
A New Technique to Quickly Erase Hard Drives

Posted by CowboyNeal
from the clean-and-clear dept.
RockDoctor writes "Stories about 'wiped' hard drives appearing on eBay (and other channels) and being stuffed with personally-identifiable data are legion; rarer are spy planes having to land on enemy territory, but it happened in 2001 to a US spy plane over an un-declared enemy (China, and that's a topic in itself). Dark Reading reports the development of a technique to securely wipe a hard drive in seconds, and which is safe for flying. (The safe for flying criterion rules out things like fun with packing the drives in thermite. Also thermiting the drives may not erase the platters to the standard required, which is moderately interesting itself.)"
  • Joe does it (Score:5, Interesting)

    by janet-on (982800) on Saturday June 17, 2006 @11:48AM (#15554918)
    Unfortunately a few passes with random data is not as effective against a sophisticated recovery effort as is often assumed.
    Now if it's just some random joe with an undelete program he got for $19.99 at the local shop then a single pass is often enough, more sophisticated software only tools might get past a few, but with hardware equipment (probably not used often below the FBI/pro forensics places) you might want to do something a bit more secure.
    With good knowledge of how the data is actually stored on the disk you can figure out patterns that tend to degauss the bits being wiped and help eliminate the residual images left by the micro imperfection in head positioning (which are shrinking to almost nothing these days) and similar effects a truly sophisticated data recovery effort might use.

    Peter Gutmann put out a paper about this that can be read at http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html [auckland.ac.nz]
    that explains it better.
    Though with remapping and newer recording techniques things change and software only erasure becomes more and more problematic. At the highest levels of secrecy I believe most governments require over-kill levels of outright hardware destruction.
  • What a crock... (Score:5, Interesting)

    by Anonymous Coward on Saturday June 17, 2006 @11:58AM (#15554965)
    The Chinese eventually gained access to U.S. military secrets.

    What a crock of crap. That and the rest of the story.

    I worked in the military long enough to know that they would have encrypted sensitive data as a requirement (destroy or erase a security token, in the use of a combined token/passphrase crypto system and the data is safe) and that the military already use storage devices which can be erased in seconds with a function specifically built just for that.

    This story sounds like it is just trying to inject some life into the stock price of some crap company that provides too little, too late.
  • Erasing, not Voodoo (Score:5, Interesting)

    by Psionicist (561330) on Saturday June 17, 2006 @12:00PM (#15554978)
    I would like to take the opportunity here to debunk a very common myth regarding hard drive erasure.

    You DO NOT have to overwrite a file 35 times to be "safe". This number originates from a misunderstanding of a paper [auckland.ac.nz] about secure file erasure, written by Gutmann.

    The 35 patterns/passes in the table in the paper are for all different hard disk encodings used in the 90s. A single drive only uses one type of encoding, so the extra passes for another encoding have no effect at all. The 35 passes are maybe useful for drives where the encoding is unknown though.

    For new 2000-era drives, simply overwriting with random bytes is sufficient.

    Here's an epilogue by Gutmann for the original paper:

    Epilogue: In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.

    Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps one or two levels via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. Conversely, with modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero.
  • Re:First question: (Score:2, Interesting)

    by nottestuser (166818) on Saturday June 17, 2006 @12:08PM (#15555003)
    Because the Windows 98 computers running the spy cameras don't support encrypted file systems.

    Seriously, this is a fricking no-brainer. Make the key 4096 bits of random data, load it into battery-backed RAM from a storage device kept at the air field. When you run into a problem you have 4K of data in RAM to destroy instead of GBs of data on disk with the added benefit that if you ever get the disk back to the air field you still get your data. Unless the Air Force doesn't have access to unbreakable encryption...
  • Not really new (Score:3, Interesting)

    by Dolphinzilla (199489) on Saturday June 17, 2006 @12:16PM (#15555033) Journal
    Both M-Systems and Memtech have solid state disk drives that implement NSA and NISPOM approved methods for secure hard drive erase - and they can erase the entire drive in under a minute -
  • Re:New technique? (Score:3, Interesting)

    by Wonko the Sane (25252) * on Saturday June 17, 2006 @12:17PM (#15555038) Journal
    If you shape the magnets correctly and use AC to power them, then a magnetic field can (in theory) move any material that conducts electricity. Because a moving magnetic field will generate an electric field in the conductor, which will create a magnetic field that interacts with the original field. It may not be practical with all materials, but it is possible.
  • by sk999 (846068) on Saturday June 17, 2006 @12:27PM (#15555066)
    the researchers designed a neodymium iron-boron magnet with special pole pieces made of esoteric cobalt alloys.
    Sounds like the magnet may be worth more than the secret information it is supposed to protect.
  • Re:What a crock... (Score:1, Interesting)

    by Anonymous Coward on Saturday June 17, 2006 @12:38PM (#15555095)
    because the US have the most immaculate record when it comes to respecting foreign airspace. Francis Gary Powers anyone?
  • Re:Drill+Thermite? (Score:3, Interesting)

    by Oggust (526634) <d3august@dtek.chalmers.se> on Saturday June 17, 2006 @12:50PM (#15555140) Homepage

    I know by itself thermite and similar methods have difficulty penetrating the outer case reliably, but I would think drill+thermite injection to fill the internal cavity of the system would be effective..

    Takes too long to drill the disks and insert the thermite, while your spy plane is spiralling down.

    And anyway, if the thermite didn't fully destroy the disks [chalmers.se], you weren't using enough [chalmers.se] of it. See? [chalmers.se]


    /August.

  • by asuffield (111848) <asuffield@suffields.me.uk> on Saturday June 17, 2006 @12:56PM (#15555154)
    For new 2000-era drives, simply overwriting with random bytes is sufficient.

    That's not what the text you quoted said, nor is it correct. It's true that overwriting 35 times doesn't accomplish anything more, though. The quote said:

    For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do.


    For new 2000-era drives, simply overwriting with random bytes is the best you can do [from software / without breaking the drive]. That's because the firmware makes it almost impossible to 'securely' erase data from the drives, so you just can't do any better. It's nowhere near 'sufficient'; in fact it's almost useless against any modern hardware analysis. (The best you can do, if you don't want to keep the drive, is to heat the platters until they melt; that is guaranteed to destroy the data, but almost everything else isn't).

    The other important part of the quote is:

    Conversely, with modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero.


    This is true, but more commonly you've got several Gb of sensitive data, and the 'enemy' manages to recover some percentage of it. There are companies who do this stuff on the open market - you send them your drive, pay a figure on the order of several thousand dollars, and a while later they send you back most of your data. Their customers tend to be law enforcement, divorce lawyers, private detectives, and companies who are big enough to afford it but not big enough to have a proper backup system in place for their laptop hard drives. They don't need to recover 100% of the porn that has been in your browser cache, just a few pages from some of the sites.
  • by NixieBunny (859050) on Saturday June 17, 2006 @12:56PM (#15555156) Homepage
    With all due respect, the article doesn't describe the device as you say. It weighs 125 lbs in prototype form, which will be reduced for production, and there's only one needed per airplane, not one per drive. What they're proposing is much less bulky than a similarly useful grinder or furnace. After all, it has to be usable on many packaged drives, quickly, in emergency plane-crash conditions. In a previous life, I did some work for E-Systems on a spy plane (Rivet Joint) using big removable ESDI drives of a few hundred megabytes each capacity, and the project guy said that it took about 20 minutes for their emergency drive erase sequence to finish. Not good if you're going down in enemy airspace!
  • by vadim_t (324782) on Saturday June 17, 2006 @12:59PM (#15555165) Homepage
    Now, even assuming there's something remaining after thermite, how do you get it out of a molten platter? The head hovers at nanometers from the disk's surface. A bent disk with a huge hole through it will just instantly wreck any head trying to read it. Is it even technically possible to restore the platter to a condition where you can even try to read anything from it?

    Besides, shouldn't all the data vanish due to the reaction bringing the surface above the Curie temperature?
  • by asuffield (111848) <asuffield@suffields.me.uk> on Saturday June 17, 2006 @01:30PM (#15555263)
    Not to mention that the whole "residuum magnetism" that may actually have existed in 90s HDs isn't simply possible anymore with today's track density. Any kind of remnant from the last state would be well under the paramagnetic limit and completely replaced by thermal noise.

    That may be true at some point in the future but it currently is not, and won't be without radical changes in the storage method. There must be a certain amount of tolerance in the current systems in order to compensate for drifting effects. The problem is that if you magnetise a surface such that there are two fields with opposing polarities next to each other, they will over time drift together and kinda-sorta cancel each other out (or at least, you will no longer be able to tell which one was where). So that hard drives keep their data for some number of years, the fields have to be sufficiently strong and spaced out for the drive head to still be able to identify them after they have sat there for a year. That means the head is writing strong, clear fields, and then after a few months it reads back a weaker, fuzzier field.

    Now, if the head then writes a strong, clear field over the top of the fuzzy one... then there will be residual traces of the fuzziness in the space between the clear fields. Forensic analysis can use a far more expensive and accurate device to read the fields, and so it can spot several generations of this stuff - it's like a buildup of sediment.

    That's not the only possible technique (I don't know which one the professional data recovery companies use), but it's one that drives based around the current methods will always suffer, simply because they must have those tolerances. You can't build a drive where the residuals are completely unreadable, because it means your data will be unreadable after a few months - you have to allow enough for the data to be readable, and that means that residuals can be readable too. Anywhere that you have tolerances like this, you can build a device with a finer tolerance and discover more data.
  • by asuffield (111848) <asuffield@suffields.me.uk> on Saturday June 17, 2006 @01:55PM (#15555359)
    Just holding the media next to a magnet, even an AC electromagnet, and turning the magnet on and off, doesn't erase the data as effectively as moving the media from close to the coil to far away. Or at least that's what I was always told. I suppose if you had a circuit that powered down the coil slowly, it would have much the same effect.

    It wouldn't, but you're nearly right. Simply placing a conductive object inside a magnetic field does nothing at all. In order for something to happen there must be motion. When you're using a coil powered from regular mains AC, the power resembles a sine wave, so the field is oscillating back and forth - this is sufficient to have a small effect, but you really want to move the object relative to the coil or you're mostly wasting power (and unlikely to stop the media from working, using a little coil like that). Specifically, the object needs to move across the direction of the field, not along it. A regular coil has field lines that move out from the top of the coil, move around it in a circle, and meet again at the bottom of the coil - so the overall shape in three dimensions is like a torus, with the hole going down the centre of the coil. So you want to move the object repeatedly towards and away from the side of the coil; that cuts the field at 90 degrees, which is where you'll get the maximum effect.

    Powering down the coil slowly accomplishes nothing directly - it's not about changing power levels. If you want to make the coil have a stronger effect without moving anything, you need to oscillate it faster, but that's impractical. Just move the media towards and away from the coil, in close proximity, a few times. Speed doesn't matter much, but the power developed by the coil and the length of time you spend doing it does. Moving the media towards the end of the coil (where the hole is) does very little; moving it towards the side is best. However, if you want to actually *remove* all traces of magnetism from something, then you do want to gradually reduce the power level - you see this most often in a monitor's degaussing coil. This may be necessary for tapes and floppies, if the drive can't handle media that has been randomly magnetised and you want to use the media again, but it's not required if you just want to wipe the data before disposal.
  • by asuffield (111848) <asuffield@suffields.me.uk> on Saturday June 17, 2006 @02:10PM (#15555414)
    As far as I know, the only limitation that modern firmware places on securely erasing data is smart buffering. i.e. the firmware sees 10 writes to the same sectors in the buffer and chooses to only write the last one to save time. Although that is a problem, modern erasing software ensures that all X amount of specified writes actually get written.

    The big problem is that the firmware can remap the physical layout in any way it likes. There's no guarantee that the sector 5 you just wrote to is the same sector 5 you wrote to six months ago - the only guarantee is that if you write some data to sector 5, and then later you ask for sector 5 back again, you get back the data you wrote. Successive writes aren't necessarily placed in the same location. Flash memory is notable for rarely putting two writes in the same place, but hard drives do it too (just not so often). So far as I know, the current desktop drives only remap for reliability and not for performance... but that's quite bad enough (and it seems likely that they'll start doing it for performance sooner or later).

    A secondary problem is that secure erasing requires knowledge of the physical layout (to know what sectors and pattern to write in - you may need to overwrite the adjacent sectors in both directions, depending on how the disk is laid out, but which ones are they?) and the firmware hides that information.

    There may be others, those are just the ones I'm aware of.
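
The two firmware behaviours discussed in this comment, write coalescing in the buffer and sector remapping, as an added toy model (not from the original post and not based on any real drive's firmware). `ToyDrive`, its cache and its remap table are hypothetical, and the secret string is constructed sample data.

```python
# Toy model only: a constructed "drive" with a write-back cache and a
# reliability remap table. Not modeled on any real firmware.
import os

SECTOR = 16  # bytes per sector in this toy model


class ToyDrive:
    def __init__(self, lbas=8, spares=2):
        # physical[] is what a platter-level analysis would see.
        self.physical = [bytes(SECTOR) for _ in range(lbas + spares)]
        self.lba_map = list(range(lbas))             # LBA -> physical index
        self.spares = list(range(lbas, lbas + spares))
        self.cache = {}                              # pending writes by LBA
        self.media_writes = 0

    def write(self, lba, data):
        # A newer pending write to the same LBA replaces the older one.
        self.cache[lba] = data

    def flush(self):
        for lba, data in self.cache.items():
            self.physical[self.lba_map[lba]] = data
            self.media_writes += 1
        self.cache.clear()

    def read(self, lba):
        if lba in self.cache:
            return self.cache[lba]
        return self.physical[self.lba_map[lba]]

    def remap(self, lba):
        # Firmware retires a weak sector: copy its data to a spare and
        # repoint the LBA. The retired physical sector is not cleared.
        self.flush()
        old, new = self.lba_map[lba], self.spares.pop(0)
        self.physical[new] = self.physical[old]
        self.lba_map[lba] = new
        return old


def overwrite(drive, lba, passes, flush_each_pass):
    """Overwrite one LBA with random data; return writes that reached media."""
    for _ in range(passes):
        drive.write(lba, os.urandom(SECTOR))
        if flush_each_pass:
            drive.flush()
    drive.flush()
    return drive.media_writes


def coalescing_demo():
    # Ten passes without a flush collapse into one media write.
    lazy = overwrite(ToyDrive(), 5, 10, flush_each_pass=False)
    forced = overwrite(ToyDrive(), 5, 10, flush_each_pass=True)
    return lazy, forced


def remap_demo():
    secret = b"SECRET-SECTOR-05"  # constructed sample data, 16 bytes
    drive = ToyDrive()
    drive.write(5, secret)
    drive.flush()
    retired = drive.remap(5)      # firmware moves LBA 5 to a spare
    overwrite(drive, 5, 3, flush_each_pass=True)
    return {
        "host_sees_secret": drive.read(5) == secret,
        "retired_sector": retired,
        "secret_on_media": drive.physical[retired] == secret,
    }


if __name__ == "__main__":
    print(coalescing_demo())
    print(remap_demo())
```

In the model the host can verify the overwrite through `read()` and still leave the old copy on the retired sector, which is why erasure that must cover remapped sectors has to be done by the drive itself or by destroying the media.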
  • Re:New technique? (Score:2, Interesting)

    by Anonymous Coward on Saturday June 17, 2006 @02:51PM (#15555558)
    I just have to wonder aloud for the sake of curiosity what effect a (perhaps slightly modified) medical defibrillator would have. Maybe replace the conductive paddles with said electromagnets?
  • by bcmm (768152) on Saturday June 17, 2006 @03:12PM (#15555613)
    You're going to want full video of the flight, at a high resolution if possible. That's gonna take up a few GB very fast
  • Waste of money (Score:3, Interesting)

    by kimvette (919543) on Saturday June 17, 2006 @03:30PM (#15555678) Homepage Journal
    125 lbs' worth of equipment to securely scramble a hard drive? Let me guess, the contractor is going to spend time "miniaturizing" it and charge several hundred grand per unit, right?

    I have a solution, with the total weight being under 5 lbs and total cost being under $130 (not counting any logic/switching required to enable it).

    Keep in mind:

      - the aircraft is disabled
      - flight instrument interference is a non-issue
      - The HDD not only does not have to be usable, it is intended to be unusable after this process
      - 12V, 24V, and 48V taps should all be readily available in the aircraft (NiMH batteries would suffice)

    Ready?

    Here are the required components:

      - a heavy-duty consumer-level inverter costing under $100 in bulk
      - a Radio Trash (or generic) degausser costing well under $30 in bulk.

    Total weight: under 5 lbs. Renders a hard drive unusable in a couple of seconds.
  • by squoozer (730327) on Saturday June 17, 2006 @04:34PM (#15555864)

    If I needed to destroy the data on a drive in seconds I would simply heat it well above the Curie temperature [wikipedia.org] for the magnetic material being used. If you are feeling really paranoid add a variable field strength magnet as well - once above the Curie temperature you wouldn't need much of a magnet to make sure things were well scrambled.

  • Re:Joe does it (Score:1, Interesting)

    by Anonymous Coward on Saturday June 17, 2006 @05:34PM (#15556049)
    Actually I would like to see a reference for that claim. To my knowledge nobody has recovered overwritten data from a current drive. People fantasize about the theoretical possibility and say that there are (unnamed) people who can do it, but I've never seen anyone claiming he's done it.
  • by FluffyG (692458) on Saturday June 17, 2006 @06:21PM (#15556217)
    I'm a LAN integrator for a mobile military communications system that is used for passing of secret and top secret material... Our manual says it takes about 3 grenades in the hummer to format all the hard drives if they need to do it quickly :)
  • Re:China?? (Score:2, Interesting)

    by Britz (170620) on Saturday June 17, 2006 @06:25PM (#15556229) Homepage
    I don't know where the CIA world factbook gets its facts, and I usually defend China on Slashdot as well. You just need to know one little thing about facts and China. Communists excel at writing their own reports. And the Chinese communists have trained rather well. I saw a nice documentary on TV about making wine in China. On a certain field one can make a certain amount of wine. That amount was expected (and announced) in the first year of operation. The French specialists that were there to help to set it up were ignored in very important crop handling issues all along and because of that and because you never get the full amount the first year anyways they predicted an amount of wine about 1/20 the amount the Chinese were expecting. They turned out to be right. So the operator just bought the wine somewhere else and put the right sticker on the bottles. After all half the financing came from the state. Failure to fulfill quotas not allowed.

    How exactly do you govern more than a billion people? I don't know, do you? But don't trust any "facts" from China.
  • by AJWM (19027) on Sunday June 18, 2006 @02:02AM (#15557385) Homepage
    I'd worry the most about antenna shapes and sizes and various analog circuitry.

    My parents worked at (met at) a secret radar research site (the misleadingly named TRE - Telecommunications Research Establishment) during WW-II. My mom once mentioned that since it was known that in case of lost aircraft there was a real danger of some of the equipment falling into enemy hands, it was routine practise to include dummy circuitry and sometimes wholly bogus equipment just to add to the confusion. Sometimes such equipment was deliberately allowed to be "captured".

    A slight weight penalty, but deemed worth it.

  • Why not use sand (Score:2, Interesting)

    by frambris (525874) on Sunday June 18, 2006 @06:52AM (#15557777) Homepage
    The Raptors have a window in their housing letting one show off the platters. Why not make that window removable and when in need to erase the drive just pour in some sand while it's spinning. That will surely sand off anything magnetic. Or make the heads lower themselves on to the platter and lathe the magnetic layer off. When the magnetic top layer is shaved off into dust the platters are nothing more than metallic frisbees.
  • by whit3 (318913) on Sunday June 18, 2006 @04:06PM (#15558925)
    To clarify things, here are several scenarios for erasure:

      - "delete file" erasure: tell the OS that that part of a file system doesn't have any current ownership, and that the filename doesn't exist, i.e. doesn't point to any data.
      - "overwrite sectors" erasure: direct the hard disk drive to put new, noninformative, data into the spaces formerly occupied by a file's data (and maybe metadata, like the file's icon and such)
      - "multiple remagnetize" erasure: direct the hard disk drive to put all (in binary terms, both) physical magnetizations onto the data area, so that data's remnant traces are not informative
      - "whole-disk multiple" erasure: ensure that all areas on the hard disk and all other data-holding parts (flash ROM) are multiply rewritten. This would make the bad-block list disappear, might even make the original format (how many tracks and sectors) unknowable to an investigator.

    After "delete file", unerase software can bring much data to light
    by scanning the drive through the normal hardware. Because EVERYONE KNOWS THIS, there
    are 'secure erase' options in many disk tools (Norton "Wipe File", Mac OS X "Secure Empty Trash" etc.)

    Those secure erase tools do multiple "write-over-sector", but there are some
    regulations that require "multiple remagnetize" erasure, and even 'dd /dev/random' isn't
    guaranteed there; you gotta pay money for a tool certified for that use. Here's why:

    What everyone DOESN'T know, is that "write-over-sector" leaves behind some small regions
    (magnetic domains) in places the read/write heads cannot access, which can be sensed by
    exotic techniques (optical rotation, neutron scattering, electron beam microprobing). The
    erase-35-times and DOD (military) multiple-erase requirements are aimed at this kind of
    exotic stuff. Nothing you can do in software would get data back from "write-over-sector"
    erasure.

    The modern disk drive compacts the data into a serial bit stream of known bandwidth and
    containing parity/error correcting code information, and DOES NOT put ones down on the
    disk when ones are in the data (MFM, RLL, and suchlike encoding schemes are in use on ALL
    media I'm aware of). This embedded-clock-and-data stream is hard to predict (what does
    Hitachi use on sATA drives this week? I don't know. Does anyone?), but WITH KNOWLEDGE
    of the encoding scheme, there are different recommended patterns for ensuring
    erasure to the standard of 'put ones on every spot, then zeros on every spot' . The use of
    software with ones in the DATA INPUT is not going to cause ones in the MAGNETIZED PATTERN,
    but you can come up with a set of data inputs that DOES effectively hit every bit of the surface.
    The famous paper on erasure has thirty-five scenarios for the encoding on the disk,
    and attempts to give a full remagnetize (with 'dd /dev/pattern01' through 'dd /dev/pattern35'
    kinds of operations).

    So, that's a third kind of erase, intended to remagnetize all portions of the disk surface.
    The formal requirement to remagnetize the surface is ridiculously strict, because the exotic techniques
    DON'T KNOW HISTORY. Those random little domains can be left over from the manufacturer's
    bad-block scan, or from last December's diagnostic reformat, or from the camera run from last
    week, or from this week's most sensitive information, or can be a combination of all of those.

    Or, it could be a bit of cosmic ray induced damage. The exotic reconstruction technique
    doesn't have any noise margin, it doesn't ignore the insignificant; noise is guaranteed.
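
The point above that ones in the data input do not become ones in the magnetized pattern, as an added example (not from the original post): FM and MFM encoders that turn overwrite bytes into flux-reversal cells, plus a measure of how many cells a set of passes magnetized in both directions. The polarity model is deliberately simplified (fixed starting polarity, no RLL or PRML, no track-edge effects), and all function names are illustrative.

```python
# Added illustration: how overwrite data maps to on-disk cells under FM and MFM.
# A cell value of 1 means "flux reversal here", 0 means "no reversal".

def data_bits(data: bytes):
    """Bits of the data, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def fm_cells(data: bytes):
    """FM: every data bit is preceded by a clock reversal."""
    cells = []
    for d in data_bits(data):
        cells += [1, d]
    return cells


def mfm_cells(data: bytes, prev: int = 0):
    """MFM: a clock reversal is written only between two consecutive 0 bits."""
    cells = []
    for d in data_bits(data):
        clock = 1 if (prev == 0 and d == 0) else 0
        cells += [clock, d]
        prev = d
    return cells


def polarity(cells, start: int = 0):
    """Magnetization direction per cell: each reversal flips the direction.
    Simplification: every pass starts from the same direction `start`."""
    level, out = start, []
    for c in cells:
        level ^= c
        out.append(level)
    return out


def both_directions(encode, passes):
    """Fraction of cells magnetized in both directions across the passes."""
    per_pass = [polarity(encode(p)) for p in passes]
    hit = sum(1 for cell in zip(*per_pass) if len(set(cell)) == 2)
    return hit / len(per_pass[0])


def as_text(cells):
    return "".join(str(c) for c in cells)


if __name__ == "__main__":
    for name, enc in (("FM", fm_cells), ("MFM", mfm_cells)):
        print(name, "0x00 ->", as_text(enc(b"\x00")))
        print(name, "0xFF ->", as_text(enc(b"\xff")))
    zeros, ones, alt = b"\x00" * 4, b"\xff" * 4, b"\xaa" * 4
    print("MFM, 00 then FF:", both_directions(mfm_cells, [zeros, ones]))
    print("MFM, 00, FF, AA:", both_directions(mfm_cells, [zeros, ones, alt]))
```

In this model an all-zeros pass followed by an all-ones pass reverses only half the cells, and the result changes with the encoding and with each added pattern, which is the reason the overwrite patterns in the paper are specific to an encoding.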
