Can't find an 'answer' no matter where I look or post

Discussion in 'Computer Security' started by Geoff, Aug 31, 2006.

  1. Geoff

    Geoff Guest


    I have spent time on & off trying to understand the abilitie(s) of Defrag
    and file wiping.

    My question is simple, ( well at least in typing it) Does or does not
    defragging eventually cleanse a hard-drive to the extent that nothing
    could be recovered?
    I have heard that if a drive is defragged often enough not even military
    software can rebuild or identify anything the hard-drive may have had
    on it.

    I personally have a program called "super-shredder"., but if I feed it
    anything larger than a 'meg' it seems to balk....... should I even
    bother with this?

    Thanks for reply.
    Geoff, Aug 31, 2006

  2. Geoff

    TwistyCreek Guest

    Does not. Not only is it possible that the stuff you actually deleted
    could be recovered because it's outside any sectors that ever get
    written over by the defrag process, defragging does absolutely nothing
    to obscure files or fragments of files that haven't been deleted at
    all. And "eraser" programs are notoriously flawed. I doubt even
    Micro$oft themselves knows every little hiding place Windows might
    stash bits of your data. How is Joe from Joe's Eraser going to get them
    all? :(
    I've heard that if you dance naked under a full moon and chant the
    words "baradda nikto filezgobyebye" you're safe too. <grin>

    Think about it. Defrag generally tries to align and make contiguous
    sectors of data that are scattered across a drive. IOW, if you have a
    track that looks like this....

    File1 | File2 | File 1 | empty space | File1 | File2 |

    Defrag tries to make it look like this....

    File1 | File2 |

    See all the empty space at the end where parts of File1 and File 2 used
    to be? They may or may not have been overwritten at all. Probably not.
    And even if they were it's a one or two step overwrite, with other
    data you might not want revealed no less. So it's a VERY good chance
    that at least part of your "deleted" data is going to be recoverable.
    Don't know a thing about your super-shredder, but there's literally
    hundreds of utilities both big and small to "securely delete" files.
    Some are better than others, some are total snake oil, and it's
    debatable to what extent they're effective in the first place. Military
    Wipe is pretty much a meaningless buzz word because you're not using
    the same equipment the military uses. Their read/write heads are
    likely to be a whole lot more sensitive and powerful than the heads in
    your consumer grade drive, so it's possible that you'll NEVER be able
    to completely wipe a drive to the point it will stand up to "Military
    Grade" analysis. Note that "military" might mean FBI or their ilk in
    this context.

    If you want the best possible protection against having your files
    recovered by LE or other attackers then encrypt them. Whole disk
    encryption if you possibly can. If they're that valuable the penalty
    for not handing over the pass phrases will be less than them having the
    evidence (if there's any penalty at all), and you can be just shy of
    100% sure they'll not be able to recover anything. Use very strong pass
    phrases, like in the 25-30 random character range, and you're golden.
    Mainstream, peer reviewed whole disk encryption using known secure
    algorithms in conjunction with pass phrases of equal or better strength
    and I'd even go out on the limb and give it the 100% unrecoverable seal
    of approval. With a "for all practical purposes" disclaimer. ;) You
    never know if space aliens haven't given your government ultra-secret
    methods of factoring very large numbers or something. ;)
    TwistyCreek, Aug 31, 2006

  3. Geoff

    Jim Watt Guest

    Jim Watt, Aug 31, 2006
  4. Geoff

    hdtv? Guest

    Defragging a hdd is very different from securely wiping a hard disk drive.
    I'm not sure how hard you looked for this info (ie. GOOGLE).

    Here is a straightforward description of defragging a hdd from

    When you add a file or a new program to a brand new computer, the hard disk
    is relatively empty so new data is written to the hard disk in one
    contiguous block. When you need to use that information, the computer can
    quickly access it because it is all in one place.

    As you use your computer adding files and programs, the hard disk begins to
    fill up. Deleting files or removing programs creates small empty areas among
    the other data that the computer will reuse. After awhile, the computer is
    no longer saving information in large blocks. Instead, it stores information
    in the many little empty nooks and crannies of your hard disk. The result
    is that one program or file is broken up, or fragmented, into little pieces
    and stored in many different areas of the hard disk. The computer
    ingeniously keeps track of the addresses of each piece of data and puts it
    all together when it is needed. Yet, obviously, the more broken up the
    information is, the longer it takes to access the data and the slower the
    computer becomes.

    The solution is a simple one. Your Windows computer comes with a program
    that will defragment your hard disk. This process reunites all the data into
    large blocks and gathers all the free space on the hard disk into one block
    making data retrieval faster and easier for the computer. "

    From your post

    If you don't wipe your hdd before it's reused or disposed of someone else
    will be able to check out your porn, or maybe it's info on pot and drugs?

    There must be something else you are doing with your time instead of
    completing your homework, or learning the simple process of searching?
    hdtv?, Aug 31, 2006
  5. Part of the problem is the way that the file system was designed. Security,
    until very recently, was never a concern for MS. They went for simplicity
    of programming and immediate (as opposed to long term) performance. For
    example, it is faster to write a file into the first available spot than to
    find the best spot. That is why we have file fragments, and need a defrag

    Generally, when a file is updated and resaved, an entirely new file is
    created in a new space, then the old one is 'deleted' so the data from the
    old file remains on the drive (and a 'hole' is created for the defrag
    program to deal with). Deleting a file simply means altering the file entry
    in the 'table' so that it is not displayed by the 'directory' program. The
    entry is still there, so the file can be 'undeleted'. The sectors occupied
    by the file have their status changed from 'occupied' to 'available', but
    they are not written to (yet).

    As explained, if the sectors of the deleted file are overwritten by the
    defrag process, then they are gone, but there is no guarantee of that.
    Overwriting the file with a pattern will not help, as the actual sectors are
    not overwritten - again a new file is created. You would have to 'read' the
    file allocation table, determine the sectors occupied by the file, and wipe
    them - not an easy task. Particularly since MS will not release the details
    on how NTFS actually works.
    Theoretically, if your drive is, say, 95% full and you defrag, pretty much
    everything deleted will be overwritten, but the last few files will still
    exist in two places - their new home, and the workspace where they were
    moved to while defragging. When you delete one of these files, the 'ghost'

    Now we have some practical considerations.
    If you are looking for some text files on a drive, it is theoretically
    possible to examine each sector with a hex editor and 'read' the data.
    Without the entries in the file allocation table or equivalent info, you do
    not have any idea which sectors belong to which file. A 10 gig partition
    will have over 100 million sectors - it will take a while to examine each of
    these for 'incriminating' text files. Even if you have a way to 'map' all
    the sectors which 'belong' to existing files, it will take a while to
    examine all the unallocated sectors. What is the value to the investigator
    of the data that might be found?
    If you have jpeg or mp3 files, and they are fragmented, the investigator may
    never be able to put the pieces together.

    If you need day to day secrecy of your data, I agree that encryption is one
    way to go. Other options include physical security, offsite hosting and
    If you need only to ensure that erased files are truly erased, set up a
    small partition for your data files. When it is time to clean up, copy the
    ones you want out to a separate space, (another partition, rewriteable dvd,
    whatever) reformat the partition, and copy back. Ensure that the 'separate
    space' is also cleaned up. Remember to use a 'full' format, not the default
    fast format which only resets the tables and leaves the individual sectors

    Now it is my turn to ask - what is it that is so important?
    Is this just general paranoia? Or are these specific files which are either
    trade secrets or incriminating?
    What about physical access to your computer? Fellow workers? Family?
    Are you talking keyboard access? or search warrant 'take the computer apart,
    put the drive in another machine and dig' kind of access?

    Stuart Miller, Aug 31, 2006
  6. Geoff

    Moe Trin Guest

    On Thu, 31 Aug 2006, in the Usenet newsgroup, in article
    There certainly is a lot of material available on the web - keyword search
    of "secure delete" should turn up tons of material.
    Simple question - simple answer. No.

    Longer answer. You make it "impossible" to recover data from a disk (other
    than by physical destruction) by overwriting the sensitive stuff. A single
    overwrite may be enough to prevent the "Significant Other" from finding
    the secret file of what you are going to buy them as a birthday gift. But
    if the "Significant Other" really works for a "Three Letter Agency" and
    is curious enough - that won't be enough. For some _basic_concepts_ on
    the problem, the Peter Gutmann paper from 1996 gives a good explanation
    ( even though
    it's quite dated now. Overwriting the same physical area of the disk that
    held the data a sufficient number of times will make it difficult to perhaps
    impossible to recover what was written _to_that_spot_in_the_past_ (but note
    the qualifiers).

    "perhaps impossible" because this is a mechanical process of positioning
    the head over the place where the data was. If you drive a car over the
    same tracks that you drove before (think driving in the snow as an
    illustration), the chances of you _exactly_ lining up is quite low. You
    can try repeating the attempt - with a car trying to obliterate a track,
    perhaps doing this ten times may finally eliminate all traces of the
    original track because some time, you'll miss to the left, sometimes to
    the right, and so on. But what happens if you continually miss to the

    "what was written _to_that_spot_in_the_past_" refers to the fact that
    modern hard drives can detect when the media is failing at one particular
    spot (called a "bad block") and make a "best effort" copy of the data that
    _was_ at that spot some place else, then mark that section of the disk as
    being unusable. This is transparent to the operating system (never mind
    to the user), and things are fine until the disk runs out of spare blocks
    (at which time, the operating system gets informed, and may mark subsequent
    blocks as bad) but not having spares, this reduces the available size of
    the disk. (Disk manufacturers allocate a tiny percentage of the disk as
    spares - you don't have access to them until this or that block gets swapped
    in/out. This gives a consistent disk size, but allows for minor bad spots
    in the manufacturing process.) The problem occurs when some of that
    sensitive data you want to eliminate had been occupying a block that was
    later determined to be faulty - and silently copied elsewhere. Even though
    the disk says it can't access the old stuff on that bad block - IT'S STILL
    THERE, and it's possible using low level techniques of disk access to read
    some or all of the data.
    You are playing with random chance here - and maybe not even random. The
    defragmentation process puts data on the disk in consecutive blocks,
    starting from the rim edge, and working inwards. Let's say your secret data
    was written to disk after you installed the operating system but before you
    installed the applications. The data might be located a third of the way in
    on the disk. Then you added applications, which get written further in on
    the platter (think how you normally write on a piece of paper - starting
    at the top, then writing the next line, then the next, and so on). Finally
    you create additional data - maybe saving pictures, or Usenet articles, I
    have no idea what you are doing. The data is still being written one line
    after another. Oh, wait - get rid of that picture!!! That's the same as
    erasing a few lines on that piece of paper. Now, do a defrag, and what
    happens. The stuff at the bottom gets moved up (overwriting the place that
    held the picture). Did this have any effect with the stuff stored out near
    the rim of the disk (the top of the sheet of paper)? No, the defrag has no
    effect. Now, a bit of a stretch - when you write data, you write to a
    complete line. If it takes a line and a half to hold things, the extra
    half line is untouched. This is sometimes called 'slack space'. Anything
    that _had_ been written there before is untouched. See the problem?
    Not familiar with the program - can't say one way or the other. This
    sounds like a b0rken program, and you may want to try something else.
    What's on the disk? How much effort do you think someone is going to
    make to recover the data that is/was there? The (US) DoD standard for
    this is DOD 5220.22-M for the re-use/disposal of media containing data
    classified as Confidential or Secret (basically, wipe the entire disk
    multiple times with ones, zeros, and random data). If the disk had data
    that was classified as Top Secret (or higher), the required solution is
    degaussing, followed by the total physical destruction (melting, or
    dissolving). Now if you have government classified data - you should
    be talking to them and doing EXACTLY what they require. Is this data
    relating to your violation of federal/state/provincial laws? I'd strongly
    recommend physical destruction. Local laws, love letters from some one
    other than the "Significant Other"? Wipe the entire disk with one of
    dozens of available programs, and reinstall. Are you getting ready to
    sell/give-away the disk/computer? Wipe the disk - reinstalling is optional.
    Worrying about mommy or the "Significant Other" finding something, but
    their computer skill levels are not even as good as yours? A deletion,
    followed by a defrag might be enough. One last thought - how much would
    it cost to replace the drive? A day or two worth of labor? Destroy the
    drive, and replace it with something bigger. Take the old disk apart (a
    screwdriver - maybe a hammer and chisel) and take the platters out. They
    could be a ceramic, or aluminum disk, coated with a thin magnetic material.
    A hammer or some shears will prevent most people from ever getting data off
    the platter - or if your fire/air-quality regulations permit, melt it to
    slag using a gas torch. Problem solved - no?

    Old guy
    Moe Trin, Aug 31, 2006
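
An added illustration, not part of any post in this thread: a toy Python model of the behaviour the replies above describe (deleting only drops the table entry, a defrag overwrites only the blocks it happens to move data into, and a short file leaves slack in its last block). The `ToyDisk` class, the 16-byte block size and the sample file contents are constructed for this example and simplify what a real file system does.

```python
BLOCK = 16  # toy block size in bytes (assumption; real sectors are 512+ bytes)


class ToyDisk:
    """Constructed model of a disk with an allocation table; not a real file system."""

    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.table = {}  # file name -> (block numbers, length in bytes)

    def free_blocks(self):
        used = {b for blks, _ in self.table.values() for b in blks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name, data):
        need = -(-len(data) // BLOCK)      # ceiling division
        blks = self.free_blocks()[:need]   # first fit: take the first free blocks
        if len(blks) < need:
            raise IOError("disk full")
        for n, b in enumerate(blks):
            chunk = data[n * BLOCK:(n + 1) * BLOCK]
            # Only len(chunk) bytes are written; the tail of the block keeps
            # whatever was stored there before (slack space).
            self.blocks[b] = chunk + self.blocks[b][len(chunk):]
        self.table[name] = (blks, len(data))

    def delete(self, name):
        del self.table[name]  # table entry only; the blocks are not touched

    def defrag(self):
        # Pack live files contiguously from block 0, keeping their order.
        order = sorted(self.table, key=lambda n: self.table[n][0][0])
        staged = {n: [self.blocks[b] for b in self.table[n][0]] for n in order}
        nxt = 0
        for name in order:
            new = []
            for blk in staged[name]:
                self.blocks[nxt] = blk  # destination overwritten, source left as is
                new.append(nxt)
                nxt += 1
            self.table[name] = (new, self.table[name][1])

    def residue(self, needle):
        """Blocks where needle survives outside live data: free space and slack."""
        hits = [("free", i) for i in self.free_blocks() if needle in self.blocks[i]]
        for blks, length in self.table.values():
            used = length % BLOCK
            if used and needle in self.blocks[blks[-1]][used:]:
                hits.append(("slack", blks[-1]))
        return hits


def demo():
    disk = ToyDisk(8)
    disk.write("a.txt", b"A" * 16)                      # block 0
    secret = b"".join(b"." * 8 + b"SECRET%02d" % i for i in range(3))
    disk.write("secret.txt", secret)                    # blocks 1-3
    disk.write("b.txt", b"B" * 20)                      # blocks 4-5
    disk.delete("secret.txt")
    after_delete = disk.residue(b"SECRET")
    disk.defrag()                                       # b.txt moves into blocks 1-2
    after_defrag = disk.residue(b"SECRET")
    disk.write("c.txt", b"C" * 4)                       # reuses block 3, 4 bytes only
    after_reuse = disk.residue(b"SECRET")
    return after_delete, after_defrag, after_reuse


if __name__ == "__main__":
    for label, hits in zip(("after delete", "after defrag", "after reuse"), demo()):
        print(label, hits)
```

In this run the defrag overwrites two of the three deleted blocks only because a live file happened to be moved into them; the third survives in free space and then in the slack of the next small file written there.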
  7. Geoff

    ArtDent Guest

    If you are talking about a hard drive in a computer that you are trading
    in / giving away / throwing away, the 'best' method is to physically
    destroy the platter(s).
    Stick in freezer for a few hours, then take out and whack with hammer and
    distribute the tiny pieces in many places.
    Drop in sulfuric acid.
    I hear microwaves do a fair job of messing them up too.

    If you want to be able to re-use the drive, then one of those programs of
    the 'super-shredder' type _may_ be good enough, but you need to do _at
    least_ seven 'wipes' (or so I have heard, don't remember where). The
    shredder program should write random 1's and 0's. Yes, it will take a
    very long time.
    Should you bother? Just how illegal is the info that is there? Up to you
    whether you should 'bother' or not. If it is just a pirated Windows
    Office suite, probably not. If it is child porn, or instructions from
    your terrorist cell's leader, or emails from your mistress, well....
    ArtDent, Aug 31, 2006
  8. From: "Geoff" <>

    | Hello,.
    | I have spent time on & off trying to understand the abilitie(s) of Defrag
    | and file wiping.
    | My question is simple, ( well at least in typing it) Does or does not
    | defragging eventually cleanse a hard-drive to the extent that nothing
    | could be recovered?
    | I have heard that if a drive is defragged often enough not even military
    | software can rebuild or identify anything the hard-drive may have had
    | on it.
    | I personally have a program called "super-shredder"., but if I feed it
    | anything larger than a 'meg' it seems to balk....... should I even
    | bother with this?
    | Thanks for reply.

    I describe defragging thusly...

    Say you are reading a newspaper and you find an interesting article on Page 1. After a
    couple of paragraphs it directs you to Page 32. You again read a few paragraphs but now are
    directed to page 17. Now you read a few more paragraphs and the article ends.

    Wouldn't it have been better to have just read the entire article on Page 1 ? That's
    defragging. Files get fragmented and broken up all over the hard disk. Defragging makes the
    files contiguous and that makes accessing the disk faster and more efficient.

    Defragging has NOTHING to do with removing data from a media such that forensics can NOT be
    used successfully.

    Wiping a drive (aka; sanitizing a drive) consists of writing alternating patterns repetitively
    over the data of the hard disk such that the magnetic poles of the media no longer has any
    memory of the data that was once stored on that media.

    US DoD standards for sanitizing a hard disk consists of writing an 8 bit pattern for every
    byte of data such as 10101010. Then writing its complement 010101010 then writing another
    pattern such as 11110000. That process is repeated 6 times for each byte of data.
    David H. Lipman, Aug 31, 2006
  9. Geoff

    melic Guest

    melic, Sep 1, 2006
  10. Geoff

    Todd H. Guest


    Reformating the whole thing and even writing all ones and all 0's
    won't keep it from someone determined enough and an electron

    There are disk wiping tools out there and there are secure delete
    programs out there as well which are effective to the point of forcing
    someone to pull out the heavy machinery to get at your data. You
    can even get it for your own disks at ontrack in case of a crash, but
    get out your wallet.

    Whether there are people that interested in your data is determined by
    large part of what you're up to, and who those folks are.

    Best Regards,
    Todd H., Sep 1, 2006
  11. Geoff

    Inquirer Guest

    ....then I hope and pray that law enforcement will get a hold of the
    drive immediately and use the data to successfully prosecute this

    ....then stop violating your marriage vows and start facing and trying
    to deal with whatever the problems in your marriage may be.
    Inquirer, Sep 3, 2006
  12. Geoff

    JB Guest

    Security Services have a three or four level deletion process the last
    of which entails reducing the actual drive to a fine metallic powder.
    Recover that..!! :)
    JB, Sep 15, 2006
  13. Geoff

    Admins Guest

    No it doesn't
    We have a program called eraser in our software section, you can download
    it for free and you'll find it's excellent, regards


    Admins, Sep 15, 2006
  14. Geoff

    Inquirer Guest

    Why do they bother with the first two or three then?
    Inquirer, Sep 15, 2006
  15. Geoff

    Moe Trin Guest

    On Fri, 15 Sep 2006, in the Usenet newsgroup, in article

    Do you have a citation for that?
    Start with the paper of Peter Gutmann of the University of Auckland from
    1996, ( even
    though it's quite dated now.

    Then look at the paper by Gordon F. Hughes of the UC San Diego Center for
    Magnetic Recording Research in October 2004
    ( which notes
    that in 2004, a disk fragment that contains a single 512-byte record block
    in size (about 1/125" or 0.20 mm) can be read in about an hour. Given the
    then common disk size of (perhaps) 10 Gigabytes, the problem of finding the
    "right" disk block (or disk fragment) becomes apparent.

    Then look at the NISPOM (DoD 5220.22M), and see what it _requires_ for
    the "sanitizing" of media that held (officially) classified material. Up
    to (US) Secret, it's just a triple wipe (ones, zeros, random). Above that,
    it's (basically) to slag the media. The idea is to first destroy the
    magnetic media (either by using an extremely strong magnet, or raising
    the temperature of the media above the Curie temperature for a long
    enough period in hours to demagnetize it), and then to make sure of the
    results, melting/dissolving the remains (which involves much higher
    temperatures or down-right dangerous chemicals). The residue is then
    buried in a secure land-fill, but I'm not sure this isn't a requirement
    of the results of the dangerous materials used.

    The average home user is rarely able to find a magnet of the required
    strength (we're well into the 8-10,000 Oersted range now - several orders
    of magnitude more than that refrigerator magnet produces), and the Curie
    temperatures are generally in excess of what mummy's oven is capable of.
    Finding and actually obtaining suitable chemicals is rather difficult,
    never mind the hazards of using them and disposing of the results.

    Thus, you're stuck with sanding the media off the platters (use 600 or
    "Ultra Fine" silicon carbide grit), or chucking the platters in a drill
    press (using a large bolt and nut) and using a fine file to grind the
    platter to a powder with a grain size less than 0.001 inch or 0.025 mm.
    Not entirely practical, and you should wear a breathing (dust) mask and
    safety glasses for either method.

    The fairly common urban legend cited by posers everywhere is to stick the
    drive (or even just the platters themselves) in a microwave oven. While the
    sparks may look impressive, this causes far more damage to the microwave
    oven than to the disk drive or platters. The similar idea of passing it
    through the metal detector or X-ray machines at the airport is equally

    But then, if you are in England, all this is unnecessary. A recent post to
    the Usenet newsgroup "" (the original posting was
    to "uk.misc") has a cheap and perfect solution:

    Post them to yourself via City Link to destroy them, and then post
    them again via Parcel Force for disposal.
    Moe Trin, Sep 16, 2006
  16. Geoff

    John Hyde Guest

    Late to the thread, but what the hell
    Why not bury the platters in a sufficient quantity of thermite & Ignite?
    There will be an explosion when the platters flash to vapor, but at
    least the data will be unrecoverable. You definitely don't want to try
    this in mummy's kitchen!
    John Hyde, Sep 29, 2006