Single-pass wipe sufficient?

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

What I always find difficult to understand is that if a disk has to be written 35 times, how can you be sure that your recovery is from previous overwriting 23, or only previous 14?

35 times has ALWAYS been considered crazy 😯 , in the words of the Author of the paper that started it all, Peter Gutmann:

In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.

jaclaz


   
(@steve2096)
Eminent Member
Joined: 17 years ago
Posts: 33
 

The full paper is here: http://www.springerlink.com/content/408263ql11460147/?p=650ee5e3e45d4e1e845e2bfe8a959f1a&pi=20

But it is behind a paywall, so it is not redistributable. But it is a really good read, going into much greater detail, and illustrating what was on the disk and what they were able to recover after a single wipe - and the recovered text is just pretty much gibberish.

Here is what they recovered from a pristine drive with a single wipe:


‘cKræ}d8OEeti²n•of0daÊI0Ptr0G§tWÇíï_¼Á1u960eb8tÈñutW00000Dç•Ã#Ì0
Hf$00¦000%£z0\0ã0000á0áä«it|tþÛ0u³e•Ffºi™%|eàsinqTyøîopÚ”Ëi†aze0
®Mcryption0sîÙtems?DKtA""cÐÏ0+¢sinOE0toK–ai2z÷c(ns~0tü0;e
½iti)e""daÆa>s0foôce¸ÑtÒÍl2o–

I find it hard to believe they got anything but the data that was used to wipe with. Did they detail how they recovered this data, and what they did to wipe the drive in the first place?

As to wiping drives to prevent magical future tech from recovering it, that doesn't seem to have worked for the Watergate Tapes.


   
(@bjgleas)
Estimable Member
Joined: 21 years ago
Posts: 114
 

I find it hard to believe they got anything but the data that was used to wipe with. Did they detail how they recovered this data, and what they did to wipe the drive in the first place?

As to wiping drives to prevent magical future tech from recovering it, that doesn't seem to have worked for the Watergate Tapes.

OK, the paper is very technical, dealing with magnetic flux and the like, but here is the Reader's Digest/Dr. Science condensed version. When a bit is written to a drive, it is stored as a magnetic fluctuation. But a 1 may not always be a 1.0000 - it might have a magnetic fluctuation potential between .90 and 1.1 - but because that is very close to a 1, it is considered a 1 when it is read from the hard drive. The researchers discovered that the magnetic flux density will vary based on the data that was overwritten - so that when a 1 is written over a 0, or a 0 is written over a 1, it shows a somewhat consistent trend that can be measured. However, other factors - such as temperature, humidity, as well as the number of times data was written - can impact the density of the magnetic flux, which means that the results degrade very quickly. They found the best results were from a pristine drive - but it is unlikely that you will encounter one of these in the field.

Try to think of it this way - if you have an original clean copy of a printed letter and OCR it, the results should be very good. But if we make a photocopy of a photocopy, of a photocopy, etc… the continuing degradation of the letter will start to render the OCR worthless. Well in this case, we are typing a new document over a photocopy of the original document. Since the original document is now slightly faded, and the new text is stronger, for some of the individual letters, we might still be able to see the letter beneath, an X written over an O for example. But for others, an O written over a Q, or a T written over an I, it would be much harder to determine which came first, if it could be seen at all, and the OCR would be worthless.

And to show you the difficulty in retrieving the little they did, they state, "the acquisition time for 1 byte is about 4 minutes"… so trying to recover a 10k file would take about a month. They also note that on a used drive, a single bit recovery "has only a marginally better chance of any recovery than tossing a coin." So after a month, you would have recovered a 10k file filled with complete rubbish.

But hey I could be wrong…

bj


   
(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

I've posted this before: http://16systems.com/zero/ One year on and still no one has taken the challenge. I believe it is a pristine drive as well.

Another site worth a read, as it shows the results in a rather more digestible format: http://sansforensics.wordpress.com/2009/01/15/overwriting-hard-drive-data/


   
SleepParalysis
(@sleepparalysis)
Eminent Member
Joined: 18 years ago
Posts: 42
 

Wipe a drive with one pass and open the physical disk in X-Ways or whatever hex editor you want. See any data? Only if the wiping software somehow missed it.

With this other technology that was mentioned in some of the articles it seems it was possible to maybe determine what value a bit was beforehand.

Even if that is the case, the OS fragments files, writes data all over the place. Maybe you'll get a few bytes here and there that you can look at in plaintext and see some random word or a few letters. I bet most of the time you can't even get a true nibble. You would need 4 consecutive and correct bit recoveries in a row. If one bit is incorrect what you can interpret from the data is worthless.

Unfortunately, while I was going through classes where people would talk about this stuff, many people who felt they were competent in their knowledge were under the impression that you needed at least 3 wipes plus to be safe. This included instructors.


   
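The check SleepParalysis describes above (look at the wiped disk and see whether the wiping software missed anything) can be automated. This is an added example, not code from the thread: it scans an image sector by sector and reports the LBA ranges that are not entirely the fill byte. The 512-byte sector size, the function names and the constructed 16-sector image are assumptions.

```python
import io

SECTOR = 512  # assumption: logical sector size of the wiped device


def unwiped_ranges(stream, fill=0x00, sector=SECTOR):
    """Return ([(first_lba, last_lba), ...], sectors_read) for sectors
    that are not made up entirely of the fill byte."""
    expected = bytes([fill]) * sector
    ranges, start, lba = [], None, 0
    while True:
        chunk = stream.read(sector)
        if not chunk:
            break
        clean = chunk == expected[:len(chunk)]  # tolerate a short last read
        if not clean and start is None:
            start = lba                          # a dirty run begins here
        elif clean and start is not None:
            ranges.append((start, lba - 1))      # the dirty run ended
            start = None
        lba += 1
    if start is not None:                        # dirty run reaches the end
        ranges.append((start, lba - 1))
    return ranges, lba


def build_sample_image():
    """Constructed sample: a zero-wiped 16-sector image in which the wipe
    missed sectors 5-6 and the very last byte of sector 15."""
    img = bytearray(16 * SECTOR)
    img[5 * SECTOR + 100:5 * SECTOR + 107] = b"invoice"
    img[6 * SECTOR] = 0x41
    img[15 * SECTOR + 511] = 0xFF
    return bytes(img)


def verify_sample():
    return unwiped_ranges(io.BytesIO(build_sample_image()))


if __name__ == "__main__":
    dirty, total = verify_sample()
    print(f"{total} sectors read, unwiped LBA ranges: {dirty}")
```

The scan sees only sectors addressable through the drive's normal LBA interface, so areas the controller has mapped out, as raised later in the thread, are outside what it can check.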
(@steve2096)
Eminent Member
Joined: 17 years ago
Posts: 33
 

I find it hard to believe they got anything but the data that was used to wipe with. Did they detail how they recovered this data, and what they did to wipe the drive in the first place?

As to wiping drives to prevent magical future tech from recovering it, that doesn't seem to have worked for the Watergate Tapes.

OK, the paper is very technical, dealing with magnetic flux and the like, but here is the Reader's Digest/Dr. Science condensed version. When a bit is written to a drive, it is stored as a magnetic fluctuation. But a 1 may not always be a 1.0000 - it might have a magnetic fluctuation potential between .90 and 1.1 - but because that is very close to a 1, it is considered a 1 when it is read from the hard drive.
<SNIP>

Okay, nothing new there then. I still don't see how they could recover what they say they did. The method described has never been shown to work on new drive technology (less than a decade old or so) as far as I know, and even on old gear it was no better than chance. How this manages to recover partially readable data is beyond me still - the odds seem very unlikely. It's not like you are seeing a partial 1 or 0 when you look at magnetic domains on a drive. A 1 or 0 is recorded using a long sequence of magnetic domains and how they change, after all.

I'm still doubtful of the technique they used giving them the output described.


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

as far as I know, and even on old gear it was no better than chance.

Read my earlier post - we used to recover complete sectors on older drives by reading the side of the track.

Just for the record, a 1 is not a Magnetic North and vice versa for a South - even before PRML and Vertical recording a 1 was usually denoted by a transition from North to South OR South to North, i.e. a flux reversal. A zero was the absence of a flux reversal. RLL and MFM allowed for cases when a string of zeros was to be recorded by inserting a clock bit between each data bit; this further complicates things by ensuring that every byte of data is made up of a combination of clock and data.

However things were simplified by the inclusion of Error Correcting Codes (ECCs, a sort of enhanced CRC) that a) allowed for small amounts of corruption to be corrected and b) allowed you to verify that the data you recovered was OK. As these are applied at a sector level you KNOW when you have recovered a complete sector correctly.


   
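The two points in the post above, flux-reversal encoding with clock bits and a sector-level check that tells you when a read is correct, are shown together in this added example, which is not code from the thread. It uses the standard MFM rule (a clock reversal only between two zero data bits) and, as an assumption, CRC-32 as a stand-in for the drive's sector ECC; the function names and sample data are constructed.

```python
import itertools
import zlib


def mfm_encode(data):
    """Return MFM cells as [clock, data, clock, data, ...]; 1 = flux reversal."""
    cells, prev = [], 0
    for byte in data:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            # A clock reversal is written only between two zero data bits,
            # so a run of zeros still produces transitions to sync on.
            cells += [1 if prev == 0 and bit == 0 else 0, bit]
            prev = bit
    return cells


def mfm_decode(cells):
    """Drop the clock cells (even positions) and repack data cells into bytes."""
    bits = cells[1::2]
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def write_sector(payload):
    # Assumption: CRC-32 stands in for the drive's real sector ECC.
    return mfm_encode(payload + zlib.crc32(payload).to_bytes(4, "big"))


def read_sector(cells):
    """Return (payload, check_ok) for one decoded sector."""
    raw = mfm_decode(cells)
    payload, stored = raw[:-4], raw[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "big") == stored


def recover(cells, doubtful):
    """Try both values for each doubtful data cell; return the payload that verifies."""
    for guess in itertools.product((0, 1), repeat=len(doubtful)):
        trial = list(cells)
        for pos, value in zip(doubtful, guess):
            trial[pos] = value
        payload, ok = read_sector(trial)
        if ok:
            return payload
    return None


PAYLOAD = b"sector 42 payload"   # constructed sample data
DOUBTFUL = [1, 17, 41]           # constructed: data cells that read unreliably
```

Flipping the three doubtful cells in `write_sector(PAYLOAD)` makes `read_sector` report a failed check, and `recover` returns the original payload because only one of the eight candidates verifies.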
(@steve2096)
Eminent Member
Joined: 17 years ago
Posts: 33
 

as far as I know, and even on old gear it was no better than chance.

Read my earlier post - we used to recover complete sectors on older drives by reading the side of the track.

Overwritten data should not be confused with misregistration.


   
neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

Modern hard disks may employ Zone Bit Recording (ZBR) to maximise the data storage capacity and read write speeds of the hard disk. When a bad area of the disk is discovered, its data may be mapped out to a new zone. The disk controller keeps a record of this and therefore anyone who can bypass the said controller could access the mapped out zone and recover data. Therefore any number of wipes performed on a physical disk will have no bearing on the mapped out zones.


   
(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

When a bad area of the disk is discovered, its data may be mapped out to a new zone.

Hi Neddy,

Are these zones on the same physical disk? It's my understanding that they are. Each track/combination of tracks are split into a number of zones, with a larger number of zones being found as you move towards the outer edge of the disk.

Therefore any number of wipes performed on a physical disk will have no bearing on the mapped out zones.

Pre-empting the response to the above question, if the zone is on the same physical disk and you zero pass the physical disk I would say the zone would get wiped as well?

If the zone is on another disk then this is not the same as saying you can recover data from a drive that has been wiped. You merely recover the data from a drive that is intact but has no reference to the data (without the controller).

Ronan


   