Single Drive Wipe Protects Data

ALF-nl writes "A forensics expert claims that wiping your hard drives with just one pass already makes it next to impossible to recover the data with an electron microscope." But that's not accounting for the super secret machines that the government has, man.

Why are we still discussing this?!

[MartinG]

Just use encryption (of your whole drive or partition) and forget about wiping it.

It's not that hard. For example, several modern Linux distros support encrypting your entire installation out of the box.

Re:Why are we still discussing this?!

[dmdavis]

You encrypt it, and someone can still potentially get it, even if the probability is miniscule. Maybe the algorithm is discovered to be flawed, or they see you type your password, or they install a hardware key-logger, or while it would theoretically take thousands of years to brute force it, random chance has them guess the right sequence on the first try (it could happen). You wipe the data though, and there is no chance for anyone to get it.

Encrypting it is definitely a good idea, but not as a replacement for wiping it.

Re:Why are we still discussing this?!

[dmdavis]

Sure, but they won't know if they data they guessed is right. If they guess the password correctly, it successfully decrypts the data, and you know it was right.

Re:Why are we still discussing this?!

[kj_kabaje]

Child after nap?? No--if you want destruction, better child *before* nap.

Re:Why are we still discussing this?!

random chance has them guess the right sequence on the first try (it could happen).

It COULD happen, yes. It also COULD happen that after you smash your hard drive with a sledge hammer, the pieces will be blown about by a local mini-tornado and reassembled into a fully functional drive again by pure coincidence.

I think you really have no idea how unlikely the events we're talking about here really are and how big key spaces really are.

If it 'snot good enough for the feds...

[davidwr]

1) next to impossible != impossible
2) if the feds require multi-pass wipes for non-classified data and media destruction for classified data, why should I settle for anything less?

OK, maybe this guy is right and maybe the feds are behind the times, but I'd like to see multiple independent studies come out and say this before I'm getting rid of my drive sanitizers. I mean, we all know what happens to societies when they get rid of their equipment sanitizers, don't we?

Re:If it 'snot good enough for the feds...

[Talderas]

Unless you work for the government or military, no one would be interested enough in the data on your drives to go through the effort and cost of doing the forensic investigation to find out what was on your hard drive before the wipe.

For those of you in Rio Linda, nobody cares about you, or your data, unless you work for the government or military.

Re:If it 'snot good enough for the feds...

[Gorshkov]

if the feds require multi-pass wipes for non-classified data and media destruction for classified data, why should I settle for anything less?

Yes, because we are all so fully aware that the US government only ever worries about REAL security, and not security theatre.

Re:If it 'snot good enough for the feds...

[holychicken]

The government overdoing something based on a popular misconception? I am shocked and appalled!

Re:If it 'snot good enough for the feds...

[arminw]

.....why should I settle for anything less......

because as a /. member it is highly unlikely that your deep dark secret data is worth the effort it takes to recover it after a single pass wipe. Anyone who posts on /. has, by definition, no data the NSA, KGB, Gestapo or any other such entity could possibly be interested in.

Re:If it 'snot good enough for the feds...

[Thaelon]

1) next to impossible != impossible
2) if the feds require multi-pass wipes for non-classified data and media destruction for classified data, why should I settle for anything less?

Because the government is rife with paranoid, bureaucratic nitwits with more motivation to be "safe" than is scientifically prudent, and far more motivation to further their own careers?

And I add bureaucratic for very pointed reasons. In the beginning, suppose they had a competent CS guy deciding the policies for HD erasure, he probably figures a single zeroing is sufficient. And at the time (perhaps now too) he's correct. Then his successor wants to make in impression and put some bullet points on his resume, so he makes a big stink about "increasing security through a continuing commitment to data erasure" or some buzzword nonsense. Let's say this guy was a friend or relative of the previous guy - and not necessarily as competent. Now this did fuck all for actually making the data any harder to get at, but it furthered his career just a tiny bit. Now add 3-4 repetitions of this to the mix and you can see how the policies got to be so ridiculous. Now I am making all this up, but to me, this seems far more plausible than recovering overwritten data on a hard drive. How many times have you had trouble with your drive accidentally reading previous data from it? You know, with a drive head that was designed, redesigned, and improved over 50 years to read data from that disk.

I don't get why people often think that the US government has super awesome technology that borders on magic in the field of computer science. In my experience they were 30+ years behind the times in some areas. Some better, some worse.

The government is just made up of people. Like everyone else, so there's lots of human error. And since they get paid through taxes and don't have to worry about profits, they have little to no motivation to do a good job if their superior doesn't make them. It's why the government is into contracting these days, they get the job done quicker and better for less money because (in most cases) they have competition.

Re:If it 'snot good enough for the feds...

Multipass wipes are an artifact from a time when multiple wipes were needed. Like everything else in gov't, these rules take a long time to change too.

Re:If it 'snot good enough for the feds...

[Lehk228]

three pass 0, three pass alternating, or three pass PRNG?

Re:Data destruction advice of the week

[tuffy]

It's the difference between what slashdotters enjoy doing to old hard drives and what's actually required to securely destroy the data on them.

Just one layer of paint

Writing random numbers would be more sufficient than just zeros.
For example painting a wall with one layer of white paint could still show the outlines of a gratify underneath that layer.
But if you would use various colors all over the place it would become very hard to identify any shape beneath it even if you where using just one layer.

Re:Just one layer of paint

WHOOSH

One Wipe...pppphfhtpt!

[necro81]

A forensics expert claims that wiping your hard drives with just one pass already makes it next to impossible to recover the data with an electron microscope.

[pulls tinfoil hat tighter over head]

Sure, that's just what they want you to think.

Define next to impossible

[chord.wav]

Even if it isn't deleted, try to recover a simple 10Mb jpg using an electron microscope... I guess it is as close to the "next to impossible" as if the file was deleted.

Re:Define next to impossible

[coolsnowmen]

Define next to impossible

The researcher did. From TFA:

Recovering a single byte of data, for example, on a used drive is successful less than one percent of the time, he found. Accurately recovering four bytes, or 32 bits, of data only works nine times out of each million tries.

So, 1 specific byte of data could be recovered 1% of the time, 4 bytes -> .0009%.
Extrapolating to 10Mb is about 1/10^(10^6 / 8)=0% according to my calculator which keeps goes to 10^-324. So, I think 'next to impossible' is a pretty accurate term.

Makes perfect sense

[jspenguin1]

If there were a reliable way to read the previous value of a bit written to a drive, the drive manufacturers would already be using it to increase density -- effectively storing two bits in the space of one. This is similar to the basic principle of MLC flash drives.

Which, of course, would still make it impossible to recover data that has been overwritten, since each "bit" would be overwritten twice.

Depends on your crime

[mlwmohawk]

It seriously depends on your crime as to how far police will go to obtain data from a hard disk.

If, for instance, to kill no more than three people in cold blood. They won't even look.

If, you have a few ounces of pot, the DEA will use the FBI forensics labs.

If you have a history of violence and have beaten countless women, they won't even look.

If you've given more than a few hundred bucks to an Islamic charity, the NSA will step in.

If you bilk hundreds or thousands of people out of millions of dollars, they won't even look.

if you are accused of fighting on the train in San Fransisco, they'll just hold you down and shoot you in the back. Fuck the computer.

Re:Depends on your crime

[mlwmohawk]

Police do pursue murders by computer forensics
The Boston Globe just had a section on how police aren't solving homicides very well.

the DEA doesn't spend an inordinate amount of time on "a few ounces of pot",

Yea, tell that to all the people pursued and convicted in CA after the medical marijuana law passed.

a history of violence against women is not a crime in itself,
no but "beating countless women" is.

some Islamic charities are known to support terrorism,

yes, but the vast majority of charities do not fund terrorism. Why not go after irish catholic charities? Some of those helped the IRA.

bilking millions of dollars is also not necessarily a crime

The term "bilk" absolutely describes fraud.

lastly the incident in San Francisco you referenced was not at all typical.

Yea? Well, how many cops do you know. You can find stories like this on a regular basis.

Re:some subject

[txoof]

DD is probably the best bet for discarded/ebay'ed drives. I can't think of anyone who has the time or resources to dig up my data. If you're a fortune 500 company, or an international drug/arms/people/whatever smuggler, then you probably want to just go ahead and shred the drive. That way you don't have to worry about Joe skipping out early on Friday and forgetting to wipe the out-going CEO's drive.

For the rest of us, just think about the economics of it; what criminal organization has access to a lab full of electron microscopes and has the time and money to search discarded drives for credit card information? Perhaps a large government has access to these resources, but once again, unless you're really up to no good or have a large company, why would anybody bother?

Thank goodness for a suddenoutbreakofcommonsense here.

"Less successful than a coin toss"??

[Sun]

From the article:

"In many instances, using a MFM (magnetic force microscope) to determine the prior value written to the hard drive was less successful than a simple coin toss."

A coin toss is usually referenced as the worst way to try and predict a 50:50 chance event. Disregarding all of the obvious problems (i.e. - that the bits on a hard disk do not have a 50:50 distribution (unless compressed or encrypted), and that a coin is not necessarily the most random thing, I'm still left with a puzzler

If his methods have less chance of prediction than a coin toss, all he has to do is add a "not" gate at the end of his prediction algorithm, and he'll have better chance than a coin toss.

To take this to an extreme, assuming random incoming data, a coin toss has 50% chance of a hit for the next bit. If you find a method that has a 0% chance of a hit, then just flip its output and you'll get a 100% chance of a hit. Lower chances than a coin toss actually mean a good prediction ability

Shachar

But zeroing is so easy.

[spaceturtle]

To me a more valid concern is the following linear time algorithm to break encryption:
1) Invest $1000.
2) Making use of Moore's law, wait until $1000 is enough to buy a machine that can break that now old outdated encryption.
3) Profit!
It seems to me that zeroing or /dev/randing a hdd is so easy that if you are paranoid to encrypt your whole hdd, including swap and filenames, then you might as well erase you hdd just to be on the safe side.

Re:bullshit

[Stray7Xi]

I've sent a drive in for data recovery before and was asked which operating system to recover: solaris or Windows NT....

A reinstall is not a drive wipe in regards to forensics. While IT may call it a wipe and refresh the data is easily recovered. It's this confusion between delete, reinstall, format, and wipe that starts unfounded rumors. Not to mention the differences between different file systems.

A wipe is a writing data to EVERY sector. A format does not wipe, a deletion does not wipe and wiping is not common practice. With the size of drives today, you'd practically have to leave it going overnight. Most drives go their whole life without ever once being wiped.

Re:One wipe is not enough.

[Crudely_Indecent]

Like the Lemur King Julian said in the movie Madagascar:

"Who wipes?"

Seriously though, anyone sufficiently interested in protecting data can do it in numerous ways.

I used a script to sanitize drives used in forensic collection. First pass writes from /dev/urandom, second pass writes from /dev/zero.

When drives died or became unuseable they would meet a sledgehammer moving at high velocity.

Re:If you are able to do it

[John+Hasler]

> which is surely worth the time and effort involved in something like this.

Hardly. I think that you'll find that the machines required rent for more than $500/hour.

Conflict of interests in article

[xant]

The guy's a forensics expert. Of course he's going to tell you one wipe is enough. If you do more than that, he might be out of a job.

I'm surprised he didn't say "It's cool man, just write 'DELETED' in sharpie on the case and your drive will never function again. *snicker*"

Re:If you are able to do it

There's a reason no one has accepted this challenge. At the very bottom: "You also must publicly disclose in a reproducible manner the method(s) used to win the challenge"

No self-respecting data recovery firm is going to take this challenge. My guess is that most places CAN recover the data, but they're under NDA not to disclose how. If this challenge was open to just anyone, I'd take it in a heart beat. My process would be:

Take drive to Ontrack
Pay $100
-wait-
take file list to challenge sponsor

But alas I cannot do that, so as curious as I am, I'm not willing to spend $100 to find out.

Re:Tag this "itsatrap"

[piranha(jpl)]

$500! Hot damn. That sure is a pretty penny to pay for something as EXOTIC AND EXPENSIVE as magnetic force microscopy.

Re:Go for physical destruction. You'll sleep bette

[swordgeek]

Nice theory, but totally full of shit.

I've done contracting for the government, and worked on a proposal which would have required "Secret" clearance for all staff involved. I have also worked with medical records for the local health authority. Finally, I've worked for oil companies that have both liability of both customer records and planned exploration/acquisition to keep private.

You're making the mistake that everyone else on /. is just like you, huddled at home, worried about their pr0n collection. However, some of us are actually computing professionals, working in sensitive areas. Hopefully none of us are using /. as their sole source of useful information, but it's definitely not a bad tertiary source of input.

DoD Science

[Valdrax]

That's why the DoD has lowered their standards to a single fixed wipe and to prove it is going to send all of their super secret hard drives to china to be proven that the data is unreadable.

Because the DoD makes ALL its decisions based on sound science. That's why the Air Force took over the CIA's sponsorship of remote viewing in 70s, why the Navy funded research into cold fusion and anti-grav, and why we're buying hand-held polygraphs for troops in Afghanistan.

I mean, I had the same knee jerk suspicion, but I'm not going to hold up the DoD's standards as proof of anything but potentially reasonable paranoia. The Pentagon has a long-demonstrated sweet tooth for junk science.

only $500?

[pikine]

If anyone can recover data from a dd if=/dev/zero of=/dev/sda hard drive, I suspect $500 isn't enough financial incentive for that person to reveal his/her ability to do it. $500,000, then we're talking.