
RE: Data Recovery

Subject: RE: Data Recovery
Date: Mon, 30 Oct 2006 13:38:39 -0700
My impression of this article is a non-expert piece aimed at consumer-level 
users with little knowledge or sophistication in computers.  The cases he cites 
are all simple slack-space or unallocated-space recovery after simple file 
operations.  It has nothing to do with "disk erasing programs".  The one 
researcher who claims to have read data did so after the drive was overwritten 
with zero-bits.  

A program executing a DoD 7-pass wipe (or a Gutmann 35-pass if you're paranoid) 
of the data, bit-for-bit, is likely impossible to recover from, even using the 
STM methods.  As Gutmann says in his paper, it is impossible to determine if a 
sector's data was overwritten before or after the original data and a 7-pass 
structured overwrite is unlikely to leave significant magnetic or visual traces 
of the original data.  Even if it does, it is unlikely you will be able to 
determine which of the 8-10 possible data bits you retrieve are actually the 
real data.

The only interesting comments in this article revolve around the bad sector 
remapping.  The DoD erase standards do not cover this topic, though a number 
of discussions have revolved around it and some utilities are available to do 
random-data multi-pass secure deletion including g-list sectors. 

http://www.storagenetworking.org/Discussion/forum_posts.asp?TID=59&PN=1

http://www.morgud.com/reviews/software/MES.asp

http://cmrr.ucsd.edu/Hughes/SecureErase.html


UCSD has some recent research that suggests, while a single-pass zero-bit 
overwrite may be recoverable with specialized hardware, a multi-pass, random 
overwrite with data is not.  The researcher producing some of these papers can 
be found here:

http://cmrr.ucsd.edu/Hughes/subpgset.htm


Interesting information to be found, but mostly in the realm of science-fiction.

Frankly, from my reading, it's probably less secure to use a sledgehammer than 
to use a good secure deletion program.   Now something like a blast furnace, or 
a thermite cap.....  that would be secure....

Eric

  

-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]On Behalf Of Russell Aspinwall
Sent: Thursday, October 26, 2006 2:20 AM
To: forensics@securityfocus.com
Subject: Data Recovery


In response to data recovery after 57+ formats query

The UK magazine Computer Shopper carried a feature article "Recovery 
Position" in its March 2006 issue, which can be found here
http://www.computershopper.co.uk and search for Recovery Position. It 
appears that disk erasing programs do not delete the data, if you have 
the right tools for recovery; however a hammer does work.

-- 
Regards

Russell

Email: russell dot aspinwall at flomerics dot co dot uk 
Network and Systems Administrator           Flomerics Ltd
Telephone: 020-8941-8810 x3116              81 Bridge Road
Facsimile: 020-8941-8730                    Hampton Court
                                            Surrey, KT8 9HH
                                            United Kingdom
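
An added example, not part of either message: a multi-pass in-place file overwrite with a per-pass read-back check, to show what a software wipe can and cannot confirm. The pass schedule is an assumption chosen for illustration (not the DoD or Gutmann sequence), the filesystem is assumed to overwrite in place, and writes issued this way only reach logically addressable sectors, so the remapped (g-list) sectors discussed above are out of its reach.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20
# Illustrative schedule (assumption): pattern, complement, random.
# This is not the DoD or Gutmann pass sequence.
PASSES = (b"\x55", b"\xaa", None)  # None means random data

def wipe_pass(fd, size, pattern):
    """Write one pass over [0, size), flush it, and verify by read-back."""
    written, readback = hashlib.sha256(), hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    left = size
    while left:
        n = min(CHUNK, left)
        buf = os.urandom(n) if pattern is None else pattern * n
        view = memoryview(buf)
        while view:                      # os.write may write only part
            view = view[os.write(fd, view):]
        written.update(buf)
        left -= n
    os.fsync(fd)                         # force this pass to the device
    os.lseek(fd, 0, os.SEEK_SET)
    left = size
    while left:
        buf = os.read(fd, min(CHUNK, left))
        if not buf:
            break
        readback.update(buf)
        left -= len(buf)
    # Read-back may be served from cache: it confirms the logical write only.
    return written.digest() == readback.digest()

def wipe_file(path, passes=PASSES):
    """Overwrite a file in place; return one verification result per pass."""
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        size = os.fstat(fd).st_size
        return [wipe_pass(fd, size, p) for p in passes]
    finally:
        os.close(fd)

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample record\n" * 4096)   # constructed input
    print(wipe_file(f.name))
    os.unlink(f.name)
```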