[ale] Need an iso to wipe hard drives.

Greg Freemyer greg.freemyer at gmail.com
Fri Apr 16 14:35:28 EDT 2010


Scott,

If you can find a well documented case of recovery after a single wipe
of a 20GB or larger drive even by guys in white suits, I'd love to
know about it.  Hell, you can be published in a well respected journal
I'm sure.

I pay pretty close attention to that world, and there are lots of
theories about it being possible, but no reality that I've ever seen.
Apparently it was fairly easily done with drives made in the 80's
because the bits were so physically big on the platter that there were
remnants you could find in the lab.

And as I said, NSA published an internal doc about their attempts to
recover data from a modern drive.  Unfortunately that doc is not
available to the public from what I can tell, but it was solid enough
that NIST now only requires a single wipe for confidential data.

For top secret, I believe physical destruction down to sand sized
chunks is required.  ie. no chunk can hold a full sector of data, and
sectors are pretty small.

Greg

On Fri, Apr 16, 2010 at 2:12 PM, scott <scott at sboss.net> wrote:
> the wipe she used was the DBAN wipe tool using a single wipe.
>
> And I know others on a single pass wipe, have recovered their disks (not them personally but the guys in the white suits).  Now once it went over 7 passes (7 or more) then the chance of any data recovery went down to a number really really small that is very close to 0.  I would call it zero but then someone will get a file and I would be a liar.
>
> Personally (at my home) I do a 7 pass on all disks unless it has PCI/HIPAA type data then I do 35 pass. I know the PCI/HIPAA rules due to work.
>
>
> On Apr 16, 2010, at 2:00 PM, Greg Freemyer wrote:
>
>> fyi: I wholeheartedly agree, the mac wipe failure sounds like a
>> process failure, not a technology failure.
>>
>> As to:  $1/MB ????????  for recovery
>>
>> You must not be telling the whole story.  Or maybe you meant $1/GB.
>>
>> The most expensive I'm aware of is a raid array failure.  That can be
>> $5K/drive or so, but that is still way below $1/MB.
>>
>> Or maybe you just needed a few relatively small files recovered.  It
>> is still a lot of work to search the whole drive for a few fragments
>> and try to rebuild things.
>>
>> I could see us charging $1K or even $2K to recover a specific deleted
>> file that was a real challenge to rebuild.  And if it was only 50 MB
>> or so, you might say that worked out to $20/MB, but that's not really
>> a fair way to describe the price.
>>
>> Greg
>>
>> On Fri, Apr 16, 2010 at 12:44 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>> sounds like the wipe tool on that Mac was crap and just did a delete. Drive
>>> recovery is $$$$$$$$$!!!!
>>> The last one I ran for a client was $1/MB.
>>>
>>> On Fri, Apr 16, 2010 at 12:24 PM, scott boss <scott at sboss.net> wrote:
>>>>
>>>> A friend of mine's wife wiped her mac laptop HD.  Not the govt 35pass
>>>> but a single pass wipe.  He sent it off to one of those disk recovery
>>>> companies and he got 99% of the disk back and the HD was much larger
>>>> than 20g.  She had over 20g of photos alone.
>>>>
>>>> Ymwv!!
>>>>
>>>> Sent from my mobile...
>>>>
>>>> On Apr 16, 2010, at 12:04, Brian Pitts <brian at polibyte.com> wrote:
>>>>
>>>>> On 04/16/2010 11:31 AM, Greg Freemyer wrote:
>>>>>>
>>>>>> NIST has a sanitation paper that says disk drives of 20GB or larger
>>>>>> capacity are not recoverable even via laboratory means after a single
>>>>>> wipe with zeros.
>>>>>>
>>>>>> So you're just wasting cpu cycles using /dev/urandom.  Just use
>>>>>> /dev/zero.  And just do it once.
>>>>>
>>>>> The link you shared to a discussion of that paper a while back is dead.
>>>>> Do you know of any more sources? I'd really like to have something to
>>>>> wave at the "you must wipe it 27 times" people.
>>>>>
>>>>>> Also, ext2/3 reserves x% of the drive for root, so if you're doing the
>>>>>> above as a normal user, you're missing that x%.  I think x% is 5%, but I
>>>>>> don't recall for sure.  And 5% of 1TB is 50GB, so it is a big deal.
>>>>>
>>>>> At Free IT Athens, we run sfill and sswap from the secure-delete suite
>>>>> of tools as a post-install action to securely erase all unused space on
>>>>> a system being refurbished. sfill wipes the disk space and inode space,
>>>>> and sswap takes care of the swap partition.
>>>>>
>>>>> --
>>>>> All the best,
>>>>> Brian Pitts
>>>>> _______________________________________________
>>>>> Ale mailing list
>>>>> Ale at ale.org
>>>>> http://mail.ale.org/mailman/listinfo/ale
>>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>>> http://mail.ale.org/mailman/listinfo
>>>
>>>
>>>
>>> --
>>> --
>>> James P. Kinney III
>>> Actively in pursuit of Life, Liberty and Happiness
>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Greg Freemyer
>> Head of EDD Tape Extraction and Processing team
>> Litigation Triage Solutions Specialist
>> http://www.linkedin.com/in/gregfreemyer
>> CNN/TruTV Aired Forensic Imaging Demo -
>>   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/
>>
>> The Norcross Group
>> The Intersection of Evidence & Technology
>> http://www.norcrossgroup.com
>>
>
>



-- 
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
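
A single-pass zero wipe of the kind discussed in this thread can be checked afterwards by reading the target back and confirming every sector is zero, which catches a process failure such as a region the wipe never reached. The sketch below is an added example, not part of the original messages; the 512-byte sector size, the function names and the sample image are assumptions constructed for illustration.

```python
import os
import tempfile

SECTOR = 512           # assumed logical sector size
CHUNK = 1024 * 1024    # read size; must be a multiple of SECTOR


def verify_zeroed(path, sector=SECTOR, chunk=CHUNK):
    """Read a device or image back after a zero wipe.

    Returns (total_sectors, dirty_sectors, first_dirty_offset), where
    first_dirty_offset is the byte offset of the first sector that still
    holds non-zero data, or None if the whole target is zeros.
    """
    total = dirty = offset = 0
    first = None
    with open(path, "rb") as dev:
        while True:
            buf = dev.read(chunk)
            if not buf:
                break
            # Fast path: skip the per-sector scan when the chunk is clean.
            if buf.count(0) != len(buf):
                for i in range(0, len(buf), sector):
                    block = buf[i:i + sector]
                    if block.count(0) != len(block):
                        dirty += 1
                        if first is None:
                            first = offset + i
            total += (len(buf) + sector - 1) // sector
            offset += len(buf)
    return total, dirty, first


def build_sample(path, sectors=4096, leftover_at=None):
    """Constructed test image: all zeros, optionally one missed sector."""
    with open(path, "wb") as f:
        f.write(b"\x00" * (sectors * SECTOR))
        if leftover_at is not None:
            f.seek(leftover_at * SECTOR)
            f.write(b"\xff\xd8\xff\xe0 leftover photo data")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "wiped.img")
        build_sample(img, leftover_at=3000)
        total, dirty, first = verify_zeroed(img)
        print(f"{dirty} of {total} sectors not zero; first at byte {first}")
```

Pointed at a real block device instead of the sample image, the same function needs read permission on the device and reads the whole disk once.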