Slashdot Mirror
Data Still Left on Storage Devices for Sale
cluedweasel writes "According to a BBC story many people are still putting up their old PC's and storage devices for sale without taking basic precautions to ensure that confidential data is erased. The suggestion at the end of the story is to get a professional forensics firm to wipe your data or just destroy the item in question. With the low price of storage devices, the latter is probably preferable."
Darik's Boot and Nuke. Cheap, efficient, portable. Worst thing that happened using it was cleaning a PC so old its CD-ROM drivers weren't in firmware, so I had to download a boot disk off the net to reinstall them.
"Made up/misattributed quote that makes me look smart. I am on
...with something like Darik's Boot & Nuke
http://dban.sourceforge.net/
Set that up for 27 wipes and you're set.
"TK-421, why aren't you at your post?"
I seriously doubt that any magnet you can get your hands on would erase anything from a hard drive platter. Even bulk tape deguassers from five years ago won't do shit on a modern drive. It takes some seriously strong fields to erase a platter.
However, sticking a decently strong household or lab magnet against the drive housing may tense parts of the delicate mechanism inside, causing the bearing to go south or the actuator arm to cease working. It's still probably possible to pull the platters and remount them in a new housing (if the platters weren't too damaged by whatever mechanical failure you induce), and there are a few outfits that can do it for ~$3000 per drive.
Now, get real: Want to know the BIGGEST, best-kept secret in data forensics? The most effective way to forever put your data beyond the reach of cops and courts is:
dd if=/dev/zero of=/dev/hda
That's right, just a single-pass overwrite with zeros will do. Everything else you hear is either 8+ years out of date, or uninformed bullshit, or a scare story.
For any who wish to avoid such "Data Dangers", I've been using Boot & Nuke (http://dban.sourceforge.net/) for some time now. It's pretty easy to use and supposedly reaches DoD levels of secure delete. All used hard drives my shop sells get a dban scrubbing before they leave.
A lot of people, when disposing of a computer, want to keep the OS and the applications installed because they're giving it to a relative or friend or something like that If that's the case, something like Derek's Boot and Nuke obviously isn't appropriate. There are, however many tools out there that help you clean up a windows machine such as Eraserto wipe data and CCleaner to clear out temp junk.
Best Windows Freeware
I raised this issue with the manufacturer of my USB key, after it ceased to communicate. I was offered a brand-new one upon receipt of the old one, but had no way to clear the data (a CVS tree of our product). The tech said any obvious, physical damage (i.e smashing with a hammer) would void the replacement guarantee.
Apparently, a few seconds in the microwave does not qualify as obvious, physical damage.
Now, get real: Want to know the BIGGEST, best-kept secret in data forensics? The most effective way to forever put your data beyond the reach of cops and courts is:
dd if=/dev/zero of=/dev/hda
/dev/urandom is a better source... With zero, analog analysis can be used to determine the drive's prior contents. Of course, if somebody is willing to do that to recover data, they already have your house bugged...
That's right, just a single-pass overwrite with zeros will do. Everything else you hear is either 8+ years out of date, or uninformed bullshit, or a scare story.
May as well do a second pass with /dev/random, though it's not like the cops are going to send your drive in for forensic recovery unless you're a big fish.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
What if the drive wont spin up?
But you're right if they do.
I've had to pull 4 GB of rm -rf *'d data off a drive before using some tools and vi. Worked well, took hours, and I got 90% of his files back.
I also got several versions of each file, some of them dating back over a year. Scarry...
But if you dd a drive... it's gone from all the tools I had at my fingers. And I had a *lot* of tools.
I've also done the "platter swap" thing once successfully (in a shower clean room) (twice failed) and several controller swaps. There's ways. But if the platters be stuck, and data important, take em out and bake em hard.
-=fshalor
I was wondering the other day what kind of shielding a drive has to keep its own magnets from wiping itself...
From what I saw in defect drives I opened, none at all, just some centimeters distance. The "strong magnet" meme is an urban m"yth. You need far stronger static magnetic fields to damage a drive without opening it than you can buy.
In addition, if you succeeded, it would likely void the warranty anyway, so why not be sure and just decline the warranty or use an encrypted filesystem in the first place?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
May as well do a second pass with /dev/random, though it's not like the cops are going to send your drive in for forensic recovery unless you're a big fish.
Exactly. If it's not undeleted, in the recycle bin or your internet history/cache, I find it highly unlikely that anyone will ever see it. CNET just recently ran an article that alternative browsers "impede" investigations, because detectives can't figure out where to find the files. LOL
Granted, I'm sure the NSA, DoD, and CIA have much better methods, but for most people, one pass is more than enough.
-Grym
The magnets are at a far enough distance (a cm is huge, in magnetic terms) that they offer little problems.
Second, magnetic fields of the driver magnets is orreinted almost exclusively in one axis. A normal refridgerator magnet will stick to the fridge with (almost) equal force no mater which way it was stuck (assuming, of course, it's semetric). The voice-coil driver magents are orriented heavily on a north-south pole. If you manage to pull one of these out, you'll see what I mean. If you let it stuck to the fridge on the flat side, you would not be able to pull it off. If you tried it on it's edge, it couldn't hold itself there.
... but I have personally been able to recover data from a hard drive after being zeroed.
And what drive generation/size was that? If it was an older, lower capacity drive, I have no trouble beliving you. If it was a current >= 200GB drive, I think you need to elaborate a lot.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
or just destroy the item in question
Nooo!!!
I worked as the technology re-use manager at a nonprofit organization whose mission was to get donated goodies, including computers (my responsibility), to small local charitable organizations. Our warehouse had pallet upon pallet of donated computers whose hard drives were removed as part of corporate donors' policies regarding data safety. Did we get those computers to community centers, adult education programs, inner city kids, etc? Heck no, we had to send them to the metal recycler for 2 cents per pound. Sure, per-storage unit hard drives are cheap but to get enough for a couple of hundred computers is a major expense. And yes, we applied to Maxtor, Seagate, IBM, HP and a couple of others to try to get them to donate hard drives but no dice.
The late-middle aged lady who wants to type and print the church newsletter has ABSOLUTELY no use for a computer without a hard drive and even less of an idea how to install one even if she did have budget to get one. Get a commercially available eraser program; there are plenty of titles and methods. Said church lady has NO IDEA how to extract prior data from a drive that was just plain formatted and a fresh Windows installation put on.
Strong magnets (as strong as you're likely to have at home anyways) will erase (ruin) floppy media just fine. And cassette tape media. And probably 8 tracks. I don't know what they'll do to QIC-150, 4 mm or 8 mm media. But they won't erase DLT media, and won't erase modern hard drives, probably not even if you put it right next to the platter itself.
(Now, opening the drive up and scraping the magnet over the drum, physically damaging it, that may be effective. But a non-magnetic wire brush would work as well.)
Personally, I erase my media with some variation of this --
and let that go until it's done. Repeat if you're extra paranoid. Sure, there may be some data left in sectors that have been re-allocated by the firmware. Sure, the NSA might be able to recontruct my data bit by bit with microscopes. But if I'm really worried about that, I'm not going to sell my disk -- I'm going to physically destroy it.As for warranty repair, that's a tough call. If the dd can't be done, the odds are good that the company can recover almost everything on the disk. You'll have to consider the pros (you get a new disk! free!) vs. the cons (they might be able to recover all of your data.)
To give an example, suppose a part of your drive had this pattern written on it --
and you overwrote that with 0s. So you'd expect to seeand you would, if you read the drive in the normal way. However, underneath the covers, the data on the drive would really look more like this --the exact values are just guesses, but there is a pattern here -- if a bit used to be 0, it's very close to 0 now. If the bit used to be 1, it's still close to 0 now, but a good deal further than if it was a 0.With some different firmware, one could read most of the data that was on a drive that had been erased like this.
This is why people 1) write random or semi-random patterns to the disk to erase it, and 2) do it more than once.
Still, writing 0's just once to the entire disk will stop 99% of people who might read your disk. Writing random patterns several times will probably stop even the NSA, but if they want you bad enough, they'll stick probes into your brain and extract it that way :)
Bullshit. Complete and utter bullshit.
If you go into security options from Disk Utility, there's a click box for "zero out all data", "7 times zero", and "35 times zero", depending on how sensitive your data is. It even warns you "this will take 35 times as long as a single erase.
This is where I get my recommended daily allowance of "Foot in Mouth."
Um, no. No, they can't. I used to have to explain this repeatedly to clients:
UNLESS YOU ARE DEALING WITH A VERY OLD HARD DRIVE (pre 1997, at least), YOU CANNOT RECOVER DATA THAT HAS BEEN OVERWRITTEN.
Go read the Gutmann paper from Usenix '96, and note that he never actually performs any recovery tests, nor does he cite anything other than reports of data recovery in lab situations under ideal conditions.
Also, note that he REVISED that paper in 2000 or 2001 (not quite sure) to take into account the fact that platter encoding techniques post-1997 were vastly different form the platter encoding techniques of the previous era, making the attacks he discusses irrelevant and useless.
Go ahead--I dare you to contradict me.
The big paper that started all this is here:
_ del.html
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure
(sorry if the link gets tangled). The author is Peter Gutmann. The paper you see on that link is actually an updated version of the original, which was published at USENIX '96, minus the "epilogue" section at the end. That's the critical part, where Gutmann basically backs off all the important conclusions about hard drive data recovery. He's still pretty optimistic in the epilogue (he talks about recovering one or two previous write passes of data), but you have to notice that he doesn't support himself, there, and the original citations don't support him, either.
Not to speak ill of Gutmann--he's done a lot of great work in UNIX security over the years, and he's a stand-out researcher. But he doesn't prove what he's saying.
Hopefully, the Gutmann terminology will be enough to get you started if you want to research the issue further. I used to have a couple dozen pages of cites and summaries on the issue, but I lost most of it when I left my last job. It's still out there, but it took me a couple of months to do it originally.
You're right -- you aren't a physicist. An impulse of 75G is about what you get by dropping the hard drive on a concrete floor.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Have they made some change to zero in the last 8 years that makes it less constant?
No, nothing so drastic. Hard drive technology has fundamentally changed in the last few years, and there was a huge industry-wide turnaround in methods that happened around 1997. The bulk of the changes had to do with the encoding mechanisms used to write and read data from the platter.
Even back then, these attacks were just theories, at least in public. It's possible that some spook-lab made them work, but there was never any real evidence that it was a practical technique, as opposed to a "space elevator dream". That's my opinion, at least, based on a review of the available literature.
But the changes in drive technology made it all a moot point. There aren't even any plausible theoretical methods to recover overwritten data on modern drives, let alone any evidence that it's ever been done. So if you believe that it can work, you have to also believe that the method has been kepy entirely secret from public academia and the business community, both of which would be very interested in the topic.
Magnets just don't work for erasing data. One or two passes with good pseudo-random data are all that is needed, and even the NSA would be reliably stumped with 5 or more on modern disks. Writing constant patterns is somwhat less effective because the encoding to analog on the disc prevents long strings of highs or lows being written and because any residual field from previous writes can potentially be seperated from the constant overwrite pattern.
;|
You don't need to worry about this level of security if your threat model is phishers and the like. The people selling hard drives would like you to be so paranoid you won't let others make use of your old hardware, but there is no real need for that. If someone with the resources to go over your HDD nanometer by nanometer with SQuIDs wants your data, they'll first try a sneakier, more effective way than buying your old disks.
For quick destruction of encrypted data, assuming the encryption-block size is several times the disk-block size, overwriting just one of the disk blocks for each encryption block will effectively make the data unrecoverable. Similarly, if you use an encrypted file of long, secure keys to access your other encrypted data, once that file is destroyed, everything else is effectively gone until the encryption can be brute-forced a few decades down the line.
But for sensitive data that may need to be quickly destroyed, you're better off using CD or DVD media. Five seconds in the microwave followed by a quick couple of rubs with a piece of sandpaper to remove the flakes will do more than just about anything you could do to an HDD in a similar amount of time. This also gives you an excuse to get a really fat UPS and to have your microwave on your desk. Of course you still need to find a way to get the time needed to destroy the data when your door is being broken down or if your machine is tampered with when you are away - left as an exercise for the reader.
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery?" - Patrick Henry
I had to send the DLT tapes off to a professional service to have them erased (they had to be erased for the new tape drive to make them work in the new high density mode.) The hard drive was just me seeing if I could do it :)
The tigher your cram data in there, the higher the magnetic fields needed to make changes. And modern media has it cramed VERY tightly ...
But you want your drive to be erased in less than a month, right? Use /dev/urandom. It's more than random enough. (Use /dev/random when you need small amounts of `true' randomness.)
My distribution of Linux as well as Knoppix-STD has a command called "wipe". It over writes a file (or a special block file 34 times with several different randomn patterns.
I make sure to do this with all drives I send back for warrenty.