Anonymous Iran

TheONE · 06-20-2009

I have not seen this mentioned yet...

Darik's Boot And Nuke | Hard Drive Disk Wipe

Quote:

Darik's Boot and Nuke ("DBAN") is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.

DBAN is a means of ensuring due diligence in computer recycling, a way of preventing identity theft if you want to sell a computer, and a good way to totally clean a Microsoft Windows installation of viruses and spyware. DBAN prevents or thoroughly hinders all known techniques of hard disk forensic analysis.

FYI: A single overwrite pass will make the data unrecoverable on a hard disk - However I would suggest if you have the time to use 3 pass's just to be safe.

Ver Greeneyes · 06-20-2009

Even several wipes can still leave magnetic traces that a determined expert can recover, so run as many passes as you have time for/the data is worth.

TheONE · 06-20-2009

Data Wiping Myth Put to Rest - A single complete overwrite pass is enough - Softpedia

Disk Wiping - One Pass is Enough | Anti-Forensics

Disk Wiping - One Pass is Enough - Part 2 (this time with screenshots) | Anti-Forensics

Ver Greeneyes · 06-20-2009

Thank you for the sources.

TheONE · 06-20-2009

Not a problem.

06-20-2009

Single erase is absolutely not enough for data destruction. Any HDD wtih data just deleted can be recovered pretty fast (minutes or even seconds). Also a large capacity HDD requires alot of time to be erased fully (not just the FAT, NTFS or other file system but all the bits on that disk). The only good data destruction method using software methods is multiple rewriting with random bites so after about 20-30 passes no one will be able to recover any meaningful data from this HDD. The other destruction method is physical. But this requires some tools to open the HDD. Then you will need some torch to literally burn the disks. They are made of thin metal so some pocket gas torch is able to transform the disk/s into some shapeless piece of metal which doesn't contain data anymore. For large capacity HDDs may be the physical method is faster.

06-20-2009

The upper post is not true for flash drives where a single full erase is really enough. I forgot to mention this, sorry.

06-20-2009

Quote:

Originally Posted by Unregistered

Single erase is absolutely not enough for data destruction. Any HDD wtih data just deleted can be recovered pretty fast (minutes or even seconds). Also a large capacity HDD requires alot of time to be erased fully (not just the FAT, NTFS or other file system but all the bits on that disk). The only good data destruction method using software methods is multiple rewriting with random bites so after about 20-30 passes no one will be able to recover any meaningful data from this HDD. The other destruction method is physical. But this requires some tools to open the HDD. Then you will need some torch to literally burn the disks. They are made of thin metal so some pocket gas torch is able to transform the disk/s into some shapeless piece of metal which doesn't contain data anymore. For large capacity HDDs may be the physical method is faster.

20-30 passes is completely ridiculous by any standards. Even the DoD only does what, 3 passes?

06-20-2009

Quote:

Originally Posted by Unregistered

The upper post is not true for flash drives where a single full erase is really enough. I forgot to mention this, sorry.

I am the owner of the anti-forensics.com domain above and work in computer forensics dealing with hard disk (and other storage media) wiping on a daily basis.

You cannot recover data from a modern hard drive which has been wiped just once. It is the equivalent of this:

We'll represent some data in binary first:
1000101

This is equal to "69" in decimal, a human readable format which you might see in a text document or anywhere really.

Disk wiping software will go through a storage medium randomly writing one's and zero's (or all zero's or custom patterns, basically whatever it is programmed to do).

So if you were to just "zero" out the storage media then you would be left with a drive filled with zero's. Your data "69" would now be:
00000000

Which in decimal is: 0

You cannot recover the previous contents of this data, it is now gone. There is a technique called Magnetic Force Microscopy which uses a device to "detect" the previous value of a bit (1 or 0). Modern hard disks are far too efficient for this method to yield accurate results.

This method may recover 1 bit correctly (extremely slim chance), but it then has to recover seven more bits correctly to recover the original decimal value "69" (which is a byte). Documents are normally made up of several kilobytes. The chances of recovering a single bit are very slim. The chances of recovering a document in its original form (not coming out as random letters and numbers) is pretty much 0%. If even a single bit is different in a byte, then the bytes value is not equal to what it was originally.

Apply this to other file formats such encrypted files, even if you have the password, the encrypted container is now corrupt and destroyed. Open a picture in a hex editor and change some bytes, watch colors change. Do the same with other files and documents.

Currently there is about a 0% chance of data being recovered after a single wipe.

Hope this helps.

06-20-2009

I also should mention that many of you are probably confusing normal deletion of data with a single pass disk wipe.

Normal deletion of data on most operating systems is really the equivalent of tearing out sections of the table of contents of a book.

Think in terms of this:

You can only read a book by first looking up the page number in the table of contents. So if that entry is torn out you can no longer return to those pages to read the content. The content on a storage medium still exists but it has been marked as "unallocated" and can now be used by the operating system as a place to write data. So it will eventually be over-written, however, in the mean time it can still be recovered with specialized software which can scan through a storage medium to identify these files.

When you wipe a drive, you are essentially replacing every page from cover to cover.

06-20-2009	#3 (permalink)
TheONE Junior Member Join Date: Jun 2009 Location: 127.0.0.1 Posts: 28	Data Wiping Myth Put to Rest - A single complete overwrite pass is enough - Softpedia Disk Wiping - One Pass is Enough \| Anti-Forensics Disk Wiping - One Pass is Enough - Part 2 (this time with screenshots) \| Anti-Forensics __________________ The1 CCIE / MCSE

06-20-2009	#5 (permalink)
TheONE Junior Member Join Date: Jun 2009 Location: 127.0.0.1 Posts: 28	Not a problem. __________________ The1 CCIE / MCSE

06-20-2009	#10 (permalink)
Yar from Anti-Forensics Guest Posts: n/a	Also I also should mention that many of you are probably confusing normal deletion of data with a single pass disk wipe. Normal deletion of data on most operating systems is really the equivalent of tearing out sections of the table of contents of a book. Think in terms of this: You can only read a book by first looking up the page number in the table of contents. So if that entry is torn out you can no longer return to those pages to read the content. The content on a storage medium still exists but it has been marked as "unallocated" and can now be used by the operating system as a place to write data. So it will eventually be over-written, however, in the mean time it can still be recovered with specialized software which can scan through a storage medium to identify these files. When you wipe a drive, you are essentially replacing every page from cover to cover.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

06-20-2009	#2 (permalink)
Ver Greeneyes Member Join Date: Jun 2009 Location: The Netherlands Posts: 41	Even several wipes can still leave magnetic traces that a determined expert can recover, so run as many passes as you have time for/the data is worth.

06-20-2009	#4 (permalink)
Ver Greeneyes Member Join Date: Jun 2009 Location: The Netherlands Posts: 41	Thank you for the sources.

06-20-2009	#6 (permalink)
Unregistered Guest Posts: n/a	Single erase is absolutely not enough for data destruction. Any HDD wtih data just deleted can be recovered pretty fast (minutes or even seconds). Also a large capacity HDD requires alot of time to be erased fully (not just the FAT, NTFS or other file system but all the bits on that disk). The only good data destruction method using software methods is multiple rewriting with random bites so after about 20-30 passes no one will be able to recover any meaningful data from this HDD. The other destruction method is physical. But this requires some tools to open the HDD. Then you will need some torch to literally burn the disks. They are made of thin metal so some pocket gas torch is able to transform the disk/s into some shapeless piece of metal which doesn't contain data anymore. For large capacity HDDs may be the physical method is faster.

06-20-2009	#7 (permalink)
Unregistered Guest Posts: n/a	The upper post is not true for flash drives where a single full erase is really enough. I forgot to mention this, sorry.

Anonymous Iran

DBAN - Emergency data destruction