Secure Delete - PGP?

OSR_Community_User · May 12, 2006, 7:28am

Hello Folks,

Why do applications that offer secure delete (like PGP’s Disk Wipe) have
to make multiple passes when encrypting un-used sectors?

Is this due solely to temp files and cache? The reason I ask is I was
watching one of those Forensic Files’ shows, and they indicated
that the FBI was able to recover a file off a drive that had been
previously OVERWRITTEN. Did the narrator get it wrong, or when
a file is over-written, is there a faint magnetic charge that remains on
the plate of the old file that can be recovered?

Are these multiple overwrite passes due too OS/FileSystem factors; or is
there a physical magnetic sector issue here?

m

OSR_Community_User · May 12, 2006, 8:16am

MM wrote:

Is this due solely to temp files and cache? The reason I ask is I was
watching one of those Forensic Files’ shows, and they indicated
that the FBI was able to recover a file off a drive that had been
previously OVERWRITTEN. Did the narrator get it wrong, or when
a file is over-written, is there a faint magnetic charge that remains on
the plate of the old file that can be recovered?

In theory you can recover a few generations back… basically when a
hard disk head writes to a disk it doesn’t always write into the same
place - there are microscopic differences. It’s these differences that
makes it theoretically possible to recover the data.

The theory also goes that if you write random data 10-20 times across
the disk it makes it impossible to get the original back.

For most purposes it’s complete overkill of course - few people have
access to the kind of equipment that can recover data in that way, and
where it’s not overkill - military use - their standards involve
complete destruction of the disk platters anyway.

99% of ‘secure delete’ apps are simply snake oil.

Tony

OSR_Community_User · May 12, 2006, 10:05am

Tony, thanks for the explanation.

In theory you can recover a few generations back… basically when a
hard disk head writes to a disk it doesn’t always write into the same
place - there are microscopic differences. It’s these differences
that makes it theoretically possible to recover the data.

Well, a few generations back - thats scary.

The theory also goes that if you write random data 10-20 times across
the disk it makes it impossible to get the original back.

For most purposes it’s complete overkill of course - few people have
access to the kind of equipment that can recover data in that way, and
where it’s not overkill - military use - their standards involve
complete destruction of the disk platters anyway.

Yeah, the show I was watching the FBI pulled this off; that would
defiantly be one group of people that had the right kind of equipment…

99% of ‘secure delete’ apps are simply snake oil.

Have you ever messed around with the free version of PGP, in your
estimation, would you consider it’s disk wipe utility to be pure crap?
I do believe most are ‘snake oil’ as you said, fortunately these apps
are no longer the spam rage… Do you believe it is possible to wipe a
disk via software only?

Sorry for going so off-topic here, didn’t mean to end up here.

m

Tony

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · May 12, 2006, 10:34am

MM wrote:

Have you ever messed around with the free version of PGP, in your
estimation, would you consider it’s disk wipe utility to be pure crap?

It will do the job… for free that’s a reasonable deal. I just wouldn’t pay
for one…

I do believe most are ‘snake oil’ as you said, fortunately these apps
are no longer the spam rage… Do you believe it is possible to wipe a
disk via software only?

It comes down to how important is your data. If it’s just normal ‘company
confidential’ important a single wipe with zeros (or better, random data) is
normally enough… people really aren’t going to be going to the expense of
low level analysis of the disks just to get at it (that’s assuming they could
get hold of the disks in the first place, which normal security measures
should prevent).

If it’s a military secret… before you let the disk out of your sight pull it
apart and shatter the platters then throw the bits into a furnace.

I you’re trying to cover up your criminal past… I’d recommend that latter
route

Now if you could just write and FSD to do the random writing (assuming
arranging for total destruction is difficult even in kernel space) we could
even keep this thread ontopic!

Tony

OSR_Community_User · May 12, 2006, 11:20am

At the risk of going way down into an OT rat hole, here’s a brief (and
oversimplified) explanation of how that works:

Magnetic media is really analog, we just force it into discrete 1s and 0s.
When a disk is manufactured, the magnetic domains that make up the bits
are unaligned, and have an approximate analog value of 0.5. When you
write a value to a particular bit, it is reduced to an analog value of
*approximately* 1 or 0, and it can be “less than 0”, or “more than 1”,
because those are just specific analog levels coming out of the read
channel. The more times it is changed in a short period of time, the more
it converges on the ideal values of 1 and 0. Over time, those analog
values tend to drift toward 0.5. IF you have access to the analog values,
you can subtract the ideal values from them and see, to a high
probability, what the previously stored value was. Then you can subtract
that ideal value and see what the second generation previous values were.
It does require specialized equipment, but it’s not TLA-named governmental
entity kind of equipment, just “highly motivated party” kind of equipment.

I’m told there are commercial entities in Russia that do this, though I
have no first-hand knowledge of that.

Phil

Philip D. Barila
Seagate Technology LLC
(720) 684-1842

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@comcast.net
Sent: Friday, May 12, 2006 5:25 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Secure Delete - PGP?

Hello Folks,

Why do applications that offer secure delete (like PGP’s Disk Wipe) have
to make multiple passes when encrypting un-used sectors?

Is this due solely to temp files and cache? The reason I ask is I was
watching one of those Forensic Files’ shows, and they indicated
that the FBI was able to recover a file off a drive that had been
previously OVERWRITTEN. Did the narrator get it wrong, or when
a file is over-written, is there a faint magnetic charge that remains on
the plate of the old file that can be recovered?

Are these multiple overwrite passes due too OS/FileSystem factors; or is
there a physical magnetic sector issue here?

m

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@seagate.com
To unsubscribe send a blank email to xxxxx@lists.osr.com