Always Possible to Recover Data From Hard Drive?

20 Posts
8 Users
0 Reactions
4,245 Views
(@mwatmn)
Active Member
Joined: 13 years ago
Posts: 6
Topic starter  

Thanks jaclaz,

Yes I did figure out the second field, I'm already doing that by comparing real max sectors and the result from hexdump.

Yes it was the Wei paper, so is it a reality that data can be recovered that way?

I will try and do some experimenting at work today regarding Secure Erase and the reallocated sectors.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133

Yes it was the Wei paper, so is it a reality that data can be recovered that way?

Hard to say, your mileage may greatly vary.

IMHO the paper is now a bit dated, and more or less revolves around the single idea that a number of SSD manufacturers - at the time and on some models - did not implement (or did not implement correctly) the ATA Secure Erase command.

We tested ATA commands for sanitizing an entire
SSD, software techniques to do the same, and software
techniques for sanitizing individual files. We find that
while most implementations of the ATA commands are
correct, others contain serious bugs that can, in some
cases, result in all the data remaining intact on the drive.

and later they did not test the (if provided) manufacturers' tools to erase

In addition to the standard commands, several drive manufacturers also provide special utilities that issue non-standard erasure commands. We did not test these commands, but we expect that results would be similar to those for the ATA commands: most would work correctly but some may be buggy.

As a personal side note, the 3.2.3 paragraph about degaussing and eddy currents made at the time (and still makes today) my "common sense" tingle, hence I recommend the SH-1 degausser in cases where the non-recoverability of data is needed

http://reboot.pro/topic/13601-software-to-wipe-a-systemdrive-from-windows/page-7#entry123099

The overall scope of the paper was I believe (and it had success in that) to raise attention to the issue, but from that to actually recover actual data (not a "fingerprint") there still remains a loong way.

In any case, after 2010/2011, manufacturers (hopefully) started providing effective methods, example
https://www.micron.com/~/media/documents/products/technical-marketing-brief/brief_ssd_secure_erase.pdf
and even the specifications changed/evolved (at the time of the Wei article ACS-2 was still in development and now we are at ACS-4, with ACS-5 in development); the node about this (or that) manufacturer actually implementing (and implementing properly) the command however remains.

BTW there is another version (most probably an earlier implementation) of what essentially is the same article
https://cseweb.ucsd.edu/~swanson/papers/TR-cs2011-0963-Safe.pdf

Cross-reading and comparing the two articles may prove of interest.

jaclaz

watcher
(@watcher)
Estimable Member
Joined: 19 years ago
Posts: 125

Lots of good answers here, I just wanted to throw in my few cents.

The old bug-a-boo about multiple pass wipes and magnetic force microscopes had some minimal basis in reality back in the days when hard drives were measured in "megabytes". It's completely unrealistic today at any price.

That said there are still a few potential, albeit unlikely, concerns.

A vanilla wipe, such as dd with zeroes, may not account for DCO (Device Configuration Overlay) or HPA (Host Protected Area).

Similarly Bad Blocks on the drive may not be wiped. Of course this assumes the bad blocks can be resurrected and have useful content.

There are a few tracks outside of normal ATA access that contain manufacturers' control and geometry structures for the drive. Custom manufacturer commands are required to get to them and they generally have very small unused areas that could hold a little bit of data if someone went to the trouble.

Finally degaussing is not viable if you expect to reuse the drive. Degaussing will wipe the geometry structures and the drive will become useless. It's easier just to physically destroy it if that's the objective.

(@mwatmn)
Active Member
Joined: 13 years ago
Posts: 6
Topic starter  

Sorry I got busy and forgot to respond on here. Thanks for watching watcher!

Awesome reply, it made me think of the original question I had before I started rambling. I verify that the drive is zeroed out and I check for HPA/DCOs, so I think I'm covered. I do remember reading about hiding data in a drive on a manufacturer-accessible-only area once. I do like to be thorough but it wouldn't be practical for me to check every drive that way, I'm sure it's not easy.

So with that, we end up selling a drive that has no HPA or DCO and is filled with zeroes. Am I safe to say that there is no way to recover data from this drive? Unless like watcher said, there are bad blocks and those bad blocks are recoverable and they hold useful information. And since he worded it that way I don't think I'm too concerned about letting drives go that have a lot of reallocated sectors.

To the forensic professionals, what do you do if you have a drive that is zeroed out with no hidden areas?

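
As an added example for the HPA/DCO and zero-fill check described in this post (this is not the poster's tooling): it parses `hdparm -N` and `hdparm --dco-identify` output to compare the current, native and DCO-reported maximum sector counts, reporting how many sectors each hidden area would conceal, then streams the device to find the first non-zero byte instead of eyeballing a hexdump. The sample hdparm output is constructed in the layout hdparm prints (the exact spacing is an assumption); function names are mine, and the `__main__` path needs root when pointed at a real device.

```python
import io
import re
import subprocess

# Constructed samples of `hdparm -N` output (layout as hdparm prints it; the
# exact spacing is an assumption).  The two numbers are current max / native max.
HDPARM_N_CLEAN = "/dev/sdb:\n max sectors   = 1953525168/1953525168, HPA is disabled\n"
HDPARM_N_HPA = "/dev/sdb:\n max sectors   = 1953523055/1953525168, HPA is enabled\n"
HDPARM_N_DCO = "/dev/sdb:\n max sectors   = 1953523055/1953523055, HPA is disabled\n"
# Constructed sample of `hdparm --dco-identify` output (same assumption).
HDPARM_DCO = "/dev/sdb:\nDCO Revision: 0x0002\nReal max sectors: 1953525168\n"


def parse_hdparm_n(text):
    """Return (current_max, native_max) sector counts from `hdparm -N` output."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if not m:
        raise ValueError("no 'max sectors' line in hdparm -N output")
    return int(m.group(1)), int(m.group(2))


def parse_dco_real_max(text):
    """Return the 'Real max sectors' value from `hdparm --dco-identify` output."""
    m = re.search(r"Real max sectors:\s*(\d+)", text)
    if not m:
        raise ValueError("no 'Real max sectors' line in DCO identify output")
    return int(m.group(1))


def hidden_areas(hdparm_n_text, dco_text):
    """Sectors hidden by an HPA (native > current) and by a DCO (real > native).
    Both zero means the OS-visible size is the whole drive."""
    current, native = parse_hdparm_n(hdparm_n_text)
    real = parse_dco_real_max(dco_text)
    return {"hpa_sectors": native - current, "dco_sectors": real - native}


def first_nonzero_offset(stream, chunk_size=1 << 20):
    """Stream a device/image and return the byte offset of the first non-zero
    byte, or None if every byte read back as zero.  bytes.lstrip keeps the
    per-chunk test in C rather than a Python loop over every byte."""
    offset = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return None
        stripped = chunk.lstrip(b"\x00")
        if stripped:
            return offset + len(chunk) - len(stripped)
        offset += len(chunk)


def demo_image(size, poison_at=None):
    """Constructed in-memory 'drive': all zero, optionally one byte set."""
    buf = bytearray(size)
    if poison_at is not None:
        buf[poison_at] = 0x5A
    return io.BytesIO(bytes(buf))


if __name__ == "__main__":
    import sys
    # Usage: sudo python3 this.py /dev/sdX
    dev = sys.argv[1]
    n_out = subprocess.run(["hdparm", "-N", dev], capture_output=True, text=True).stdout
    dco_out = subprocess.run(["hdparm", "--dco-identify", dev], capture_output=True, text=True).stdout
    try:
        print("hidden areas:", hidden_areas(n_out, dco_out))
    except ValueError as exc:
        print("could not parse hdparm output:", exc)
    with open(dev, "rb") as f:
        print("first non-zero byte:", first_nonzero_offset(f))
```

A non-zero `hpa_sectors` or `dco_sectors` means the zero-fill verification only covered the OS-visible part of the drive; the hidden area has to be removed (or the drive rejected) before the scan result means anything.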
MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376

Statistically, those mapped out bad parts would most likely contain program files or nothing - and not user data. User data is a relatively small part of the drive, and larger formats such as movies require a constant stream of data to be readable.

For example in Mpeg you have an initial frame, progressive, progressive, bidirectional, progressive (and on). Without the initial frame, all you get is unintelligible junk that cannot be read by any software.

The drive just slowly shrinks in size as faults are detected. The parts that are mapped out as bad are not readable by normal data recovery software either, you have to do some pretty deep dives with specialist tools to be able to get it - and even then assuming the part is readable and doesn't produce random crap.

And most people do not hide data in the HPA/DCO parts so I wouldn't worry about it.

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158

I do remember reading about hiding data in a drive on a manufacturer-accessible-only area once. I do like to be thorough but it wouldn't be practical for me to check every drive that way, I'm sure it's not easy.

It's a matter of damage management. If you *do* let a disk with personal data in HPA through, and it is discovered, and ends up in the news, … what damage does that do?

It seems that the question if this is a probable situation only changes the expected/average damage per unit, but it does nothing to the maximum damage when it, however rarely, actually happens.

To the forensic professionals, what do you do if you have a drive that is zeroed out with no hidden areas?

Depends on future use. If none, shredding.

Otherwise, I look for the latest NIST recommendation (NIST SP 800-88 rev. 1, as of today), go to the Minimum Sanitization Recommendation, and look for the entries on xATA or SCSI drives. (These separate the use cases Clear and Purge – Purge "applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques", which probably is what you want.) That means using one of:

1. Use one of the ATA Sanitize Device feature set commands

2. Use the ATA Security feature set's SECURE ERASE UNIT command, if supported, in Enhanced Erase mode.

3. Cryptographic Erase through the Trusted Computing Group (TCG) Opal Security Subsystem Class (SSC) or Enterprise SSC interface

4. Degauss

(though I'm not sure about 4 – it may make the drive unusable.)

Read the report: it's bureaucratese, but it does give a fairly good background to what options there are and what failure points there are.

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158

We are only required by NAID to verify 10% of the drive to pass it, which I think is ridiculous.

By ridiculous, do you mean 'too few' or 'too many'?

I suspect that might be based on a statistical argument. Given N sectors presumed to be erased, how many random(?) samples do you have to reach the degree of confidence that you want?

My math. stat. skills are close to zero, so don't trust this: if you have a 2 TB drive (i.e. 488281250 sectors of size 4 kbyte), erase all of those sectors with 0, and want to know how many random sectors you need to check to be sure that the entire disk is zero with a confidence level of 99% and an error of +-1, you need to check something like 16700 sectors. Which is nowhere near 10%. (Perhaps NAID have added some security margin. Or assume disks are smaller?)

(I'm largely trusting an internet sampling calculator, so … yeah.)

I'd want to test the first and last M sectors as well, and probably sectors around some internal 'binary edge cases' as well, as that's where I suspect software bugs may happen, and those are probably not well covered by pure math. modelling of fails, which I suspect is rectangular.

But I need erase-by-zero or something equally stable. Erase-by-random won't do.

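
The sampling question in this post, worked through as an added example (it is not the poster's code or the online calculator they used). It computes the proportion sample size that generic calculators return (the figure in the post), the smaller number a pure detection argument gives for the same 99% / 1% parameters, and builds a read plan that also covers the first and last sectors and the sectors around every power-of-two LBA, the "binary edge cases" the post suspects. It runs against a constructed 4096-sector in-memory image with two planted non-zero sectors; the `__main__` path applies the same plan to a device or image file. Function and constant names are mine.

```python
import math
import random

SECTOR_BYTES = 4096  # the post's example uses 4 KiB sectors

# Constructed drive image for the demo: 4096 sectors, all zero except two
# planted non-zero sectors (one exactly on a power-of-two LBA, one elsewhere).
DEMO_SECTORS = 4096
DEMO_IMAGE = bytearray(DEMO_SECTORS * SECTOR_BYTES)
DEMO_IMAGE[1000 * SECTOR_BYTES + 17] = 0x41
DEMO_IMAGE[2048 * SECTOR_BYTES] = 0xFF


def proportion_sample_size(population, confidence=0.99, margin=0.01, p=0.5):
    """Cochran's sample size for estimating a proportion to within +/- margin,
    with finite-population correction.  This is what a generic 'sample size
    calculator' computes and is the kind of figure the post quotes
    (roughly 16,600 sectors for a 2 TB drive at 99% confidence, +/-1%)."""
    z = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}[confidence]
    n0 = z * z * p * (1 - p) / (margin * margin)
    return math.ceil(n0 / (1 + (n0 - 1) / population))


def detection_sample_size(confidence=0.99, min_bad_fraction=0.01):
    """A different framing: how many uniformly random sectors must all read
    back as zero before we are `confidence` sure that fewer than
    `min_bad_fraction` of the drive's sectors are non-zero?  Each draw misses
    the bad set with probability (1 - f), so n >= ln(1 - c) / ln(1 - f)."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - min_bad_fraction))


def sample_plan(total_sectors, n_random, edge=64, seed=None):
    """Sorted LBAs to read: the first and last `edge` sectors, the sectors on
    either side of every power-of-two LBA, plus `n_random` random sectors."""
    rng = random.Random(seed)
    picks = set(range(min(edge, total_sectors)))
    picks.update(range(max(0, total_sectors - edge), total_sectors))
    boundary = 1
    while boundary < total_sectors:
        for lba in (boundary - 1, boundary, boundary + 1):
            if 0 <= lba < total_sectors:
                picks.add(lba)
        boundary <<= 1
    picks.update(rng.sample(range(total_sectors), min(n_random, total_sectors)))
    return sorted(picks)


def nonzero_sectors(read_sector, plan):
    """Read every LBA in `plan` via read_sector(lba) -> bytes; return the LBAs
    that are not entirely zero."""
    zero = bytes(SECTOR_BYTES)
    return [lba for lba in plan if read_sector(lba) != zero]


def read_demo_sector(lba):
    start = lba * SECTOR_BYTES
    return bytes(DEMO_IMAGE[start:start + SECTOR_BYTES])


def check_demo(seed=1):
    """Run the detection-sized sampling plan against the constructed image.
    The planted sector 2048 is always caught (power-of-two coverage); sector
    1000 is caught only if the random draw happens to include it."""
    plan = sample_plan(DEMO_SECTORS, detection_sample_size(), seed=seed)
    return nonzero_sectors(read_demo_sector, plan)


if __name__ == "__main__":
    import sys
    # Usage: python3 this.py /dev/sdX   (or an image file; needs read access)
    with open(sys.argv[1], "rb") as f:
        f.seek(0, 2)
        total = f.tell() // SECTOR_BYTES

        def read_sector(lba):
            f.seek(lba * SECTOR_BYTES)
            return f.read(SECTOR_BYTES)

        plan = sample_plan(total, detection_sample_size())
        bad = nonzero_sectors(read_sector, plan)
    print("sectors checked:", len(plan), "non-zero:", bad[:10])
```

The two sample sizes answer different questions: the proportion formula bounds the error of an estimated fraction, while the detection formula only bounds how much non-zero data could remain unnoticed. Neither helps against a single hidden sector, which is why the fixed edge and boundary reads are in the plan and why the post's point about erase-by-zero matters: the check is only possible because every good sector has one known value.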
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133

4. Degauss

(though I'm not sure about 4 – it may make the drive unusable.)

Rest assured, a degaussed drive will be unusable and can only be re-sold as a doorstop or similar.

Besides the possible damage the strong degaussing magnetic field may do to the heads and voice coil magnets, modern hard disks have servo data written to the platters, and with degaussing that will be gone poof anyway.

jaclaz

(@mwatmn)
Active Member
Joined: 13 years ago
Posts: 6
Topic starter  

authulin, thank you for your response, in regards to the 10% I think it's ridiculous that it's so small. Checking only 10% of a drive seems like too little to me. It would be too easy for data to slip by which leads me to your other question.

"It's a matter of damage management. If you *do* let a disk with personal data in HPA through, and it is discovered, and ends up in the news, … what damage does that do?"

As an ITAD company we assume all risk of our clients, meaning that if a bank or hospital transfers custody of their drives to us, we now assume all risk of a data breach. So if I slip up and a drive gets by me that has ePHI and hits the news, we're on the hook for the same fines that they would incur, and that would probably put us out of business. So I like to make sure I'm doing my job right, which is why I value you and everybody else's opinion.

I decided to hit up this forum because I've been on it for a few years now and I've learned a lot. I can Google the same questions about deleting data and data recovery but it always seems to lead to the same answers and the same papers and there's never anything new or original.

We are a NAID facility so we follow all of their guidelines which do point to the NIST guidelines as well. There is no SSD sanction for NAID yet but it looks like next month they will finally have a process in place. I'm happy using Secure Erase on an SSD and then verifying it but others want to do Secure Erase and then run DD over it as well. I get the same result either way, but I've heard DD on an SSD can wear it out.

I just made this debate up in my head but is there any kind of legal precedent between using Secure Erase vs a vendor specific erase? So let's say that data was found on a drive and I Secure Erased it, if I had used the vendor's tool to erase the drive would it have mattered? I only ask because I've thought about only using vendor specific tools to wipe SSDs.

I've rambled again, thank you guys.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133

So let's say that data was found on a drive and I Secure Erased it, if I had used the vendors tool to erase the drive would it have mattered? I only ask because I've thought about only using vendor specific tools to wipe SSD's.

I've rambled again, thank you guys.

Yes and No.

Yes. (meaning you are rambling).
No. (meaning let's NOT say that data was found)

For all we know it is entirely possible that by analyzing with the single, only mega-para-super-hyper-spectro-quantum-photometer existing in the world (which surely lies in a secure cellar under the headquarters of one three or more letter secret agency or in the middle of nowhere in a secret facility in the middle of a desert) the air trapped inside the SSD and around the chips a trained technician may be able to recover the string "Mickey" from a Secure Erased SSD.

You should not be trying to avoid the risk that those guys can read the data; you want to avoid the risk that the average user that buys the SSD second hand, even if he/she is a highly specialized technician in data recovery and has lots of time at hand, cannot read the data.

If you want to be 100% sure, you physically destroy the device, optionally sending the pieces to random addresses in China [1]

So
You run a Secure Erase (or whatever vendors' procedure/tool).
You verify that all data is 00 through "normal" means (the SSD controller and the OS).

You want some validation of the method?

Then you wait until you have - say - 50 SSD's of a given make/model, you wipe and verify all of them with the above method, then you take three of them randomly, do a chip off and verify that also the chips are wiped with a reader *like* the Ming the Merciless in the Wei article.
If all the chosen SSD's are wiped, then you validate the method, exclusively for the specific make/model of the SSD.
Next batch of 50 SSD's (of the exact same make/model) you can do the same on only one random sample and call it "quality control".

This validation and quality control procedure will add at least 5% to the costs of your operations.

You simply cannot do more than this (again short of physically destroying the device).

jaclaz

[1] see here
https://www.forensicfocus.com/Forums/viewtopic/t=9682/
