NAVIGATION
CATEGORIES
REFERRENCE
LINKS
Wiping data from drive question
29 answers - 340 bytes -
A co-worker made a statement that data is recoverable from a hard drive even
after you write zeros to all sectors of the hard drive. I was always under
the impression that once you wrote zeros to all sectors that any data that
was there is impossible to recover. Does anyone have any thoughts on this?
Thanks!No.1 | | 681 bytes |
| 
There are techniques where you can retrieve some data because if a place on
the disk had a "1" for a long period of time, theoretically, then changed
to a "0" (you wiped the disk) there would be a "shadow" of a "1" left. You
have to write a combo of zeros and ones many, many times say 10,000
times
Imhotep
Doofus McFly wrote:
A co-worker made a statement that data is recoverable from a hard drive
even after you write zeros to all sectors of the hard drive. I was always
under the impression that once you wrote zeros to all sectors that any
data that was there is impossible to recover. Does anyone have any
thoughts on this? Thanks!No.2 | | 467 bytes |
| Doofus McFly wrote:
A co-worker made a statement that data is recoverable from a hard drive even
after you write zeros to all sectors of the hard drive. I was always under
the impression that once you wrote zeros to all sectors that any data that
was there is impossible to recover. Does anyone have any thoughts on this?
Thanks!
Your co worker is correct. These techniques usually require specialized
hardware,
however.No.3 | | 644 bytes |
| <paulmd@efn.orgwrote in message
news:1150249756.490404.238680@
Doofus McFly wrote:
>A co-worker made a statement that data is recoverable from a hard drive
>even
>after you write zeros to all sectors of the hard drive. I was always
>under
>the impression that once you wrote zeros to all sectors that any data
>that
>was there is impossible to recover. Does anyone have any thoughts on
>this?
>Thanks!
>
>
Your co worker is correct. These techniques usually require specialized
hardware,
however.
expensive specialized hardwareNo.4 | | 968 bytes |
| Tue, 13 Jun 2006 18:30:08 -0700, "Doofus McFly"
<DMcFly@aol.comwrote:
>A co-worker made a statement that data is recoverable from a hard drive even
>after you write zeros to all sectors of the hard drive. I was always under
>the impression that once you wrote zeros to all sectors that any data that
>was there is impossible to recover. Does anyone have any thoughts on this?
>Thanks!
Merely overwriting it once with the same digit will allow a
professional with specialized equipment to recover "some" if
not all of the data, at great cost (computer repair shop or
the like could not do it).
Random overwriting with a couple of passes makes it MUCH
more difficult, practically impossible. The prior poster is
incorrect about 10,000 passes, a couple of random passes is
sufficient but prudence with sensitive data would suggest at
least 3 or 4 passes.No.5 | | 1242 bytes |
| Not impossible but very unlikely without access to the proper equipment and
having the necessary skills. It may take a little longer but it is a good
idea to erase to DD standards or better which most erase programs will
allow you to do. With XP Pro or Windows 2003 you can use cipher /w to do a
decent quick job of overwriting data. A sledge hammer and bucket of
sulphuric acid is probably the most secure solution for permanent
destruction of data but should not be attempted by amateurs. What I find
shocking is the lack of simple security procedures being used such as the
idiot that had a disk with sensitive data on all military retires at his
home unsecured with no encryption. Steve
"Doofus McFly" <DMcFly@aol.comwrote in message
news:e5URTI1jGHA.1324@TK2MSFTNGP04.phx.gbl
>A co-worker made a statement that data is recoverable from a hard drive
>even after you write zeros to all sectors of the hard drive. I was always
>under the impression that once you wrote zeros to all sectors that any data
>that was there is impossible to recover. Does anyone have any thoughts on
>this? Thanks!
>
>
>
>No.6 | | 375 bytes |
| kony wrote:
Random overwriting with a couple of passes makes it MUCH
more difficult, practically impossible. The prior poster is
incorrect about 10,000 passes, a couple of random passes is
sufficient but prudence with sensitive data would suggest at
least 3 or 4 passes.
The randomness isn't needed either. Zeros will do as well.No.7 | | 965 bytes |
| Steven L Umbach wrote:
It may take a little longer but it is a good
idea to erase to DD standards or better which most erase programs will
allow you to do. With XP Pro or Windows 2003 you can use cipher /w to do a
decent quick job of overwriting data.
If you read the documentation on how the SDelete utility from
Sysinternals works (same applies to the utility Eraser), then you might
understand that file system cache, harddrive cache, journaling (which is
common on NTFS) and data relocation pose a very real threat to such
simple methods, making them fail so blatantly when not carefully considered.
And even then you should be aware of bad sector relocations of your
harddrive. At least SCSI 2 always and SATA optionally, but not IDE
allows you to retrieve a list of bad sectors that are normally hidden
from the view. Still you won't be able to see their data content or to
overwrite them.No.8 | | 824 bytes |
| paulmd@efn.org wrote:
>The randomness isn't needed either. Zeros will do as well.
>
The randomness IS necessary. If the recovery specialist knows that the
data was zeroed, then he has a better chance of getting recoverable
data. The ones would make themselves known. But if the pattern is
random, the task becomes much harder.
The new data has no significant, if any influence on how its noise
cancels out rest signals of old data. Actually in modern harddisks
there's hardly any difference between zeros and ones without knowing the
context, doing a very careful signal estimation and utilizing a lot of
error correction codes - a short glimpse at the signal would essentially
show you no difference to a noisy sinus wave.No.9 | | 763 bytes |
|
Frank Saunders, MS-MVP E wrote:
<paulmd@efn.orgwrote in message
news:1150249756.490404.238680@
Doofus McFly wrote:
>A co-worker made a statement that data is recoverable from a hard drive
>even
>after you write zeros to all sectors of the hard drive. I was always
>under
>the impression that once you wrote zeros to all sectors that any data
>that
>was there is impossible to recover. Does anyone have any thoughts on
>this?
>Thanks!
>
>
Your co worker is correct. These techniques usually require specialized
hardware,
however.
--
expensive specialized hardware
Starting with the clean room and maintance of same.No.10 | | 669 bytes |
| Sebastian Gottschalk wrote:
kony wrote:
Random overwriting with a couple of passes makes it MUCH
more difficult, practically impossible. The prior poster is
incorrect about 10,000 passes, a couple of random passes is
sufficient but prudence with sensitive data would suggest at
least 3 or 4 passes.
The randomness isn't needed either. Zeros will do as well.
The randomness IS necessary. If the recovery specialist knows that the
data was zeroed, then he has a better chance of getting recoverable
data. The ones would make themselves known. But if the pattern is
random, the task becomes much harder.No.11 | | 583 bytes |
| G'day:
<paulmd@efn.orgwrote in message
news:1150268867.058901.177560@
Frank Saunders, MS-MVP E wrote:
>expensive specialized hardware
>
Starting with the clean room and maintance of same.
Has anyone in this group seen data recovered from a disk that was wiped
using single-pass zero writing?
Five passes - ones*2, zeroes*2, random - officially do the trick. But I
think in reality there is very little that one can recover after a single
pass, and much less so if the single pass israndom bits.No.12 | | 1829 bytes |
| Hi Slav, I hope you have been fine . . .
I am also curious what the experience may be from those that
have done this, have access to the technology for this.
I recall an article in a scientific journal many years back (the disk
plate technologies have without doubt changed a number of times
since then) which looked at reading the data with pattern matches
with microscope images of the coating material and let me with
the concept that a bandsaw, crusher, acid bath was the secure
way to be certain no data leakage would happen.
While I basically agree with your post, I find it may be on a shaky
grounding for some readers due to two reasons.
1. as another mentioned in this thread, there is the bad sectors issue
2. "officially" was used. Now this may be an Aussy-fication <gbut
to a US English-native speaker that implies someone "official",
some authoritative agency, has made that recommendation.
Perhaps "practically" would have been better ?
Roger
"S. Pidgorny <MVP>" <slavickp@yahoo.comwrote in message
news:u28pHF5jGHA.4508@TK2MSFTNGP05.phx.gbl
G'day:
<paulmd@efn.orgwrote in message
news:1150268867.058901.177560@
>>
>Frank Saunders, MS-MVP E wrote:
expensive specialized hardware
>>
>Starting with the clean room and maintance of same.
>
Has anyone in this group seen data recovered from a disk that was wiped
using single-pass zero writing?
Five passes - ones*2, zeroes*2, random - officially do the trick. But I
think in reality there is very little that one can recover after a single
pass, and much less so if the single pass israndom bits.No.13 | | 1017 bytes |
| Wed, 14 Jun 2006 07:47:45 +0200, Sebastian Gottschalk
<seppi@seppig.dewrote:
>kony wrote:
>
>Random overwriting with a couple of passes makes it MUCH
>more difficult, practically impossible. The prior poster is
>incorrect about 10,000 passes, a couple of random passes is
>sufficient but prudence with sensitive data would suggest at
>least 3 or 4 passes.
>
>The randomness isn't needed either. Zeros will do as well.
No, 0 or 1 is only an absolute based on a threshold. If one
doesn't "round off" to a threshold but takes absolute values
the signature from a same-bit fill can distinguish the prior
data.
Now, if you were to continually overwrite the same areas,
over and over again with zeros, this would work better, but
not ideally, and why would one want to do that several more
times than it would take to write randomly? There would be
no reason to do it.No.14 | | 1175 bytes |
| Wed, 14 Jun 2006 10:05:30 +0200, Sebastian Gottschalk
<seppi@seppig.dewrote:
>paulmd@efn.org wrote:
>
The randomness isn't needed either. Zeros will do as well.
>>
>The randomness IS necessary. If the recovery specialist knows that the
>data was zeroed, then he has a better chance of getting recoverable
>data. The ones would make themselves known. But if the pattern is
>random, the task becomes much harder.
>
>The new data has no significant, if any influence on how its noise
>cancels out rest signals of old data. Actually in modern harddisks
>there's hardly any difference between zeros and ones without knowing the
>context, doing a very careful signal estimation and utilizing a lot of
>error correction codes - a short glimpse at the signal would essentially
>show you no difference to a noisy sinus wave.
We're not talking about a short glimpse, rather someone who
is experienced and _trying_ to recover the data with the
correct equipment.No.15 | | 393 bytes |
| kony wrote:
We're not talking about a short glimpse, rather someone who
is experienced and _trying_ to recover the data with the
correct equipment.
You may or may not notice that just signal evaluation in a normal read
process today is just about recover. If there were any significant
redundancies left, we'd exploit them to store more data.No.16 | | 481 bytes |
| kony wrote:
Now, if you were to continually overwrite the same areas,
over and over again with zeros, this would work better, but
not ideally, and why would one want to do that several more
times than it would take to write randomly? There would be
no reason to do it.
This is just bull**** argumentation.
As the rest signal is independent from the new data, there's essentially
no difference with what exactly you overwrite.No.17 | | 1552 bytes |
| Tue, 13 Jun 2006 22:06:43 -0500, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.netwrote:
>Not impossible but very unlikely without access to the proper equipment and
>having the necessary skills. It may take a little longer but it is a good
>idea to erase to DD standards or better which most erase programs will
>allow you to do. With XP Pro or Windows 2003 you can use cipher /w to do a
>decent quick job of overwriting data. A sledge hammer and bucket of
>sulphuric acid is probably the most secure solution for permanent
>destruction of data but should not be attempted by amateurs.
I often hear of these excessive methods and just pass it off
as overkill but effective.
It isn't really effective at all. If one has done the
random-overwrite the data is already gone- end of story.
If one has not done the random overwrite and intends to
remove the drive for later destruction, it is only
subjecting the drive to more potential for it to fall into
the wrong hands, hands that would obviously be willing to go
to extremes to get it if they're a problem making
ultimate destruction of data important in the first place.
Attended and immediate multiplass overwrite at the moment
the data is wished destroyed is the most safe method. Any
extra time spent physically destroying the medium is
probably better spent just standing around, watching those
around you for suspicious activity.No.18 | | 724 bytes |
| Thu, 15 Jun 2006 02:06:09 +0200, Sebastian Gottschalk
<seppi@seppig.dewrote:
>kony wrote:
>
>Now, if you were to continually overwrite the same areas,
>over and over again with zeros, this would work better, but
>not ideally, and why would one want to do that several more
>times than it would take to write randomly? There would be
>no reason to do it.
>
>This is just bull**** argumentation.
>
>As the rest signal is independent from the new data, there's essentially
>no difference with what exactly you overwrite.
Every single article on the subject disagrees with you.
Read a few.No.19 | | 719 bytes |
| Thu, 15 Jun 2006 02:04:17 +0200, Sebastian Gottschalk
<seppi@seppig.dewrote:
>kony wrote:
>
>We're not talking about a short glimpse, rather someone who
>is experienced and _trying_ to recover the data with the
>correct equipment.
>
>You may or may not notice that just signal evaluation in a normal read
>process today is just about recover. If there were any significant
>redundancies left, we'd exploit them to store more data.
In a cheap-to-make, mass produced drive this would be true.
In a spare-no-expense, recover-valuable-data scenerio, the
minor differences are what is important.No.20 | | 539 bytes |
| In article <4fcduuF1ikm0fU1@news.dfncis.de>, seppi@seppig.de says
kony wrote:
>
>As the rest signal is independent from the new data, there's essentially
>no difference with what exactly you overwrite.
>
Every single article on the subject disagrees with you.
Read a few.
Strange enough Mr. Gutmanm fully agrees with me. I haven't found any
scientific article disagreeing. Can you point me to one?
I would suggest that you both read the following:No.21 | | 968 bytes |
| kony wrote:
Thu, 15 Jun 2006 02:04:17 +0200, Sebastian Gottschalk
<seppi@seppig.dewrote:
>
>kony wrote:
>>
We're not talking about a short glimpse, rather someone who
is experienced and _trying_ to recover the data with the
correct equipment.
>You may or may not notice that just signal evaluation in a normal read
>process today is just about recover. If there were any significant
>redundancies left, we'd exploit them to store more data.
>
>
In a cheap-to-make, mass produced drive this would be true.
In a spare-no-expense, recover-valuable-data scenerio, the
minor differences are what is important.
A very optimistic estimation gives that you can recover bits with a
median certainty of 50.4% correctly. And random overwrites don't change
anything about that,No.22 | | 418 bytes |
| kony wrote:
>As the rest signal is independent from the new data, there's essentially
>no difference with what exactly you overwrite.
>
Every single article on the subject disagrees with you.
Read a few.
Strange enough Mr. Gutmanm fully agrees with me. I haven't found any
scientific article disagreeing. Can you point me to one?No.23 | | 1179 bytes |
| kony wrote:
It is well known, the WHLE PURPSE of the random overwrite strategy
used countless times by anyone, anywhere (everywhere).
It is well known to the uninitiated, but not in any scientific context.
I suppose you mean Peter Gutman, but are you referring to his work a
decade ago (when HDD densities were a fraction of what they are now)
or something more recent?
Read Gutman's article and try to understand the content. He told that
his ideas exactly apply to any modern drives and about any future drive
with the same technology, and that only special cases of old, really
low-density drives must be considered carefully.
You need to provide a specific quote, WITH the context, if you want
to claim Gutman is in agreement with what you claim TDAY because
back then he was of the opinion that the goal was to flip the bits
back and forth unpredictably, in a random pattern, not pseudo-random
and NT all zeros as you suggest.
No. He was the opinion that doing so is absolutely unnecessary and just
added for safety, which also applies to the large number of passes. Now
RTFA.No.24 | | 1318 bytes |
| Thu, 15 Jun 2006 08:44:23 +0200, Sebastian Gottschalk
<seppi@seppig.dewrote:
>kony wrote:
>
As the rest signal is independent from the new data, there's essentially
no difference with what exactly you overwrite.
>>
>Every single article on the subject disagrees with you.
>Read a few.
>
>Strange enough Mr. Gutmanm fully agrees with me. I haven't found any
>scientific article disagreeing. Can you point me to one?
You don't bother to reference this "Gutmanm" and yet I am
supposed to find articles for you? It is well known, the
WHLE PURPSE of the random overwrite strategy used
countless times by anyone, anywhere (everywhere).
I suppose you mean Peter Gutman, but are you referring to
his work a decade ago (when HDD densities were a fraction of
what they are now) or something more recent? You need to
provide a specific quote, WITH the context, if you want to
claim Gutman is in agreement with what you claim TDAY
because back then he was of the opinion that the goal was to
flip the bits back and forth unpredictably, in a random
pattern, not pseudo-random and NT all zeros as you suggest.No.25 | | 307 bytes |
| In article <4fcnniF1hojevU1@news.dfncis.de>, seppi@seppig.de says
No. He was the opinion that doing so is absolutely unnecessary and just
added for safety, which also applies to the large number of passes. Now
RTFA.
It appears that the DD and NSA don't agree with you or him then.No.26 | | 1112 bytes |
| Thu, 15 Jun 2006 13:20:04 GMT, Leythos <void@nowhere.lan>
wrote:
>In article <4fcnniF1hojevU1@news.dfncis.de>, seppi@seppig.de says
>No. He was the opinion that doing so is absolutely unnecessary and just
>added for safety, which also applies to the large number of passes. Now
>RTFA.
>
>It appears that the DD and NSA don't agree with you or him then.
It is always the case that we are re-inventing the wheel it
seems. There has always been the acknowledgement that only
overwriting the same digit (0 or 1) leaves a remnant, the
signature of the prior bit. This has actually been shown
detectable. AFAIK, it has never been shown that any data
was recoverable after a very few passes of (true) random
write.
Can the DD go overboard? course, who can't? Far easier
to suggest that someone else goes to extra trouble do to
the unknown there was a time when sailors thought they
might sail off the edge of the earth too but later we
realized it was round, not flat.No.27 | | 1236 bytes |
| kony wrote:
Tue, 13 Jun 2006 18:30:08 -0700, "Doofus McFly"
<DMcFly@aol.comwrote:
>
>>A co-worker made a statement that data is recoverable from a hard drive
>>even after you write zeros to all sectors of the hard drive. I was always
>>under the impression that once you wrote zeros to all sectors that any
>>data that was there is impossible to recover. Does anyone have any
>>thoughts on this? Thanks!
>
>
Merely overwriting it once with the same digit will allow a
professional with specialized equipment to recover "some" if
not all of the data, at great cost (computer repair shop or
the like could not do it).
Random overwriting with a couple of passes makes it MUCH
more difficult, practically impossible. The prior poster is
incorrect about 10,000 passes, a couple of random passes is
sufficient but prudence with sensitive data would suggest at
least 3 or 4 passes.
No. Supposedly, as I have never checked, there could be a "shadow" if, for
example, a "1" had existed for some time. it with a "0" once
would not remove 100% of the "shadow"
ImhotepNo.28 | | 377 bytes |
| Hi Roger,
I'm aware of certain connotations of the words "official", "certifiable" and
such. In this case, I was explaying - in simple words - the U.S. Department
of Defense recommendations DoD 5200.28-STD for data wiping (which many
utilities implement). I admit that my description of the five-pass process
doesn't capture all the details though.No.29 | | 494 bytes |
| "Doofus McFly" <DMcFly@aol.comwrites:
>A co-worker made a statement that data is recoverable from a hard drive even
>after you write zeros to all sectors of the hard drive. I was always under
>the impression that once you wrote zeros to all sectors that any data that
>was there is impossible to recover. Does anyone have any thoughts on this?
>Thanks!
A useful collection of links on this topic is:
Be sure and read:
QUESTION ON "Security"
- SPYWARE AND TROJANS THREATS ON RISE (MICROSOFT ONLY)
- google labs: online spreadsheet
- Defeat for net neutrality backers (but what does that mean)
- Search Encryption
- Email Cryptosystem
- Defeat for net neutrality backers (but what does it mean?)
- can encrypted file be encrypted and then encrypted?
- Microsoft June Advance Notification Multiple Vulnerabilities
- Microsoft NetMeeting Remote Memory Corruption Denial of Service Vulnerability
- HPSBMA02121 SSRT061157 rev.2 - HP OpenView Storage Data Protector Remote Arbitrary Command
- How to enforce "user cannot invoke any programs without first logging on to the system"
- Microsoft Misrepresenting WGA's Functionality?
- CDE source code?
- can encrypted file be encrypted and then encrypted?
- how secure / insecure is a wireless ISP?
- Picky passwd for GNU/Linux
- Secure VPN Gateway a new solution to InterNet Security
- /etc/master.passwd: No such file or directory
- Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
- all-in-one server