Usr6

Disk Wiping – One Pass is Enough


Many people are under the impression that hard drives need to be wiped with multiple passes to prevent recovery of data. This is simply untrue with modern hard drives. According to the National Institute of Standards and Technology, “Studies have shown that most of today’s media can be effectively cleared by one overwrite.”

Disk wiping, file wiping and file deletion are often confused. Wiping a hard drive involves using software or a hardware device to completely write over every bit of the hard drive. This will prevent the recovery of nearly all data on that hard drive. There are methods to “recover” some things, which I will explain in a bit.

File wiping involves using software to completely write over the contents of a file. The entry for that file in areas such as the file allocation table is usually removed as well. Wiping files is better than pressing the delete key on your keyboard, but remnants of these now wiped files can still be found in other places on the hard drive. This is especially true if the file has been copied back and forth between volumes, paged to disk from RAM, or touched by any of the numerous other operations the operating system performs.

Regular file deletion does not really delete the contents of a file. On a Windows XP system this includes selecting a file and pressing the delete key to move it to the recycle bin, as well as files emptied from the recycle bin and files deleted by holding down shift while pressing delete to bypass the recycle bin. Think of your hard drive as a book. The book has a table of contents with chapters which represent files. The only way to find chapters (data) is through the table of contents. When a file is deleted its entry in the table of contents is removed, leaving the chapter’s data in the book but no reference to where it is in the table of contents. In reality, something similar happens on the hard drive. Those leftover contents will eventually be written over as the space they take up is needed.

So why are there so many recommendations for multiple passes during disk wiping?

Some recommend physically destroying a hard drive or writing to it 3, 7 and even 25 times as the only reliable methods of getting rid of data. This really is not the case. Data is stored magnetically and is represented by 1’s and 0’s. In older hard drives it is possible to view previous states that these magnetic areas existed in, such as a 1 that used to be a 0. This is done with an electron microscope in the examples that I’m aware of. Even though this is possible, it would still be nearly impossible to get enough correct readings to put together a document, picture or anything else. There is currently no public example of this method actually returning any useful results.

Modern hard drives are even more efficient, making it harder to read what state bits were previously in.

Data Destruction Methods

The simplest form of data destruction is simple overwriting of the entire hard drive. As mentioned above, wiping a modern hard disk once is enough to prevent recovery of data.

Another simple method of data “destruction” is encryption. Encrypting a hard disk with full disk encryption will effectively render that data unreadable as if it had been overwritten with random characters.

Degaussing is one of the best but most expensive methods. It involves using hardware which renders previous data on a hard disk unreadable by changing the magnetic alignment of areas of the hard disk.

Another sure-fire method is physical destruction of the platters inside the hard drive. This can be done by smashing, grinding and shredding them. You can burn them and dip them in corrosive acid as well. Essentially, anything that causes total destruction of the platters will destroy the data on them.

If you’re in the habit of hoarding copyrighted material that does not belong to you on optical storage media such as CDs and DVDs, then the quickest way to destroy this data is in the microwave. In today’s world, there is really no need to hoard pirated data on optical media.

It is much easier and safer to store it on encrypted hard disks. However, if you ever find yourself in a situation that involves federal agents beating down your door, you may want to throw your stash in the microwave. However, there’s always that awkward situation where you have to explain why you have fifty microwaved DVDs and CDs in your microwave.

Disk Wiping Software

I’m sure you’ve heard of DBAN or Darik’s Boot and Nuke. Most people who work in IT have. This is because it works and it is very effective. You can pop the CD in, go through a few menus and then leave the machine running while DBAN does all the work. It can wipe every hard disk connected to the system in succession. There are options to do more than one pass, which you should avoid unless you don’t mind wasting your time.

Another method I use quite a bit is to hook a drive up to a Linux system, or pop a bootable Live CD in the machine and boot into a Linux environment, and use the dd command. It can be as simple as this: dd if=/dev/zero of=/dev/[DISK HERE]

Remember to read the man page on dd if you plan on using it. There is also dcfldd, which can perform the same actions and more. dcfldd is geared towards computer forensics and security.

For file level wiping I’m a fan of Jetico’s BCWipe. The software is highly customizable and different wiping options can be set up to run at different times. It can wipe free space or unallocated space on a hard disk, which is where older “deleted” files reside. This will prevent recovery of data from unallocated space using forensics and data recovery software. It will also wipe file slack. Data is split between clusters on the hard disk. Files are rarely the perfect size to fill every cluster, so what is left over after the end of a file in its last cluster is file slack. It can contain remnants of previous files. BCWipe can also wipe and clean old file entries, the swap file, recently used file lists and many other things including custom locations. Let’s just say that if BCWipe is used correctly, it can really make a computer forensics examination a pain in the ass and probably render any examination of the drive irrelevant depending on the type of evidence that needs to be collected.

Don’t limit yourself to just this software. There is a lot of file level wiping software out there, some free and some not so much. The reason I have listed BCWipe is that I personally use it and find it very reliable and effective. Another bit of free software that I find useful is CCleaner, which is very similar to BCWipe. You must turn on actual overwriting of files manually within the settings of the program. I use it alongside BCWipe to cover a larger area of temp files, recent file lists and other areas where history and artifacts may be lurking.

A great method of confirming that your hard drive has been fully wiped is to open the physical disk with a hex editor like WinHex and confirm that the wiping pattern matches what you’ve chosen. I personally just use zeros.

I’ve outlined the entire process in the steps below. Basically what I’ve done is wiped a thumb drive with a single pass and then reformatted the thumb drive with the FAT32 file system. I then created a text document, documenting the sectors it was located in. I then re-wiped the thumb drive with a single pass and documented the results.

This was all done with EnCase Forensic, WinHex and the Hard Disk Wipe Tool.

Step 1

Using the Hard Disk Wipe Tool 2.35.1178 I have wiped my 1GB thumb drive.

Essentially what this software is doing is “writing zeros” to the storage media. This is done in a single pass, not multiple passes, meaning it goes from start to end, zeroing every sector on the media.

[Screenshot: Thumb Drive Being Wiped]

Step 2

I then verified that the thumb drive was wiped. See the screenshot.

[Screenshot: Sector 0 After Wipe - WinHex]

This first screenshot is a view of the start of the thumb drive in WinHex. You can see that this portion is entirely zeroed out. No filesystem, no files, no data, period, exists on this thumb drive any longer. The rest of the drive (every sector) is completely zeroed as well.

Step 3

I then formatted the thumb drive with the FAT32 file system using Windows XP.

[Screenshot: Windows “disk not formatted” prompt]

After clicking yes I then filled out the options to do a normal format of the media with FAT32.

After formatting the media I then proceeded to view the first sector of the disk with EnCase Forensic software as seen in the next screenshot. Notice that it has been formatted with the FAT32 filesystem.

[Screenshot: Sector 0 After Formatting]

Step 4

I then proceeded to create a text document on the media using Windows Explorer. The text document is named “JUSTATEXTDOCUMENT.txt” and you can see the title and file entry on the disk in this next screenshot.

Notice the “name” of the thumb drive is “ANTIFOR” and you can also see the 8.3 file naming standard format of the file as well.

[Screenshot: Sector 4032 After Text File Creation]

Step 5

A few sectors later you can see the start of the text document, which consists of the phrase “I am just a text document.” copy-pasted quite a few times.

You are seeing screenshots of all of this from actual professional computer forensics software, one of the most widely used computer forensics packages in the world, which carries a hefty price tag of right around $3,000 USD per license/dongle.

[Screenshot: Sector 4040 After Text File Creation]

Step 6

I then re-ran the Hard Disk Wipe Tool 2.35.1178 and have re-wiped my 1GB thumb drive.

This first screenshot shows the first sector of the thumb drive where you previously saw data for the FAT32 file system.

[Screenshot: Sector 0 After Wiping]

Notice that there is now no data at this sector.

In this next screenshot you will see sector 4032 which previously had the file entry where you could see the filename for the document.

[Screenshot: Sector 4032 After Wiping]

Notice that there is nothing there anymore. The single pass has completely wiped out file information for the text document.

Let’s look at the contents of the text document now in sector 4040.

Need I say more about this screenshot?

[Screenshot: Sector 4040 After Wiping]

The fact is, nothing exists on this thumb drive anymore that can be recovered with any data recovery software or computer forensics software.
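As an added example (mine, not code from the original post or from any of the tools it names), the Python below does on a constructed image file what the single-pass zero wipe and the WinHex check in the steps above do: one pass of zeros from start to end, then a sector-by-sector scan for any byte that is not zero. The image, its contents and the use of sectors 0, 4032 and 4040 are constructed to mirror the post; the wipe itself is the same thing dd if=/dev/zero does, and nothing here touches a real device.

```python
import os
import tempfile

SECTOR = 512

def wipe_zero(path):
    """One pass, start to end, the same thing dd if=/dev/zero of=<device> does."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # also correct for a block device, where getsize() is 0
        f.seek(0)
        for off in range(0, size, SECTOR):
            f.write(bytes(min(SECTOR, size - off)))
    return size

def first_nonzero_sector(path):
    """Verification: index of the first sector holding a non-zero byte, None if fully zeroed."""
    with open(path, "rb") as f:
        idx = 0
        while chunk := f.read(SECTOR):
            if any(chunk):
                return idx
            idx += 1
    return None

def sector_contains(path, idx, needle):
    with open(path, "rb") as f:
        f.seek(idx * SECTOR)
        return needle in f.read(SECTOR)

def build_image(path, sectors=4096):
    """Constructed stand-in for the formatted thumb drive (sector numbers are the post's)."""
    with open(path, "wb") as f:
        f.truncate(sectors * SECTOR)
        f.write(b"\xeb\x58\x90MSDOS5.0")               # sector 0: jump + OEM name of a FAT boot sector
        f.seek(4032 * SECTOR)
        f.write(b"JUSTATEXTDOCUMENT.txt")              # sector 4032: directory entry region
        f.seek(4040 * SECTOR)
        f.write(b"I am just a text document. " * 18)   # sector 4040: file content

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "thumb.img")
        build_image(path)
        text = b"I am just a text document."
        before = (first_nonzero_sector(path), sector_contains(path, 4040, text))
        wipe_zero(path)
        after = (first_nonzero_sector(path), sector_contains(path, 4040, text))
        return before, after  # ((0, True), (None, False))
```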

What about magnetic force microscopy?

There has been some confusion about magnetic force microscopy and what I’ve done (probably because my writing skills are a bit lacking). Magnetic force microscopes scan across magnetic storage media such as a modern hard disk drive and create images based on the previous values of bits in those areas. I of course have not used one and instead will base my information on the sources at the end of this article.

Previous comments suggested that by using magnetic force microscopy data could be retrieved. To summarize and use plain English, this method determines the state a bit was in before it was changed. So if a bit were a 1 and now it is a zero, this method is supposed to be able to detect that previous state. It is said that in older disk media it is easier to do this and harder with newer media.

It will take many months to actually image a small hard drive using this method.

Let’s try and understand this process though. First, human readable data is made up of many bits. A single human readable ASCII character is equal to 8 bits, or a single byte. If even one of these bits is recovered incorrectly, then the byte is a completely different value and our human readable ASCII representation of those groups of bits is completely different.

For example, take the ASCII word “anti.” The binary equivalent of this word is: 01100001011011100111010001101001

Let’s say that using an MFM the last bit was read incorrectly as a zero when it used to be a 1. What do we have now?

The word: anth

This word is completely different. Now apply this to compound files such as databases, archives, or other files like encrypted containers. If one bit is recovered incorrectly it can negate all of the results and provide corrupted data.

I think I’m making it sound like magnetic force microscopy is only sometimes incorrect when imaging platters. This method is very unreliable, costly and time consuming. Right now, don’t count on this method really being utilized on modern hard drives.
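As an added example (mine, not the author’s), the Python below reproduces the “anti” to “anth” single-bit misread from above and then goes one step further than the post: a helper giving the probability of reading every bit of n bytes correctly when each bit is read correctly with probability p. Treating bit reads as independent is my simplifying assumption for illustration, not a figure from the post or its sources.

```python
def to_bits(word):
    """ASCII text -> bit string, 8 bits per character, most significant bit first."""
    return "".join(format(b, "08b") for b in word.encode("ascii"))

def from_bits(bits):
    """Inverse of to_bits; a byte that is not valid ASCII shows as U+FFFD instead of raising."""
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii", "replace")

def misread(bits, *positions):
    """Simulate the microscope reading the given bit positions (0 = leftmost) as the opposite value."""
    out = list(bits)
    for p in positions:
        out[p] = "0" if out[p] == "1" else "1"
    return "".join(out)

def p_exact_recovery(n_bytes, p_bit):
    """Chance that all 8 * n_bytes bits are read correctly when each bit is read correctly
    with probability p_bit and reads are independent (an assumption made for illustration)."""
    return p_bit ** (8 * n_bytes)

def demo():
    bits = to_bits("anti")                      # '01100001011011100111010001101001'
    one_wrong = from_bits(misread(bits, 31))    # last bit 1 -> 0 gives 'anth'
    coin_toss = p_exact_recovery(4, 0.5)        # coin-toss accuracy per bit on a 4-byte word: 2**-32
    good_reader = p_exact_recovery(4096, 0.99)  # 99% per bit over one 4 KiB cluster: effectively 0
    return bits, one_wrong, coin_toss, good_reader
```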

SANS Computer Forensics on Magnetic Force Microscopy

“The basis of this belief that data can be recovered from a wiped drive is based on a presupposition that when a one (1) is written to disk the actual effect is closer to obtaining a 0.95 when a zero (0) is overwritten with one (1), and a 1.05 when one (1) is overwritten with one (1).

This can be demonstrated to be false.”

“In many instances, using a MFM (magnetic force microscope) to determine the prior value written to the hard drive was less successful than a simple coin toss.”

Secure Deletion of Data from Magnetic and Solid-State Memory by Peter Gutmann (35 pass wipe originated from Mr. Gutmann)

“Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don’t see how MFM would even get a usable image, and then the use of EPRML will mean that even if you could magically transfer some sort of image into a file, the ability to decode that to recover the original data would be quite challenging.”

Source: P1, P2

Edited by Usr6
