Fwd: wiping disks with /dev/zero

Kristian Erik Hermansen kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Jan 22 22:40:10 UTC 2008


An entire conversation with Simson Garfinkel, in all its glory :-)  This
obviously does not include the in-class discussion we had at our University,
and where he had given the talk...


Forwarded conversation
Subject: wiping disks with /dev/zero
------------------------

From: *Kristian Hermansen* <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Date: Feb 16, 2006 4:35 AM
To: kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org


Yesterday you told me after the lecture that overwriting a disk with
/dev/zero would kill all the data.  I queried about the DoD standard
for writing up to 7 times over the original data.  You said this only
pertains to tapes.  However, is there not some way to physically
remove the disk platter and inspect it in such a way that if you know
the current bit is a zero, you can gain more information about the
possibility of a previously written bit on the disk?  For instance,
does a disk write change the state of an on-disk bit completely?  Is
there 100% loss of information in this change?  According to various
sources via Google, some professional, it is possible to recover these
"previous bits" using physical platter inspection techniques...
--
Kristian Hermansen
----------
From: *Kristian Hermansen* <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Date: Feb 16, 2006 4:54 AM
To: kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org


Here is some more data to back up my claim that recovering data after
a /dev/zero overwrite is possible.  Surely you will trust the USENIX
source, as you seem to be affiliated with this group :-)

http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/

The paper explicitly applies this method to hard disks as well as
other magnetic media storage devices...

"3. Erasure of Data stored on Magnetic Media
The general concept behind an overwriting scheme is to flip each
magnetic domain on the disk back and forth as much as possible (this
is the basic idea behind degaussing) without writing the same pattern
twice in a row. If the data was encoded directly, we could simply
choose the desired overwrite pattern of ones and zeroes and write it
repeatedly. However, disks generally use some form of run-length
limited (RLL) encoding, so that the adjacent ones won't be written.
This encoding is used to ensure that transitions aren't placed too
closely together, or too far apart, which would mean the drive would
lose track of where it was in the data.

To erase magnetic media, we need to overwrite it many times with
alternating patterns in order to expose it to a magnetic field
oscillating fast enough that it does the desired flipping of the
magnetic domains in a reasonable amount of time. Unfortunately, there
is a complication in that we need to saturate the disk surface to the
greatest depth possible, and very high frequency signals only "scratch
the surface" of the magnetic medium. Disk drive manufacturers, in
trying to achieve ever-higher densities, use the highest possible
frequencies, whereas we really require the lowest frequency a disk
drive can produce. Even this is still rather high. The best we can do
is to use the lowest frequency possible for overwrites, to penetrate
as deeply as possible into the recording medium.

The write frequency also determines how effectively previous data can
be overwritten due to the dependence of the field needed to cause
magnetic switching on the length of time the field is applied. Tests
on a number of typical disk drive heads have shown a difference of up
to 20 dB in overwrite performance when data recorded at 40 kFCI (flux
changes per inch), typical of recent disk drives, is overwritten with
a signal varying from 0 to 100 kFCI. The best average performance for
the various heads appears to be with an overwrite signal of around 10
kFCI, with the worst performance being at 100 kFCI [12]. The track
write width is also affected by the write frequency - as the frequency
increases, the write width decreases for both MR and TFI heads. In
[13] there was a decrease in write width of around 20% as the write
frequency was increased from 1 to 40 kFCI, with the decrease being
most marked at the high end of the frequency range. However, the
decrease in write width is balanced by a corresponding increase in the
two side-erase bands so that the sum of the two remains nearly
constant with frequency and equal to the DC erase width for the head.
The media coercivity also affects the width of the write and erase
bands, with their width dropping as the coercivity increases (this is
one of the explanations for the ever-increasing coercivity of newer,
higher-density drives).

To try to write the lowest possible frequency we must determine what
decoded data to write to produce a low-frequency encoded signal."
--
Kristian Hermansen
----------
From: *Kevin Fu* <kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org>
Date: Feb 16, 2006 6:34 AM
To: Kristian Hermansen <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Cc: Simson Garfinkel <simsong-ee4meeAH724 at public.gmane.org>


Actually, this is the exact paper that Simson says is wrong.  It's
not clear to me who's right, but don't believe everything you read...
----------
From: *Kristian Hermansen* <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Date: Feb 16, 2006 6:47 AM
To: Kevin Fu <kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org>
Cc: Simson Garfinkel <simsong-ee4meeAH724 at public.gmane.org>


I'd be interested to find out *why* the paper is not true. By the
paper's claims, it seems that there may exist special custom platter
reading devices to get "old data" from the drive.  Maybe Simson can
link me to a counter-paper on this claim?  Thanks for the info...
--
Kristian Hermansen
----------
From: *Simson Garfinkel* <simsong-ee4meeAH724 at public.gmane.org>
Date: Feb 16, 2006 6:57 AM
To: Kristian Hermansen <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Cc: Kevin Fu <kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org>


Well, you might start by reading the whole paper. Did you read it and
actually understand it?

Then read the postscript on the author's own web page.
----------
From: *Kevin Fu* <kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org>
Date: Feb 16, 2006 7:25 AM
To: Kristian Hermansen <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>


Mind if I forward these messages to the cs591d class mailing list for
discussion?
----------
From: *Kristian Hermansen* <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Date: Feb 16, 2006 9:59 AM
To: Simson Garfinkel <simsong-ee4meeAH724 at public.gmane.org>
Cc: Kevin Fu <kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org>


No, I did not read the entire paper.  Some of the topics he mentioned
were outside of my scope of knowledge (I am an undergrad with some
security knowledge).  I too, wonder how having a more
sophisticated/sensitive device would pick up this data.  However, I
would not dare claim knowing more than a forensic specialist...of
course ;-) I don't know how that device would really work.  So, I wish
that I did not have a class at your meeting time so I could have
attended the discussion.

Since I cannot seem to grasp the technical details of the original
author, is there a layman's paper on the subject as to why this is not
possible from your view?  I attended the Grugq forensic talk at
BlackHat 2005 (same event as Mike Lynn's infamous Cisco IOS exploit)
last summer and he too told the audience that most forensic
"specialists" in law enforcement are not well-grounded in terms of
technical expertise.  He mentioned something about data recovery on
overwritten drives as well...
--
Kristian Hermansen
----------
From: *Simson Garfinkel* <simsong-ee4meeAH724 at public.gmane.org>
Date: Feb 16, 2006 11:00 AM
To: Kristian Hermansen <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Cc: Kevin Fu <kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org>


Dear Kristian,

I strongly recommend that you read the entire paper before making
claims about what the paper says and does not say. It really is a
waste of my time for me to painstakingly write you what is in the
paper. You are in a graduate program; if you do not understand the
information that's presented in a program, you should do research and
figure out what you do not know, rather than rely on simply asking
others by email.  You are no longer a layman.

In general, I would be much more receptive to your email if you had
actually read the paper in its entirety and wanted to discuss it. You
seem to want me to do your work for you.

The point that I've been hoping that you would realize is that the
paper is largely a discussion about hard drives that use a particular
type of encoding standard that was popular in the 1980s and early
1990s. In the 1990s new coding techniques were adopted by hard drive
vendors. It is unlikely hard drives manufactured post-1995 would work.

For further information, please see:

http://www.forensicswiki.org/index.php/Recovering_Overwritten_Data

If you feel that I have misstated what the Gutmann paper says, you are
welcome to prove me wrong by attempting to recover overwritten data
yourself. But please do not speculate.
----------
From: *Kevin Fu* <kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org>
Date: Feb 16, 2006 11:04 AM
To: Kristian Hermansen <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>


Simson has some strong opinions, but I think you raise some good
questions.
----------
From: *Kristian Hermansen* <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Date: Feb 16, 2006 2:43 PM
To: Simson Garfinkel <simsong-ee4meeAH724 at public.gmane.org>
Cc: Kevin Fu <kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org>


Yes, and I totally agree with you.  It is not helpful for me to rely
on others' academic research and opinions without investigating it
thoroughly myself.  I am a fan of Feynman, and his teachings tell us
not to trust other sources without verifying them for yourself and
forming one's own opinion.  So I agree totally.

However, I did state before that I am an undergraduate -- not a
graduate student.  I just happen to be interested in the security
field as a passive interest.  I would be very interested in pursuing
graduate study after I complete my undergrad CS degree...
Simson, thanks again for the input.  I really am grateful that you
took the time to respond to my naive questions, because I am very
interested in it.

Kevin, thanks for your comments as well :-)
--
Kristian Hermansen
----------
From: *Simson Garfinkel* <simsong-ee4meeAH724 at public.gmane.org>
Date: Feb 16, 2006 5:00 PM
To: Kristian Hermansen <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Cc: Kevin Fu <kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org>


GREAT!
Oh. I misunderstood. I wouldn't have been so hard on you if I had
known that.
I'm happy to answer more questions. I just want you to be well
prepared.  I'm quite generous with my time, but I expect you to do
your part.

What do you think of the Wiki?

----------
From: *Kristian Hermansen* <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Date: Feb 17, 2006 5:49 AM
To: Simson Garfinkel <simsong-ee4meeAH724 at public.gmane.org>
Cc: Kevin Fu <kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org>


The wiki was helpful for my layman's view, so thanks!  Maybe if I am
accepted into graduate school, I will have the resources/time to
investigate topics like this further :-)  I do security research on my
own time, but I tend to deal more with software.  Now I just have to
look around for a graduate school that will accept my 3.3 GPA...but
grades aren't everything, right?  Thanks again for the help...

http://www.kristianhermansen.com/wordpress/?p=31
--
Kristian Hermansen
----------
From: *Simson Garfinkel* <simsong-ee4meeAH724 at public.gmane.org>
Date: Feb 18, 2006 7:13 AM
To: Kristian Hermansen <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Cc: Kevin Fu <kevinfu-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org>


Grades aren't everything, but they are important. Also important are
published papers. I would recommend that you see if you can work with
others and get out some publications --- they help a lot where
graduate school is concerned.
----------
From: *Kristian Hermansen* <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Date: Feb 19, 2006 8:11 AM
To: brian levine <brian-bjBJFzlPIWP2fBVCVOL8/A at public.gmane.org>


:-)
--
Kristian Hermansen



-- 
Kristian Erik Hermansen
"Know something about everything and everything about something."
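
The quoted Gutmann passage says the decoded data pattern determines the frequency of the encoded signal actually written to the platter. The sketch below shows that effect; it is an added example, not part of the thread or the paper, and it assumes MFM (a (1,3) run-length-limited code from the older drive era the thread discusses) with constructed byte patterns as input.

```python
# Added illustration; MFM is an assumed stand-in for "some form of RLL encoding".
# In the encoded cell stream a 1 is a flux transition and a 0 is no transition.

def mfm_encode(data: bytes, prev_bit: int = 0) -> list[int]:
    """Encode data as MFM: each data bit becomes a (clock, data) cell pair."""
    cells = []
    for byte in data:
        for shift in range(7, -1, -1):          # most significant bit first
            bit = (byte >> shift) & 1
            # A clock transition is written only between two 0 data bits.
            clock = 1 if (bit == 0 and prev_bit == 0) else 0
            cells += [clock, bit]
            prev_bit = bit
    return cells

def mfm_decode(cells: list[int]) -> bytes:
    """Recover the data bytes by keeping only the data cells (odd positions)."""
    bits = cells[1::2]
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)

def flux_gaps(data: bytes) -> list[int]:
    """Distinct distances (in cells) between consecutive flux transitions."""
    pos = [i for i, c in enumerate(mfm_encode(data)) if c]
    return sorted({b - a for a, b in zip(pos, pos[1:])})

def compare_patterns() -> dict[str, list[int]]:
    """Transition spacing for several constructed overwrite patterns."""
    patterns = {
        "0x00 (/dev/zero)": b"\x00" * 8,
        "0xFF": b"\xff" * 8,
        "0xAA": b"\xaa" * 8,
        "0x92 0x49 0x24": b"\x92\x49\x24" * 3,
    }
    return {name: flux_gaps(p) for name, p in patterns.items()}

if __name__ == "__main__":
    for name, gaps in compare_patterns().items():
        # A larger gap means a lower-frequency signal on the medium.
        print(f"{name:18} transition gaps: {gaps}")
```

Under this assumed code, all-zero data is written at the highest transition rate the code allows, while the alternating 0xAA pattern yields the lowest.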