Is all the "several passes" an Guttman theory a kind of hoax


jaclaz
Senior Member
 

Is all the "several passes" an Guttman theory a kind of hoax

Post Posted: Dec 01, 07 03:37

I am in no way a "professional", and not even "forensically oriented", I am just an amateur with a liking for filesystems and data recovery, so pardon me if the following seems in any way naive or improper.

Reading the (fun, or seen the other way round tragical) story about the "seven passes" to get rid of a virus, I remembered this old thread (on another board) about it:
www.boot-land.net/foru...topic=2683

I am still convinced of what I wrote in my post there, has anyone direct knowledge about this?

Which means either:
1) that he actually recovered ANY data after a single wiping pass without using a MFM microscope
or:
2) that he actually recovered any data using a MFM microscope, and if yes, after how many passes
and:
3) if he succeeded, was the "probabilistic" data recovered accepted in a Court?

Thanks in advance for any contributions and ideas.

jaclaz  
 
  

azrael
Senior Member
 

Re: Is all the "several passes" an Guttman theory a kind of

Post Posted: Dec 01, 07 13:35

The paper in question is here: "Secure Deletion of Data from Magnetic and Solid-State Memory" www.cs.auckland.ac.nz/...e_del.html and images that I have seen elsewhere confirm that it is definitely technically accurate - there is a shot in "Forensic Discovery" by Dan Farmer and Wietse Venema. I believe from other references that he did recover data from a 300Mb disk.

A "military gentleman" I spoke to, what must be 5 years ago now, said that for disposal of sensitive hard disks, they shred them, then incinerate the bits...
_________________
--
Azrael
-- 
 
  

chris2792
Member
 

Re: Is all the "several passes" an Guttman theory a kind of

Post Posted: Dec 01, 07 16:19

As far as I know when you overwrite the content of a file (every single sector containing data from that file) only once by whatever pattern you like (fill it just with zeros, that will do the job) there is NO way to recover the data using software.

I think the whole story that it needs 7, 15 or 30 passes to really destroy data is only related to physical recovery (open the drive in a clean room and access the surface directly).

But that's just my opinion, perhaps somebody out there has more information and can shed some light on that...  
 
  

AWTLPI
Senior Member
 

Re: Is all the "several passes" an Guttman theory a kind of

Post Posted: Dec 01, 07 20:14

A couple observations:

1. I have been able to recover data from a one-pass-of-zeros wipe, but NOT from two or more passes. (Using the versions of dd and FTK on the Helix CD.) I suspect, but have not confirmed, that a single pass of pseudo-random characters would sufficiently "confuse" recovery efforts.

2. Gutmann's paper points out that the number of passes necessary to do the job varies with the encoding scheme used on the drive. Not every form of media needs 35 passes or even seven.

3. According to a 28 June 2007 document from the US Defense Security Service,
There is currently no overwriting product or process that has been evaluated in accordance with the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS).... Effective immediately, DSS will no longer approve overwriting procedures for the sanitization or downgrading... of IS storage devices (e.g., hard drives) used for classified processing.
[emphasis added, edited for clarity]

So... get out your sledgehammers and wood-chippers folks if you really want that data to disappear!

-Austin  
 
  

ddow
Senior Member
 

Re: Is all the "several passes" an Guttman theory a kind of

Post Posted: Dec 02, 07 00:10

- AWTLPI
I have been able to recover data from a one-pass-of-zeros wipe, but NOT from two or more passes. (Using the versions of dd and FTK on the Helix CD.)


Austin, I'd love to hear more. Have you published anything? Could you share what you did?
_________________
Dennis 
 
  

jaclaz
Senior Member
 

Re: Is all the "several passes" an Guttman theory a kind of

Post Posted: Dec 02, 07 00:25

Sorry, some of the links on boot-land had become incorrect after a "stupid" board software update, I just re-edited them and they are all now correct.

This is the article:
www.nber.org/sys-admin...ttman.html
that confutes Gutmann theory.

DO also check the linked .pdf's, please.

jaclaz  
 
  

AWTLPI
Senior Member
 

Re: Is all the "several passes" an Guttman theory a kind of

Post Posted: Dec 02, 07 01:58

- ddow
- AWTLPI
I have been able to recover data from a one-pass-of-zeros wipe, but NOT from two or more passes. (Using the versions of dd and FTK on the Helix CD.)


Austin, I'd love to hear more. Have you published anything? Could you share what you did?


No, I haven't published anything on this particular topic. Basically, I was playing around for "giggles and grins" and wanted to see if a single pass of zeros was sufficient to forensically wipe a drive. I was hoping to reduce the time required, as I have a client who sends me quite a number of decommissioned drives that require "sanitizing," in addition to my own needs for forensically clean drives.

Dennis, you've given me an idea for a research project.... I'll try and repeat or refute my results. I'll take a standard IDE hard drive of recent vintage, overwrite the drive with ONE PASS of zeros, then see if recovery tools see anything. I'll try the same procedure using one pass of ones and then repeat using pseudo-random characters. Stay tuned for the results....

(NB: Since I'm not an academic, anyone who wishes to beat me to publication may feel free to do so. I ask only that you kindly give me an acknowledgment in your paper.)


- jaclaz
This is the article:
www.nber.org/sys-admin...ttman.html
that confutes Gutmann theory.


Interesting article, however, I found the author somewhat guilty of the same thing he accuses Dr. Gutmann of: no relevant corroborating references.

-Austin  
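
The one-pass test proposed in the post above (overwrite once, then see what can still be read back) can be rehearsed on a scratch image file. This is an added example, not code from any poster in the thread; the sample record, the 64 KiB image size and the function names are constructed. It covers software read-back only, not the physical recovery the thread also discusses, and it includes a deliberately short pass to show what an incomplete wipe looks like when verified.

```shell
#!/bin/sh
# Added example: rehearses a one-pass wipe check on a scratch image file.
# Names, sizes and the sample record are constructed; no real device is touched.
MARKER='CONSTRUCTED-SAMPLE-RECORD'

# make_image FILE KIB: fill FILE with KIB KiB of recognisable text records.
make_image() {
    yes "$MARKER" 2>/dev/null | head -c "$(( $2 * 1024 ))" > "$1"
}

# overwrite FILE SOURCE KIB: one in-place pass from SOURCE over the first KIB KiB.
# conv=notrunc keeps the file length fixed, as it would be on a block device.
overwrite() {
    dd if="$2" of="$1" bs=1024 count="$3" conv=notrunc 2>/dev/null
}

# residual_nonzero FILE: bytes that are not 0x00 (0 after a complete zero pass).
residual_nonzero() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# marker_hits FILE: sample records that a plain read-back still finds.
# grep -c exits 1 when the count is 0, hence the "|| true".
marker_hits() {
    LC_ALL=C grep -a -c "$MARKER" "$1" || true
}

# run_case SOURCE KIB: build a 64 KiB image, do one pass of KIB KiB from SOURCE,
# and print "<non-zero bytes> <records still readable>".
run_case() {
    img=$(mktemp)
    make_image "$img" 64
    overwrite "$img" "$1" "$2"
    echo "$(residual_nonzero "$img") $(marker_hits "$img")"
    rm -f "$img"
}

echo "zeros, full pass:   $(run_case /dev/zero 64)"
echo "random, full pass:  $(run_case /dev/urandom 64)"
echo "zeros, short pass:  $(run_case /dev/zero 48)"
```

A zero pass is the only one of the three that can be verified by counting non-zero bytes; after a pseudo-random pass the check has to search for known content instead.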
 
