Hard Drive Secure Deletion/Wipe

[James_A]

+1 for debunking the myth.

However, I do wish that people who refer to Peter Gutmann would at least spell his name correctly. <cough> nber.org <cough>.

I use DBAN (see above) to security wipe drives, but the first thing I do is to turn off all that PRNG and multi-pass crap. I want to wipe the drive, not test it to destruction.

Incidentally, CMRR is one of the few places in the world that could recover anything at all from the current generation of drives after just one pass.

[jaclaz]

However, I do wish that people who refer to Peter Gutmann would at least spell his name correctly.

Spelling corrected in my post.

Incidentally, CMRR is one of the few places in the world that could recover anything at all from the current generation of drives after just one pass.

Can I see however an actual report?

Particularly, I would be interested in how they (or anyoone else) can UNIVOCALLY get data from:

the very low level distorted remnant data remains after an overwrite

Remember that the original Gutmann's paper talks about "probabilities"...

jaclaz

Edited November 12, 2008 by jaclaz

[jaclaz]

A newish article definitely debunking the myth :

http://sansforensics.wordpress.com/2009/01...ard-drive-data/

The probabilities have been found to drop quickly to LESS than 50%, thus a simple coin toss would give accuracy comparable to using a Magnetic Force Microscope.

In other words, though several passes can make the data "more" unrecoverable, a single 00 pass is ENOUGH to make data unrecoverable.

What this means

The other overwrite patterns actually produced results as low as 36.08% (+/- 0.24). Being that the distribution is based on a binomial choice, the chance of guessing the prior value is 50%. That is, if you toss a coin, you have a 50% chance of correctly choosing the value. In many instances, using a MFM to determine the prior value written to the hard drive was less successful than a simple coin toss.

The purpose of this paper was a categorical settlement to the controversy surrounding the misconceptions involving the belief that data can be recovered following a wipe procedure. This study has demonstrated that correctly wiped data cannot reasonably be retrieved even if it is of a small size or found only over small parts of the hard drive. Not even with the use of a MFM or other known methods. The belief that a tool can be developed to retrieve gigabytes or terabytes of information from a wiped drive is in error.

Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible. Even speculating on the possible recovery of an old drive, there is no likelihood that any data would be recoverable from the drive. The forensic recovery of data using electron microscopy is infeasible. This was true both on old drives and has become more difficult over time. Further, there is a need for the data to have been written and then wiped on a raw unused drive for there to be any hope of any level of recovery even at the bit level, which does not reflect real situations. It is unlikely that a recovered drive will have not been used for a period of time and the interaction of defragmentation, file copies and general use that overwrites data areas negates any chance of data recovery. The fallacy that data can be forensically recovered using an electron microscope or related means needs to be put to rest.

...quod erat demonstrandum...

http://en.wikipedia.org/wiki/Q.E.D.

jaclaz

[James_A]

Peter Gutmann has added a second epilogue to his original paper criticising the article by Craig Wright.

If you read both of the papers, it doesn't help matters to find that the acronym MFM now has TWO meanings: Modified FM (Frequency Modulation) and now Magnetic Force Microscope. Wright seems to confuse the two with a heading giving the second meaning, closely followed by a diagram using the first meaning. Gutmann also uses both meanings, but in the context in his paper it is clear which means which.

That doesn't mean that Gutmann disagrees with Wright. On the contrary, Gutmann says:

Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don't see how MFM would even get a usable image ...

A comment at SecurityFocus has pointed out that an MFM does not have sufficient resolution to read anything off a modern HDD: the HDD bit density is twice as high as the MFM resolution. This supports Gutmann's last comment.

I agree with jaclaz: the myth is thoroughly debunked and can now be regarded as 100% fact-free.

.