RE: Peter Gutmann data deletion theaory?

To: <focus-ms@xxxxxxxxxxxxxxxxx>
Subject: RE: Peter Gutmann data deletion theaory?
From: "Earnhart, Benjamin J" <benjamin-earnhart@xxxxxxxxx>
Date: Thu, 21 Jul 2005 17:45:21 -0500
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcWOQpDSUZ+4XMBnQTCQwt6j1pbZdAAAPidg
Thread-topic: Peter Gutmann data deletion theaory?

I agree with most of what you say, and the general idea is valid.  However, the 
specifics of 

> then a full reformat is quite enough to cause them to move on 
> to the next
> machine - they're not going to have the motivation or 
> equipment to delve
> into a randomly selected disk.

is a dangerously naïve approach.  With point-and-click easy to use freeware 
tools under windows, I can do almost 100% retrieval of files after a full 
reformat, and even after reloading the OS and using it for a while, the simple 
point-and-click freeware tools can retieve an awful lot of stuff.  And if I 
have the skills to use more powerful, complex tools, I can do even better, 
without needing a lot of money, time, or even strong motivation.

Even for a home user, I'd recommend using a program that securely deletes stuff 
by actively over-writing with multiple passes of random data (sdelete and DBAN 
are a couple of my favorites).  A format is *not* enough. Your general idea 
(that it depends on the motivation and resources available to the attacker) is 
good, just that your level of paranoia should maybe be turned up a notch :)

I'm not positive which Gutmann piece the OP was referring to, but if it's the 
one I'm thinking of, it's a bit dated -- his methods were briefly really 
popular as a shortcut to secure deletion, but if they're the ones I think he's 
referring to, then they don't work with more modern file systems, so simple 
random passes are better, though more costly to implement.    


> -----Original Message-----
> From: Jeremy Epstein [mailto:jeremy.epstein@xxxxxxxxxxxxxx] 
> Sent: Thursday, July 21, 2005 2:01 PM
> To: Jared Johnson; focus-ms@xxxxxxxxxxxxxxxxx
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Peter Gutmann data deletion theaory?
> 
> Like anything in security, "it depends".  In particular, it 
> depends on what
> the assumed adversary motivations and capabilities are.  If 
> the adversary is
> a nation-state with electron microscopes and other expensive 
> devices, and
> the disk is believed to have held highly classified information, it's
> clearly true that the only way to destroy the data is to burn 
> the disk (and
> in the right way).  If, on the other hand, the adversary is 
> someone who's
> randomly buying used computers in hopes of finding carelessly 
> deleted files,
> then a full reformat is quite enough to cause them to move on 
> to the next
> machine - they're not going to have the motivation or 
> equipment to delve
> into a randomly selected disk.
> 
> Where in between these two extremes it's necessary to burn 
> the disk is an
> exercise left to the reader ;-)  You really have to do a risk 
> analysis... If
> it's cheaper / easier / less dangerous for the adversary to 
> dumpster dive to
> get hardcopies or bribe someone or hack into the system, then 
> destroying the
> hardware is putting the effort in the wrong place.  For a lot 
> of classified
> systems, the assumption is that obtaining used disks is a low 
> cost attack,
> so it's cost effective to use destruction.
> 
> --Jeremy
> 
> > -----Original Message-----
> > From: Jared Johnson [mailto:jaredsjazz@xxxxxxxxx] 
> > Sent: Wednesday, July 20, 2005 7:49 PM
> > To: focus-ms@xxxxxxxxxxxxxxxxx
> > Cc: bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: Peter Gutmann data deletion theaory?
> > 
> > All,
> > 
> > Do you all agree with Peter Gutman's conclusion on his theory 
> > that data can never really be erased, as noted in his quote below:
> > 
> > "Data overwritten once or twice may be recovered by 
> > subtracting what is expected to be read from a storage 
> > location from what is actually read. Data which is 
> > overwritten an arbitrarily large number of times can still be 
> > recovered provided that the new data isn't written to the 
> > same location as the original data (for magnetic media), or 
> > that the recovery attempt is carried out fairly soon after 
> > the new data was written (for RAM). For this reason it is 
> > effectively impossible to sanitise storage locations by 
> > simple overwriting them, no matter how many overwrite passes 
> > are made or what data patterns are written. However by using 
> > the relatively simple methods presented in this paper the 
> > task of an attacker can be made significantly more difficult, 
> > if not prohibitively expensive."
> > 
> > It seems that the perhaps the only real way to rid your Hard 
> > Drives of data is to burn them. 
> > 
> > I'd love to hear some thoughts on this from security and data 
> > experts out there.
> > 
> > 
> > 
>

Follow-Ups:
- Re: Peter Gutmann data deletion theaory?
  - From: devnull
- Re: Peter Gutmann data deletion theaory?
  - From: Casper . Dik

Prev by Date: [ GLSA 200507-20 ] Shorewall: Security policy bypass
Next by Date: Re: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954
Previous by thread: Re: RE: Peter Gutmann data deletion theaory?
Next by thread: Re: Peter Gutmann data deletion theaory?
Index(es):
- Date
- Thread