New scientific data on wiping HDDs

Arno Wagner

There finally is some scientific evidence that one or a very low
number of overwrites is enough to wipe a drive in most situations. The
paper "Overwriting Hard Drive Data: The Great Wiping Controversy" by
Craig Wright, Dave Kleiman and Shyaam Sundhar R.S. looks at the issue
using magnetic microscopy and both older PRML and newer ePRML
HDDs. The full paper is available from Springer, but costs 25 USD.
An extended abstract is here:

http://sansforensics.wordpress.com/2009/01/15/overwriting-hard-drive-data/

It suggests that one factor is how often a drive area has been
written to previously. The authors give probabilities for how
likely successful recovery of overwritten data is, depending
on data length.
 
mscotgrove

> There finally is some scientific evidence that one or a very low
> number of overwrites is enough to wipe a drive in most situations. The
> paper "Overwriting Hard Drive Data: The Great Wiping Controversy" by
> Craig Wright, Dave Kleiman and Shyaam Sundhar R.S. looks at the issue
> using magnetic microscopy and both older PRML and newer ePRML
> HDDs. The full paper is available from Springer, but costs 25 USD.
> An extended abstract is here:
>
> http://sansforensics.wordpress.com/2009/01/15/overwriting-hard-drive-...
>
> It suggests that one factor is how often a drive area has been
> written to previously. The authors give probabilities for how
> likely successful recovery of overwritten data is, depending
> on data length.

I'll stick to a single overwrite. Apart from anything else, to find
critical data on a sector, you also have to decode the disk structure/
directory to know where the critical sector is.

I could write next week's lottery numbers on a used disk, then do a
complete, single erase. To find the numbers, first you will have to
work out from maybe 200,000 MFT entries, where the sector on my 500GB
drive is. Then find and decode the sector. I think it will be quicker
and cheaper to go and buy 14,000,000 lottery tickets. (This would also
take care of the fact I might be lying about knowing next week's
numbers).

Michael
 
Arno Wagner

> I'll stick to a single overwrite. Apart from anything else, to find
> critical data on a sector, you also have to decode the disk structure/
> directory to know where the critical sector is.

Agreed. And you have to know that there is something worthwhile
on the disk in the first place.

> I could write next week's lottery numbers on a used disk, then do a
> complete, single erase. To find the numbers, first you will have to
> work out from maybe 200,000 MFT entries, where the sector on my 500GB
> drive is. Then find and decode the sector. I think it will be quicker
> and cheaper to go and buy 14,000,000 lottery tickets. (This would also
> take care of the fact I might be lying about knowing next week's
> numbers).

Indeed.

Arno
 
Yousuf Khan

Arno said:
> It suggests that one factor is how often a drive area has been
> written to previously. The authors give probabilities for how
> likely successful recovery of overwritten data is, depending
> on data length.

So is it suggesting that an area that has had a lot of writes to it is
more likely to require more passes, or the opposite?

Yousuf Khan
 
Arno Wagner

> So is it suggesting that an area that has had a lot of writes to it is
> more likely to require more passes, or the opposite?

It suggests that an area that was written to once and then overwritten
once is easier to recover than an area that had data in it before
the data to be recovered (and one overwrite) were put there.

This would mean that overwriting a disk several times with random
data before using it makes it even harder to recover anything.

If I understand the physics right, all data layers previous to the
last one sort of blend together.

However when you look at the numbers, even shorter data parts are
very, very hard to recover. I would say that maybe it may be possible
to prove a certain file was on a drive after one overwrite, but
only if you know the file beforehand. And it will be expensive. But
if this is a concern, best do several overwrites.

Side note: Another conclusion would be that physical destruction
done wrong is far less secure than one overwrite.

Arno
 