectors
alone.

Now it is my turn to ask - what is it that is so important?
Is this just general paranoia? Or are these specific files which are either
trade secrets or incriminating?
What about physical access to your computer? Fellow workers? Family?
Passwords?
Are you talking keyboard access? or search warrant 'take the computer apart,
put the drive in another machine and dig' kind of access?

Stuart

 

On Thu, 31 Aug 2006, in the Usenet newsgroup alt.computer.security, in article

There certainly is a lot of material available on the web - keyword search
of "secure delete" should turn up tons of material.

Simple question - simple answer. No.

Longer answer. You make it "impossible" to recover data from a disk (other
than by physical destruction) by overwriting the sensitive stuff. A single
overwrite may be enough to prevent the "Significant Other" from finding
the secret file of what you are going to buy them as a birthday gift. But
if the "Significant Other" really works for a "Three Letter Agency" and
is curious enough - that won't be enough. For some _basic_concepts_ on
the problem, the Peter Gutmann paper from 1996 gives a good explanation
(http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html) even though
it's quite dated now. Overwriting the same physical area of the disk that
held the data a sufficient number of times will make it difficult to perhaps
impossible to recover what was written _to_that_spot_in_the_past_ (but note
the qualifiers).

"perhaps impossible" because this is a mechanical process of positioning
the head over the place where the data was. If you drive a car over the
same tracks that you drove before (think driving in the snow as an
illustration), the chances of you _exactly_ lining up is quite low. You
can try repeating the attempt - with a car trying to obliterate a track,
perhaps doing this ten times may finally eliminate all traces of the
original track because some time, you'll miss to the left, sometimes to
the right, and so on. But what happens if you continually miss to the
right?

"what was written _to_that_spot_in_the_past_" refers to the fact that
modern hard drives can detect when the media is failing at one particular
spot (called a "bad block") and make a "best effort" copy of the data that
_was_ at that spot some place else, then mark that section of the disk as
being unusable. This is transparent to the operating system (never mind
to the user), and things are fine until the disk runs out of spare blocks
(at which time, the operating system gets informed, and may mark subsequent
blocks as bad) but not having spares, this reduces the available size of
the disk. (Disk manufacturers allocate a tiny percentage of the disk as
spares - you don't have access to them until this or that block gets swapped
in/out. This gives a consistent disk size, but allows for minor bad spots
in the manufacturing process.) The problem occurs when some of that
sensitive data you want to eliminate had been occupying a block that was
later determined to be faulty - and silently copied elsewhere. Even though
the disk says it can't access the old stuff on that bad block - IT'S STILL
THERE, and it's possible using low level techniques of disk access to read
some or all of the data.

You are playing with random chance here - and maybe not even random. The
defragmentation process puts data on the disk in consecutive blocks,
starting from the rim edge, and working inwards. Let's say your secret data
was written to disk after you installed the operating system but before you
installed the applications. The data might be located a third of the way in
on the disk. Then you added applications, which get written further in on
the platter (think how you normally write on a piece of paper - starting
at the top, then writing the next line, then the next, and so on). Finally
you create additional data - maybe saving pictures, or Usenet articles, I
have no idea what you are doing. The data is still being written one line
after another. Oh, wait - get rid of that picture!!! That's the same as
erasing a few lines on that piece of paper. Now, do a defrag, and what
happens. The stuff at the bottom gets moved up (overwriting the place that
held the picture). Did this have any effect with the stuff stored out near
the rim of the disk (the top of the sheet of paper)? No, the defrag has no
effect. Now, a bit of a stretch - when you write data, you write to a
complete line. If it takes a line and a half to hold things, the extra
half line is untouched. This is sometimes called 'slack space'. Anything
that _had_ been written there before is untouched. See the problem?

Not familiar with the program - can't say one way or the other. This
sounds like a b0rken program, and you may want to try something else.

What's on the disk? How much effort do you think someone is going to
make to recover the data that is/was there? The (US) DoD standard for
this is DOD 5220.22-M for the re-use/disposal of media containing data
classified as Confidential or Secret (basically, wipe the entire disk
multiple times with ones, zeros, and random data). If the disk had data
that was classified as Top Secret (or higher), the required solution is
degaussing, followed by the total physical destruction (melting, or
dissolving). Now if you have government classified data - you should
be talking to them and doing EXACTLY what they require. Is this data
relating to your violation of federal/state/provincial laws? I'd strongly
recommend physical destruction. Local laws, love letters from some one
other than the "Significant Other"? Wipe the entire disk with one of
dozens of available programs, and reinstall. Are you getting ready to
sell/give-away the disk/computer? Wipe the disk - reinstalling is optional.
Worrying about mommy or the "Significant Other" finding something, but
their computer skill levels are not even as good as yours? A deletion,
followed by a defrag might be enough. One last thought - how much would
it cost to replace the drive? A day or two worth of labor? Destroy the
drive, and replace it with something bigger. Take the old disk apart (a
screwdriver - maybe a hammer and chisel) and take the platters out. They
could be a ceramic, or aluminum disk, coated with a thin magnetic material.
A hammer or some shears will prevent most people from ever getting data off
the platter - or if your fire/air-quality regulations permit, melt it to
slag using a gas torch. Problem solved - no?

Old guy

 

If you are talking about a hard drive in a computer that you are trading
in / giving away / throwing away, the 'best' method is to physically
destroy the platter(s).
Stick in freezer for a few hours, then take out and whack with hammer and
distribute the tiny pieces in many places.
Or.
Drop in sulfuric acid.
Or.
I hear microwaves do a fair job of messing them up too.

If you want to be able to re-use the drive, then one of those programs of
the 'super-shredder' type _may_ be good enough, but you need to do _at
least_ seven 'wipes' (or so I have heard, don't remember where). The
shredder program should write random 1's and 0's. Yes, it will take a
very long time.
Should you bother? Just how illegal is the info that is there? Up to you
whether you should 'bother' or not. If it is just a pirated Windows
Office suite, probably not. If it is child porn, or instructions from
your terrorist cell's leader, or emails from your mistress, well....

 

From: "Geoff" <>

| Hello,.
|
| I have spent time on & off trying to understand the abilitie(s) of Defrag
| and file wiping.
|
| My question is simple, ( well at least in typing it) Does or does not
| defragging eventually cleanse a hard-drive to the extent that nothing
| could be recovered?
| I have heard that if a drive is defragged often enough not even military
| software can rebuild or identify anything the hard-drive may have had
| on it.
|
| I personally have a program called "super-shredder"., but if I feed it
| anything larger than a 'meg' it seems to balk....... should I even
| bother with this?
|
| Thanks for reply.
|


I describe defragging thusly...

Say you are reading a newspaper and you find an interesting article on Page 1. After a
couple of paragraphs it directs you to Page 32. You again ead a few paragraphs but now are
directed to page 17. Now you read a few more paragraphs and the article ends.

Wouldn't it have been better to have just read the entire article on Page 1 ? That's
defragging. Files get framented and broken up all over the hard disk. Defragging makes the
files contiguous and that makes accessing the disk faster and more efficient.

Defragging has NOTHING to do with removing data from a media such that forensics can NOT be
used successfully.

Wiping a drive (aka; sanatizing a drive) consists of witing alteernating patters repetively
over the data of the hard disk such athet the magnetic poles of the media no longer has any
memory of the data that was once stored on that media.

US DoD standrads for sanatizing a hard disk consists of witing an 8 bit pattern for every
bytre of data such as 10101010. Then wring its complement 010101010 then writing another
pattern such as 11110000. That process is repeating 6 times for each byte of data.

 

BULLSHIT!

 

No.

Reformating the whole thing and even writing all ones and all 0's
won't keep it from someone determined enough and an electron
microscope.

There are disk wiping tools out there and there are secure delete
programs out there as well which are effective to the point of forcing
someone to pull out the heavy machinery to get at your data. You
can even get it for your own disks at ontrack in case of a crash, but
get out your wallet.

Whether there are people that interested in your data is determined by
large part of what you're up to, and who those folks are.

Best Regards,

 

....then I hope and pray that law enforcement will get a hold of the
drive immediatedly and use the data to successfully prosecute this
individual.

....then stop violating your marriage vows and start facing and trying
to deal with whatever the problems in your marriage may be.

 

Security Services have a three or four level deletion process the last
of which entails reducing the actual drive to a fine metallic powder.
Recover that..!!

 

No it doesn't

We have a program called eraser in our software section, you can download
it for free and you'll find it's excellent, regards

--
Admin


* www.privacyoffshore.net (No Logs Internet Surfing)
* Anonymous Secure Offshore SSH-2 Surfing Tunnels

 

Why do they bother with the first two or three then?

 

On Fri, 15 Sep 2006, in the Usenet newsgroup alt.computer.security, in article

Do you have a citation for that?

Start with the paper of Peter Gutmann of the University of Auckland from
1996, (http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html) even
though it's quite dated now.

Then look at the paper by Gordon F. Hughes of the UC San Diego Center for
Magnetic Recording Research in October 2004
(http://cmrr.ucsd.edu/hughes/CmrrSecureEraseProtocols.pdf) which notes
that in 2004, a disk fragment that contains a single 512-byte record block
in size (about 1/125" or 0.20 mm) can be read in about an hour. Given the
then common disk size of (perhaps) 10 Gigabytes, the problem of finding the
"right" disk block (or disk fragment) becomes apparent.

Then look at the NISPOM (DoD 5220.22M), and see what it _requires_ for
the "sanitizing" of media that held (officially) classified material. Up
to (US) Secret, it's just a triple wipe (ones, zeros, random). Above that,
it's (basically) to slag the media. The idea is to first destroy the
magnetic media (either by using an extremely strong magnet, or raising
the temperature of the media above the Curie temperature for a long
enough period in hours to demagnetize it), and then to make sure of the
results, melting/dissolving the remains (which involves much higher
temperatures or down-right dangerous chemicals). The residue is then
buried in a secure land-fill, but I'm not sure this isn't a requirement
of the results of the dangerous materials used.

The average home user is rarely able to find a magnet of the required
strength (we're well into the 8-10,000 Oersted range now - several orders
of magnitude more than that refrigerator magnet produces), and the Curie
temperatures are generally in excess of what mummy's oven is capable of.
Finding and actually obtaining suitable chemicals is rather difficult,
never mind the hazards of using them and disposing of the results.

Thus, you're stuck with sanding the media off the platters (use 600 or
"Ultra Fine" silicon carbide grit), or chucking the platters in a drill
press (using a large bolt and nut) and using a fine file to grind the
platter to a powder with a grain size less than 0.001 inch or 0.025 mm.
Not entirely practical, and you should wear a breathing (dust) mask and
safety glasses for either method.

The fairly common urban legend cited by posers everywhere is to stick the
drive (or even just the platters themselves) in a microwave oven. While the
sparks may look impressive, this causes far more damage to the microwave
oven than to the disk drive or platters. The similar idea of passing it
through the metal detector or X-ray machines at the airport is equally
useless.

But then, if you are in England, all this is unnecessary. A recent post to
the Usenet newsgroup "alt.humor.best-of-usenet" (the original posting was
to "uk.misc") has a cheap and perfect solution:

-----

Post them to yourself via City Link to destroy them, and then post
them again via Parcel Force for disposal.

 

Late to the thread, but what the hell

Why not bury the platters in a sufficient quantity of thermite & Ignite?
There will be an explosion when the platters flash to vapor, but at
least the data will be unrecoverable. You definitely don't want to try
this in mummy's kitchen!