This is the tip of the iceberg. Another concern is NTFS filesystems, data can be stored in the MFT if it is small enough (i.e. under 1 or 4k depending on how your drive got formatted). I also found that when using alternate data streams: cat "this_is_a_string_of_text" > somefile.txt:an_ads_stream that the string was then found on the HD twice immediately afterwards. Wiping the file (with tools that wiped alternate data streams properly) got rid of one copy, but you had to do a wipe free space to get rid of the other. Not sure if this was a journaling issue or what, but if you want to get rid of alternate data streams make sure you wipe free space. There are other hardware/software issues too: IDE/scsi bad block mapping at the device level bad block mapping at the OS level (although intelligent software might be able to deal with this) RAID arrays, I haven't yet experimented much with wiping data on RAID 0 or 5 arrays for example but I suspect the results will be interesting. Increasing reliance on network storage Disk defragmentation, your data just got copied around, possibly more then once (ever watch the soothing patterns in Win98 defrag =). I did a presentation on data deletion and wiping at Hivercon, the presentation is available in PowerPoint at: http://www.hivercon.com/hc02/speaker-seifried.htm The next version should manage to be even more depressing. Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/
