Home page logo

basics logo Security Basics mailing list archives

RE: Interesting One
From: "Holmes, Ben" <Ben.Holmes () getronics com>
Date: Fri, 1 Nov 2002 19:38:30 +1100

Magnetic force microscopy and other such things could (and do) indeed
read past data from a hard drive that has been wiped many times (I have
heard many conflicting and often wild claims about the exact number).  A
single pass can defeat anything the drive circuitry can grab from the
disk and if you bypass the circuitry and connect the right equipment
directly to the drives heads, you would be able to read remapped sectors
such as grown defects, a full overwrite (on pass again) on most modern
drives even eliminates this if it can access these areas.

MFM involves pulling the hard disk apart and doing a physical analysis.
There is a place in Australia that does it and at least 2 in the US and
1 in New Zealand I have heard of.  A doctor one of our techs knows tried
to get data back from a HDD that had NO overwriting, just a very bad
head crash.  He was charged AU$1600 and they recovered ONE file.  It was
a part of the OS.

Remember that a modern hard disks store data in very advanced ways and
VERY tightly packed together... I am not sure how fast you could
manually recover data using a highly advanced (and very expensive)
microscope, but if you recover an average of 8 BITS per second of REAL
DATA (and there is no doubt a lot of hamming code written for the sake
of data integrity), it would take you about 17 minutes for a kilobyte.
It would take you about 83333 DAYS (approx 228 YEARS) working 10 HOURS A
DAY FULL TIME WITH NO BREAKS to recover a standard 3Gb data set.  

To quote some experts: 
"Magnetic Media Microscopy (MMM) is used in cases where data has been
overwritten. MMM is a lengthy process that involves examining each bit
of data at a magnetic level to determine that bit's previous state.
Recovering just a floppy disk using this technology can take days or
weeks. MMM is rarely used because of the cost factor." - ESS Data

Lets say you knew the exact location of the data (or at least the
filename because you could find where you want to go, lets say the SAM
in WinNT), you would have to recover the boot sector (to find the $MFT),
the $MFT to find the $DATA stream of the directory entry for WINNT..
etc.. then finally when you find the exact offset of the disk the SAM is
on, you would have to go the right amount of bytes into the SAM and
recover the encrypted password... still it is very daunting and would
cost money.  

Data recovery is always much easier if everything is defragmented
properly... just imagine the pain if it was part of a striped RAID

The DoD standard is very paranoid and doesn't always work because mapped
out bad sectors are not always wiped (look up "Grown Defect List" on
Google).  If you really want the data gone, incineration is the best
method, then buy a new drive... Degaussing will also work (but you have
to use a very strong degausser and for quite a long time) but it also
renders the drive just as completely inoperable as it will wipe the
sector marks and everything (but at least it still LOOKS intact).  If
you want it so NO SOFTWARE IN THE ENTIRE WORLD can get it off (because
the drive's heads cannot detect overwritten data and the firmware will
therefore not translate it),  a standard one pass wipe with "FORMAT /U"
and I bet you can't get anything meaningful off it! (Note a standard
format without the "U" option doesn't actually do any wipe passes).

Still, all that said and when government bodies ask for a contract, you
will win easier if you quote a standard and do what it says, no matter
how silly it all is.

has a little article that you may also find interesting but it doesn't
have much of a conclusion.

If you want a better read into MFM look here...

In conclusion, in theory wiping it a lot means it is more secure, random
data passes would make MFM rally hard, but in practice, who are you
trying to kid, if your data is THAT valuable (I am talking many many
dollars here), the cost of completely incinerating the drive and buying
a new one is far cheaper than the paying for someone that is trusted to
handle that drives data to sit there and wipe it seven, nine or even
5000 times... and far, far more secure.

-- Benjamin Holmes

-----Original Message-----
From: Vlad [mailto:vlad () verat net]
Sent: Thursday, October 31, 2002 6:10 AM
To: maillist
Subject: Re: Interesting One

U.S. DoD - seven pass extended character rotation wiping [DoD 
And for the sake of argument the program i use has a limit of 
100 passes.
----- Original Message -----
From: "maillist" <maillist () avoiderman com>
To: <security-basics () security-focus com>
Sent: Wednesday, October 30, 2002 7:45 AM
Subject: RE: Interesting One

I disagree with you both - the NSA standard for a drive that will be
recycled is a nine-pass wipe ... involving pseudo-random 
data, 0s and 1s
preferably in a non-predictable order ...

Reading after thirty overwrites is just scare mongering.  
Depending on the
media it might just be possible on some drives (where the 
heads have moved
over time) ... but the kit to read from drives after just a 
couple of
is expensive, and usually just the provision of government types ...


-----Original Message-----
From: Nero, Nick [mailto:Nick.Nero () disney com]
Sent: 29 October 2002 17:30
To: Dave Adams; security-basics () security-focus com
Subject: RE: Interesting One

Well, the NSA standard I believe is that zero-filling a 
drive (writing
all 0's to the platter) will make the data impossible to 
recover, but I
am sure there are some instances when this isn't the 
cause depending on
how retentive the media is and all that.  If is 
degaussed for an extended period of time, I can't imagine 
anything could
recover the data.

Nick Nero, CISSP

-----Original Message-----
From: Dave Adams [mailto:dadams () johncrowley co uk]
Sent: Monday, October 28, 2002 5:06 PM
To: security-basics () security-focus com
Subject: Interesting One

Greetings Folks,

I had an interesting conversation today with someone from FAST
(Federation Against Software Theft) They pretend not to 
be a snitch wing
of the BSA. Anyway, to get to the point, the guy that 
came to see me
said that their forensics guys could read data off a hard 
drive that had
been written over up to thirty times. I find this very 
hard to believe
and told him I thought he was mistaken but the guy was 
adamant that it
could be done. My question is, does anyone have any views 
on this, or,
can anyone point me to a source of information where I 
can get the facts
on exactly how much data can be retrieved off a hard 
drive and under
what conditions etc etc.


Dave Adams

Attachment: smime.p7s

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]