[unisog] Wiping hard drives before computer transfer
feenberg at nber.org
Mon Jan 27 14:00:18 GMT 2003
On Mon, 27 Jan 2003 Valdis.Kletnieks at vt.edu wrote:
> On Sun, 26 Jan 2003 13:49:04 EST, Ben Compton <Ben.Compton at sw.edu> said:
> > I've had data recovery people tell me that they know of nothing that will
> > recover the data (within reason of course). Have I been fed a line on this
> > or have I figured out a good way to take care of my old drives?
> This depends on what "within reason" means.
> One pass of all-zeros *will* stop any casual recovery of the data by just
> popping it into a PC and seeing what you read back.
> It however will probably be possible with a bit of hardware and access to
> a clean room - I've seen quotes of as low as $5,000 in hardware to do it.
> And I've heard of case-modders who have modded disk drives by using a bathroom
> as a clean room by running a *cold* shower for 15 mins beforehand to knock
> the dust down. This *is* well within the range of "basement tech".
This is an extraordinary claim, and as such it requires extraordinary
proof. The proof usually given is an article by Gutmann, who was
mentioned earlier in this thread as on expert on this topic.
Thanks to an afternoon at the Harvard School of Applied Science library I
have had a chance to examine the references in the original paper:
Gutmann explains that when a 1 bit is written over a zero bit, the "actual
effect is closer to obtaining a .95 when a zero is overwritten with a one,
and a 1.05 when a one is overwritten with a zero". Given that, given a
read head 20 times as sensitive as the one in the drive, and given the
pattern of overwrite bits one could recover the under-data. This
immediately suggests that if random (not pseudo-random) data is used to
overwrite the sensitive information there will be no possibility of
retreival since the overwrite must be known to calculate the overwritten
The references Gutmann provides suggest that his piece is much
overwrought. None of the references lead to examples of sensitive
information being disclosed. Rather, they refer to experiments where STM
microscopy was used to examine individual bits, and some evidence of
previously written bits was found.
There is a large literature on the use of Magnetic force scanning
tunneling microscopy (STM) to image bits recorded on magnetic media. The
apparent point of this literature is not to retrieve overwritten data, but
to test and improve the design of drive heads. Two of the references
 had pictures of overwritten bits, showing parts of the original
data clearly visible in the micro-photograph. The total number of bits
was 6 in one photo and 8 in the other. Neither case was a total success,
because in one case only transitions from one to zero were visible, and
in the other one of the transitions was ambiguous. Nevertheless, I accept
that overwritten bits might be observable under certain circumstances.
So, while I can't say for sure that no one is reading overwritten data, I
can say that Gutmann doesn't cite anyone who claims to be doing so, nor
does he cite any articles suggesting that ordinary wipe-disk programs
(with multiple passes) wouldn't be completely effective.
I should qualify that last paragraph a "bit". I was not able to locate a
copy of the masters thesis with the tantalizing title "Detection of
Digital Information from Erased Magnetic Disks" by Venugopal Veeravalli.
However a brief visit to his web page shows that this was never published,
he has never published on this or a related topic (his field is security
of mobile communications) and his other work does not suggest familiarity
with STM microscopes. So I am fairly sure he didn't design a machine to
read under-data with an "unwrite" system call.
Gutmann claims that "Intelligence organisations have a lot of expertise
in recovering these palimpsestuous images." but there is no reference for
that statement. There are 18 references in the paper, but none of the ones
I was able to locate even referred to that possibility.
In one section of the paper Gutmann suggests overwriting with 4 passes of
random data. That is apparently because he anticipates using pseudo-random
data that would be known to the investigator.
I repeat my statement: "Extraordinary claims require extraordinary proof".
Otherwise this is just an urban legend.
More information about the unisog