Jolt in WikiLeaks Case: Feds Found Manning-Assange Chat Logs on Laptop
I would like to get clarification on the following from the analyst:
Later, the operation was initiated again, but the person chose the option to overwrite the information only once — a much less secure and less thorough option.
All the data that Johnson was able to retrieve from un-allocated space came after that overwrite, he said.
Was the second attempt completed? Was the un-allocated space really over-written, yet recovered? What kind of drive was in the laptop?
Because, if zero-filled areas were recovered, then all our bah humbug about the no need for multi-wipe is out the window…
This was discussed before Christmas in the win4n6 group
It sounds like the zerofill program was overwriting files and not the complete disk. Thus unallocated space still exists.
The statement 'a much less secure and less thorough option' in my opinion is not valid. As discussed before Christmas, one write is extremely good and so multiple writes are probably only insignificantly better.
When Johnson says, all the data he "was able to retrieve (from unallocated space) came after that overwrite", he indicates in my eyes, that the overwrite had been successful. Maybe it's my poor English, but why shouldn't he retrieve data that "came before that overwrite" otherwise?
That a single wipe would be "much less secure", is a statement by Kim Zetter and generally a question of definition. In this context it's simply nonsense. As the article itself states, Johnson examined an "image" of Manning’s personal MacBook. However, the most effective way to derive data from a wiped hard disk would be to disassemble the drive and do a laser scan over the complete surface to determine any magnetic artifacts at the edges of the tracks. On current devices these artifacts usually aren't of any value, as they are not even extensive enough to reconstruct any logical filesystem data from the plain data that is written by the hard drive's firmware (including error correction checksums). Even if you can determine a probably consistent stream of logical data by statistical means, it would be limited to some bytes at best - representing nothing in terms of user data. You'll never get a kind of an image.
Multiple wipes are recommended by (governmental) security standards that follow a mathematical approach towards the probability that a single bit of written information can be recovered from the overwritten medium. They may not be understood as a statement about how often a disk has to be overwritten to make the information not recoverable in practical terms.
I understood the same thing. It was single pass wiped - all, including the unallocated space.
It is possible that the second pass did not complete either, or it was only run for allocated files; neither of these is in the article.