Slashdot Mirror


Why 'rm -R star' Isn't Enough

zdburke writes: "Short but interesting article in the New York Times (free reg req'd) about how difficult it is to cover your digital tracks because electronic documents are so well distributed -- on your laptop, on your workstation, on the server... Yes, there are tools to thoroughly delete files on your computer, rather than just unlinking them when they're put in the trash, but it's the distributed nature of content these days that poses a special problem to the Ollie Norths of the world."

4 of 396 comments

  1. PGP wipe does a very poor job. (See this link) by SomethingOrOther · Score: 5, Interesting

    PGP is a brilliant tool for encryption (esp. e-mail), and PGP disk or Scramdisk are great for secure archiving on windoze machines. However, the PGP wipe isn't very good. This link explains why and gives good alternatives for windoze users.

    Linux users already have encrypted filesystems and secure file wiping as standard in all(?) common distros. (I know that SuSE even lets you overwrite the wiped files with zeros to hide their very existence.)

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
  2. Some old BugTRAQ posts on this subject by Effugas · Score: 4, Interesting

    Bit busy -- finishing up The Book(TM) -- but I wrote a bit about this subject some time ago. Head over to: http://www.doxpara.com/read.php/security/secure_deletion.html

    There's a Part 2, and some other stuff over there too. Yeah, the site needs to be updated desperately. Wait till Feb.

    There's one piece of information that's very new and very, very cool: apparently, some company has been going around the WTC crash site, picking out hard drives from crushed servers, and (though I can't imagine this) actually recovering data from the drives through all the crush damage and dust. I mean, yes, the concept that a non-portable, super expensive, very labor-intensive read head would be able to recover significantly more data redundancy than some mass-produced mag head is unsurprising, but... damn.

    --Dan

  3. Re:Mirrors by SuiteSisterMary · Score: 4, Interesting

    That's why you make it stated policy to delete ANYTHING AND EVERYTHING with 'youcannotseemeehahahahaha'. Then it's not incriminating, it's standard practice. This is why companies have 'document retention' policies; if you don't have one, but you've destroyed documents that a court wants, you're in trouble. If you DO have one, and you've destroyed documents the court wants, too bad, you're following the published policies of your company. The corollary to that is, I believe, that you need to follow your policy religiously, or it's not a viable defense.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  4. Re:Electron Microscope by WNight · Score: 4, Interesting

    Well, it appears to be somewhat true.

    First, it's difficult. It involves removing the platters from the drive and mounting them in a machine designed to read from that platter density.

    Then, the machine can read from 0 to N generations of older data. This is dependent on the quality of the medium (I guess, better drives are less secure in this fashion) and the repeatability of the data used for overwrites.

    If you overwrite something with all zeros (or ones), it's almost guaranteed to still be there later, because all you did was weaken (strengthen) the signal; the variation between two signals with the same current value represents the original value.

    This is why the idea is many secure overwrites. Perhaps all zeros once or twice, but interspersed with "secure" random noise. As soon as they lose track of layer N, they can't get N+1.

    However, the task usually doesn't depend on getting the contents of the whole disk back; usually they can still read the metadata and know what to concentrate on (and if they can't, they know where the metadata sits, so they concentrate on that), and then they go after certain files likely to be the most useful.

    Most common "secure delete" utils use low-grade PRNGs and non-random seeds. If you can figure out the output of these and then deduce the seed, you can figure out the data used for any portion of the overwrite and from that, have a pretty good chance of recovering the data.

    Now, this is what I've heard from people in the field, so don't take it as gospel. The one thing they all agreed upon, though, is that this level of analysis is hideously expensive. Not $500/hour like "normal" data recovery, more like $500k up front and then $5k/hour... It involves cryptanalysis to crack the "random" overwrites and a host of other professionals. It also wouldn't be used to bust a kiddy pornographer (is that a kid who makes porn, or ...) or the logs of a mob boss. It'd be used in espionage-type issues, where there's more than money on the line.

    It's almost always destructive analysis too; they destroy the media getting the data, and they don't get 100%, so they can't put it on a new drive and put it back in the computer. If this happens you're gonna know it; at best they'd substitute a different drive to make it look like yours crashed. (Maybe that's why so many potential spies were sold the IBM 75GXP series drives - plausible crashes... :)
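The two technical threads above (comment 1 on Linux secure-wipe tools and comment 4 on why a single zero pass is weak and why overwrite utilities built on low-grade, non-random-seeded PRNGs are recoverable) both come down to the same small procedure: overwrite the file's blocks in place, force each pass to the device, then hide the name and size before unlinking. The following is an added example written for this page, not code from any of the posters or from PGP, SuSE or coreutils. It uses fixed zero and one passes interspersed with CSPRNG noise from `secrets.token_bytes` (the kernel's random source, so there is no seed to deduce), opens the file without O_TRUNC so the same blocks are rewritten, and fsyncs after every pass. The file contents and sizes in `demo()` are constructed test data.

```python
"""Multi-pass in-place file overwrite (constructed example, not from the original thread)."""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes written per os.write() call


def pass_patterns(random_passes=2):
    """Overwrite schedule: all zeros, all ones, then N random passes.

    An int is a fixed byte value for the whole pass; None means fresh CSPRNG
    bytes for every chunk, never a seeded or repeating PRNG stream.
    """
    return [0x00, 0xFF] + [None] * random_passes


def overwrite_file(path, patterns=None):
    """Rewrite every byte of `path` once per pattern, fsync'ing after each pass.

    Returns the total bytes written so a caller can confirm each pass covered
    the whole file (size * number of passes).
    """
    if patterns is None:
        patterns = pass_patterns()
    size = os.path.getsize(path)
    total = 0
    # O_WRONLY without O_TRUNC: truncating first would free the blocks and let
    # the filesystem hand the new data different ones, leaving the old intact.
    fd = os.open(path, os.O_WRONLY)
    try:
        for pattern in patterns:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                buf = bytes([pattern]) * n if pattern is not None else secrets.token_bytes(n)
                while buf:                      # os.write may be partial
                    w = os.write(fd, buf)
                    buf = buf[w:]
                    total += w
                remaining -= n
            os.fsync(fd)                        # push this pass to the device before the next
    finally:
        os.close(fd)
    return total


def secure_delete(path, patterns=None):
    """Overwrite, truncate to zero, rename to a random name, then unlink.

    Truncation hides the original size and the rename hides the original
    filename in the directory entry. Returns total bytes overwritten.
    """
    total = overwrite_file(path, patterns)
    with open(path, "r+b") as f:
        f.truncate(0)
        os.fsync(f.fileno())
    directory = os.path.dirname(path) or "."
    newname = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, newname)
    os.unlink(newname)
    return total


def demo():
    """Create a ~200 KiB constructed file, wipe it, return (size, bytes written, still exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"TOP SECRET " * (200 * 1024 // 11))   # constructed sample content
    size = os.path.getsize(path)
    total = secure_delete(path)
    return size, total, os.path.exists(path)


if __name__ == "__main__":
    size, total, exists = demo()
    print(f"{size} bytes overwritten {len(pass_patterns())} times ({total} bytes written), exists={exists}")
```

On a Linux box the equivalent with coreutils is `shred -n 3 -z -u FILE` (random passes, a final zero pass, then unlink). Either approach only addresses the blocks the file occupies right now, which is the summary's actual point: it does nothing about the copy on the workstation, the server backup, the mail spool, a journaling or copy-on-write filesystem that already relocated the data, or flash media whose controller remaps writes. Full-disk encryption with a destroyed key covers those cases where a per-file wipe cannot.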