LinuxQuestions.org
Old 08-12-2011, 08:32 AM   #16
BlackRider
Member
 
Registered: Aug 2011
Posts: 295


Just one thing, to prevent visitors from having a wrong idea.

A single pass of zeroes does not suffice.

A file that has been zeroed once can be recovered with "basic" techniques. The remanent magnetism can be detected by a reader which is sensitive enough, so they don't need that well-known "magnetic microscopes" technique (that is said to be effective to recover up to three overwritings).

I have been told that recovering one pass of zeroes costs only 5000$

By the way, those in the dd if=/dev/urandom world should have a look at /dev/frandom. Frandom is an ultra-fast random data generator that works 10 times as fast as urandom, while keeping a good entropy quality. At least, it is good for disk wiping.

Last edited by BlackRider; 08-12-2011 at 08:34 AM.
 
Old 08-12-2011, 11:11 AM   #17
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Quote:
Originally Posted by BlackRider
Just one thing, to prevent visitors from having a wrong idea.

A single pass of zeroes does not suffice.
I don't believe that. I don't see any evidence to suggest that even zeroed drives can be carved for files.

See:
http://www.linuxquestions.org/questi...estion-736357/
 
Old 08-12-2011, 11:40 AM   #18
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
I would like to see links to controlled studies/experiments that provide evidence of what works and what does not. I'm inclined to believe a single pass of zeroes or random data will suffice to delete files or wipe disk space. I'm ready to change my mind but I need evidence.

I won't pretend to be a forensics expert or even close to one. I'm just being practical about what most people need consider.

The focus of my original post was how to perform four basic tasks on a stock Slackware.

There are limits to the usefulness of these actions. A point of diminishing returns. The truly paranoid person, whether that paranoia is justified or imagined, is going to implement extreme measures to protect data and systems. None of those measures are going to apply to most users. Even if there is evidence that a single pass of zeroes is insufficient, such a remedy will suffice for most users because most users need only worry about the thugs and script kiddies, not people with millions of dollars of support and the bleeding edge in state of the art forensic equipment. Perceived risk vs. perceived benefit.

For daily usage of a computer I don't believe any of the four tasks offer practical value other than the technical challenge of learning how to perform them. I see some practical use when wanting to retire, sell, or swap hard drives with other people. Destroying the data in such events is sensible. Wiping free disk space and swap space or performing secure file deletions is something most users never need worry about on a daily basis. Wiping RAM is a technical challenge, but few people in the world need think about that kind of protection.

I think encrypting hard drive data provides more protection than any of the four mentioned tasks.
 
Old 08-12-2011, 11:52 AM   #19
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Quote:
Originally Posted by H_TeXMeX_H
I don't believe that. I don't see any evidence to suggest that even zeroed drives can be carved for files.
I can't point to a document right at the moment but (and this was back in 1987-'88ish) I was told that the reason disk platters had to have the magnetic surface ground off and the substrate chopped into little pieces (like with a nibbler) was that there would be a residual charge (yeah, even in aluminum, I did question that) that could be detected. Something about aligning atoms and the like.

Dunno if they were lying to me (I doubt that) but that's the gist of what I was told and, since, I recall reading some stuff somewhere or other about long-term retention in a metallic substrate. Can't remember where that was (it would have been a science or engineering magazine), but... who knows.
 
Old 08-12-2011, 12:17 PM   #20
qweasd
Member
 
Registered: May 2010
Posts: 621

Quote:
Originally Posted by Woodsman
I would like to see links to controlled studies/experiments that provide evidence of what works and what does not. I'm inclined to believe a single pass of zeroes or random data will suffice to delete files or wipe disk space. I'm ready to change my mind but I need evidence.
No need: you are almost certainly correct.

Quote:
According to the 2006 NIST Special Publication 800-88 Section 2.3 (p. 6): "Basically the change in track density and the related changes in the storage medium have created a situation where the acts of clearing and purging the media have converged. That is, for ATA disk drives manufactured after 2001 (over 15GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack."
Quote:
According to the 2006 CMRR Tutorial on Disk Drive Data Sanitization Document (p. 8): "Secure erase does a single on-track erasure of the data on the disk drive. The U.S. National Security Agency published an Information Assurance Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track overwrite passes gave no additional erasure."[22] "Secure erase" is a utility built into modern ATA hard drives that overwrites all data on a disk, including remapped (error) sectors.
So on one hand, one pass of zeroes is probably enough. On the other hand, the OS does not have access to the entire drive, so if you want to be super duper sure, you use the built-in secure erase. There is no standard OS utility for wiping drives: in order to be effective, the eraser has to bypass both OS and BIOS. Only the drive itself has sufficient access.
 
1 members found this post helpful.
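The pre-flight check for the drive's built-in secure erase described in the post above, as an added example that is not part of any post in this thread: the drive refuses the erase command unless the security feature set is supported, not locked and not frozen (firmware commonly freezes it at boot). The function names and the sample `hdparm -I` text are constructed for illustration; `/dev/sdX` and the password `p` are placeholders.

```shell
#!/bin/sh
# Added example: decide from `hdparm -I` text whether ATA Secure Erase can be
# issued. sample_identify prints constructed sample output, not a real drive's.

sample_identify() {
cat <<'EOF'
ATA device, with non-removable media
	Model Number:       EXAMPLE DISK (constructed)
Security: 
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
		frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: (constructed)
EOF
}

# Reads `hdparm -I` text on stdin; prints "ready" or the blocking condition.
secure_erase_state() {
    awk '
        /^Security:/        { insec = 1; next }
        insec && /^[^ \t]/  { insec = 0 }      # next unindented section
        insec {
            neg = ($1 == "not"); key = neg ? $2 : $1
            if (key == "supported") supported = !neg
            if (key == "locked")    locked    = !neg
            if (key == "frozen")    frozen    = !neg
        }
        END {
            if (!supported)  print "unsupported"
            else if (locked) print "locked"
            else if (frozen) print "frozen"
            else             print "ready"
        }'
}

# On a real drive (destructive, placeholders as noted above):
#   hdparm -I /dev/sdX | secure_erase_state
#   hdparm --user-master u --security-set-pass p /dev/sdX
#   hdparm --user-master u --security-erase p /dev/sdX
echo "sample drive: $(sample_identify | secure_erase_state)"
```

A "frozen" result means the erase has to wait until the drive is unfrozen, which is why tools such as HDDerase run from their own boot environment.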
Old 08-12-2011, 12:35 PM   #21
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Thanks qweasd, that clears it up for me.

I don't think that the parts of the HDD that you cannot read are storing any important info. If you think otherwise use the:
http://www.ultimatebootcd.com/
HDDerase utility, as this uses the drive's internal secure erase command.
 
Old 08-12-2011, 01:58 PM   #22
BlackRider
Member
 
Registered: Aug 2011
Posts: 295

The following words are related to drives made before 2001, more or less:

Quote:
In conventional terms, when a one is written to disk the media records a one, and when a zero is written the media records a zero. However the actual effect is closer to obtaining a 0.95 when a zero is overwritten with a one, and a 1.05 when a one is overwritten with a one. Normal disk circuitry is set up so that both these values are read as ones, but using specialised circuitry it is possible to work out what previous "layers" contained. The recovery of at least one or two layers of overwritten data isn't too hard to perform by reading the signal from the analog head electronics with a high-quality digital sampling oscilloscope, downloading the sampled waveform to a PC, and analysing it in software to recover the previously recorded signal.
The following refers to modern drives:

Quote:
Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don't see how MFM would even get a usable image, and then the use of EPRML will mean that even if you could magically transfer some sort of image into a file, the ability to decode that to recover the original data would be quite challenging.

Source: http://www.cs.auckland.ac.nz/~pgut00...ecure_del.html


I tend to agree that one single pass is enough in most scenarios, if you are able to override the actual data. However, I know many people using pre-2000 drives, so I assume they will do well overwriting their data more than once. I was thinking mainly of these guys, sorry if I was not clear. I had to erase a very old drive recently in order to donate it to an NGO, so excuse me if I decided to take no risks and wiped it 7 times :-)

To be fair, my main concern while destroying the data is leaving something not overwritten. If you try to overwrite an isolated file, you could leave traces in the filesystem journal (that is why it's better to kill the whole filesystem). You know too, that you could have sensitive data in a bunch of bad sectors and be unable to erase it by usual means (i.e. using shred). I don't know about you, but I don't have a drive demagnetizer in my house to avoid such trouble...

What I usually do with my drives is to use encryption with them. To destroy the data, you only have to apply dd if=/dev/frandom to the LUKS header. It takes more time to type the command than to actually destroy the data. You could also remove the last key slot, but destroying the whole header is more fun.

Last edited by BlackRider; 08-12-2011 at 02:05 PM.
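The header wipe described in the post above, as an added example that is not part of the original post: it reads the payload offset from a LUKS1 header to find how many bytes hold the header and key slots, then overwrites exactly that area. It assumes the LUKS1 on-disk layout and runs against a constructed file image; the function names are hypothetical and `/dev/urandom` is swapped in for `/dev/frandom`.

```shell
#!/bin/sh
# Added example: size and destroy the LUKS1 header area of a file-backed image.
# The image is constructed (LUKS1 field offsets, dummy contents); no real
# block device is touched.

# 64 KiB image: magic at offset 0, version 1 at offset 6, payload-offset
# (big-endian, in 512-byte sectors) at offset 104, fake data at the payload.
make_image() {
    dd if=/dev/zero of="$1" bs=512 count=128 2>/dev/null
    printf 'LUKS\272\276\000\001' | dd of="$1" conv=notrunc 2>/dev/null
    printf '\000\000\000\020' | dd of="$1" bs=1 seek=104 conv=notrunc 2>/dev/null
    printf 'PAYLOAD' | dd of="$1" bs=512 seek=16 conv=notrunc 2>/dev/null
}

# Bytes before the payload: the header plus all key-slot material.
header_bytes() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = 4c554b53babe ] || return 1      # "LUKS" 0xBA 0xBE
    hex=$(dd if="$1" bs=1 skip=104 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    echo $(( 0x$hex * 512 ))
}

# Overwrite that whole area. /dev/urandom stands in for the post's
# /dev/frandom, which is an out-of-tree module most systems do not ship.
wipe_header() {
    n=$(header_bytes "$1") || return 1
    dd if=/dev/urandom of="$1" bs=512 count=$(( n / 512 )) conv=notrunc 2>/dev/null
}

img=$(mktemp)
make_image "$img"
echo "header area: $(header_bytes "$img") bytes"
wipe_header "$img"
header_bytes "$img" >/dev/null || echo "no LUKS header left: key slots destroyed"
rm -f "$img"
```

The wipe only destroys the data if no copy of the header exists elsewhere, for example one made with `cryptsetup luksHeaderBackup`.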
 
  

