Re: [Nolug] Why geeks don't wipe hard drives...

From: Lee S. Whatley <lee_at_whatley.org>
Date: Thu, 24 Mar 2011 20:15:44 -0500
Message-Id: <5F789E6E-213B-44CF-98E2-87F13782BC6F@whatley.org>

You know, all this stuff on different media types and making sure
something is deleted would make a great discussion topic at a LUG
meeting. I think UNO has some CS professors that do some digital
forensics. Maybe one of them would be willing to do a talk. Anyone
know this guy (cs.uno.edu/~golden)? I didn't go to UNO, but I read
his blog now and then.

On Mar 24, 2011, at 5:23 PM, Jimmy Hess wrote:

> On Thu, Mar 24, 2011 at 3:29 PM, Lee S. Whatley <lee@whatley.org>
> wrote:
>> On Thu, 24 Mar 2011, Ron Johnson wrote:
>> If *you* are still planning to use the drives then you don't need
>> to wipe
>> them, just do a mkfs on top of the old stuff.
>
>> If you are planning on selling them or giving them away, then a 1
>> pass wipe
>> isn't really protecting your data from anything...you're gonna
>> need to spend
>> waay more than 3 hours to do a "secure" wipe ;)
>
> If you have mechanical drives, you are fortunate. SSDs are much
> harder to ensure data is wiped irrecoverably.
> Really ensuring a HDD is wiped requires drastic measures. First do
> whatever you want to zero out all the sectors, then...
> http://www.youtube.com/watch?v=sQYPCPB1g3o
>
> Er..
>
> But seriously with mechanical disks, a 1 pass wipe with random bits
> is probably good enough
> against anyone who isn't going to use Microscopy (MFM or SPM) on your
> hard drive.
> With modern perpendicular recording, it's somewhat a miracle that you
> can reliably access the bits
> as it is, _without_ wiping.
>
> Still... I would say use ATA Secure Erase. Resort to DBAN first only
> if ATA Secure Erase is unavailable:
> https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
>
> Just writing zeros to sectors has the drawback, that if you had bad
> sectors in the past...
> your hard drive firmware may have helped protect your data in the past
> by performing sector relocation --
>
>
> In sector reallocation, a 'bad'/unreadable sector' is deactivated,
> and its address is reassigned
> to a new physical location on the disk (from an area of 'spares');
> the zeros/random data you are
> writing get stored on a 'spare sector'....
>
> The bad sector the spare replaced becomes unaddressable (meaning
> there is no mechanism
> the OS can use to address, read, or write that bad sector which was
> silently spared out
> and removed from service).
>
>
> The OS running on the computer doesn't know that there is another copy
> of "sector XYZ",
> stored in what is now an unaddressable region of the disk; so a
> simple overwriting
> of all addressable sectors is not capable of erasing every trace.
>
>
> You run DBAN.... think all the data is gone, but there may be a few
> traces someone could recover.
>
> Through forensic analysis of the platters... and possibly analysis of
> the RAM/cache modules
> on the control board (depending on how long they'd been powered off).
>
> --
> -Jimmy
> ___________________
> Nolug mailing list
> nolug@nolug.org

___________________
Nolug mailing list
nolug@nolug.org
Received on 03/24/11

This archive was generated by hypermail 2.2.0 : 03/24/11 EDT