Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: BugTraq: EFS Win 2000 flaw
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Mon, 22 Jan 2001 16:13:55 -0800

On Fri, 19 Jan 2001, Russ wrote:

To the best of my knowledge, Peter Guttman(sp?) has demonstrated for years
now that there is no form of over-writing which makes any substantial
difference to the ability to recover previously written data from a computer
hard disk.

My understanding of current "high security" standards wrt the re-use of
disks which previously contained classified materials is that they only be
re-used in similarly classified systems, or, are destroyed beyond any form
of molecular reconstruction (e.g. melted).

I see a big difference in being able to recover some files by simply
booting to a different OS vs. having to break out the electron microscope
and manually piece bits together.  I could boot DOS or Linux to read a
deleted file... I don't think I'd be able to find someone who could read
the bits from 3 writes ago off of a physical disk surface for me... unless
you gave me a huge amount of time and money.

If the problem does exist as described... the possibility that a
government forensics lab might recover some data is no exucse for not
handling temp files properly for EFS.

                                                Ryan


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]