From: SMTP%"everhart@mail09.mitre.org" 23-JAN-1998 13:09:33.74 To: everhart@gce.com (everhart@gce.com) CC: Subj: FWD: RE: [NTSEC] Wiping hard drives - paper reference --===_tgate3_58662_96708698_=== Content-Type: text/plain; charset="us-ascii" ----- Forwarded message follows ----- Delivered-To: nt-out-link@iss.net Delivered-To: nt-out@iss.net From: Doug Hughes Date: Thu, 22 Jan 98 15:49:48 -0500 Subject: RE: [NTSEC] Wiping hard drives To: In-Reply-To: <6D1199B25C89D111A99500A024DEE5D7032D5B@locutus.dimen.com> Precedence: bulk Reply-To: Doug Hughes X-Loop: ntsecurity X-Comment: TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net X-Comment: DO NOT send subscribe/unsubscribe messages to ntsecurity@iss.net TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net Contact ntsecurity-owner@iss.net for help with any problems! --------------------------------------------------------------------------- >> >> I don't think many would question that acid baths, shredders, and >> other methods of totally destroying a hard drive can make data >> unrecoverable. >> >> The debate is whether erased data can be recovered. I'm not >> talking about "c:\delete *.*" -- I'm talking about wiping every bit >> of data on the drive with 1's, 0's, random numbers, etc. multiple >> times. >> >> I've seen computer techs, electrical engineers, DoD employees, >> particle physicists, and everyone else state that due to the >> inexact nature of hard drive heads that residual magnetic signals >> from previous writes are left on hard drives. >> >> I don't doubt this either. >> >> Many of these same people then go on to say that someone they knew >> (or knew of) was able to use various techniques to distinguish these >> phantom bits from others on the drive and recover usable data. >> >> Never once have I been seen a reference documenting this having >> actually been done. I've seen a lot of stuff on the theory, but >> not on application. >> >> I imagine it *could* be done -- within limits. But for once I'd >> like reasonable proof that it has been done. >> >> Once again, I'm not putting down the practice of totally annihilating >> storage media to ensure the data is not recoverable -- better safe >> than >> sorry, right? I'm just not convinced that data *cannot* be safely >> erased with software. >> >> Can anyone 'fess up? >> >> -- Geoff > You want references? You got 'em. See: 'Secure Deletion of Magnetic and Solid-State Memory' Peter Gutman - Department of COmputer Science - University of Auckland as published in 6th USENIX Security Symposium proceedings. Also available online from Usenix site (with membership number) Summary - using MFM (Magnetic Force Microscopy), even for relatively inexperienced users, the time to start getting images of the data on a drive platter is 5 minutes. The problem is that write heads are not able to write in exactly the same place every time. So data gets a layered look when writing, and you can use differences to extract previous layers. PRML recording technology makes the data much harder to recover, but not impossible. Even using DC current is not a guarantee of erasure. You'd need a current that is a multiple of times the media coercivity. It boils down to a set of 22 consecutive writes to a drives surface using special bit patterns of alternating ones and zeros (special, because it has to deal with timing, and run-length encoding). You also need cryptographically random patterns between write patterns. If they aren't cryptographic and your opponent can predict which pattern is next, he may be able to recover the data. You also have to disable buffering and tag command queueing. Forget about degaussers. While they will make your disk not be able to read data accurrately, it can still be read with MFM. Even the most powerful degaussers can't do 4MM tape, and newer disks have a higher Coercivity. (keep in mind - this is 1996 material - but it's probably still accurate) Since degaussing makes the drive unusable anyway, you might as well have physically destroyed it in the first place. Anecdote from the paper - Apparently the Navy has a 2.5MW research magnet that they used to degauss a 14" drive for 1 1/2 minutes. It bent the platters, and probably erased the data. :) There's also a section on recovering data from RAM. Think powering off your computer is enough? Not hardly.. Depending on how long that data has been sitting in your memory, residual information may be available for hours or days (depending on ambient temperature) If you're interested at all in this stuff, read the paper, there are lots and lots and lots of caveats and twists you have to deal with when trying to erase data. Almost nothing short of physical destruction will serve (meaning burning, melting, or otherwise totally vaporizing the media) -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu ----- End of forwarded message ----- --===_tgate3_58662_96708698_===-- ================== RFC 822 Headers ================== Return-Path: everhart@mail09.mitre.org Received: by norlmn.gce.com (UCX X4.2-14, OpenVMS E7.1-1H1 Alpha); Fri, 23 Jan 1998 13:07:25 -0500 Received: from mbunix.mitre.org (mbunix.mitre.org [129.83.20.100]) by mercury.mv.net (8.8.8/mem-971025) with ESMTP id HAA03856 for ; Fri, 23 Jan 1998 07:27:53 -0500 (EST) Received: from TGATE3 (tgate3.mitre.org [129.83.20.27]) by mbunix.mitre.org (8.8.8/8.8.8/mitre.0) with ESMTP id HAA23509 for ; Fri, 23 Jan 1998 07:31:39 -0500 (EST) Received: from mail09.mitre.org (unverified [129.83.20.43]) by tgate3.mitre.org (EMWAC SMTPRS 0.83) with SMTP id ; Fri, 23 Jan 1998 07:31:35 -0500 Received: by mail09.mitre.org; (5.65v3.2/1.1.8.2/22Jun94-0628PM) id AA21666; Fri, 23 Jan 1998 07:31:30 -0500 Subject: FWD: RE: [NTSEC] Wiping hard drives - paper reference From: everhart@mail09.mitre.org (Glenn C. Everhart) To: everhart@gce.com (everhart@gce.com) Message-Id: <980123073128.31233@mail09.mitre.org.0> Date: Fri, 23 Jan 98 07:31:29 -0500 X-Mailer: MailWorks 2.0-4 Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===_tgate3_58662_96708698_==="