full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Disk wiping -- An alte

Re: [Full-disclosure] Disk wiping -- An alternate approach?

From: Tracy Reed <treed_at_nospam>
Date: Tue Jan 26 2010 - 04:32:35 GMT
To: "E. Prom" <e3prom@gmail.com>


On Tue, Jan 26, 2010 at 04:26:08AM +0100, E. Prom spake thusly:
> The point is that they never get a hard-drive full of zeroes or random
> numbers, but a hard-drive that have pieces of other data under the
> zeroes or random numbers. That's why programs like "wipe" fills more
> than 20 times the hard-drive with data. But filling 20 times a whole
> disk can be very, very long, expecially if it's a 2TB USB drive. A
> "quick" wipe filling a drive only 4 times, is often enouth, but...

Fortunately, so many rewrites are not necessary and have not been for a long time. I destroy drives containing credit card and other personal data with just one wipe (assuming the drive is operational) and if not I drill a few holes in it.

While investigating how to best destroy such data I happened across some postings with some actual experimental results from trying recover overwritten data:

http://blogs.sans.org/computer-forensics/2009/01/15/overwriting-hard-drive-data/

And some analysis of modern techniques for recovering data and their effectiveness:

https://blogs.sans.org/computer-forensics/2009/01/28/spin-stand-microscopy-of-hard-disk-data/

Executive summary: Data overwritten once is unrecoverable on any drive made in the last 10 years. So do a single write pass from /dev/random on working drives.

For non-functional drives or where overwriting is not possible drilling holes is very sufficient for any business and personal data.

For top secret data wanted by an enemy with millions to spend and you cannot overwrite the data just once then recovery via Spin Stand Microscopy from undamaged areas of the platter is possible at great expense and weeks of constant work. Shattering the platter makes this technique much harder rendering perhaps 80% of the data unrecoverable. You are still best off with a cheap one time write of the whole drive.

And as far as data recovery from failed drives goes this is rather amusing:

http://blogs.sans.org/computer-forensics/2009/09/30/the-failed-hard-drive-the-toaster-oven-and-a-little-faith/ -- Tracy Reed http://tracyreed.org

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/