Recovery of Data After Secure Erase

Rasputin

New Member
A local TV reporter in Kansas City did a story entitled “Your Computer Never Forgets”.

He said that no matter how many times the data can still be recovered.

I would like to know if this is true.

Can anyone cite a verifiable source in which a program like Eraser was used and the data was still recovered?

My own view is that if a person uses whole disc encryption from day one and never creates a plain text file then secure deletion is unnecessary and the data should be secure.
 

jackjack

Member
Rasputin said:
Can anyone cite a verifiable source in which a program like Eraser was used and the data was still recovered?
I've yet to see a verified case in many years. That's not to say it can't be done but no one is openly admitting it.


Rasputin said:
My own view is that if a person uses whole disc encryption from day one and never creates a plain text file then secure deletion is unnecessary and the data should be secure.
Not really, encryption always has the potential to be cracked, so you should always treat it as such and securely delete files and securely wipe free space. Also once the computer is booted the files and filesystem are accessible by all.
 

Rasputin

New Member
JackJack said, "Not really, encryption always has the potential to be cracked, so you should always treat it as such and securely delete files and securely wipe free space. Also once the computer is booted the files and filesystem are accessible by all."


I agree that encryption always has the potential to be cracked.

It is true that once the system is booted then the encrypted system is available to all if you are using XP Pro's implementation of AES 256 or Bitlocker.

It is not true if you are using TrueCrypt which requires a second log on after the system is booted and can be set to require presentation of Keyfiles which serve as additional authentication. The keyfiles can be kept on a jump drive that you can carry with you.

Booting can be prevented by moving Windows start up keys to a USB memory stick.

I use Eraser on all files and wipe the free space regularly.
I also removed the drive after I nuke it, take it out to the garage, lay it on a concrete floor and beat on it with a sledge hammer until it is difficult to tell what it was.



My problem is that I am trying to find evidence to refute the News story that once data is written to a hard drive it can always be recovered.
 

jackjack

Member
Rasputin said:
It is not true if you are using TrueCrypt which requires a second log on after the system is booted and can be set to require presentation of Keyfiles which serve as additional authentication. The keyfiles can be kept on a jump drive that you can carry with you.
If it is mounted it can be accessed. You also have to assume that the crypto will never be computationally cracked, which will more than likely happen, could be tomorrow, could be next year, could be in 100's of years time. Key files can be beaten out of you ;) (yes I am aware of plausible deniability).

Rasputin said:
I also removed the drive after I nuke it, take it out to the garage, lay it on a concrete floor and beat on it with a sledge hammer until it is difficult to tell what it was.
Nothing like a healthy dose of paranoia :)

Rasputin said:
My problem is that I am trying to find evidence to refute the News story that once data is written to a hard drive it can always be recovered.
The onus shouldn't be on you to prove something can't be done, it should be on them to show it can be. To me it sounds like they are spreading FUD or are misinformed. Call them out and ask them to recover a file from a disk you supply to them.

A similar challenge is currently running here - http://16systems.com/zero/index.html

On an aside, I wouldn't mind seeing the news piece, is it online anywhere?
 

jackjack

Member
Rasputin said:
Good lord, for such a short clip they sure did manage to pack a lot of FUD in. One thing, if I understood correctly, was that Stephen 'Cut the sides don't touch the back' Bright never actually referred to secure file erasing until the very end, he does mention overwriting but I don't think that was what he meant, I could be wrong though. With regards to suggesting people pay for secure file deletion, what's the bets his company supply this service....

If you are in the same area as this company, Rasputin, how about giving them a call and challenging them to recover data, or even point them to this thread ;)
 

Rasputin

New Member
Rasputin said:
If you are in the same area as this company, Rasputin, how about giving them a call and challenging them to recover data, or even point them to this thread ;)
I may consider this at some time in the future.

Jeff Vaughn, the newsman, has not acknowledged my last email I sent him.

I am sure that somewhere there is some definitive information in engineering journals or court records where data recovery efforts after secure deletion have either been successful or have failed.

I sent Hedi Computers an email through their web portal and have no response.

I would think that they would have an interest in defending the product since the piece suggests that secure deletion is not effective.
 

jackjack

Member
Rasputin said:
I have found what looks like an authoritative paper on the subject as follows:

Secure File Deletion: Fact or Fiction?
http://www.sans.org/reading_room/whitep ... nt/631.php
It's interesting on where he was going but there are a few issues. The paper was written in 2006 and mentions the Gutmann method as well as quoting Gutmann from his paper (written in 1996) saying "it is effectively impossible to sanitize storage locations by simply overwriting them....". What he didn't mention was that several years before Mallery authored his paper, Gutmann had stated that his wipe method was overkill on modern drives and a one pass wipe should suffice in most cases. Mallery then goes on to mention the oft bandied about magnetic force microscopy (MFM) and how it can recover data, but nicely sidesteps the gory details.

So here are some basics of MFM:


This painstaking process takes several months, and when it is finished these pictures have to be stitched together.

Consider that a 20GB hard drive consists of 160,000,000,000 bits. Including overheads that could rise to around 300,000,000,000 bits, with each individual bit represented by a magnetic flux change. Since each MFM picture displaying this flux change uses around 100 bytes, the result is 40 Terabytes of data to be analyzed. Data recovery by this means can cost 100,000s of dollars, but it can recover data where no other method can.


If you take into account that the above example was only using a 20GB hdd and that modern drives are typically 12 - 50 times that size, the whole recovery process becomes a lot harder. No data recovery company is going to shell out hundreds of thousands of dollars and months / years of work to recover someone's deleted files.

I think Simple Nomad, at this year's ShmooCon, said it best. (paraphrasing) A 3 pass DoD standard wipe* will be secure enough for anyone. If data is recovered from your hard drive after this you have bigger problems as you are already going to be in Guantanamo...

Rasputin said:
Looks like the reporter may have been right.
Theoretically yes, but they were not discussing MFM in any way, shape or form in the video. You can be sure that his source, Stephen Bright, is incapable of that. So one can assume that his claim of 99.9% success rate means that they only deal with very basic data recovery that does not involve secure deletion.

* The 7 pass as it turns out is not a standard, just a requirement by one specific US Mil department if SN is to be believed.
 

Rasputin

New Member
Thank you for your analysis.

I now have formed the belief that eraser is safe to use against any reasonably anticipated threat.

Any organization with virtually unlimited resources like the CIA, the FBI or Microsoft can probably recover data overwritten with it.

I am not trying to hide data from the government.

I want the computer to be made safe to give away and to protect data in the event of theft.

Before retirement I had third party medical records, legal correspondence and summaries of evidence including evidentiary photographs of vehicles, intersections and building defects to protect.

In retirement the data is personal but important to me.

I have noted your comments on the fact that modern ciphers may be broken in the future.
They may have been broken already. Any party who breaks the ciphers has a tremendous advantage in keeping the fact that they have broken them a secret.

In our choices to defend our data we are limited to tools that are available.

High grade ciphers and secure deletion may not be perfect but they are still effective defense measures and should not be abandoned just because they may not be perfect.

You appear to be well educated in the matters and I appreciate your insightful response.

If you or anyone else present finds any definitive articles on these issues I would appreciate their being posted.

Articles from peer reviewed journals would have the highest value.

Next in the order of importance would be verifiable cases of success or failure in data recovery and secure deletion. Verdict reports and court records would be of interest.
 

jackjack

Member
Rasputin said:
If you or anyone else present finds any definitive articles on these issues I would appreciate their being posted.

Articles from peer reviewed journals would have the highest value.

Next in the order of importance would be verifiable cases of success or failure in data recovery and secure deletion. Verdict reports and court records would be of interest.
It's unfortunately an area where getting hard and fast data proves quite difficult. The time and resources to do the testing are very high so it keeps most hobbyists out of the running and those that can probably don't want others knowing. The last worthwhile research I remember reading was by Kurt Seifried back in 2001/2002, in which he discovered issues with a number of programs, including I believe Eraser, and how they handled metadata (or not as the case was).

Most countries have their own sanitization standards but, taking the US as an example, NIST SP 800-88 (2006) outlines current sanitization practices for US Govt. There are 4 types:


* Disposal is defined as the act of discarding media with no other sanitization considerations. Examples of Disposal include discarding paper in a recycling container, deleting electronic documents using standard file deletion methods and discarding electronic storage media in a standard trash receptacle.

* Clearing is defined as a level of sanitization that renders media unreadable through normal means. Clearing is typically accomplished through an overwriting process that replaces actual data with 0’s or random characters. Clearing prevents data from being recovered using standard disk and file recovery utilities.

* Purging is defined as a more advanced level of sanitization that renders media unreadable even through an advanced laboratory attack. In traditional thinking, Purging consists of using specialized utilities that repeatedly overwrite data; however, with advancements in electronic storage media, the definitions of Clearing and Purging are converging. For example, Purging a hard drive manufactured after 2001 only requires a single overwrite. For the purpose of this Guideline, Clearing and Purging will be considered the same. Degaussing is also an acceptable method of Purging electronic storage media; however, this typically renders the media unusable in the future.

* Destroying is defined as rendering media unusable. Destruction techniques include but are not limited to disintegration, incineration, pulverizing, shredding and melting. This is a common sanitization method for single-write storage media such as a CD or DVD for which other sanitization methods would be ineffective. This is also a common practice when permanently discarding hard drives.


Clearing is generally regarded as safe enough for everything but Top Secret material. In table 2.1 on page 8 of NIST SP 800-88 it states that Studies have shown that most of today’s media can be effectively cleared by one overwrite followed by verification* for drives from 2001 onwards, drives older than 2001 should have multiple passes.

* Interestingly here Eraser, while using the oft bandied about DoD 5220.22-M (chapter 8 section 3.06) (1995) standard as a method ( /e ), does not meet the US Govt standards for purging data, as Eraser does not verify after wiping (/d). (There is a verify.exe with Eraser but it only allows you to verify deletion of one file at a time and not free space). Eraser does go above and beyond for "clearing" a drive, giving a 3 pass option instead of the recommended 1.
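
Added example, not part of the original thread and not Eraser's own code: the "one overwrite followed by verification" step quoted from NIST SP 800-88 in the post above, applied to a single file in Python. The function names, the 1 MiB block size and the temporary sample file are assumptions of this example.

```python
import os
import tempfile

BLOCK = 1 << 20  # 1 MiB per write/read; arbitrary choice for this example

def overwrite_once(path, pattern=b"\x00"):
    """Single in-place pass over the file's current length.
    File name, slack space and journal copies are out of scope here."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(BLOCK, remaining)
            f.write(pattern * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # ask the OS to push the pass to the device
    return size

def verify(path, pattern=b"\x00"):
    """Read the file back; return offsets of blocks not holding the pattern.
    The read-back may be served from the OS cache rather than the platter."""
    bad = []
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                break
            if chunk != pattern * len(chunk):
                bad.append(offset)
            offset += len(chunk)
    return bad

def clear_and_verify(path):
    """One overwrite, then verification; True only if every block is clean."""
    overwrite_once(path)
    return verify(path) == []

def demo():
    # Constructed sample: random bytes in a temp file stand in for the target.
    with tempfile.NamedTemporaryFile(delete=False) as t:
        t.write(os.urandom(3 * BLOCK + 123))
        path = t.name
    try:
        before = verify(path)  # random data: every block mismatches
        ok = clear_and_verify(path)
        return len(before), ok, os.path.getsize(path)
    finally:
        os.remove(path)
```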
 

jackjack

Member
To finish off, I'd be pretty confident that your use of FDE (or containers) along with secure erasing is good enough to prevent all casual attacks and at least slow down any determined (read Govt) attacks (assuming your keys are strong).
 