RE: Peter Gutmann data deletion theory?
I agree with most of what you say, and the general idea is valid. However, the
specifics of

> then a full reformat is quite enough to cause them to move on to the next
> machine - they're not going to have the motivation or equipment to delve
> into a randomly selected disk.

is a dangerously naïve approach. With point-and-click, easy-to-use freeware
tools under Windows, I can do almost 100% retrieval of files after a full
reformat, and even after reloading the OS and using it for a while, the simple
point-and-click freeware tools can retrieve an awful lot of stuff. And if I
have the skills to use more powerful, complex tools, I can do even better,
without needing a lot of money, time, or even strong motivation.

Even for a home user, I'd recommend using a program that securely deletes stuff
by actively over-writing with multiple passes of random data (sdelete and DBAN
are a couple of my favorites). A format is *not* enough. Your general idea
(that it depends on the motivation and resources available to the attacker) is
good, just that your level of paranoia should maybe be turned up a notch :)

I'm not positive which Gutmann piece the OP was referring to, but if it's the
one I'm thinking of, it's a bit dated -- his methods were briefly really
popular as a shortcut to secure deletion, but if they're the ones I think he's
referring to, then they don't work with more modern file systems, so simple
random passes are better, though more costly to implement.

> -----Original Message-----
> From: Jeremy Epstein [mailto:jeremy.epstein@xxxxxxxxxxxxxx]
> Sent: Thursday, July 21, 2005 2:01 PM
> To: Jared Johnson; focus-ms@xxxxxxxxxxxxxxxxx
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Peter Gutmann data deletion theaory?
>
> Like anything in security, "it depends". In particular, it depends on what
> the assumed adversary motivations and capabilities are. If the adversary is
> a nation-state with electron microscopes and other expensive devices, and
> the disk is believed to have held highly classified information, it's
> clearly true that the only way to destroy the data is to burn the disk (and
> in the right way). If, on the other hand, the adversary is someone who's
> randomly buying used computers in hopes of finding carelessly deleted files,
> then a full reformat is quite enough to cause them to move on to the next
> machine - they're not going to have the motivation or equipment to delve
> into a randomly selected disk.
>
> Where in between these two extremes it's necessary to burn the disk is an
> exercise left to the reader ;-) You really have to do a risk analysis... If
> it's cheaper / easier / less dangerous for the adversary to dumpster dive to
> get hardcopies or bribe someone or hack into the system, then destroying the
> hardware is putting the effort in the wrong place. For a lot of classified
> systems, the assumption is that obtaining used disks is a low cost attack,
> so it's cost effective to use destruction.
>
> --Jeremy
>
> > -----Original Message-----
> > From: Jared Johnson [mailto:jaredsjazz@xxxxxxxxx]
> > Sent: Wednesday, July 20, 2005 7:49 PM
> > To: focus-ms@xxxxxxxxxxxxxxxxx
> > Cc: bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: Peter Gutmann data deletion theaory?
> >
> > All,
> >
> > Do you all agree with Peter Gutmann's conclusion on his theory
> > that data can never really be erased, as noted in his quote below:
> >
> > "Data overwritten once or twice may be recovered by
> > subtracting what is expected to be read from a storage
> > location from what is actually read. Data which is
> > overwritten an arbitrarily large number of times can still be
> > recovered provided that the new data isn't written to the
> > same location as the original data (for magnetic media), or
> > that the recovery attempt is carried out fairly soon after
> > the new data was written (for RAM). For this reason it is
> > effectively impossible to sanitise storage locations by
> > simply overwriting them, no matter how many overwrite passes
> > are made or what data patterns are written. However by using
> > the relatively simple methods presented in this paper the
> > task of an attacker can be made significantly more difficult,
> > if not prohibitively expensive."
> >
> > It seems that perhaps the only real way to rid your Hard
> > Drives of data is to burn them.
> >
> > I'd love to hear some thoughts on this from security and data
> > experts out there.