[unisog] Wiping hard drives before computer transfer

Daniel Feenberg feenberg at nber.org
Sat Feb 8 00:45:55 GMT 2003

On Mon, 27 Jan 2003 Valdis.Kletnieks at vt.edu wrote:

> On Mon, 27 Jan 2003 09:00:18 EST, Daniel Feenberg said:
> > The references Gutmann provides suggest that his piece is much
> > overwrought. None of the references lead to examples of sensitive
> > information being disclosed. Rather, they refer to experiments where STM
> > microscopy was used to examine individual bits, and some evidence of
> > previously written bits was found.
>
> And that was 7 years ago, and now there's an entire industry doing this.
> http://www.dataclinic.co.uk/data-recovery.htm
>
> > Data recovery when the required data has been overwritten
> > Accidentally ghosting an image over the top of valuable data is a
> > very common form of data loss; it's also a technique used by
> > disgruntled employees and criminals who wish to cover their tracks.
> > By physically overwriting valuable data with other 'junk' data, you
> > would think that the original data would be unrecoverable... You'd
> > be wrong. The Data Clinic are able to recover original data that has
> > been overwritten multiple times.
>
> I'm assuming that they're not advertising services that they are unable to
> actually provide.

They do not provide the service they seem to be promising. The word
"physical" in the passage is perhaps "overenthusiastic".

Ghosting an image does not affect sectors on the disk beyond the last
data-filled sector of the image, leaving plenty of sectors with old data
remaining. That is all they mean.

I have written Dataclinic a nice letter asking for help recovering data
from an overwritten sector, but received no reply.

> Google for "+disk +recover +overwritten +service", there's other
> companies too.

I did this and found many companies that offer to recover overwritten
files, but none mention recovering overwritten sectors. Once one
understands that "overwriting a file" means only overwriting its directory
entry, it is clear that there isn't "an entire industry" examining disks
with scanning electron microscopes to extract data. There is an entire
industry with Norton Unerase and similar capabilities. 

There isn't even a single example in the public literature of reading
overwritten sectors, although there are numerous claims that intelligence
agencies do this. But no one claims "I have done this".

> Or build your own and see if it's doable.
> http://sxm4.uni-muenster.de/introduction-en.html

There is no suggestion on this site that the STM is capable of reading
underdata on a magnetic disk. Obviously STM microscopes exist. The
question is "can they read overwritten data". It is interesting to look at
STM sites on the web. They do many wondrous things, but I don't see any
claims made by people with those devices that they can read underdata. The
claim is always made by someone else.

In conclusion...

I think the most cogent reason people have for believing this particular
urban legend is that military and intelligence agencies require that
discarded disks be physically destroyed rather than merely overwritten
with random data. 

But it isn't that the DOD believes this particular legend, but rather that
the officer given the task of confirming all classified data is destroyed
may not be sufficiently informed about partitions/slices/disks/filesystems
to know if a command

 urandom  >/dev/sa1/ad0 

really did overwrite every sector or only some of them. But he will know
if the drive has been properly smashed to bits.

> -- 
> 				Valdis Kletnieks
> 				Computer Systems Senior Engineer
> 				Virginia Tech

Daniel Feenberg
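
The doubt raised in the closing paragraphs, whether an overwrite reached every sector or only some of them, can be checked by reading the medium back. The following is an added example, not part of the original message: it scans a binary file object sector by sector and reports the ranges that do not hold the expected fill. The 512-byte sector size, the fixed zero fill (rather than random data) and all function names are assumptions made for the illustration, and the "disk" is a constructed in-memory buffer.

```python
import io

SECTOR = 512  # assumed logical sector size


def unwiped_ranges(dev, fill=0x00, sector=SECTOR):
    """Return (sectors_read, [(first, last), ...]) where each inclusive
    range lists sectors that are not entirely `fill`."""
    expected = bytes([fill]) * sector
    ranges, start, n = [], None, 0
    dev.seek(0)
    while True:
        buf = dev.read(sector)
        if not buf:
            break
        # A short final read is compared against a fill of the same length.
        dirty = buf != expected[:len(buf)]
        if dirty and start is None:
            start = n
        elif not dirty and start is not None:
            ranges.append((start, n - 1))
            start = None
        n += 1
    if start is not None:
        ranges.append((start, n - 1))
    return n, ranges


def build_demo_disk(total=64):
    """Constructed sample: a `total`-sector buffer full of old data."""
    return io.BytesIO(b"OLD-DATA" * (SECTOR // 8) * total)


def write_image(dev, sectors, fill=0x00):
    """Hypothetical stand-in for restoring an image or a partial overwrite:
    only the first `sectors` sectors are written."""
    dev.seek(0)
    dev.write(bytes([fill]) * SECTOR * sectors)


if __name__ == "__main__":
    disk = build_demo_disk()
    write_image(disk, 40)          # image shorter than the disk
    print(unwiped_ranges(disk))    # old data survives past the image's end
    write_image(disk, 64)          # overwrite that covers every sector
    print(unwiped_ranges(disk))
```

A random-data overwrite cannot be verified against a fixed pattern this way; the check works for a fixed fill, or for a reproducible stream the verifier can regenerate.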
