[unisog] Wiping hard drives before computer transfer

Daniel Feenberg feenberg at nber.org
Mon Jan 27 14:00:18 GMT 2003



On Mon, 27 Jan 2003 Valdis.Kletnieks at vt.edu wrote:

> On Sun, 26 Jan 2003 13:49:04 EST, Ben Compton <Ben.Compton at sw.edu>  said:
> > I've had data recovery people tell me that they know of nothing that will
> > recover the data (within reason of course).  Have I been fed a line on this
> > or have I figured out a good way to take care of my old drives?
> 
> This depends on what "within reason" means.
> 
> One pass of all-zeros *will* stop any casual recovery of the data by just
> popping it into a PC and seeing what you read back.
> 
> It however will probably be possible with a bit of hardware and access to
> a clean room - I've seen quotes of as low as $5,000 in hardware to do it.
> And I've heard of case-modders who have modded disk drives by using a bathroom
> as a clean room by running a *cold* shower for 15 mins beforehand to knock
> the dust down. This *is* well within the range of "basement tech".
> 


 This is an extraordinary claim, and as such it requires extraordinary
 proof. The proof usually given is an article by Gutmann, who was
 mentioned earlier in this thread as on expert on this topic. 
 
 Thanks to an afternoon at the Harvard School of Applied Science library I
 have had a chance to examine the references in the original paper:
 
 http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/index.html
 
 Gutmann explains that when a 1 bit is written over a zero bit, the "actual
 effect is closer to obtaining a .95 when a zero is overwritten with a one,
 and a 1.05 when a one is overwritten with a zero". Given that, given a
 read head 20 times as sensitive as the one in the drive, and given the
 pattern of overwrite bits one could recover the under-data. This
 immediately suggests that if random (not pseudo-random) data is used to
 overwrite the sensitive information there will be no possibility of
 retreival since the overwrite must be known to calculate the overwritten
 bits.
 
 The references Gutmann provides suggest that his piece is much
 overwrought. None of the references lead to examples of sensitive
 information being disclosed. Rather, they refer to experiments where STM
 microscopy was used to examine individual bits, and some evidence of
 previously written bits was found.
 
 There is a large literature on the use of Magnetic force scanning
 tunneling microscopy (STM) to image bits recorded on magnetic media. The
 apparent point of this literature is not to retrieve overwritten data, but
 to test and improve the design of drive heads. Two of the references 
 [4][7] had pictures of overwritten bits, showing parts of the original
 data clearly visible in the micro-photograph. The total number of bits
 was 6 in one photo and 8 in the other. Neither case was a total success,
 because in one case only transitions from one to zero were visible, and
 in the other one of the transitions was ambiguous. Nevertheless, I accept
 that overwritten bits might be observable under certain circumstances.
 
 So, while I can't say for sure that no one is reading overwritten data, I
 can say that Gutmann doesn't cite anyone who claims to be doing so, nor
 does he cite any articles suggesting that ordinary wipe-disk programs
 (with multiple passes) wouldn't be completely effective.
 
 I should qualify that last paragraph a "bit". I was not able to locate a
 copy of the masters thesis with the tantalizing title "Detection of
 Digital Information from Erased Magnetic Disks" by Venugopal Veeravalli.
 However a brief visit to his web page shows that this was never published,
 he has never published on this or a related topic (his field is security
 of mobile communications) and his other work does not suggest familiarity
 with STM microscopes. So I am fairly sure he didn't design a machine to
 read under-data with an "unwrite" system call.
 
 Gutmann claims that "Intelligence organisations have a lot of expertise
 in recovering these palimpsestuous images." but there is no reference for
 that statement. There are 18 references in the paper, but none of the ones
 I was able to locate even referred to that possibility. 
 
 In one section of the paper Gutmann suggests overwriting with 4 passes of
 random data. That is apparently because he anticipates using pseudo-random
 data that would be known to the investigator.
 
 I repeat my statement: "Extraordinary claims require extraordinary proof".
 Otherwise this is just an urban legend.

 
Daniel Feenberg






More information about the unisog mailing list