Is all the "several passes" and Gutmann theory a kind of hoax?

19 Posts
8 Users
0 Likes
1,483 Views
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

I am in no way a "professional", and not even "forensically oriented", I am just an amateur with a liking for filesystems and data recovery, so pardon me if the following seems in any way naive or improper.

Reading the (fun, or seen the other way round tragic) story about the "seven passes" to get rid of a virus, I remembered this old thread (on another board) about it
http://www.boot-land.net/forums/index.php?showtopic=2683

I am still convinced of what I wrote in my post there; does anyone have direct knowledge about this?

Which means either
1) that he actually recovered ANY data after a single wiping pass without using an MFM microscope,
or
2) that he actually recovered any data using an MFM microscope, and if yes, after how many passes,
and
3) if he succeeded, was the "probabilistic" data recovered accepted in a Court?

Thanks in advance for any contributions and ideas.

jaclaz

 
Posted : 01/12/2007 3:37 am
azrael
(@azrael)
Posts: 656
Honorable Member
 

The paper in question is here, "Secure Deletion of Data from Magnetic and Solid-State Memory" http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html, and images that I have seen elsewhere confirm that it is definitely technically accurate - there is a shot in "Forensic Discovery" by Dan Farmer and Wietse Venema. I believe from other references that he did recover data from a 300Mb disk.

A "military gentleman" I spoke to, what must be 5 years ago now, said that for disposal of sensitive hard disks, they shred them, then incinerate the bits…

 
Posted : 01/12/2007 1:35 pm
(@chris2792)
Posts: 33
Eminent Member
 

As far as I know when you overwrite the content of a file (every single sector containing data from that file) only once by whatever pattern you like (fill it just with zeros, that will do the job) there is NO way to recover the data using software.

I think the whole story that it needs 7, 15 or 30 passes to really destroy data is only related to physical recovery (open the drive in a clean room and access the surface directly).

But that's just my opinion, perhaps somebody out there has more information and can shed some light on that…

 
Posted : 01/12/2007 4:19 pm
(@Anonymous)
Posts: 0
Guest
 

A couple observations

1. I have been able to recover data from a one-pass-of-zeros wipe, but NOT from two or more passes. (Using the versions of dd and FTK on the Helix CD.) I suspect, but have not confirmed, that a single pass of pseudo-random characters would sufficiently "confuse" recovery efforts.

2. Gutmann's paper points out that the number of passes necessary to do the job varies with the encoding scheme used on the drive. Not every form of media needs 35 passes or even seven.

3. According to a 28 June 2007 document from the US Defense Security Service,

There is currently no overwriting product or process that has been evaluated in accordance with the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS)…. Effective immediately, DSS will no longer approve overwriting procedures for the sanitization or downgrading… of IS storage devices (e.g., hard drives) used for classified processing.

[emphasis added, edited for clarity]

So… get out your sledgehammers and wood-chippers folks if you really want that data to disappear!

-Austin

 
Posted : 01/12/2007 8:14 pm
 ddow
(@ddow)
Posts: 278
Reputable Member
 

I have been able to recover data from a one-pass-of-zeros wipe, but NOT from two or more passes. (Using the versions of dd and FTK on the Helix CD.)

Austin, I'd love to hear more. Have you published anything? Could you share what you did?

 
Posted : 02/12/2007 12:10 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

Sorry, some of the links on boot-land had become incorrect after a "stupid" board software update; I just re-edited them and they are all now correct.

This is the article
http://www.nber.org/sys-admin/overwritten-data-guttman.html
that confutes Gutmann's theory.

DO also check the linked .pdf's, please.

jaclaz

 
Posted : 02/12/2007 12:25 am
(@Anonymous)
Posts: 0
Guest
 

I have been able to recover data from a one-pass-of-zeros wipe, but NOT from two or more passes. (Using the versions of dd and FTK on the Helix CD.)

Austin, I'd love to hear more. Have you published anything? Could you share what you did?

No, I haven't published anything on this particular topic. Basically, I was playing around for "giggles and grins" and wanted to see if a single pass of zeros was sufficient to forensically wipe a drive. I was hoping to reduce the time required, as I have a client who sends me quite a number of decommissioned drives that require "sanitizing," in addition to my own needs for forensically clean drives.

Dennis, you've given me an idea for a research project…. wink I'll try and repeat or refute my results. I'll take a standard IDE hard drive of recent vintage, overwrite the drive with ONE PASS of zeros, then see if recovery tools see anything. I'll try the same procedure using one pass of ones and then repeat using pseudo-random characters. Stay tuned for the results….

(NB Since I'm not an academic, anyone who wishes to beat me to publication may feel free to do so. I ask only that you kindly give me an acknowledgment in your paper. D )

This is the article
www.nber.org/sys-admin...ttman.html
that confutes Gutmann's theory.

Interesting article; however, I found the author somewhat guilty of the same thing he accuses Dr. Gutmann of: no relevant corroborating references.

-Austin

 
Posted : 02/12/2007 1:58 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

@AWLTPI
Yours is exactly the kind of experiment of which I would like to see results. )

About Gutmann's article and its confutation, I am an engineer by trade, so I am maybe a bit more pragmatic than the average user, and, not being much of an expert in this field, I have to use logic to analyze both and rate them according to the overall "reasonableness" of their claims.

I don't doubt in the least the validity of Mr. Gutmann's arguments; the whole point is whether his theoretical approach can work, whether it can work in a reasonable time, and how affordable the semi-probabilistic data he can extract can be.

Another point is how this seemingly "inoffensive" article was hyped by media and security professionals in such a manner that thousands of hours of computing power and human time were wasted doing several unneeded passes as routine "secure" wiping.

I do not even doubt that a selected number of Intelligence Agencies around the world possess a number of advanced technologies that we "mere mortals" cannot even dream of.

Safes, I mean common mechanical safes, are categorized by grades, determined by the amount of time needed to open one of them; no safe is considered absolutely unopenable.

One needs to buy a safe whose opening time is comparable to the reasonable amount of time that might be spent getting it open by the average thief that might be interested in the contents you plan to put into the safe.

But I would consider the probability of a "normal" PC user or business firm being prosecuted or spied on by one of the Intelligence Agencies that have these advanced means to be very, very low.

If, as you stated, you were able to recover data after one single 00 pass (something, with all due respect wink , that I would like to see confirmed by your planned experiment and would also like to replicate personally), but nothing could be done after two passes, it means, as I see it, that two passes are the needed amount, and that the further 7-2=5 up to 35-2=33 passes are simply wasted time.

The above would mean giving just TWO grades to HD wiping:
Grade 2, which would be everything needed by ANY PC user or business firm, safe enough from data recovery by anyone but the said few Intelligence Agencies, consisting of a single (as I thought till today) or, at the most, a double 00 pass, or even more probably, a single pass with random data,
and
Grade 1, reserved for really sensitive data, reserved for a handful of businesses and for the military, that would need the 7 to 35 passes, and that, in the end, could simply be carried out by the simple physical destruction of the HD and of its platters, by either exposing them to strong magnetic fields, extreme heat or good ol' sledgehammer work, a solution that would undoubtedly be faster and most probably less expensive.

The above would cover all possible scenarios and debunk this theory, as I see it needlessly promoted for several years by security people.

Just as a provocation 😯 , I would like to cite the recent accusation by Linus Torvalds:

The fact is, security people *are* insane. You just argue all the time,
instead of doing anything productive. So please don't include me in the Cc
on your insane arguments - instead do something productive and I'm
interested.

http://kerneltrap.org/mailarchive/linux-kernel/2007/10/19/348762

jaclaz

 
Posted : 02/12/2007 8:46 pm
 ddow
(@ddow)
Posts: 278
Reputable Member
 

jaclaz, I too will look forward to additional information from Austin for the same purposes that you do.

As a defense of my fellow security folks, we claim (generally) to be paranoid, not insane. It's only insanity if there is no one out to get you, but it doesn't take much to realize there are people who are. ) We also take exception to the Fear, Uncertainty, and Doubt (FUD) sales attempts by marketing people.

 
Posted : 02/12/2007 10:11 pm
(@chris2792)
Posts: 33
Eminent Member
 

If, as you stated, you were able to recover data after one single 00 pass (something, with all due respect Wink , that I would like to see confirmed by your planned experiment and would also like to replicate personally),

I too would like to get some confirmation about that. After having wiped a drive with zeros (1 pass) I was never able to see anything other than zeros using the different software products I had access to (FTK, EnCase or just a hex editor).

BTW, if it weren't like that, something would be really wrong. How could it work that one piece of software writes zeros to a certain sector and another piece of software reads other data from that location that was on that sector before? If that worked, the implication would be that we could never trust any write operation on a hard drive…

 
Posted : 02/12/2007 10:45 pm
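Austin's planned experiment (one pass of zeros, then check whether any recovery tool still sees anything) and chris2792's point that a write you cannot read back would undermine every write to the disk both come down to the same read-back check. As an added example that is not code posted by anyone in this thread, the Python script below wipes a constructed 64-sector disk image with a chosen pattern, then reads every sector back and reports the index of any sector that does not match what was written; a sector left untouched by a failed or skipped write is found immediately. The 512-byte sector size, the temporary image, and the SHA-256-derived reproducible "random" stream (used so a random-pattern pass can still be verified) are assumptions of this example, not of the thread. It checks only what software can read back through the normal drive interface, which is exactly the scope the posters are debating, not what MFM analysis of the platter might see.

```python
"""Wipe-and-verify demonstration (added example, not code from the thread).

Overwrites a disk image in whole sectors with either a fixed byte or a
reproducible pseudo-random stream, then reads every sector back and reports
any sector that does not match what was written.  A wipe that cannot be
read back is a wipe you cannot trust.
"""
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size for the constructed image


def pattern_sector(mode, seed, index):
    """Return the SECTOR bytes expected at sector `index` for a given pass.

    "zeros" and "ones" are fixed fills; "random" derives each sector from
    SHA-256(seed || index || counter) so the stream can be regenerated for
    verification (a design choice of this example, not a standard wiping
    algorithm).
    """
    if mode == "zeros":
        return b"\x00" * SECTOR
    if mode == "ones":
        return b"\xff" * SECTOR
    if mode == "random":
        out = bytearray()
        counter = 0
        while len(out) < SECTOR:
            block = seed + index.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hashlib.sha256(block).digest()
            counter += 1
        return bytes(out[:SECTOR])
    raise ValueError(f"unknown mode {mode!r}")


def wipe_image(path, mode, seed=b""):
    """Overwrite every whole sector of the image at `path` and flush to disk."""
    sectors = os.path.getsize(path) // SECTOR
    with open(path, "r+b") as f:
        for i in range(sectors):
            f.write(pattern_sector(mode, seed, i))
        f.flush()
        os.fsync(f.fileno())
    return sectors


def verify_wipe(path, mode, seed=b""):
    """Read back every sector; return the indices that do not match the pass pattern."""
    residual = []
    with open(path, "rb") as f:
        index = 0
        while True:
            sector = f.read(SECTOR)
            if len(sector) < SECTOR:
                break
            if sector != pattern_sector(mode, seed, index):
                residual.append(index)
            index += 1
    return residual


def demo():
    """Constructed image: 64 sectors of recognisable text, wiped and verified.

    Returns (residual after zero pass, residual after random pass,
             residual after one sector is deliberately left unwiped).
    """
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
        for i in range(64):
            text = (f"sector {i:03d} confidential record\n" * 20).encode()
            tmp.write(text[:SECTOR].ljust(SECTOR, b"."))
    try:
        wipe_image(path, "zeros")
        after_zeros = verify_wipe(path, "zeros")

        seed = b"constructed-seed"
        wipe_image(path, "random", seed)
        after_random = verify_wipe(path, "random", seed)

        # Simulate a sector the wipe tool skipped (e.g. a failed write).
        with open(path, "r+b") as f:
            f.seek(17 * SECTOR)
            f.write(b"leftover".ljust(SECTOR, b"\x00"))
        skipped = verify_wipe(path, "random", seed)
    finally:
        os.unlink(path)
    return after_zeros, after_random, skipped


if __name__ == "__main__":
    z, r, s = demo()
    print("residual sectors after zero pass:", z)
    print("residual sectors after random pass:", r)
    print("residual sectors with one sector skipped:", s)
```

Run it as-is to see the three reports; on a real device you would point `wipe_image` and `verify_wipe` at the block device node instead of a temporary file, and the read-back pass is what tells you the tool actually wrote every sector rather than how many passes it made.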
Page 1 / 2