Debate between Lawyers and Programmer on Data wiping on Hard drive- who's right?

Hey guys,
So a discussion between my friends, a VERY knowledgeable programmer/techie and two lawyers.

Example Scenario: I have a 100gb hard drive that I use for *illegal content* or *IC*, but later on wipe the drive with something else. No special programs, just format and re-use. We all know that an imprint is left on there despite files deleted.

Lawyers claim that unless you're destroying the physical disk into obliteration, with the latest tech and forensics they can still obtain data that has been wiped off or covered. So everything that's been on a HD will leave an imprint.

Tech friend says that after you wipe it, the only imprint left will be the last thing deleted since sectors are replaced by other sectors.

Both parties have years of experience, and unsurprisingly, both are very stubborn and adamant in their positions.
 
You could google this, but here goes...

Just deleting files generally just deletes the link to that file. Only when that storage space is used again is the file written over. So if you just delete files and empty your trash can (or however your OS does it) then the files are still there and aren't actually deleted.

If you're worried about someone reading your files you can use a program to rewrite the data. One rewrite should be sufficient but 7 are commonly recommended. Magnetic microscopes could conceivably be used to read overwritten data. But in practice, it would be infeasible (unless maybe the density of the media is low and someone with tons of time & money wants it really badly).

Here's some info on that:
http://en.wikipedia.org/wiki/Magnetic_force_microscope#Static_.28DC.29_mode
http://computer-forensics.sans.org/blog/2009/01/28/spin-stand-microscopy-of-hard-disk-data/

I don't know why you'd take the lawyers seriously to begin with tbh.

So yeah, if you just delete your files normally (like 99% of people) then sure, a forensic expert could recover them. But they aren't doing any crazy CSI stuff to do that. So if you put a little more effort into it you should make it impossible to recover the data (barring any crazy technology breakthroughs).
 
It depends on how you define some of these terms like "wipe". A hard drive platter consists of a magnetic media coating on a non-magnetic but conductive substrate, and on modern drives the field is applied to the media perpendicularly. Due to the increasing storage density of hard drives, the magnetic charge that defines a bit is getting weaker and weaker.

We all know that data can be recovered from a drive that has merely been formatted and had the file table wiped, as the data technically still exists on the drive. It can even be recovered somewhat easily from a drive that has been formatted and put back into use, particularly if the sectors have not been re-written. The substance of the matter comes down to recovering data that had been previously written to sectors that have since been written over. From a physics perspective this comes down to how much magnetic "residue" remains from the original data that you are attempting to recover.

I have heard of data recovery operations that have specialized hardware that they can put a platter into and read previous-generation magnetic residue, and again, things like this were easier back when sectors were physically larger and had a more robust field.

As far as wiping goes, I have heard people say that even a single-pass random write is enough to ensure that data isn't recoverable, and this is probably fairly accurate. The department of defense used to specify in their procedures exactly how many passes were required for a drive to be considered "safe", and as far as I know this is no longer done, because it is generally considered a better practice to just destroy the drive entirely. However, if I were to go about doing this myself, I would not be content with less than several (3-4) random write passes, especially with an older hard drive...
 
Just format the drive (and do not select QUICK format). In Vista / Windows 7, the OS will write zeros to every part of the drive. This gives you nearly unrecoverable data (would be incredibly expensive to recover it), and requires no special tools on your part.

The only reason you get into situations like the OP mentioned is because people are lazy and choose quick format.
 
Just format the drive (and do not select QUICK format). In Vista / Windows 7, the OS will write zeros to every part of the drive. This gives you nearly unrecoverable data (would be incredibly expensive to recover it), and requires no special tools on your part.

The only reason you get into situations like the OP mentioned is because people are lazy and choose quick format.

Don't forget it might be the fed investigating. They don't really care about cost when trying to get a win.

There is a reason there are guidelines for government and private discarding of drives. Like Andrew_carr said, 6-7 passes of a wiping tool is minimum, if the drive isn't going to be destroyed.
 
The lawyers are correct in that the data is there on some level after a format, however security is really about risk vs reward. It comes down to how badly someone wants to recover the contents of the drive. The more steps you take towards wiping the data, the more expensive it becomes to recover the data.

In this case, *IC* can mean different things. Local law enforcement is probably not willing to invest large sums of money to crack down on someone's stash of pirated music and videos. Federal agencies, however, may be willing to pay to see what was erased if we are talking about 'national security' scenarios. If you have any doubt, just ask Jack Bauer. :D

Google's datacenter procedure for end-of-life drives involves:
  1. Wiping and overwriting the existing data.
  2. Physically deforming the disc/platters with "The Crusher".
  3. Physically shred the disc into pieces.
  4. Recycle the materials.

Jump to 2m 40s in the video.
Google uses a 3-step method: http://www.youtube.com/watch?v=1SCZzgfdTBo
 
Just format the drive (and do not select QUICK format). In Vista / Windows 7, the OS will write zeros to every part of the drive. This gives you nearly unrecoverable data (would be incredibly expensive to recover it), and requires no special tools on your part.

The only reason you get into situations like the OP mentioned is because people are lazy and choose quick format.

Given today's high density hard drives, I've seen it argued that the simple format is essentially completely unrecoverable - the magnetic fields are so low and the density is so high it is impossible to get usable data back, although I haven't seen any actual test results on that.

That being said, they'd have to really, really want the data to recover it.
 
It's pretty simple. If the law says the data shall be recovered, then the data will be recovered, laws of physics be damned.

Fingerprints work exactly the same way. The law says they shall be a unique identifier, so they are a unique identifier. If you publish anything that suggests otherwise, you just get ignored + federally defunded for life.
 
Data persistence and data remanence are the key words here, even overwriting can leave recoverable traces of files, however the number of overwrites and methods are key to the ability to recover. Of course if you just format (even the standard format in windows, not the quick one) data is easy to recover as it is never overwritten, even GetDataBack will rebuild every bit of this data. Now zeroing a drive becomes quite a bit harder, to the point it starts to take special hardware to rebuild this data, a forensic lab would have no trouble with this but the casual user with recovery tools would have marginal luck at best. But if you make the wiping significantly better like I do, with dban and the ISAAC PRNG stream method with 8 passes, you can pretty much forget about data recovery short of a very skilled technician going over each sector by hand with a magnetic probe and interpreting each bit and reassembling data, even then I think the chances of any meaningful recovery are slim to nil. Of course physical destruction is the only guarantee.
 
Lawyers claim that unless you're destroying the physical disk into obliteration, with the latest tech and forensics they can still obtain data that has been wiped off or covered. So everything that's been on a HD will leave an imprint.

physical destruction is done as a backup, not because overwriting isn't enough. (it doesn't destroy the data any more, it just increases your confidence the data has been destroyed)
 
At my old job there was a guy in the warehouse section that threw together a machine that you put the hdd in one side and it would fly thru and be (de-?)magnetized. He would feed each drive through 2-3 times and then stick it into a second machine that would use a hydraulic press to push 3 rods into the platters of the hdd and lock up and thus immobilize/destroy the platters.

Some may argue that they should open and shred the platters too but really, who is gonna be spending the cash to see your files.

At home, I personally keep all my harddrives, but if I'm leaving one in a laptop I'm selling I'll run 7 passes on it doing random writes.
 
Just keep all of the data on a RAID 0 or similar. To dispose of the hard drives just remove them from the computer. That is enough protection to make the cost of recovery prohibitive.
 
Just keep all of the data on a RAID 0 or similar. To dispose of the hard drives just remove them from the computer. That is enough protection to make the cost of recovery prohibitive.

That is not true. I have recovered a lot of data from 2/3 of a striped array, I can definitely recover it all from 3/3!
 
Just format the drive (and do not select QUICK format). In Vista / Windows 7, the OS will write zeros to every part of the drive. This gives you nearly unrecoverable data (would be incredibly expensive to recover it), and requires no special tools on your part.

The only reason you get into situations like the OP mentioned is because people are lazy and choose quick format.

This is not true, a non-quick windows format READS the full disk, it does not write anything more than a quick one.

As for wiping, one full overwrite, random or not, is enough.

As mentioned above, merely formatting and using it does not guarantee overwriting, unless you filled the disk fully up.

The idea of using a magnetic microscope is nothing but a theory, that has never actually been performed. But if you're worried about spy stuff, you can probably afford a new disk.
 
The platters did not seem to take any visual damage from the re-entry so presumably they could just drop them into a new housing and read the data without much trouble.
 
It's not illegal or against forum rules to tell you how to wipe your disk of illegal content. I assume you are going to be cleaning your act up.

I would recommend Acronis Diskcleanser or whatever it's called. You can download the Ultimate Boot CD and it has all kinds of wipe tools on it. You want to probably use the Dept of Defense 5520 or whatever the hell it's called. It's government approved and they use it to guarantee a full complete data destruction.
 
illegal doesn't necessarily mean afoul of laws in his country.

for instance it is illegal to import encryption software under certain circumstances. he could be seeking to wipe this from a system being transported across national boundaries.
it could be religious texts banned by certain fundy countries, etc.
 
Drives that use PRML or ePRML (any drive from the last 10-15 years) record so weak a magnetic field that the drive actually has to make an educated guess based on the other fields it's detected to know what's actually recorded. Perpendicular recording drives are even harder to see residual magnetic fields because each bit is so close to another one, and the recording goes deep into the media. Overwriting with random data one time is enough to prevent anyone from recovering your data.

Even the guy who sparked off the whole "gotta wipe 37 times with these patterns" craze said he was misunderstood and that his paper doesn't apply to high data density drives.
 
DoD had a standard 7-pass wipe that was good for wiping data up to Top Secret (but not including). The short version was a 3-pass wipe that wrote a data pattern across each sector, then that pattern's complement, and then finally a random pattern.

I can't imagine it's a standard that's still in use, much more cost effective to just destroy the drive. However, the short pass version is what I use for wiping drives before sale. I don't imagine you could read any data off a drive with the short version, certainly not the long version.

Darik's Boot & Nuke does all this, available as a bootable disc.
 
dd if=/dev/urandom of=/dev/sd(to be wiped)
Bake till golden brown.
Enjoy with Heinz brand ketchup.
 
This is not true, a non-quick windows format READS the full disk, it does not write anything more than a quick one.

http://support.microsoft.com/kb/941961

Remember, I said FOR VISTA AND WINDOWS 7.

Windows XP and earlier just does a read to verify the integrity of every sector.

As for wiping, one full overwrite, random or not, is enough.

Then the discussion is over because that's exactly what a full format in Vista / Windows 7 does. And as I claimed before, one overwrite of zeroes is enough to secure you from anything.
 
Just format the drive (and do not select QUICK format). In Vista / Windows 7, the OS will write zeros to every part of the drive.

You are very much so incorrect. A quick format only writes a new FAT. A full format does a surface scan then afterwards writes a FAT.
 
That will do it. Although /dev/urandom is slow (or at least it was slow the last time I wanted GBs of random data). A 4 pass badblocks destructive read/write also will do the job.

I was going to say the same thing about urandom being slow:

Code:
$ dd if=/dev/urandom of=/dev/null bs=1M count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 14.274 s, 7.3 MB/s

I also agree that badblocks would be another way to do it. Note that badblocks has a -t random flag that can be used:

badblocks -b 4096 -p 4 -s -t random -v -w /dev/sd_

However, badblocks would waste time reading the blocks.

If it is important to write random data, something like this could be used for a single pass:

$ dd if=/dev/urandom of=/tmp/rdata bs=16M count=1
$ (while cat /tmp/rdata; do :; done) | dd of=/dev/sd_
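
As an added example (not code from any poster in this thread): a sketch of the repeat-one-random-block pass from the post above, run against a scratch image file, with a read-back check that the pass covered every byte and a constructed marker showing why rewriting only the file table leaves old data readable. The function names, image layout and marker string are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: operates on a scratch image file, never on a real device.

# Emit BLOCK over and over, cut to exactly SIZE bytes. The loop condition is
# cat itself, so it stops once head has exited and the pipe is closed.
pattern_stream() {   # pattern_stream BLOCK SIZE
    while cat "$1" 2>/dev/null; do :; done | head -c "$2"
}

# One pass: overwrite TARGET in place with the repeated block.
overwrite_pass() {   # overwrite_pass TARGET BLOCK
    pattern_stream "$2" "$(wc -c < "$1")" | dd of="$1" bs=64k conv=notrunc 2>/dev/null
}

# Read TARGET back and compare every byte with the expected pattern.
verify_pass() {      # verify_pass TARGET BLOCK
    pattern_stream "$2" "$(wc -c < "$1")" | cmp -s - "$1"
}

# True if the literal string MARKER can still be found in TARGET.
marker_present() {   # marker_present TARGET MARKER
    grep -a -q -F -e "$2" "$1"
}

demo() {
    dir=$(mktemp -d); img=$dir/disk.img; block=$dir/rdata
    marker="CONSTRUCTED-MARKER-not-real-data"
    # 4 MiB scratch "disk": fake file table at offset 0, old file 1 MiB in.
    dd if=/dev/zero of="$img" bs=1024k count=4 2>/dev/null
    printf 'FAKE-FILE-TABLE' | dd of="$img" conv=notrunc 2>/dev/null
    printf '%s' "$marker" | dd of="$img" bs=1024k seek=1 conv=notrunc 2>/dev/null
    # Stand-in for a quick format: only the first 4 KiB is rewritten.
    dd if=/dev/zero of="$img" bs=4k count=1 conv=notrunc 2>/dev/null
    marker_present "$img" "$marker" && echo "quick format: old data still readable"
    head -c 65536 /dev/urandom > "$block"
    overwrite_pass "$img" "$block"
    verify_pass "$img" "$block" && echo "full pass: every byte matches the pattern"
    marker_present "$img" "$marker" || echo "full pass: old data gone"
    rm -rf "$dir"
}
demo
```

On a real block device the size would come from `blockdev --getsize64` on Linux rather than `wc -c`.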
 
I don't see anything wasteful about their drive management practice. Any of the big-4 consultancies will recommend proper destruction of storage devices that contain PII data (personally identifiable information), which is basically what Google deals with, right? Any large company should be following similar protocols to avoid data leakage resulting in reputational damage.

In the end they recycle the resulting materials.
 
This will work too: SSI's Shred of the Month: E-Scrap - Hard Drives Shredding (Q): http://www.youtube.com/watch?v=sQYPCPB1g3o&feature=channel_video_title

or this: SSI's Shred of the Month: E-Scrap - Computers/Printers Shredding (D): http://www.youtube.com/watch?v=j1_uvM-5xKs&feature=relmfu
 
I don't see anything wasteful about their drive management practice. Any of the big-4 consultancies will recommend proper destruction of storage devices that contain PII data (personally identifiable information), which is basically what Google deals with, right? Any large company should be following similar protocols to avoid data leakage resulting in reputational damage.

In the end they recycle the resulting materials.

If the drives are dead, yeah... no waste. But if they're still working, wipe and sell em. The way today's hard drives record data, what's considered a 1 in one place, may be considered a 0 in another depending on the data surrounding it. So reading the bare platters without knowing what all the previous surrounding data was is impossible. And if you already knew what all the surrounding data was, you wouldn't need to recover the data from the drive.
 
If the drives are dead, yeah... no waste. But if they're still working, wipe and sell em. The way today's hard drives record data, what's considered a 1 in one place, may be considered a 0 in another depending on the data surrounding it. So reading the bare platters without knowing what all the previous surrounding data was is impossible. And if you already knew what all the surrounding data was, you wouldn't need to recover the data from the drive.

They do say that they only destroy the drives whenever they don't pass their functionality tests
 
http://support.microsoft.com/kb/941961

Remember, I said FOR VISTA AND WINDOWS 7.

Windows XP and earlier just does a read to verify the integrity of every sector.



Then the discussion is over because that's exactly what a full format in Vista / Windows 7 does. And as I claimed before, one overwrite of zeroes is enough to secure you from anything.

Thanks, I was not aware this behaviour was changed.
 