[ale] Need an iso to wipe hard drives.

Greg Freemyer greg.freemyer at gmail.com
Wed Apr 21 13:22:06 EDT 2010


I just remembered, there's a decent size prize available to anyone that
can successfully do a recovery after a one pass wipe of a modern era
drive.

I think it was $250K or so.

If anyone is interested, I'll try to find the details again.

Greg

On Fri, Apr 16, 2010 at 2:35 PM, Greg Freemyer <greg.freemyer at gmail.com> wrote:
> Scott,
>
> If you can find a well documented case of recovery after a single wipe
> of a 20GB or larger drive even by guys in white suits, I'd love to
> know about it.  Hell, you can be published in a well respected journal
> I'm sure.
>
> I pay pretty close attention to that world, and there are lots of
> theories about it being possible, but no reality that I've ever seen.
> Apparently it was fairly easily done with drives made in the 80's
> because the bits were so physically big on the platter that there were
> remnants you could find in the lab.
>
> And as I said, NSA published an internal doc about their attempts to
> recover data from a modern drive.  Unfortunately that doc is not
> available to the public from what I can tell, but it was solid enough
> that NIST now only requires a single wipe for confidential data.
>
> For top secret, I believe physical destruction down to sand sized
> chunks is required.  ie. no chunk can hold a full sector of data, and
> sectors are pretty small.
>
> Greg
>
> On Fri, Apr 16, 2010 at 2:12 PM, scott <scott at sboss.net> wrote:
>> the wipe she used was the DBAN wipe tool using a single wipe.
>>
>> And I know others on a single pass wipe, have recovered their disks (not them personally but the guys in the white suits).  Now once it went over 7 passes (7 or more) then the chance of any data recovery went down to a number really really small that is very close to 0.  I would call it zero but then someone will get a file and I would be a liar.
>>
>> Personally (at my home) I do a 7 pass on all disks unless it has PCI/HIPAA type data then I do 35 pass. I know the PCI/HIPAA rules due to work.
>>
>>
>> On Apr 16, 2010, at 2:00 PM, Greg Freemyer wrote:
>>
>>> fyi: I wholeheartedly agree, the mac wipe failure sounds like a
>>> process failure, not a technology failure.
>>>
>>> As to:  $1/MB ????????  for recovery
>>>
>>> You must not be telling the whole story.  Or maybe you meant $1/GB.
>>>
>>> The most expensive I'm aware of is a raid array failure.  That can be
>>> $5K/drive or so, but that is still way below $1/MB.
>>>
>>> Or maybe you just needed a few relatively small files recovered.  It
>>> is still a lot of work to search the whole drive for a few fragments
>>> and try to rebuild things.
>>>
>>> I could see us charging $1K or even $2K to recover a specific deleted
>>> file that was a real challenge to rebuild.  And if it was only 50 MB
>>> or so, you might say that worked out to $20/MB, but that's not really
>>> a fair way to describe the price.
>>>
>>> Greg
>>>
>>> On Fri, Apr 16, 2010 at 12:44 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>>> sounds like the wipe tool on that Mac was crap and just did a delete. Drive
>>>> recovery is $$$$$$$$$!!!!
>>>> The last one I ran for a client was $1/MB.
>>>>
>>>> On Fri, Apr 16, 2010 at 12:24 PM, scott boss <scott at sboss.net> wrote:
>>>>>
>>>>> A friend of mine's wife wiped her mac laptop HD.  Not the govt 35pass
>>>>> but a single pass wipe.  He sent it off to one of those disk recovery
>>>>> companies and he got 99% of the disk back and the HD was much larger
>>>>> than 20g.  She had over 20g of photos alone.
>>>>>
>>>>> Ymwv!!
>>>>>
>>>>> Sent from my mobile...
>>>>>
>>>>> On Apr 16, 2010, at 12:04, Brian Pitts <brian at polibyte.com> wrote:
>>>>>
>>>>>> On 04/16/2010 11:31 AM, Greg Freemyer wrote:
>>>>>>>
>>>>>>> NIST has a sanitation paper that says disk drives of 20GB or larger
>>>>>>> capacity are not recoverable even via laboratory means after a single
>>>>>>> wipe with zeros.
>>>>>>>
>>>>>>> So you're just wasting cpu cycles using /dev/urandom.  Just use
>>>>>>> /dev/zero.  And just do it once.
>>>>>>
>>>>>> The link you shared to a discussion of that paper a while back is dead.
>>>>>> Do you know of any more sources? I'd really like to have something to
>>>>>> wave at the "you must wipe it 27 times" people.
>>>>>>
>>>>>>> Also, ext2/3 reserves x% of the drive for root, so if you're doing the
>>>>>>> above as a normal user, you're missing that x%.  I think x% is 5%, but I
>>>>>>> don't recall for sure.  And 5% of 1TB is 50GB, so it is a big deal.
>>>>>>
>>>>>> At Free IT Athens, we run sfill and sswap from the secure-delete suite
>>>>>> of tools as a post-install action to securely erase all unused space on
>>>>>> a system being refurbished. sfill wipes the disk space and inode space,
>>>>>> and sswap takes care of the swap partition.
>>>>>>
>>>>>> --
>>>>>> All the best,
>>>>>> Brian Pitts
>>>>>> _______________________________________________
>>>>>> Ale mailing list
>>>>>> Ale at ale.org
>>>>>> http://mail.ale.org/mailman/listinfo/ale
>>>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>>>> http://mail.ale.org/mailman/listinfo
>>>>
>>>>
>>>>
>>>> --
>>>> --
>>>> James P. Kinney III
>>>> Actively in pursuit of Life, Liberty and Happiness
>>>
>>>
>>>
>>> --
>>> Greg Freemyer
>>> Head of EDD Tape Extraction and Processing team
>>> Litigation Triage Solutions Specialist
>>> http://www.linkedin.com/in/gregfreemyer
>>> CNN/TruTV Aired Forensic Imaging Demo -
>>>   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/
>>>
>>> The Norcross Group
>>> The Intersection of Evidence & Technology
>>> http://www.norcrossgroup.com
>>>
>>



-- 
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
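
An added example, not part of the thread: the single zero pass discussed above, followed by a read-back check that the pass actually reached every byte (the kind of check that separates a tool that wiped from one that "just did a delete"). The function names and the scratch image are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): one zero pass, then a read-back check.
# Works on a regular file or, as root, on a whole block device.

# Count bytes in the target that are not 0x00.
# A result of 0 means the zero pass reached every byte.
nonzero_bytes() {
    echo $(( $(tr -d '\000' < "$1" | wc -c) ))
}

# Overwrite the target's full length once with zeros, in place.
wipe_zero() {
    # wc reads to EOF, so this also sizes a block device (slowly).
    size=$(( $(wc -c < "$1") ))
    # conv=notrunc keeps a regular file at its original length.
    head -c "$size" /dev/zero | dd of="$1" bs=64k conv=notrunc 2>/dev/null
    sync
}

# Constructed demo: a 1 MiB scratch image of random data stands in for a disk.
# Prints: <non-zero bytes before> <non-zero bytes after> <size after>
demo() {
    img=$(mktemp) || return 1
    head -c 1048576 /dev/urandom > "$img"
    before=$(nonzero_bytes "$img")
    wipe_zero "$img"
    after=$(nonzero_bytes "$img")
    after_size=$(( $(wc -c < "$img") ))
    rm -f "$img"
    echo "$before $after $after_size"
}

demo
```

Run against a whole device rather than a mounted filesystem, the pass is not affected by the ext2/3 root-reserved blocks mentioned in the thread, which only matter when filling free space as a normal user.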
