Mark M Manning

A site for information involving myself and my career.

Securely Erasing Hard Drives With Single Swipe Research - Win and Fail

Monday, January 19, 2009

Heise Security, SecurityFocus, and Slashdot are all reporting on new research from the SANS Forensics Blog that concludes it is unnecessary to perform multiple-pass erase methods on a hard drive to make sure that data is forensically unrecoverable. In fact it recommends that a single overwrite with all zeros or all ones will do the trick.

From the research:

Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible...

What about DoD 5220.22-M and Gutmann?

This sounded pretty shocking to me, as I've wasted countless hours wiping hard drives with up to 35 passes (Gutmann) when a single pass would have done. But is it true? Peter Gutmann, yes _the_ Peter Gutmann, claims that the testing methodology is incorrect but the conclusions are correct:

the article confuses two totally unrelated techniques. One is the use of an MFM[Magnetic Force Microscope] to recover offtrack data... The other is the use of an error-cancelling read ... to recover overwritten data. ...Given that these are totally different techniques exploiting completely unrelated phenomena, it's not surprising that trying to use one to do the other didn't work.

Gutmann goes on to concede that recovering any useful amount of data from a modern hard drive is a hopeless task, whether it was wiped with a single pass of zeros or with a multi-pass method:

Any modern drive [recovery] will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording...

NIST backs this up in Special Publication 800-88, which states:
Studies have shown that most of today's media can be effectively cleared by one overwrite

For Posterity

So if nothing else, the argument made me go look up what each of those erase methods does and the differences between the Gutmann, pseudorandom-overwrite, and DoD 5220.22-M methods. The common consensus seems to be that data cannot be recovered from a hard drive once it has been overwritten, but if you still want to burn through a day wiping hard drives, I'm sure you could convince an unknowing boss otherwise. Note that all of this is about magnetic platters: a flash-based SSD remaps writes behind a wear-levelling layer, so a host-side overwrite can miss stale copies of the data, and the drive's own ATA secure-erase command is the right tool there.

Insecure Methods

There are still insecure ways of erasing hard drives. One of them is the Windows "Quick Format" option you see when installing the OS. This only rewrites the NTFS metadata (the Master File Table records that point at the file data), so the data is hidden from the OS but still sitting in the clusters, available to forensic analysis or a simple carve of the raw disk. You should always choose "Full Format" unless you really need that extra twenty minutes of your life; just be aware that a full format only writes zeros over the whole volume on Windows Vista and later, while on XP and earlier it merely scanned for bad sectors and left the data in place.

Gutmann

The most (in?)famous method of erasing, and definitely the most interesting, is Peter Gutmann's. It is a 35-pass wipe: four passes of pseudorandom data, 27 passes of fixed bit patterns (e.g. 01100110011..., plus passes of all 0s and all 1s), and four more pseudorandom passes. The reason for this is that older hard drives used different encoding schemes (MFM and RLL variants), so the pattern set was chosen to cover every one of them; Gutmann himself says that on a modern drive a few random passes are all that is useful and the rest of the table is irrelevant. The Windows tool aptly named "Eraser" is thankfully open source, so that we can have an example:

Pseudorandom

This is a tried and true method: simply generate random data and write it over the entire drive. A single pass of this is still considered a sound way to clean off a hard drive. Here's one way to do it using the Linux dd command:

DoD 5220-22.M

Slightly more interesting than the others is DoD 5220.22-M, which actually isn't an erasure specification at all: it is the National Industrial Security Program Operating Manual (NISPOM), and the overwrite procedure usually attributed to it (a fixed byte, then its complement, then random data, followed by a verify pass) comes from a clearing-and-sanitization matrix issued alongside older editions of the manual. I have yet to find the original document that states this procedure, but again, the Eraser source code serves as an example:
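The methods discussed above side by side, as an added example that is not code from this post or from Eraser: a quick format that only rewrites metadata, the single zero or pseudorandom pass, the three-pass-plus-verify reading of DoD 5220.22-M, and the Gutmann schedule. It runs against an ordinary file standing in for a block device; the MARKER bytes, the fake MFT entry and the choice of 0x00/0xFF for the DoD passes are constructed for the demonstration, while the Gutmann pattern table is the one from his paper.

```python
# Added example (not from the post, not Eraser's source): a minimal pass-schedule
# wiper run against a regular file standing in for a disk.  The same loop opened
# on /dev/sdX is what dd or Eraser do, so only ever point it at a disposable file.
import os
import secrets
import tempfile

BLOCK = 4096      # write granularity, like dd's bs=
RANDOM = None     # schedule entry meaning "fill this pass from the CSPRNG"

# Gutmann's 35-pass schedule as tabulated in his paper: four random passes,
# 27 fixed patterns aimed at old MFM/RLL encodings, then four more random.
GUTMANN = (
    [RANDOM] * 4
    + [b"\x55", b"\xaa", b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49"]
    + [bytes([b]) for b in range(0x00, 0x100, 0x11)]      # 0x00, 0x11, ... 0xff
    + [b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49",
       b"\x6d\xb6\xdb", b"\xb6\xdb\x6d", b"\xdb\x6d\xb6"]
    + [RANDOM] * 4
)

SCHEDULES = {
    "zero": [b"\x00"],                  # single overwrite, what SANS and NIST say suffices
    "random": [RANDOM],                 # single pseudorandom pass
    # the 3-pass reading of DoD 5220.22-M most tools implement: a byte, its
    # complement, then random data; 0x00/0xFF is this example's own choice
    "dod3": [b"\x00", b"\xff", RANDOM],
    "gutmann": GUTMANN,
}

MARKER = b"TOP SECRET: payroll.xls contents"   # constructed sample data to hunt for


def overwrite(path, pattern, size):
    """One pass over bytes [0, size) of path, block by block.  A fixed pattern is
    kept phase-continuous across blocks, so a 3-byte pattern lays down the same
    bit stream a sector-at-a-time tool would."""
    with open(path, "r+b") as f:
        off = 0
        while off < size:
            n = min(BLOCK, size - off)
            if pattern is RANDOM:
                chunk = secrets.token_bytes(n)
            else:
                phase = off % len(pattern)
                chunk = (pattern * (n // len(pattern) + 2))[phase:phase + n]
            f.seek(off)
            f.write(chunk)
            off += n
        f.flush()
        os.fsync(f.fileno())   # on the device, not just in the page cache


def verify(path, pattern, size):
    """Read-back check (the verify step DoD-style procedures add): True only if
    every byte in [0, size) matches the fixed pattern."""
    with open(path, "rb") as f:
        off = 0
        while off < size:
            chunk = f.read(min(BLOCK, size - off))
            if not chunk:
                return False
            phase = off % len(pattern)
            expect = (pattern * (len(chunk) // len(pattern) + 2))[phase:phase + len(chunk)]
            if chunk != expect:
                return False
            off += len(chunk)
    return True


def wipe(path, schedule):
    """Run a whole pass schedule over the file; returns the number of passes."""
    size = os.path.getsize(path)
    for pattern in schedule:
        overwrite(path, pattern, size)
    return len(schedule)


def make_disk(path, size=256 * 1024):
    """Constructed stand-in for a formatted volume: a metadata block at the front
    naming the file, the file's data a few clusters in, zeros elsewhere."""
    img = bytearray(size)
    img[:48] = b"MFT payroll.xls -> cluster 8".ljust(48, b"\0")
    img[8 * BLOCK:8 * BLOCK + len(MARKER)] = MARKER
    with open(path, "wb") as f:
        f.write(img)


def quick_format(path):
    """What a quick format amounts to: rewrite the filesystem structures and leave
    every data block alone.  Here the metadata is just the first block."""
    overwrite(path, b"\x00", BLOCK)


def recoverable(path):
    """Forensic-style carve of the raw image, ignoring any filesystem."""
    with open(path, "rb") as f:
        return MARKER in f.read()


def demo(method):
    """Returns (data found before, data found after, verify result or None)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        make_disk(path)
        before = recoverable(path)
        if method == "quick":
            quick_format(path)
            last = b"\x00"
        else:
            wipe(path, SCHEDULES[method])
            last = SCHEDULES[method][-1]
        checked = None if last is RANDOM else verify(path, last, os.path.getsize(path))
        return before, recoverable(path), checked
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for m in ("quick", "zero", "random", "dod3", "gutmann"):
        _, after, checked = demo(m)
        print(f"{m:8s} recoverable after: {after}  verify: {checked}")
```

The quick format is the only case where the marker survives the carve and the verify step fails; every real overwrite, single pass included, leaves nothing for the carve to find. On an actual disk the single pseudorandom pass is `dd if=/dev/urandom of=/dev/sdX bs=1M`, run from a live system with nothing on that drive mounted.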

NSA Method

Probably the most paranoid, and comical, are the NSA instructions, which insist that the drive be degaussed and/or physically destroyed. Bear in mind that degaussing a modern drive also wipes its servo tracks, so it is destruction in all but name: the drive will never work again. My favorite method is Hack-A-Day's thermite destruction:

External Links

http://www.heise-online.co.uk/security/Secure-deletion-a-single-overwrite-will-do-it--/news/112432 - Heise Security article discussing the subject
http://www.securityfocus.com/brief/888 - SecurityFocus discussion on the subject
http://hardware.slashdot.org/article.pl?sid=09%2F01%2F19%2F1422246 - Slashdot discussion of the same story
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html - Peter Gutmann's paper on secure deletion, with the 35-pass method and its epilogues
http://en.wikipedia.org/wiki/Data_erasure#Full_disk_overwriting - Good article on Wikipedia about this kind of stuff
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf - NIST Special Publication 800-88, Guidelines for Media Sanitization
