Re: [Nolug] Why geeks don't wipe hard drives...

From: Jimmy Hess <mysidia_at_gmail.com>
Date: Thu, 24 Mar 2011 17:23:52 -0500
Message-ID: <AANLkTimxWMVh6oz8sKdYehf-QzOPLJRV9jtmphj92VQ7@mail.gmail.com>

On Thu, Mar 24, 2011 at 3:29 PM, Lee S. Whatley <lee@whatley.org> wrote:
> On Thu, 24 Mar 2011, Ron Johnson wrote:
> If *you* are still planning to use the drives then you don't need to wipe
> them, just do a mkfs on top of the old stuff.

> If you are planning on selling them or giving them away, then a 1 pass wipe
> isn't really protecting your data from anything...you're gonna need to spend
> waay more than 3 hours to do a "secure" wipe ;)

If you have mechanical drives, you are fortunate. SSDs are much
harder to ensure data is wiped irrecoverably.
Really ensuring a HDD is wiped requires drastic measures. First do
whatever you want to zero out all the sectors, then...
http://www.youtube.com/watch?v=sQYPCPB1g3o

Er..

But seriously with mechanical disks, a 1 pass wipe with random bits is
probably good enough against anyone who isn't going to use Microscopy
(MFM or SPM) on your hard drive.
With modern perpendicular recording, it's somewhat a miracle that you
can reliably access the bits as it is, _without_ wiping.

Still... I would say use ATA Secure Erase. Resort to DBAN first only
if ATA Secure Erase is unavailable:
https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Just writing zeros to sectors has the drawback that if you had bad
sectors in the past... your hard drive firmware may have helped protect
your data in the past by performing sector relocation --

In sector reallocation, a 'bad'/unreadable sector is deactivated, and
its address is reassigned to a new physical location on the disk (from
an area of 'spares'); the zeros/random data you are writing get stored
on a 'spare sector'....

The bad sector the spare replaced becomes unaddressable (meaning there
is no mechanism the OS can use to address, read, or write that bad
sector which was silently spared out and removed from service).

The OS running on the computer doesn't know that there is another copy
of "sector XYZ", stored in what is now an unaddressable region of the
disk; so a simple overwriting of all addressable sectors is not capable
of erasing every trace.

You run DBAN.... think all the data is gone, but there may be a few
traces someone could recover.

Through forensic analysis of the platters... and possibly analysis of
the RAM/cache modules on the control board (depending on how long they'd
been powered off).

--
-Jimmy
___________________
Nolug mailing list
nolug@nolug.org
Received on 03/24/11
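
The two checks the message above implies before picking a wipe method, as an added example that is not part of the original post: whether the drive reports ATA Secure Erase as usable, and whether sectors have already been remapped out of reach of an overwrite. The function names are hypothetical and the sample text is constructed in the shape of `hdparm -I` and `smartctl -A` output.

```sh
#!/bin/sh
# Added example. Sample text is constructed, shaped like `hdparm -I` and
# `smartctl -A` output; on a real system pipe those commands (run as root
# against the disk) into the functions instead.
HDPARM_SAMPLE='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'
SMART_SAMPLE='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       8'

# Reads the indented Security: section; prints unsupported|locked|frozen|ready.
secure_erase_state() {
    awk '
        /^Security:/        { insec = 1; next }
        insec && /^[^ \t]/  { insec = 0 }    # an unindented line starts the next section
        !insec              { next }
                            { neg = ($1 == "not"); word = neg ? $2 : $1 }
        word == "supported" { sup = !neg }
        word == "frozen"    { frozen = !neg }
        word == "locked"    { locked = !neg }
        END { s = "ready"; if (frozen) s = "frozen"; if (locked) s = "locked"
              if (!sup) s = "unsupported"; print s }'
}

# Prints the raw count of SMART attribute 5, or "unknown" if it is not reported.
reallocated_sectors() {
    awk '$1 == 5 && $2 == "Reallocated_Sector_Ct" { print $10; found = 1 }
         END { if (!found) print "unknown" }'
}

wipe_plan() {   # $1 = secure_erase_state result, $2 = reallocated_sectors result
    case "$1" in
        ready)         echo "use ATA Secure Erase" ;;
        frozen|locked) echo "ATA Secure Erase supported but drive is $1; clear that first" ;;
        *) if [ "$2" = 0 ]; then echo "overwrite all sectors"
           else echo "overwrite leaves remapped sectors ($2) untouched"; fi ;;
    esac
}

state=$(printf '%s\n' "$HDPARM_SAMPLE" | secure_erase_state)
realloc=$(printf '%s\n' "$SMART_SAMPLE" | reallocated_sectors)
wipe_plan "$state" "$realloc"
```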
