What You Donít See On Your Hard Drive - Page 2
Page 2 of 4 FirstFirst 1234 LastLast
Results 11 to 20 of 33

Thread: What You Donít See On Your Hard Drive

  1. #11
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Well... no... at least not with software utilities. There are "de-magnetisers" machines (degausser) that are used for disabling drives that have contained top-secret data, and these cost a bundle. However, only using software, you can only have the drive read or write data. The drive heads cannot just "scatter magnetic charges"... how would a head that is designed to read and write individual bits (in block), ie precisely, be able to do that?. Besides, if it were the case, the drive would either need a low level format after that or be filled with bad clusters, ie: be just plain dead.

    Here's an extract of DoD 5220.22-M shredding guidlines:
    (http://www.dss.mil/isec/chapter8.htm)
    a. Degauss with a Type I degausser

    b. Degauss with a Type II degausser.

    c. Overwrite all addressable locations with a single character.

    d. Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.
    Also, a comparaison of software "shredders" can be found here:
    http://www.fortunecity.com/skyscrape..._Shredders.htm
    (Check the "Overwrite algorithm" row for wiping technique)


    Ammo
    Credit travels up, blame travels down -- The Boss

  2. #12
    I did a Low Level Format a while back on my Maxtor drive with the utility found on their website.
    Does this really destroy the actual data ?

    And a friend of mine told me a low level format under linux is really simple.
    I don't know the exact syntax but it had something to do with /dev=NULL.
    Does this destroy data or is it stil 'readable' after doing this.

    Furthermore a nice informative thread.

  3. #13
    Senior Member
    Join Date
    Oct 2001
    Posts
    114

    Exclamation

    Originally posted here by firestarter5
    A question then: You have a partitioned drive. C drive is 5G and D drive is 10G. You go to Kazaa and download 9.9G of mp3's on your D drive (this is a hypothetical situation). You write down a list of all these mp3's then delete them! Your PC says you have 10G of available space on your D drive again. Back to Kazaa you go and download another 9.9G of mp3's. Does this mean that your 10G D drive is actually holding 19.8G of mp3's? Or is the info from those origianl mp3's now actually overwritten and unable to be retrieved?
    Long time back i made a presentation on data hiding in diffrent kinds of RAM's (DRAM,SDRAM etc.) .. this was the paper that i used as an intro to this topic but.. as u will see this paper deals mostly with data on magnetic media.....the author at some points strongly hints that data once overwritten can also be retrieved...... !!!!

    so firestarter we can actually find ur previous 9.9 GB's ... but this is quite difficult, will require highly advanced equipments (i think so) but is possible ( probably not all the mp3's but still......)

    heres the link

    http://www.cs.auckland.ac.nz/~pgut00...ecure_del.html

    enjoy.
    Better Laugh At Your Own Problems..
    Coz...The World Laughs At Them

  4. #14
    Member
    Join Date
    Nov 2002
    Posts
    97
    Originally posted here by coolnads
    the author at some points strongly hints that data once overwritten can also be retrieved...... !!!!

    so firestarter we can actually find ur previous 9.9 GB's ... but this is quite difficult, will require highly advanced equipments (i think so) but is possible ( probably not all the mp3's but still......)
    actually, i'm pretty sure that it's completely infeasible to get overwritten data. think of it this way:

    you have a closet full of empty Coke cans. you've documented how many Coke cans you have in there.

    so, for now, a Coke can is data, and your little documentation would be your file allocation table.

    now, you want to get rid of some Coke cans. initially, you just erase a few numbers off the documentation, and, as far as you're concerned, you've got more room in your closet. let's say you erase the entire documentation, and now you want to fill the closet with beer cans. because there's not enough physical room to store more than a couple of beer cans, you toss a bunch of Coke cans in to the hall, then place the beer cans in there and document that.

    now there is no way to look in the closet and find Coke cans. before you say "you can retrieve them by going in the hall and picking them up", keep in mind that the HDD doesn't have a hallway it can toss its empty Coke cans in to
    i will shoot you so hard.

  5. #15
    Junior Member
    Join Date
    Aug 2002
    Posts
    3
    Very nice, this newb is starting to learn and thanks you people
    \"It grips me slowly, It stains me wholely, It hates me only, It knows me souly, UNTIL IT SLEEPS\"

  6. #16
    Member
    Join Date
    Oct 2002
    Posts
    56
    Good post, I remember learning about this a long time ago. And I forgot heh, thanks for bringing me back up to speed

    -gunder

  7. #17
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by spyrul


    actually, i'm pretty sure that it's completely infeasible to get overwritten data. think of it this way:

    you have a closet full of empty Coke cans. you've documented how many Coke cans you have in there.

    so, for now, a Coke can is data, and your little documentation would be your file allocation table.

    now, you want to get rid of some Coke cans. initially, you just erase a few numbers off the documentation, and, as far as you're concerned, you've got more room in your closet. let's say you erase the entire documentation, and now you want to fill the closet with beer cans. because there's not enough physical room to store more than a couple of beer cans, you toss a bunch of Coke cans in to the hall, then place the beer cans in there and document that.

    now there is no way to look in the closet and find Coke cans. before you say "you can retrieve them by going in the hall and picking them up", keep in mind that the HDD doesn't have a hallway it can toss its empty Coke cans in to
    Well, no, IT IS possible:

    Overwriting data on disk isn't like filling a closet, it's like writing over used paper... What happens is that when the disk heads write on the platter, it re-aligns magnetite (or whatever magnetic compound they use) in a diffrent direction. However, a single write doesn't manage to get all magnetite (or whatever) particuls re-alligned. So while the majority of particuls will have change directions, there will be a few residual ones that will still be oriented in the previous direction.

    So finding out what data was there before means using a more sensible device that can distinguish or detect variations in the magnetic field or such... (That's why whiping software will make multiple writing passes, sometimes with randomized caracter, in order to try and re-allign all particuls). Of course this is hard to do and pretty expensive, but people with enough money and resources (think FBI, CIA, NSA...) could and do have the means to do it. In fact, I remember reading somewhere that it was rumored the NSA (I think) was able to recover data after 27 passes!

    Ammo
    Credit travels up, blame travels down -- The Boss

  8. #18
    Senior Member
    Join Date
    Oct 2002
    Posts
    112
    Spyrul,

    actually, i'm pretty sure that it's completely infeasible to get overwritten data. think of it this way
    You are correct with this statement regarding simple undelete utilities such as Norton Unerase, but there is a high probability of recovering the data if it has only been overwritten one or two times, but it requires specialized equipment.

    When data is written to magnetic media it is written to a magnetic domain. This domain consists of a number of magnetic bits (not to be confused with a data bit 0 or 1) which receive the magnetic charge. Not all of the bits in the magnetic domain will change when the head passes over during the write operation and will retain the magnetic properties from a previous operation. Does this mean that a magnetic domain can contain magnetic bits that are set to a zero and magnetic bits that are set to a one? It certainly does, but if the write operation was setting the bit to a one then the majority are set to a one, strongest at the center of the domain weaker at the edges.

    Remember in grade school when you put metal filings on a piece of paper and ran a magnet underneath. Most of the filings lined up and pointed in the same direction, but the ones at the edges didn't all point with the others. The same thing is happening when you write to the hard disk.

    Is it easy to peel back these layers to determine what was overwritten? With modern hard disks this is a difficult, costly, and time consuming process but portions of overwritten data can be recovered if it was overwritten or wiped with a single pass process. The minimum process that should be involved in a wipe would be a three pass write. A three pass will make one pass writing 00 followed by it's complement which is an FF and a final pass of random data. It is still possible to recover some data after a 3 pass wipe, but whoever does will want that data very badly and have the $$ to attempt the recovery. Generally a 7 pass wipe will make it near impossible to recover the data and I have never heard of any data being recovered after a Guttman 35 pass wipe. (Disclaimer.. Doesn't mean that those agencies with 3 letter names can't do it but they would really want you bad to go to the expense involved)

    Here is a link to a document that describes the process required to dispose of unclassifed DoD computer hard drives.

    http://www.c3i.osd.mil/org/sio/ia/di...memo060401.pdf

    Edit:

    I was too slow, I see that ammo posted a response as I was writing this Ammo, do you remember where you saw the information on the 27 pass recovery?
    If you receive something that says \'Send this to everyone you know,\' pretend you don\'t know me.

  9. #19
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Unfortunately, I really don't remember where I read that, and can't find it either searching on google and others... :/

    I do believe it was a either comp security or comp news site site though (not that that really helps!)...

    Ammo
    Credit travels up, blame travels down -- The Boss

  10. #20
    Member
    Join Date
    Nov 2002
    Posts
    97
    ah. last time i read about this, i was under the impression that it would realign all the magnetic charges, or some data would just be incomplete.

    looks like i have to brush up on harddrives


    heh, i got owned.
    i will shoot you so hard.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides