Overwriting once is enough

General discussion about data forensics.

Moderators: Eraser DevTeam, Eraser Moderators

Overwriting once is enough

Postby Walda » Sat Feb 14, 2009 10:20 pm

http://www.heise.de/security/Sicheres-L ... ung/121855 (in German)
http://www.heise-online.co.uk/news/Secu ... t--/112432 (in English)

They concluded that, after a single overwrite of the data on a drive, whether it be an old 1-gigabyte disk or a current model (at the time of the study), the likelihood of still being able to reconstruct anything is practically zero. Well, OK, not quite: a single bit whose precise location is known can in fact be correctly reconstructed with 56 per cent probability (in one of the quoted examples). To recover a byte, however, correct head positioning would have to be precisely repeated eight times, and the probability of that is only 0.97 per cent. Recovering anything beyond a single byte is even less likely.


http://www.springerlink.com/content/408263ql11460147/ (Paper in English)

Often we hear controversial opinions in digital forensics on the required or desired number of passes to utilize for properly overwriting, sometimes referred to as wiping or erasing, a modern hard drive. The controversy has caused much misconception, with persons commonly quoting that data can be recovered if it has only been overwritten once or twice. Moreover, referencing that it actually takes up to ten, and even as many as 35 (referred to as the Gutmann scheme because of the 1996 Secure Deletion of Data from Magnetic and Solid-State Memory published paper by Peter Gutmann) passes to securely overwrite the previous data. One of the chief controversies is that if a head positioning system is not exact enough, new data written to a drive may not be written back to the precise location of the original data. We demonstrate that the controversy surrounding this topic is unfounded.
Walda
 
Posts: 8
Joined: Sat Feb 14, 2009 9:27 pm

Re: Overwriting once is enough

Postby Joel » Mon Feb 16, 2009 4:58 am

Thanks for the post!

Joel
Be sure to read the FAQ before posting. If you found this application useful, please contribute to Eraser's development.

I develop Eraser but I am not an employee of Heidi Computers Ltd. My views do not represent those of Heidi Computers Ltd.
Don't PM or Email me questions: they won't be answered any faster than on the forum and knowledge won't be accessible by all.
User avatar
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: Overwriting once is enough

Postby Snoogins » Mon Jan 25, 2010 6:36 pm

This is good info.
It's easy to delve headfirst into a hard disk wearing 35 pass overwrite hoping you are now completely secure.
Always suspected that a proper overwrite didn't require more than a few passes, it surprises me none the less that a single pass is enough.

Cheers
Snoogins
 
Posts: 1
Joined: Mon Jan 25, 2010 6:22 pm

Re: Overwriting once is enough

Postby matthewsheeran » Sat Feb 13, 2010 2:01 pm

Good article. I knew this But technically one overwrite in software is (either) not good enough (or unnecessary if you use the right hard drive ... further follows)!

An ATA Secure Erase should performed which erases those mapped out dud and flakey sectors dynamically mapped out by the HDD controller that might just accidentally have had your banking etc PIN on it that you typed into a txt file and forgot lest you would forget your PIN too and could get mapped back in again if they turn good or under appropriate instructions to the controller... :-)

If you use a FDE (Full Drive Encryption drive using AES (like those from Seagate and my next and permanent future upgrades) then provided your password is complex enough they shouldn't be readily cracked and the contents of your should appear necessarily - for the encryption to be any good - pseudo-random -: you therefore never need ever erase the drive before re-purposing it -: just reset your password to nothing and the drive may then be re-used by and all and sundry and nothing to worry about... :-)

Message me and I will provide links to info if anyone really doesn't believe or cannot find more the info for themselves...

So you can see why my next drive(s) will be FDE that work transparently with the BIOS HDD Power-On Password support (that I already use anyway even though it is crackable by experts with a regular non-FDE drive).

Cheers and thanks for the articles anyway although I personally don't need em. :-D
(Mind you I am thorough little bugger so I will come back and skim em - thanks...)
Regards all...
matthew
matthewsheeran
 
Posts: 2
Joined: Sat Feb 13, 2010 1:41 pm

Re: Overwriting once is enough

Postby matthewsheeran » Sat Feb 13, 2010 2:26 pm

Old habits die hard though so I reckon I would do either an ATA Secure (H/W) Erase first or a single pass of pseudo-random bytes (S/W Erase) so the non-zero mapped out sectors that might get or be mappable back in again don't stick out like dogs balls amongst alternatively zero-ed sectors even on an FDE drive! Mind you, zero writes to the sectors in the latter case wont be zero's if this is done while any password is still set on an FDE drive, although, if done while the password (and therefore) encryption is off (i.e. may be blank password etc depending upon the exact mechanism) there will be so little mapped out and hidden area data left over to process for decrypt-analysis purposes that perhaps cracking even a lousy password might be a very low risk and difficult scenario indeed when the bulk of the data you want to process has already been zero-ed out!

Finished finally,
Matthew
matthewsheeran
 
Posts: 2
Joined: Sat Feb 13, 2010 1:41 pm

Re: Overwriting once is enough

Postby Joel » Mon Feb 15, 2010 11:17 pm

matthewsheeran wrote:An ATA Secure Erase should performed which erases those mapped out dud and flakey sectors dynamically mapped out by the HDD controller that might just accidentally have had your banking etc PIN on it that you typed into a txt file and forgot lest you would forget your PIN too and could get mapped back in again if they turn good or under appropriate instructions to the controller... :-)
Agreed, and that is a very real problem when erasing under User mode (and even DBAN too) but most modern drives have a relatively low remap count, and if you are using those spare sectors then you probably should be getting a new drive (and mechanically destroy the old drive.) Sectors almost never become "good" from "bad" as far as I know.

matthewsheeran wrote:If you use a FDE (Full Drive Encryption drive using AES (like those from Seagate and my next and permanent future upgrades) then provided your password is complex enough they shouldn't be readily cracked and the contents of your should appear necessarily - for the encryption to be any good - pseudo-random -: you therefore never need ever erase the drive before re-purposing it -: just reset your password to nothing and the drive may then be re-used by and all and sundry and nothing to worry about... :-)
There's always the possibility of a key compromise, and the remote possibility that AES is broken tomorrow -- go figure :P
Be sure to read the FAQ before posting. If you found this application useful, please contribute to Eraser's development.

I develop Eraser but I am not an employee of Heidi Computers Ltd. My views do not represent those of Heidi Computers Ltd.
Don't PM or Email me questions: they won't be answered any faster than on the forum and knowledge won't be accessible by all.
User avatar
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: Overwriting once is enough

Postby Joel » Mon Feb 15, 2010 11:19 pm

matthewsheeran wrote:if done while the password (and therefore) encryption is off (i.e. may be blank password etc depending upon the exact mechanism) there will be so little mapped out and hidden area data left over to process for decrypt-analysis purposes that perhaps cracking even a lousy password might be a very low risk and difficult scenario indeed when the bulk of the data you want to process has already been zero-ed out!
That also applies to regular user-level erasures -- if only a minute amount of data remains, then it is highly unlikely that it would b recoverable.
Be sure to read the FAQ before posting. If you found this application useful, please contribute to Eraser's development.

I develop Eraser but I am not an employee of Heidi Computers Ltd. My views do not represent those of Heidi Computers Ltd.
Don't PM or Email me questions: they won't be answered any faster than on the forum and knowledge won't be accessible by all.
User avatar
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore


Return to Data Forensics

Who is online

Users browsing this forum: No registered users and 2 guests