[lug] drive free space "wiper" recommendation

Anthony Foiani tkil at scrye.com
Mon Oct 11 22:56:09 MDT 2010


Paul E Condon <pecondon at mesanetworks.net> writes:

> Claims made at the web site where the tool is offered for download
> cannot be simply trusted, IMHO. How does one test a disk wipe to
> verify that it has worked correctly?

Well, at least one of the sites (Dan's Boot-n-Nuke, but I might be
mis-remembering) has links to papers on the topic.

And I wasn't being blind; I read through a dozen or more sites to find
the two I recommended.

> It seems to me that in the limited situation where there is no
> reason to preserve any data on the HD, then dd would do a pretty
> fair job, or maybe two passes of dd with ones and zeros. What more
> could a 'better' tool offer? 

The history of "secure erase", so far as I know it:

* Various OSes (at least back to MS-DOS in the 1980s) discovered it
  was faster to just zero out a directory entry, rather than zeroing
  out every sector that held data for the given file.  This allowed
  for various "undelete" utilities, but is obviously insecure.

* Various programmers filled the need for a secure delete by offering
  tools that would first write various patterns into the used sectors,
  then do the actual delete.

* Patterns are used because sufficiently-motivated labs (think 100k$
  attack cost) can find traces of previous written values on the
  media.  That is, if you write "10101010", and then later write
  "11110000" to the same location, a trace of the original pattern
  remains.  That trace can be detected with sufficiently advanced
  gear.

  + This is the origin of the old "37 passes" approach; the idea is
    that sufficient passes of 1s and 0s would put down so many
    residual traces, the original would no longer be recoverable.

* Recent (2000-ish to current) hard drives don't really write
  individual, identifiable bits anymore.  They use various coding
  systems (much as 56k modems used more than two symbols: they were
  really only 4800 baud ["symbols per second"] devices, but used 30+
  symbols to provide 56 kbps throughput).  This means that changing
  your "10101010" to "11110000" might only affect two locations, and
  might change that location from symbol "C" to symbol "Q".  (As well
  as likely causing the entire sector to be rewritten; I don't know
  that detail.)

* On top of all that, hard drives have been remapping sectors since
  the 1990s at the latest.  That means sensitive data might be left in
  a "bad" sector, which could potentially be recovered if the
  adversary spends enough effort to do so.

> (This sounds like a rhetorical question, but I really am just
> asking. Security issues puzzle me because there is always the
> possibility yet another level of deception.)

I strongly recommend _Practical Security_ (aka _Security Engineering_)
by Bruce Schneier and Niels Ferguson:

  http://www.schneier.com/book-practical.html

The most important lesson is that you need to first determine what
you're protecting, then what/whom you're protecting against, and
finally you need to decide how much you're willing to "pay" for that
protection.

Short version: security is a trade-off between cost, ease-of-use, and
many other factors.  (Would you like a shell that prompted for your
password before executing every command?  That'd be more secure, but
very much a P.I.T.A...)

In this case, you want to determine what level of threat you're
protecting against.  In this particular case, I see:

1. Consumer / hobbyist / low-end tech support person.

   If you're selling a drive on eBay, or taking your laptop in for
   service, this is the level of attack.  Most likely will only be
   attempted through standard interface, so remapped sectors are not
   an issue.

   Myself, if I had anything I really worried about on that hard
   drive, I'd do my best to replace it with a scratch drive before
   sending in the device.  (This also has the advantage of eliminating
   the hard drive or software as the culprit.)

2. Local law enforcement, low-end data recovery services.

   These can likely get to the remapped sectors, at the very least.

3. National law enforcement, hard drive manufacturers, high-end data
   recovery services.

   These can scan the platter "manually" and reconstruct the primary
   data, as well as potentially recovering traces of previous data.

If you're really worried about #2 and #3 ... the right answer is
probably to keep the drive in your physical possession; if you need to
discard it, disassemble the drive and melt the platters.

My own level of paranoia is such that I've got about 50 drives of
various vintages sitting in a box... (remember when a 640MB 'bigfoot'
5.25" drive was awesome?  :)

HTH,
t.
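The "how does one test a disk wipe" question quoted above, worked as an added example (my own, not code from the list or from the tools mentioned): a Python stand-in for the dd passes over a constructed image file, each pass followed by a read-back that counts bytes that did not take the pattern. It sees only what the standard OS interface sees, so a clean read-back says nothing about remapped sectors; the pattern names and the "ACCOUNT=" secret are assumptions for the demo.

```python
import os
import tempfile

# One-byte fills: the "ones and zeros" dd idea from the question, plus the two bit strings used above.
PATTERNS = {"zeros": 0x00, "ones": 0xFF, "10101010": 0xAA, "11110000": 0xF0}
CHUNK = 64 * 1024


def count_mismatches(data, pattern):
    """Number of bytes in `data` that are not the fill byte of `pattern`."""
    return len(data) - data.count(PATTERNS[pattern])


def wipe_pass(path, pattern, chunk=CHUNK):
    """Overwrite every byte of `path` in place with `pattern` (the dd step).
    Returns bytes written.  fsync gets past the OS cache only; what the drive
    itself does (its own cache, remapped sectors) is not visible from here."""
    fill, size, written = bytes([PATTERNS[pattern]]), os.path.getsize(path), 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(chunk, size - written)
            f.write(fill * n)
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_pass(path, pattern, chunk=CHUNK):
    """Read `path` back and count bytes that differ from `pattern`; 0 means the
    pass reached every address the OS exposes (the "standard interface" case)."""
    mismatched = 0
    with open(path, "rb") as f:
        for data in iter(lambda: f.read(chunk), b""):
            mismatched += count_mismatches(data, pattern)
    return mismatched


def demo(passes=("ones", "10101010", "11110000", "zeros")):
    """Constructed sample: a small 'disk image' file holding a recognisable secret.
    Returns ({pattern: mismatches after that pass}, copies of the secret left)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"ACCOUNT=1234-5678 " * 4096)  # constructed content, ~72 KiB (two chunks)
    try:
        results = {}
        for p in passes:
            wipe_pass(f.name, p)
            results[p] = verify_pass(f.name, p)
        with open(f.name, "rb") as img:
            leftover = img.read().count(b"ACCOUNT=")
    finally:
        os.unlink(f.name)
    return results, leftover
```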
