This is a well-known fact of data forensic science and why this science flourishes at all. Overwriting data hardly obscures the data. Even when sections of data sectors are overwritten many times, changes can very often be reverse engineered. There are companies out there that make their entire revenue on just such reconstructions.

In fact, even de-gaussing (magnetic realignment of ions) sometimes fails to remove all residual data. The degaussing machine can fail to cover the separating bands between data. Imagine you had an eraser and managed to completely erase everything except the top parts of characters. You could probably guess what the data said. Imperfections in the media, the optical writing mechanism and the de-gaussing tools can all contribute to there being some residual data left.

Bar Biszick-Lockwood (cisa, cissp, csqa)
SDLC & Security Process Standards Expert
GCC SOX 404 Audit and Remediation
QualityIT
206-388-3333
pager message: 4252415391@xxxxxxxxxxx
barbis@xxxxxxxxxxxxx
RESOURCE SITE: http://www.securityprocessprofessional.com
SERVICES SITE: http://www.qualityit.net

-----Original Message-----
From: Jared Johnson [mailto:jaredsjazz@xxxxxxxxx]
Sent: Wednesday, July 20, 2005 4:49 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Peter Gutmann data deletion theory?

All,

Do you all agree with Peter Gutmann's conclusion on his theory that data can never really be erased, as noted in his quote below:

"Data overwritten once or twice may be recovered by subtracting what is expected to be read from a storage location from what is actually read. Data which is overwritten an arbitrarily large number of times can still be recovered provided that the new data isn't written to the same location as the original data (for magnetic media), or that the recovery attempt is carried out fairly soon after the new data was written (for RAM). For this reason it is effectively impossible to sanitise storage locations by simple overwriting them, no matter how many overwrite passes are made or what data patterns are written. However by using the relatively simple methods presented in this paper the task of an attacker can be made significantly more difficult, if not prohibitively expensive."

It seems that perhaps the only real way to rid your Hard Drives of data is to burn them. I'd love to hear some thoughts on this from security and data experts out there.