delete deleted data

On 04/01/2008, at 8:19 AM, Brad Tilley wrote:

> One pass from /dev/zero is more than enough for all cases.

I agree that after a single pass of zeroes, getting anything but  
zeroes from a fully working, unaltered drive is not going to happen.

But if you remove the digital logic which masks residual signals via  
thresholds used to determine at what point a 1 is considered a 1 and a  
0 a 0, then perhaps 1's and 0's could be restored from some drives.  
Through the use of a replacement device that samples each bit with a  
bit depth greater than 1, allowing analysis to interpret what I would  
have thought would not be constant uniform samples.


I think more importantly, if it is comparatively very cheap to erase a  
drive in a paranoid manner and the leaking of that data could cost a  
fortune, then the comparatively small cost of paranoid erasure could  
be a risk worth taking.


Shane

On 04/01/2008, at 12:21 PM, Harpalus a Como wrote:

I agree. Most computer forensics people I have worked with, tended to  
stick to what they considered to be "standard procedures" with  
"standard forensics software". They were mostly ex-police with  
computing training. I personally managed to get results which other  
forensics teams could not (or would not), which I believe was because  
I was willing to use some creative techniques that they wouldn't dare  
come to court with.


As far as the data recovery industry goes, I think there are more  
frauds than experts advertising such services.


Shane

Okay, someone touched on this so I'll follow it a little further.

Say you pull the platter(s) out of the drive and now start analysing the
data as analog voltage levels and not highs/lows with threshold.  Also,
get the data off the platter(s) by driving a head across it in different
directions.  Now start doing signal processing on the data set(s) you've
acquired.

Any EE worth their weight in salt understands signal processing.  I do
believe a lot of younger engineers have grown up in the 1 & 0 digital
world and forget about analog.

g.day

diana

On 06/01/2008, at 1:57 AM, Diana Eichert wrote:
>
> Any EE worth their weight in salt understands signal processing.  I  
> do believe a lot of younger engineers have grown up in the 1 & 0  
> digital world and forget about analog.

I think the first computers I witnessed in a work place, were actually  
analog computers (Navy).

Where a mix of humans, transistors, valves, gears and three-phase  
motors/sensors, got the job done.    ;-)


Shane

It was shareware/trialware and I am looking for the name of it...
usually it is right on my Wiki when I make notes.. but I can't find it
there yet.

L505



Kasper Revsbech wrote:

On Sun, 6 Jan 2008, Shane J Pearson wrote:
SNIP
> Where a mix of humans, transistors, valves, gears and three-phase
> motors/sensors, got the job done.    ;-)
>
> Shane

No coal and steam?

I had to say it.

diana

On Jan 5, 2008, at 8:06 AM, Shane J Pearson wrote:
>
> I think the first computers I witnessed in a work place, were  
> actually analog computers (Navy).
>
> Where a mix of humans, transistors, valves, gears and three-phase  
> motors/sensors, got the job done.    ;-)

They're still in use as of the late 90s.

On Saturday 05 January 2008 09:57:54 Diana Eichert wrote:
Yeah, analog stuff is sorely lacking, as if RF stuff today.

My only comment about data resurrection is that I'll bet that good
analog data from the disk varies with the density.  Getting data off
an 800M to couple G disk?  Absolutely.  But I wonder far more about
a 1T disk.  I'm not saying it can't be done; logic says that disks of
the modern era should still be destroyed, but I'd love to know how
much data gets garbled when sniffing really high density disks.

--STeve Andre'

L wrote:

> One thing I found was that some undelete tools are not nearly as good

> as others.  I thought many of them used similar algorithms.. but some

> of them really worked much better and completely differently

>

> L505



Restoring files from FAT partitions is easy.. I use fatback(http://sf.net/projects/fatback)...



But either way, no such utility exists to restore data that has been overwritten.. regardless of the "algorithms" used.



-Nix Fan.

On Sat, Jan 05, 2008 at 12:09:08PM -0700, Diana Eichert wrote:
What do you think generates the three-phase power on a ship at sea;
extension cord to the dock?  :)

I wonder what media they use for data asternment?  

I hear that U.S. Navy S.E.a.L.'s use Flash(-Bang)s. :)

Doug.

Unix Fan wrote:
> L wrote:
>
>  
> Restoring files from FAT partitions is easy.. I use fatback(http://sf.net/projects/fatback)...
>
>
>  
I will check that one out..

> But either way, no such utility exists to restore data that has been overwritten.. regardless of the "algorithms" used.
>
>
>  

Unless there was a magnetic offline hardware utility of some sort that
scanned magnetic fields?

L wrote:
http://www.actionfront.com/ts_dataremoval.aspx

"It has been suggested that an electron microscope could be used to read
and interpret any patterns that were not fully *overwritten* by the
process." ....*
<snip>*

"Electron microscopes have been used to detect and identify *magnetic*
regions smaller than the fluxes used to represent data on a 200 megabyte
*disk* *drive*. Unfortunately, at best, this type of process could be
accomplished at a rate of perhaps 1 bit per second. Furthermore, since
virtually every *drive* in production today records two or more
*magnetic* fluxes (due to R.L.L. recording) to represent each bit the
actual rate could be considerably slower."

On Sat, 5 Jan 2008 14:25:37 +1100, "Sunnz" <sunnzy@...> said:
> 2008/1/5, Jon <hypermails@...>:
> > rm -P wont work... I looking to clean up deleted data ... not securely
> > delete a file.
> >
> >
>
> Just create a file and filling it with /dev/zero until it takes up all
> the free spaces, then rm -P that file.

But from his original post he wants to make sure everything is cleanly
deleted without affecting the existing OS. In this case I don't think
what you are trying to do is possible, but it also depends on how
securely you are trying to make your deletes. Do you want to hide
it from the schmo you are taking in to service your computer or are
you trying to hide it from the FBI?

2008/1/6, Eric Furman <ericfurman@...>:
> On Sat, 5 Jan 2008 14:25:37 +1100, "Sunnz" <sunnzy@...> said:
> >
> > Just create a file and filling it with /dev/zero until it takes up all
> > the free spaces, then rm -P that file.
>
> But from his original post he wants to make sure everything is cleanly
> deleted without affecting the existing OS. In this case I don't think
> what you are trying to do is possible, but it also depends on how

So what problem is? Affecting the OS? Or that it won't be 100% 'clean'?

As far as I am aware, the file system would only allow you to fill it
up till it has 5% free space remaining... when it has reach that point
you can even boot up in single user mode to do a rm -P.

> securely you are trying to make your deletes. Do you want to hide
> it from the schmo you are taking in to service your computer or are
> you trying to hide it from the FBI?
>

If he is asking this on a public mailing list, it is probably the
former and rm -P is adequate for that case... otherwise I think he
would have taken the grinder advice!!! :p


--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Notwithstanding the mentioned 5% issue, in context and for the purposes
of secure wipes, is it not better to use

/dev/arandom (or /dev/srandom) vs. /dev/zero

as in

dd if=/dev/arandom ...

/S
-----Original Message-----
From: Sunnz <sunnzy@...>
Reply-To: sunnzy+gnu@...
To: Eric Furman <ericfurman@...>
Cc: Jon <hypermails@...>, OpenBSD Misc <misc@...>
Subject: Re: delete deleted data
Date: Sun, 6 Jan 2008 21:13:42 +1100
Delivered-To: 8f27e956@...

2008/1/6, Eric Furman <ericfurman@...>:
> On Sat, 5 Jan 2008 14:25:37 +1100, "Sunnz" <sunnzy@...> said:
> >
> > Just create a file and filling it with /dev/zero until it takes up all
> > the free spaces, then rm -P that file.

2008/1/6, scott <8f27e956@...>:
Well rm -P is going to overwrite the file 3 times anyway right?

arandom is perhaps theoretically 'better', and we know that there are
5% unerased free space... but I think it is up to the reader to decide
if this is enough for them.

--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

new_guy wrote:

Marco S Hyman wrote:

"Brad Tilley" writes:
 > performed from the OpenBSD 4.2 install CD. I'll send it to the one
 > 'ISO Certified' company that agreed to examine it. If they cannot

You keep throwing around the 'ISO Certified' tag as if it had some
special meaning.  Certified to what standard?  

I'm just parroting the *one* data recover company's marketing hype that agreed to take the drive. They make this claim:

"ISO 9001 - 2000 certified"

I'm working on putting a website up now where I'll fully disclose the details. Lots of pictures and details. I will attribute the dd used to OpenBSD (the best OS on the planet bar none... although the dd on the install CD did not support the conv option... I would have liked to have done conv=noerror,sync). I plan to ship the drive off tomorrow. I plan to put this myth to rest... where it belongs.

The Great Zero Challenge - "It is noble and just to dispel myths, falsehoods and untruths."
http://16systems.com/zero/index.html