Home page logo
/

basics logo Security Basics mailing list archives

Nth disk rewrite
From: "Wolf, Glenn" <glenn.wolf () we-inc com>
Date: Thu, 31 Oct 2002 16:43:12 -0800

Good point.  This leads me to a thought...

A better scheme than rewriting N times with equally-dispersed random data
(1010, then 0101, then 0110, etc.) would be to overwrite with "junk" but
pattern-filled data (i.e., data representative of a text file, mp3 file,
etc.).  Otherwise what you get is "snow" or "white noise" data evenly
written (many times) on top of real data.  Think of it like picking a faint
TV picture out of a bad signal with lots of noise.  Even though there is
lots of random data (the static or "snow") interfering with the image, the
human eye can still recognize the original picture.  If you had 30 TV
signals piled on top of one another, it would be much harder to pick out any
individual signal.

So disk space where text files were stored could be written over many times
by a random text generator.  Disk space where an mp3 file was stored could
be written over many times with mp3-like data.  And disk space where
filenames were stored (e.g., My_Secrets.doc) would be written over many
times with filename-like data (Some_File.exe, Foo_Bar.xls, etc.).  And of
course, the file locations would overlay each other enough to keep from
knowing which blocks were really in which files...  This should effectively
prevent the original file name or contents from being distinguishable from
the contents of the 4th rewrite, 8th rewrite, or 27th rewrite.

Glenn


-----Original Message-----
From: Jimmy Liang [mailto:jimmy () jimmyland com] 
Sent: Wednesday, October 30, 2002 12:41 PM
To: Dan Darden; John Orr; security-basics () security-focus com
Subject: RE: Interesting One


Interesting tho. How would the recovering software know if the data you're
retrieving comes from the 30th re-write, or the 29th? You also have to
consider that the data you're trying to recover isn't the first data written
to the disk. So even if the atoms are not all aligned the right way, you
wouldn't know if that's because of the data from the 29th re-write, or the
30th. 

-----Original Message-----
From: Dan Darden [mailto:dld2517 () yahoo com] 
Sent: Tuesday, October 29, 2002 8:35 PM
To: John Orr; security-basics () security-focus com
Subject: RE: Interesting One

John,

Think atomically.  There can be millions of atoms in a apace the size of a
pin tip.  A write head need not turn every atom in a layer of magnetic
material one way or the other.  It only needs to turn just enough 'clearly'
one way in order for the read head to pick it up again.  If we talk about a
layer of magnetic material that is just .0001" thick we are still talking
about layers upon layers upon layers (need I go on....) of atomic material.

It can be done!


Dan Darden.


-----Original Message-----
From: John Orr [mailto:JOrr () austinbank com]
Sent: Tuesday, October 29, 2002 12:15 PM
To: dadams () johncrowley co uk; security-basics () security-focus com
Subject: Re: Interesting One


  Personally, I think he is full of... hot air.

  Bits are either "on" or "off", "1" or "0".  If you change that pattern
(i.e. write over the same data area with a different sequence of bits), then
the previous state of that field would not be determinable.  Granted, there
may be some residual magnetic field left on a particular area that is now
"0" that had been "1", but the converse would not be true.  There would be
no residual field to read on an area that is now "1" that had been "0".

  Sounds like sales fluff to me.

  Anyway, that is my opinion, based on years of experience and a good
knowledge of physics.

-John

--------------------------------------
John Orr
VP/CIO
Austin Bank
903.759.3828 x2113
903.297.3094 fax
jorr () austinbank com

"Dave Adams" <dadams () johncrowley co uk> 10/28/02 04:06PM >>>
Greetings Folks,

I had an interesting conversation today with someone from FAST (Federation
Against Software Theft) They pretend not to be a snitch wing of the BSA.
Anyway, to get to the point, the guy that came to see me said that their
forensics guys could read data off a hard drive that had been written over
up to thirty times. I find this very hard to believe and told him I thought
he was mistaken but the guy was adamant that it could be done. My question
is, does anyone have any views on this, or, can anyone point me to a source
of information where I can get the facts on exactly how much data can be
retrieved off a hard drive and under what conditions etc etc.

Thanks

Dave Adams


  By Date           By Thread  

Current thread:
  • Nth disk rewrite Wolf, Glenn (Nov 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault