Friday, March 27, 2009
How to stop worrying and trust your "secure delete" command
Computer users who store porn photos on the office computer or the details of their money-laundering escapades at home are frequently fired or hauled off to jail when the evidence is discovered on their hard drive either inadvertently by a computer technician or intentionally through a search warrant.
In many cases the miscreant may think he has erased the files when in fact they continue to reside on the hard disk. That's because most operating systems (OS) change only a few bytes of data when a file is deleted. Those bytes are there to remind the OS that the file has been officially deleted and that this area of the hard drive can be overwritten if the need arises.
But if the content of the file is not overwritten with new data, the old data can be easily recovered. So applications and operating systems nowadays feature some sort of "secure delete" command that not only changes the file header but overwrites the entire file.
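As an added illustration of the difference the post describes (this is example code, not from the post or any tool it names), the script below overwrites a file's data in place with one pass of random bytes and fsyncs before unlinking, then shows that the marker content is no longer readable from the file. It assumes a classic in-place-updating filesystem on a magnetic disk, the case the post is about; `overwrite_in_place`, `secure_delete` and `demo` are names chosen here.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB write buffer


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file at `path` with random data, in place.

    One pass is what the post says suffices for modern drives; `passes` is
    exposed only for policies that still insist on more. Returns bytes written.
    Caveat: on copy-on-write, journaling or flash-backed storage the new bytes
    may land in different physical blocks, so this covers the HDD case only.
    """
    written = 0
    with open(path, "r+b") as f:
        size = os.fstat(f.fileno()).st_size
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force the overwrite out of the page cache
    return written


def secure_delete(path: str, passes: int = 1) -> int:
    """Overwrite the file's contents, then remove its directory entry."""
    written = overwrite_in_place(path, passes)
    os.remove(path)
    return written


def data_still_present(path: str, marker: bytes) -> bool:
    """Read the file back and report whether `marker` is still in it."""
    with open(path, "rb") as f:
        return marker in f.read()


def demo() -> dict:
    """Constructed end-to-end check on a temporary file; returns observations."""
    marker = b"SECRET-LEDGER-ENTRY"  # constructed sample content, 19 bytes
    path = os.path.join(tempfile.mkdtemp(), "evidence.txt")
    with open(path, "wb") as f:
        f.write(marker * 100)
    before = data_still_present(path, marker)   # plain file: marker readable
    written = overwrite_in_place(path)          # one pass of random bytes
    after = data_still_present(path, marker)    # marker no longer readable
    secure_delete(path)
    return {"before": before, "after": after, "written": written,
            "gone": not os.path.exists(path)}
```

Note that a plain `os.remove` without the overwrite step leaves the old bytes on the platter exactly as the post warns.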
But those users sophisticated enough to know the difference between "delete" and "secure delete" may still worry—and not just from a guilty conscience. A paper published in 1997 by Peter Gutmann described methods for recovering overwritten data from a hard drive. To defeat these methods up to 35 overwrites would be required. This came to be known as a "Gutmann Wipe."
Now comes forensic computer examiner Craig Ball to assure the legal community that this is no longer true. He writes,
In the years since Gutmann's article, the amount of data that can be packed onto a hard drive (its "areal density") has increased 10,000-fold.
So, hoary notions of data remanence like "offtrack persistence" and "additive and subtractive voltage thresholds" hold no hope of resurrecting overwritten data.
... All the anecdotal wiped data recovery stuff we've heard about is completely bogus. So stop folks when they say, "I know a guy who has a cousin who recovered overwritten data using EnCase by tweaking the frazzle setting and putting the drive in the freezer." It just ain't so.
You only need one complete pass to eviscerate the data (unless your work requires slavish compliance with obsolete parts of Department of Defense Directive 5220.22-M and you make two more passes for good measure).
No tool and no technique extant today can recover overwritten data on 21st century hard drives. Nada. Zip. Zilch.
This should come as good news to former members of the Bush administration.
Ball does warn of two other security mistakes—
The most egregious is the assumption that formatting a hard drive is the same as wiping its contents. In fact, formatting obliterates almost none of a drive's contents. Any eBay purchaser of a formatted drive can easily restore its contents.
Second, and principally of interest to three-letter agency types and paranoiacs, user data resides in areas of a hard drive that no wiping tool can reach: the so-called G-List sectors.
But if you're worried about the G-spot on your disks, don't. The contents of it are supremely uninteresting.
Remarkably, nearly all hard drives manufactured after 2001 incorporate the ability to rapidly and securely self-erase everything, including the G List; but, drive and computer manufacturers are so petrified you'll mess that up, they don't offer an easy way to initiate a self-destruct sequence.
I know these reassurances won't satisfy all paranoiacs everywhere. So if you're still worried about data security, take the advice of "raptor_pa" of the Tech Support Forum—
Open up your old drive, remove the platters, take some good coarse sandpaper or a grinder to all the platter surfaces, then place all platters into a taped-up stack in a cloth bag, run a drill through the platters a couple of times, then take a large hammer and reduce the platters to as small pieces as possible. Alternatively, soak platters overnight in some good strong acid.
That should do it.