Do we really need the multiple passes for overwriting?

Post by pli » Thu Apr 05, 2012 8:42 pm

Hi, expert,

I read this in the help file for Eraser, and it is very good and offers some insight into why we need multiple passes:
The main purpose of overwriting is to alter the magnetic polarity of each domain on the disk platter as much as possible so it will be extremely hard to determine their previous state.

If the data was written directly to the disk, files could simply be overwritten with patterns consisting only of ones or zeros. However, various run-length limited encoding algorithms are used in hard disks to prevent read/write head from losing its position and therefore, only limited amount of adjacent ones or zeros will be written to the disk. This is why different encoding schemes must be taken into account when selecting overwriting patterns.

In his paper Secure Deletion of Data from Magnetic and Solid-State Memory, Peter Gutmann has discussed the subject further. In chapter Erasure of Data stored on Magnetic Media he suggests a 35 pass overwriting method which should erase the data despite the drive encoding and this method is used as the default overwriting method for Eraser.


However, this wiki page: http://en.wikipedia.org/wiki/Data_erasu ... tes_needed, says:
Data on floppy disks can sometimes be recovered by forensic analysis even after the disks have been overwritten once with zeros (or random zeros and ones).[21] This is not the case with modern hard drives:

According to the 2006 NIST Special Publication 800-88 Section 2.3 (p. 6): "Basically the change in track density and the related changes in the storage medium have created a situation where the acts of clearing and purging the media have converged. That is, for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack


I would assume that most computers have a modern hard disk, and that would mean that a single pass is sufficient, which would make the erase much quicker. Am I missing something here?
pli
 
Posts: 38
Joined: Tue Apr 03, 2012 8:23 pm

Re: Do we really need the multiple passes for overwriting?

Post by DavidHB » Thu Apr 05, 2012 11:10 pm

No, you are not missing anything, and your understanding is correct.

Incidentally, Peter Gutmann long ago said, in pretty forthright language, that the 35 pass method he devised had been completely misunderstood and had quite wrongly been represented as some sort of gold standard. The point of the 35 passes was that they would remove residual data artefacts on all the drive types in use when Gutmann wrote his original article (1996). No one drive type needed all 35 passes (but most users would not know which drive type they were using and which passes they needed to run). Once drive types became more standardised and data densities increased, researchers found that a single pass was sufficient to make recovery of erased data impractical, even though some artefacts did remain after the data had been erased. This means that increasing the number of passes does not materially add to the certainty of erasure.

Joel has said that he made the Gutmann method the default for file and folder erasing in Eraser 6 because users had come to expect it. This is understandable, and I agree with Joel's assessment that if the user is erasing small quantities of files and folders, the erasing process is still completed quickly even with the Gutmann method. Of course, when users start to erase many gigabytes of data at one go, they rapidly find that erase times become unacceptably long with 35 passes. Personally, I use a 3 pass method for file/folder erasing (hopefully to reduce the number of artefacts that remain) and a single pass (which is also the program default) for free space erasing.

The wild card in all of this is that we just don't know whether some security agency or another has discovered a means of reconstructing erased data from the residual artefacts, and (for obvious reasons) is keeping that fact quiet. If that has happened (and I guess that it has not), said agency would only be able to use the knowledge infrequently and on high value targets, or the fact that it had the knowledge would quite quickly leak out. Ordinary individuals whose activities do not, at least in democratic countries, interest the security organs of the state are not likely to find themselves at risk from capabilities that security services wish to keep secret.

David
I am not an Eraser programmer, but a long-time user; my views may not be the same as those of the Eraser programming team.
Before posting, please read the top 4 topics in the Eraser FAQ, which already provide many of the answers users need.
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK

Re: Do we really need the multiple passes for overwriting?

Post by pli » Fri Apr 06, 2012 3:28 pm

Thanks for detailed explanation, David. It makes sense to me now.
pli
 
Posts: 38
Joined: Tue Apr 03, 2012 8:23 pm

Re: Do we really need the multiple passes for overwriting?

Post by neilart » Tue May 01, 2012 7:01 pm

Thanks DavidHB. I wish I had come to this forum sooner. I have just recently been tinkering with Eraser's settings and ended up settling on the exact setup you described. Could have saved me some time! Thanks for giving some background.
neilart
 
Posts: 1
Joined: Tue May 01, 2012 6:57 pm

Re: Do we really need the multiple passes for overwriting?

Post by DavidHB » Wed May 02, 2012 3:33 pm

@neilart

You are very welcome (in both senses!). If you haven't done so already, I suggest that you read the 'sticky' topics at the top of the FAQ, which, taken together, provide a good grounding in how to use Eraser and related issues.

David
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK

Re: Do we really need the multiple passes for overwriting?

Post by H4rry 4lph4 » Mon Aug 13, 2012 11:19 am

If users really can't escape the feeling (founded on some rationale!) that a large multiple of passes are required, can the program operate such that it does one pass on everything, then goes back to the first file for the second ...

This way, I'm thinking, for a large file-set it securely wipes the largest number of files as quickly as possible. Instead of securely wiping one file, then the next ... which means that a potentially large number of files are left for some considerable time.

Or does it operate this way already? :oops:

Cheers. 8)
H4rry 4lph4
 
Posts: 1
Joined: Mon Aug 13, 2012 11:07 am

Re: Do we really need the multiple passes for overwriting?

Post by DavidHB » Mon Aug 13, 2012 7:31 pm

H4rry 4lph4 wrote: Or does it operate this way already?

For file and folder erasing, Eraser deals with each file/folder in turn. It has to do this to operate with one file stream at a time; I would guess that any other approach would be impossibly complex to code.

Free space erasing is done by writing files to empty space and then deleting them, so your question does not really apply in that case.

I believe that the best form of user 'education' would be to set, say, a three pass method as the default for file and folder erasing. A few years ago, this might have provoked a great deal of complaint, because the Gutmann method was (wrongly) regarded as a form of gold standard. A three pass default would be more defensible now.

David
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK
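
The pass ordering H4rry 4lph4 asks about (one pass over every file before any file gets its second pass), as an added sketch that is not part of the thread and is not Eraser's code. The function names, the three fill patterns and the chunk size are assumptions made for illustration, and the sketch assumes a filesystem and drive that rewrite a file's blocks in place.

```python
import os
import tempfile

CHUNK = 64 * 1024  # write buffer size (arbitrary choice for this sketch)

def overwrite_once(path, fill):
    """Overwrite the file's current length in place with `fill`
    (a single byte, or None for random data) and flush it to the device."""
    left = os.path.getsize(path)
    with open(path, "r+b") as f:       # r+b rewrites in place, no truncation
        while left > 0:
            n = min(CHUNK, left)
            f.write(os.urandom(n) if fill is None else fill * n)
            left -= n
        f.flush()
        os.fsync(f.fileno())           # do not leave the pass in the OS cache

def wipe_pass_major(paths, fills):
    """Pass-major order: every file receives pass 1 before any file
    receives pass 2. Returns the (pass_number, path) sequence executed."""
    order = []
    for pass_no, fill in enumerate(fills, start=1):
        for p in paths:
            overwrite_once(p, fill)
            order.append((pass_no, p))
    for p in paths:
        os.remove(p)                   # unlink only after the final pass
    return order

if __name__ == "__main__":
    # Constructed sample data: three files of different sizes.
    d = tempfile.mkdtemp()
    paths = []
    for i, size in enumerate((10, 70_000, 200_000)):
        p = os.path.join(d, f"sample{i}.bin")
        with open(p, "wb") as f:
            f.write(b"S" * size)
        paths.append(p)
    # Assumed 3-pass scheme: zeros, ones, random.
    for pass_no, p in wipe_pass_major(paths, [b"\x00", b"\xff", None]):
        print(f"pass {pass_no}: {os.path.basename(p)}")
```

With this ordering every file has been overwritten once after the first sweep, so an interrupted job leaves no file untouched once pass 1 has completed.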
