
| Subject: | Re: Peter Gutmann data deletion theaory? |
|---|---|
| Date: | Sat, 23 Jul 2005 15:36:25 +0200 |
"Robert Thompson Jr." <rthompson@columbiabank.com> wrote:
> If you have ever done any form of data recovery, you will see how much information is recoverable, with just basic tools off of the internet.

It's just that way, if you don't take any care deleting your data.

> with a free demo and take a hard drive, catalog it, format it (after backing up what you need of course) then recover it. Watch how much information you retrieve. Should be all of it, and then some.

This is not the case, if you follow a proper procedure.

The effect of "formatting" a harddisk is grossly overestimated by the average user - probably due to its historic effect on floppy disks. The same is true for "deleting". Both operations usually only change a very small part of the harddisk. For efficiency reasons.

Formatting usually only deletes tables of free blocks, root directory and some management information. Deleting usually only removes the directory linkage and eventually frees up the disk space, if no hardlinks are present, but doesn't touch the data itself.

However, while it is pretty hard to securely delete data on modern filesystems, if the filesystems were not designed to do this themselves, it is relatively easy to destroy almost any data when wiping entire drives.

Try your above experiment after you have not merely "formatted" the disk, but rather wiped it with even a single pass of

    dd if=/dev/zero of=/dev/[harddiskdevice]

This will render almost any attempt of software recovery useless.

The only data that should be recoverable by software tools is old weak data from mapped out sectors and the like. This requires specialized software that talks to the drives on a pretty low level, but is doable. Of course, only very small amounts of data should be recoverable. Just look at the mapped out sector counts from the SMART data of old harddisks. You'd be lucky, if you find a few hundred sectors.

> I recall the first time I ever did a recovery from a hard drive that had something off happen to it. I pulled up information on that drive from back when it was first used. YEARS before...

Sure. But that data was never deleted in a secure manner.

> With wiping/sanitizing of your hard drives, you have eliminated having to worry about any mediocre programs doing any data recovery, but "good" programs or hardware recovery is still an option.

Any software recovery of a properly wiped drive will only have very limited success.

> Now imagine what a hardware based recovery could pull off?

IMHO: Not so much more. Modern harddisks have such a high density, that those "off track reading" and "remanent magnetism" arguments don't quite hold. If the signal from there were useable with a reasonable amount of hardware cost, it would be used to put more data on the media.

Are there any public studies about what commercial data recovery providers can achieve after a harddisk was overwritten with a single sweep of zeroes?

> I would recommend using the sanitizing products as they will help keep the people that don't have the time or money from locating anything on your box, but for those out there that have the money or have the time, they will be able to get just about anything off of your disk.

I doubt that, but if you think your data is valuable enough to make such an attack feasible, I'd rather not recommend your choices:

> To keep your drives completely secure, you have two choices: either don't use them, ever... OR physically destroy them when you are finished.

but recommend to encrypt your sensitive data.

Reason: If your data is valuable enough to spend a few thousand dollars to pull it off a discarded harddrive, it is almost certain, that you need to spend less and gain more by getting the drive right from your office while it is still in use and no deletion has been attempted.

Kind regards,

Andreas Beck

--
Andreas Beck
http://www.bedatec.de/
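
The format-versus-wipe experiment discussed in the message above, reproduced on a scratch image file. This is an added example, not part of the original post; the marker strings, the 64 KiB "management area" and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: operates only on a scratch image file, never on a real device.
set -eu

MARKER='CONSTRUCTED-SECRET-RECORD'   # constructed stand-in for file contents
DIRENT='DIRENT:secret.txt'           # constructed stand-in for directory metadata

# Build a 1 MiB "disk": metadata at offset 0, file data at offset 512 KiB.
make_image() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf '%s' "$DIRENT" | dd of="$1" bs=1024 conv=notrunc 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs=1024 seek=512 conv=notrunc 2>/dev/null
}

# "Format": clear only the first 64 KiB (assumed management area), data untouched.
quick_format() {
    dd if=/dev/zero of="$1" bs=1024 count=64 conv=notrunc 2>/dev/null
}

# Single pass of zeroes over the whole image, mirroring dd if=/dev/zero of=<device>.
full_wipe() {
    blocks=$(( $(wc -c < "$1") / 1024 ))
    dd if=/dev/zero of="$1" bs=1024 count="$blocks" conv=notrunc 2>/dev/null
}

# Prints 1 if the data marker can still be found by a plain byte search, else 0.
residual_hits() {
    LC_ALL=C grep -a -c -- "$MARKER" "$1" || true
}

# Wipe verification: number of bytes in the image that are not 0x00.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

demo() {
    img=$(mktemp)
    make_image "$img"
    quick_format "$img"
    echo "after format: hits=$(residual_hits "$img") nonzero=$(nonzero_bytes "$img")"
    full_wipe "$img"
    echo "after wipe:   hits=$(residual_hits "$img") nonzero=$(nonzero_bytes "$img")"
    rm -f "$img"
}
demo
```

Pointing `nonzero_bytes` at a device node after a real wipe gives the same verification, at the cost of reading the entire drive.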