Single-pass wipe sufficient?

ahoog
(@ahoog)
Posts: 47
Eminent Member
Topic starter
 

Here's an article recently published on Security Focus where a researcher (Craig White) states a single-pass wipe on a hard drive is sufficient to prevent meaningful recovery even from an electron scope.

http://www.securityfocus.com/brief/888?ref=rss

I have no experience with this approach and was curious if people on this list believe the research is true or well placed FUD to leave a backdoor for government agencies (or other entities with sufficient budget and sophistication)? I'm not a conspiracy theorist but the thought crossed my mind.

 
Posted : 17/01/2009 10:42 am
(@jonathan)
Posts: 878
Prominent Member
 

To the best of my knowledge and experience in digital forensics a single wipe is sufficient.

 
Posted : 17/01/2009 3:19 pm
Jamie
(@jamie)
Posts: 1288
Moderator
 

Further details here. Well worth reading.

Jamie

 
Posted : 17/01/2009 5:00 pm
(@bjgleas)
Posts: 114
Estimable Member
 

I have no experience with this approach and was curious if people on this list believe the research is true or well placed FUD to leave a backdoor for government agencies (or other entities with sufficient budget and sophistication)? I'm not a conspiracy theorist but the thought crossed my mind.

While the DoD still requires multiple wipes (even on USB drives), the simple fact (as shown in this paper) is that it is virtually impossible to reliably recover data after a single wipe.

When Gutmann was doing his work, he was looking at floppies and old hard drives measured in the MB ranges. Since then, on platters the same size, we now have 1.5 TB and shortly, 2 TB. As such, there is much less room for drifting, misaligned heads, etc., that occurred in the old days. Even Gutmann, in a revised paper, indicated that it is unlikely.

While there are always going to be those who believe that data can still be recovered after a wipe, you should read about the disaster that befell journalspace.com - they were using a RAID 1 with no backups - it is believed that a disgruntled employee overwrote the drives, and even DriveSavers.com was not able to recover data. Journalspace.com was sold, and is now under new management.

But what about the CIA, NSA, FBI, etc.? Some of these agencies actually farm out some of their cases to commercial data recovery firms, so they are probably not as advanced as people think. Even Scott Moulton, of http://www.myharddrivedied.com, who has done work for some of these 3-letter agencies, has mentioned in his classes that one pass is enough.

But hey, I could be wrong…

bj

 
Posted : 17/01/2009 5:46 pm
(@bjgleas)
Posts: 114
Estimable Member
 

The full paper is here: http://www.springerlink.com/content/408263ql11460147/?p=650ee5e3e45d4e1e845e2bfe8a959f1a&pi=20

But it is behind a paywall, so it is not redistributable. But it is a really good read, going into much greater detail, and illustrating what was on the disk and what they were able to recover after a single wipe - and the recovered text is just pretty much gibberish.

Here is what they recovered from a pristine drive with a single wipe


‘cKræ}d8OEeti²n•of0daÊI0Ptr0G§tWÇíï_¼Á1u960eb8tÈñutW00000Dç•Ã#Ì0
Hf$00¦000%£z0\0ã0000á0áä«it|tþÛ0u³e•Ffºi™%|eàsinqTyøîopÚ”Ëi†aze0
®Mcryption0sîÙtems?DKtA""cÐÏ0+¢sinOE0toK–ai2z÷c(ns~0tü0;e
½iti)e""daÆa>s0foôce¸ÑtÒÍl2o–

Can you make any sense of it?

If you squint your eyes enough, you could start to make out a few characters, like part of the word "encryption", but the real challenge is to take just the recovered data and make any sense of it without the a priori information.

To quote the paper, "Although on the perfect drive some words could be recovered, there is little of forensic value." They add, "On the drive that had been wiped 3 times (prior) to the data being written and then added, the results are worse. What needs to be noted is that small errors in the calculations lead to wide discrepancies in the data that is recovered. Further, it needs to be noted that any drive recovered is not likely to be in a pristine state. The daily use of a drive reduces the chances of recovery to a level that is truly insignificant."

And to put it to rest, they state "… the chances of recovery of any amount of data from a drive using an electron microscope are negligible. Even speculating on the possible recovery of an old drive, there is no likelihood that any data would be recoverable from the drive. The forensic recovery of data using electron microscopy is infeasible."

I don't think the 3-letter agencies could do any better.

But hey, I could be wrong.

bj

p.s. Here is the sample text they used

Secure deletion of data - Peter Gutmann - 1996
Abstract
With the use of increasingly sophisticated encryption systems, an attacker
wishing to gain access to sensitive data is forced to look elsewhere for information.

 
Posted : 17/01/2009 6:25 pm
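A single overwrite pass followed by a read-back check, the operation this thread is debating, as an added example (not from the original posts or the cited paper). It runs against a scratch file standing in for a raw drive image; the function names are hypothetical, and the sample data is the test text quoted in the post above.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # process the target in 1 MiB blocks

def single_pass_wipe(path, chunk=CHUNK):
    """Overwrite every byte of an existing image file with zeros, once, in place."""
    size = os.path.getsize(path)
    zeros = bytes(chunk)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(chunk, remaining)
            f.write(zeros[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the pass out of the OS cache to the device
    return size

def first_nonzero_offset(path, chunk=CHUNK):
    """Read the target back; return the offset of the first non-zero byte, or None."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return None  # reached the end: every byte was zero
            stripped = block.lstrip(b"\x00")
            if stripped:
                return offset + len(block) - len(stripped)
            offset += len(block)

# Constructed sample input: the test text quoted in the post, repeated.
SAMPLE = (b"Secure deletion of data - Peter Gutmann - 1996\nAbstract\n"
          b"With the use of increasingly sophisticated encryption systems, an attacker\n"
          b"wishing to gain access to sensitive data is forced to look elsewhere "
          b"for information.\n") * 1000

def demo():
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE)
        before = first_nonzero_offset(path)   # data present before the pass
        wiped = single_pass_wipe(path)        # number of bytes overwritten
        after = first_nonzero_offset(path)    # None means the read-back is all zeros
        return before, wiped, after
    finally:
        os.remove(path)
```

On a physical drive the same pass covers only the sectors the host can address; reallocated sectors are outside its reach.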
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

@ahoog
Thanks for the link.

FYI Related
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2065
http://www.911cd.net/forums//index.php?showtopic=21783
http://www.msfn.org/board/index.php?showtopic=125900

Particularly this
http://www.msfn.org/board/index.php?showtopic=125900&st=11

From the (few) tests I made directly, HDDerase, by using internal drive commands, appears to be the fastest way.

@bjgleas
Check the "Epilogue" in the updated Gutmann paper
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

jaclaz

 
Posted : 17/01/2009 7:09 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Nice to see some research done - I have been arguing and posting that a single pass is enough based on work I did mid/late last century

a link to an old posting of mine that alludes to it is here
http://archives.neohapsis.com/archives/sf/forensics/2001-q4/0032.html

 
Posted : 18/01/2009 4:39 pm
(@tootypegs)
Posts: 80
Trusted Member
 

Although a single wipe is usually good enough, isn't the reason that government agencies and so on wipe it multiple times to reduce the chance of data recovery if anyone in the future develops technology to bring back overwritten data? I thought the idea of multiple wipes not only considers now, but in case the HDD finds its way into the wrong hands 10 years down the line and technological advances have improved

….however that may all be rubbish

 
Posted : 18/01/2009 6:24 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Although a single wipe is usually good enough, isn't the reason that government agencies and so on wipe it multiple times to reduce the chance of data recovery if anyone in the future develops technology to bring back overwritten data? I thought the idea of multiple wipes not only considers now, but in case the HDD finds its way into the wrong hands 10 years down the line and technological advances have improved

….however that may all be rubbish

Well, let's see the practical effects of such a scenario:
Intelligence - NO application whatever, days, hours and minutes count in the business, same applies to industrial/commercial espionage

Justice/Policework - NO application whatever, most if not all felonies would be beyond prescription in the meantime

Criminal activities - NO application whatever, in the meantime your bank will have changed threefolds the account, password and whatever, besides the general idea of criminals is to make "quick money", not wait 10 years

Moreover, in 10 years time, the HD will have died and will have been littered/destroyed anyway.

The only practical use I could see in the very rare event that a drive survives this long time span are
Justice - Acquiring new evidence capable of making a condemned innocent be released - though very, very improbable
Historians - Finding data capable of better "framing" a past context, but if the actual object is something "big", i.e. something an historian may be interested in, there will be government/military records that after a number of years will be made public, also very unlikely

jaclaz

 
Posted : 18/01/2009 7:48 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

In 10 years' time, who will care what was written on a drive 10 years ago?

What I always find difficult to understand is that if a disk has to be written 35 times, how can you be sure that your recovery is from previous overwriting 23, or only previous 14?

There are normally much easier ways to find, or recreate information.

 
Posted : 18/01/2009 7:51 pm