I agree with most of what you say, and the general idea is valid. However, the specifics of

> then a full reformat is quite enough to cause them to move on to the next
> machine - they're not going to have the motivation or equipment to delve
> into a randomly selected disk.

is a dangerously naïve approach. With point-and-click, easy-to-use freeware tools under Windows, I can do almost 100% retrieval of files after a full reformat, and even after reloading the OS and using it for a while, the simple point-and-click freeware tools can retrieve an awful lot of stuff. And if I have the skills to use more powerful, complex tools, I can do even better, without needing a lot of money, time, or even strong motivation.

Even for a home user, I'd recommend using a program that securely deletes stuff by actively over-writing with multiple passes of random data (sdelete and DBAN are a couple of my favorites). A format is *not* enough.

Your general idea (that it depends on the motivation and resources available to the attacker) is good, just that your level of paranoia should maybe be turned up a notch :)

I'm not positive which Gutmann piece the OP was referring to, but if it's the one I'm thinking of, it's a bit dated -- his methods were briefly really popular as a shortcut to secure deletion, but if they're the ones I think he's referring to, then they don't work with more modern file systems, so simple random passes are better, though more costly to implement.

> -----Original Message-----
> From: Jeremy Epstein [mailto:jeremy.epstein@xxxxxxxxxxxxxx]
> Sent: Thursday, July 21, 2005 2:01 PM
> To: Jared Johnson; focus-ms@xxxxxxxxxxxxxxxxx
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Peter Gutmann data deletion theory?
>
> Like anything in security, "it depends". In particular, it depends on what
> the assumed adversary motivations and capabilities are. If the adversary is
> a nation-state with electron microscopes and other expensive devices, and
> the disk is believed to have held highly classified information, it's
> clearly true that the only way to destroy the data is to burn the disk (and
> in the right way). If, on the other hand, the adversary is someone who's
> randomly buying used computers in hopes of finding carelessly deleted files,
> then a full reformat is quite enough to cause them to move on to the next
> machine - they're not going to have the motivation or equipment to delve
> into a randomly selected disk.
>
> Where in between these two extremes it's necessary to burn the disk is an
> exercise left to the reader ;-) You really have to do a risk analysis... If
> it's cheaper / easier / less dangerous for the adversary to dumpster dive to
> get hardcopies or bribe someone or hack into the system, then destroying the
> hardware is putting the effort in the wrong place. For a lot of classified
> systems, the assumption is that obtaining used disks is a low cost attack,
> so it's cost effective to use destruction.
>
> --Jeremy
>
> > -----Original Message-----
> > From: Jared Johnson [mailto:jaredsjazz@xxxxxxxxx]
> > Sent: Wednesday, July 20, 2005 7:49 PM
> > To: focus-ms@xxxxxxxxxxxxxxxxx
> > Cc: bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: Peter Gutmann data deletion theory?
> >
> > All,
> >
> > Do you all agree with Peter Gutmann's conclusion on his theory
> > that data can never really be erased, as noted in his quote below:
> >
> > "Data overwritten once or twice may be recovered by
> > subtracting what is expected to be read from a storage
> > location from what is actually read. Data which is
> > overwritten an arbitrarily large number of times can still be
> > recovered provided that the new data isn't written to the
> > same location as the original data (for magnetic media), or
> > that the recovery attempt is carried out fairly soon after
> > the new data was written (for RAM). For this reason it is
> > effectively impossible to sanitise storage locations by
> > simply overwriting them, no matter how many overwrite passes
> > are made or what data patterns are written. However by using
> > the relatively simple methods presented in this paper the
> > task of an attacker can be made significantly more difficult,
> > if not prohibitively expensive."
> >
> > It seems that perhaps the only real way to rid your Hard
> > Drives of data is to burn them.
> >
> > I'd love to hear some thoughts on this from security and data
> > experts out there.
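The multi-pass random overwrite that the top reply recommends, as an added example written for this page in Python; it is not code from the thread, nor from sdelete or DBAN. It wipes a constructed sample file (the marker bytes, the three random passes plus a zero pass, the chunk size and the rename-before-unlink step are all this example's own choices) and reports whether the original bytes are still readable through the file afterwards.

```python
import os
import secrets
import tempfile

# Write size per chunk; an arbitrary choice for this example.
CHUNK = 64 * 1024


def build_sample_file(marker=b"CONFIDENTIAL-RECORD-0001", repeat=4096):
    """Create a temporary file filled with a recognisable marker.
    The content is constructed sample data for the demo, not real records."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * repeat)
    return path


def _fill(fh, size, make_block):
    """Write `size` bytes to the open file from offset 0, producing each
    chunk with make_block(n), then force the data to stable storage."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(make_block(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())
    return size


def overwrite_file(path, passes=3):
    """Overwrite every byte of the file `passes` times with cryptographically
    random data, then once with zeros. Returns the total bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            written += _fill(fh, size, secrets.token_bytes)
        # Final zero pass so the file does not sit on disk as a blob of
        # high-entropy data that stands out during triage.
        written += _fill(fh, size, lambda n: b"\x00" * n)
    return written


def read_back(path):
    """Return the file's current logical contents (used to check the wipe)."""
    with open(path, "rb") as fh:
        return fh.read()


def unlink_anonymised(path):
    """Rename to a random name before unlinking so the directory entry no
    longer carries the original filename (this example's own extra step)."""
    anon = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, anon)
    os.remove(anon)


def secure_delete(path, passes=3):
    """Multi-pass overwrite followed by the anonymised unlink."""
    written = overwrite_file(path, passes)
    unlink_anonymised(path)
    return written


def demo(passes=3):
    """Wipe a constructed sample file and report what the overwrite achieved."""
    marker = b"CONFIDENTIAL-RECORD-0001"
    path = build_sample_file(marker)
    size = os.path.getsize(path)
    written = overwrite_file(path, passes)
    after = read_back(path)
    unlink_anonymised(path)
    return {
        "size": size,
        "bytes_written": written,
        "marker_present_after_wipe": marker in after,
        "final_pass_zeros": after == b"\x00" * size,
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The check at the end only proves that the bytes are gone from the file's logical view. In-place overwriting reaches whatever blocks the file system currently maps to the file; on journaling or copy-on-write file systems, and on flash media that remaps writes, earlier copies can survive elsewhere on the device, which is the gap the reply above has in mind when it says the file-level shortcuts don't carry over to more modern file systems, and why whole-device tools such as DBAN exist alongside per-file ones such as sdelete.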