A New Technique to Quickly Erase Hard Drives
RockDoctor writes "Stories about 'wiped' hard drives appearing on eBay (and other channels) and being stuffed with personally-identifiable data are legion; rarer are spy planes having to land on enemy territory, but it happened in 2001 to a US spy plane over an undeclared enemy (China, and that's a topic in itself). Dark Reading reports the development of a technique to securely wipe a hard drive in seconds, and which is safe for flying. (The safe for flying criterion rules out things like fun with packing the drives in thermite. Also thermiting the drives may not erase the platters to the standard required, which is moderately interesting itself.)"
Joe does it (Score:5, Interesting)
Now if it's just some random joe with an undelete program he got for $19.99 at the local shop then a single pass is often enough, more sophisticated software only tools might get past a few, but with hardware equipment (probably not used often below the FBI/pro forensics places) you might want to do something a bit more secure.
With good knowledge of how the data is actually stored on the disk you can figure out patterns that tend to degauss the bits being wiped and help eliminate the residual images left by the micro imperfection in head positioning (which are shrinking to almost nothing these days) and similar effects a truly sophisticated data recovery effort might use.
Peter Gutmann put out a paper about this that can be read at http://www.cs.auckland.ac.nz/~pgut001/pubs/secure that explains it better.
Though with remapping and newer recording techniques things change and software only erasure becomes more and more problematic. At the highest levels of secrecy I believe most governments require overkill levels of outright hardware destruction.
What a crock... (Score:5, Interesting)
What a crock of crap. That and the rest of the story.
I worked in the military long enough to know that they would have encrypted sensitive data as a requirement (destroy or erase a security token, in the use of a combined token/passphrase crypto system and the data is safe) and that the military already use storage devices which can be erased in seconds with a function specifically built just for that.
This story sounds like it is just trying to inject some life into the stock price of some crap company that provides too little, too late.
Erasing, not Voodoo (Score:5, Interesting)
You DO NOT have to overwrite a file 35 times to be "safe". This number originates from a misunderstanding of a paper [auckland.ac.nz] about secure file erasure, written by Gutmann.
The 35 patterns/passes in the table in the paper are for all different hard disk encodings used in the '90s. A single drive only uses one type of encoding, so the extra passes for another encoding have no effect at all. The 35 passes are maybe useful for drives where the encoding is unknown though.
For new 2000-era drives, simply overwriting with random bytes is sufficient.
Here's an epilogue by Gutmann for the original paper:
Re:First question: (Score:2, Interesting)
Seriously, this is a fricking no-brainer. Make the key 4096 bits of random data, load it into battery-backed RAM from a storage device kept at the air field. When you run into a problem you have 4K of data in RAM to destroy instead of GBs of data on disk with the added benefit that if you ever get the disk back to the air field you still get your data. Unless the Air Force doesn't have access to unbreakable encryption...
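The key-destruction scheme described in the comment above, as an added example that is not part of the original thread: the disk only ever holds ciphertext, the 4096-bit key lives in a RAM buffer that is zeroed in an emergency, and a copy kept at base can still open the disk later. The SHAKE-256 keystream is a standard-library stand-in for a real cipher, and all names and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 4096 // 8  # the 4096-bit key size named in the comment


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher (assumption): keeps the example stdlib-only.
    # A fielded system would use a vetted AEAD such as AES-GCM.
    return hashlib.shake_256(b"enc" + key + nonce).digest(n)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the returned blob is all that ever touches the disk."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong or destroyed key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def zeroize(buf: bytearray) -> None:
    # Overwrites the buffer in place. Python may hold other copies of the key,
    # so real key storage belongs in hardware designed to be cleared.
    for i in range(len(buf)):
        buf[i] = 0


def demo() -> dict:
    base_copy = secrets.token_bytes(KEY_BYTES)   # key copy kept at the air field
    ram_key = bytearray(base_copy)               # working copy in battery-backed RAM
    disk = seal(bytes(ram_key), b"constructed sample record 0001")
    zeroize(ram_key)                             # emergency: 512 bytes to destroy
    try:
        unseal(bytes(ram_key), disk)
        readable_after_wipe = True
    except ValueError:
        readable_after_wipe = False
    return {
        "key_bytes": len(ram_key),
        "readable_after_wipe": readable_after_wipe,
        "recovered_at_base": unseal(base_copy, disk),
    }
```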
Not really new (Score:3, Interesting)
Re:New technique? (Score:3, Interesting)
Forget the secret information (Score:2, Interesting)
Re:What a crock... (Score:1, Interesting)
Re:Drill+Thermite? (Score:3, Interesting)
I know by itself thermite and similar methods have difficulty penetrating the outer case reliably, but I would think drill+thermite injection to fill the internal cavity of the system would be effective..
Takes too long to drill the disks and insert the thermite, while your spy plane is spiralling down.
And anyway, if the thermite didn't fully destroy the disks [chalmers.se], you weren't using enough [chalmers.se] of it. See? [chalmers.se]
Re:Erasing, not Voodoo (Score:4, Interesting)
That's not what the text you quoted said, nor is it correct. It's true that overwriting 35 times doesn't accomplish anything more, though. The quote said:
For new 2000-era drives, simply overwriting with random bytes is the best you can do [from software / without breaking the drive]. That's because the firmware makes it almost impossible to 'securely' erase data from the drives, so you just can't do any better. It's nowhere near 'sufficient'; in fact it's almost useless against any modern hardware analysis. (The best you can do, if you don't want to keep the drive, is to heat the platters until they melt; that is guaranteed to destroy the data, but almost everything else isn't).
The other important part of the quote is:
This is true, but more commonly you've got several Gb of sensitive data, and the 'enemy' manages to recover some percentage of it. There are companies who do this stuff on the open market - you send them your drive, pay a figure on the order of several thousand dollars, and a while later they send you back most of your data. Their customers tend to be law enforcement, divorce lawyers, private detectives, and companies who are big enough to afford it but not big enough to have a proper backup system in place for their laptop hard drives. They don't need to recover 100% of the porn that has been in your browser cache, just a few pages from some of the sites.
Read the article more closely! (Score:4, Interesting)
How do you read a thermited platter? (Score:5, Interesting)
Besides, shouldn't all the data vanish due to the reaction bringing the surface above the Curie temperature?
Re:Erasing, not Voodoo (Score:5, Interesting)
That may be true at some point in the future but it currently is not, and won't be without radical changes in the storage method. There must be a certain amount of tolerance in the current systems in order to compensate for drifting effects. The problem is that if you magnetise a surface such that there are two fields with opposing polarities next to each other, they will over time drift together and kinda-sorta cancel each other out (or at least, you will no longer be able to tell which one was where). So that hard drives keep their data for some number of years, the fields have to be sufficiently strong and spaced out for the drive head to still be able to identify them after they have sat there for a year. That means the head is writing strong, clear fields, and then after a few months it reads back a weaker, fuzzier field.
Now, if the head then writes a strong, clear field over the top of the fuzzy one... then there will be residual traces of the fuzziness in the space between the clear fields. Forensic analysis can use a far more expensive and accurate device to read the fields, and so it can spot several generations of this stuff - it's like a buildup of sediment.
That's not the only possible technique (I don't know which one the professional data recovery companies use), but it's one that drives based around the current methods will always suffer, simply because they must have those tolerances. You can't build a drive where the residuals are completely unreadable, because it means your data will be unreadable after a few months - you have to allow enough for the data to be readable, and that means that residuals can be readable too. Anywhere that you have tolerances like this, you can build a device with a finer tolerance and discover more data.
Re:Degaussing Technique (Score:5, Interesting)
It wouldn't, but you're nearly right. Simply placing a conductive object inside a magnetic field does nothing at all. In order for something to happen there must be motion. When you're using a coil powered from regular mains AC, the power resembles a sine wave, so the field is oscillating back and forth - this is sufficient to have a small effect, but you really want to move the object relative to the coil or you're mostly wasting power (and unlikely to stop the media from working, using a little coil like that). Specifically, the object needs to move across the direction of the field, not along it. A regular coil has field lines that move out from the top of the coil, move around it in a circle, and meet again at the bottom of the coil - so the overall shape in three dimensions is like a torus, with the hole going down the centre of the coil. So you want to move the object repeatedly towards and away from the side of the coil; that cuts the field at 90 degrees, which is where you'll get the maximum effect.
Powering down the coil slowly accomplishes nothing directly - it's not about changing power levels. If you want to make the coil have a stronger effect without moving anything, you need to oscillate it faster, but that's impractical. Just move the media towards and away from the coil, in close proximity, a few times. Speed doesn't matter much, but the power developed by the coil and the length of time you spend doing it does. Moving the media towards the end of the coil (where the hole is) does very little; moving it towards the side is best. However, if you want to actually *remove* all traces of magnetism from something, then you do want to gradually reduce the power level - you see this most often in a monitor's degaussing coil. This may be necessary for tapes and floppies, if the drive can't handle media that has been randomly magnetised and you want to use the media again, but it's not required if you just want to wipe the data before disposal.
Re:Erasing, not Voodoo (Score:5, Interesting)
The big problem is that the firmware can remap the physical layout in any way it likes. There's no guarantee that the sector 5 you just wrote to is the same sector 5 you wrote to six months ago - the only guarantee is that if you write some data to sector 5, and then later you ask for sector 5 back again, you get back the data you wrote. Successive writes aren't necessarily placed in the same location. Flash memory is notable for rarely putting two writes in the same place, but hard drives do it too (just not so often). So far as I know, the current desktop drives only remap for reliability and not for performance... but that's quite bad enough (and it seems likely that they'll start doing it for performance sooner or later).
A secondary problem is that secure erasing requires knowledge of the physical layout (to know what sectors and pattern to write in - you may need to overwrite the adjacent sectors in both directions, depending on how the disk is laid out, but which ones are they?) and the firmware hides that information.
There may be others, those are just the ones I'm aware of.
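The remapping problem described in the comment above, as an added example that is not part of the original thread: a constructed toy drive whose firmware retires a physical sector and redirects the logical address to a spare. A full overwrite through the logical interface then reads back clean, while the retired physical sector still holds the old data. The class, method names and sizes are hypothetical.

```python
class ToyDrive:
    """Constructed model: logical sectors sit on top of a firmware remap table."""

    def __init__(self, sectors: int, spares: int):
        self.sectors = sectors
        self.platter = [b"\x00" * 16] * (sectors + spares)   # physical sectors
        self.lba_map = list(range(sectors))                   # logical -> physical
        self.free_spares = list(range(sectors, sectors + spares))

    def write(self, lba: int, data: bytes) -> None:
        self.platter[self.lba_map[lba]] = data

    def read(self, lba: int) -> bytes:
        return self.platter[self.lba_map[lba]]

    def firmware_remap(self, lba: int) -> None:
        """Firmware retires a weak sector: copy to a spare and redirect the LBA.
        The old physical sector is never touched again, so it keeps its contents."""
        new_phys = self.free_spares.pop(0)
        self.platter[new_phys] = self.platter[self.lba_map[lba]]
        self.lba_map[lba] = new_phys


def overwrite_all(drive: ToyDrive, pattern: bytes) -> None:
    """What a software wipe can do: write every sector the host can address."""
    for lba in range(drive.sectors):
        drive.write(lba, pattern)


def physical_sectors_containing(drive: ToyDrive, needle: bytes) -> list:
    """What someone reading the platter directly would find."""
    return [p for p, data in enumerate(drive.platter) if needle in data]


def demo() -> dict:
    drive = ToyDrive(sectors=8, spares=2)
    secret = b"constructed-data"          # sample value, made up for the demo
    drive.write(5, secret)                # the "sector 5" of the comment
    drive.firmware_remap(5)               # six months later it lives elsewhere
    overwrite_all(drive, b"\xaa" * 16)
    return {
        "lbas_still_showing_secret": [l for l in range(8) if secret in drive.read(l)],
        "physical_sectors_with_secret": physical_sectors_containing(drive, secret),
        "lba5_now_maps_to": drive.lba_map[5],
    }
```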
Re:New technique? (Score:2, Interesting)
Re:Why not use flash memory? (Score:3, Interesting)
Waste of money (Score:3, Interesting)
I have a solution, with the total weight being under 5 lbs and total cost being under $130 (not counting any logic/switching required to enable it).
Keep in mind:
- the aircraft is disabled
- flight instrument interference is a non-issue
- The HDD not only does not have to be usable, it is intended to be unusable after this process
- 12V, 24V, and 48V taps should all be readily available in the aircraft (NiMH batteries would suffice)
Ready?
Here are the required components:
- a heavy-duty consumer-level inverter costing under $100 in bulk
- a Radio Trash (or generic) degausser costing well under $30 in bulk.
Total weight: under 5 lbs. Renders a hard drive unusable in a couple of seconds.
Thermite should work... (Score:3, Interesting)
If I needed to destroy the data on a drive in seconds I would simply heat it well above the Curie temperature [wikipedia.org] for the magnetic material being used. If you are feeling really paranoid add a variable field strength magnet as well - once above the Curie temperature you wouldn't need much of a magnet to make sure things were well scrambled.
Re:Joe does it (Score:1, Interesting)
Re:the product is stupid (Score:4, Interesting)
Re:China?? (Score:2, Interesting)
How exactly do you govern more than a billion people? I don't know, do you? But don't trust any "facts" from China.
Re:the product is stupid (Score:4, Interesting)
My parents worked at (met at) a secret radar research site (the misleadingly named TRE - Telecommunications Research Establishment) during WW-II. My mom once mentioned that since it was known that in case of lost aircraft there was a real danger of some of the equipment falling into enemy hands, it was routine practise to include dummy circuitry and sometimes wholly bogus equipment just to add to the confusion. Sometimes such equipment was deliberately allowed to be "captured".
A slight weight penalty, but deemed worth it.
Why not use sand (Score:2, Interesting)
"erase" is ambiguous; four kinds of erase (Score:2, Interesting)
"delete file" erasure: tell the OS that that part of a file system doesn't have any current ownership, and that the filename doesn't exist, i.e. doesn't point to any data.
"overwrite sectors" erasure: direct the hard disk drive to put new, noninformative, data into the spaces formerly occupied by a file's data (and maybe metadata, like the file's icon and such)
"multiple remagnetize" erasure: direct the hard disk drive to put all (in binary terms, both) physical magnetizations onto the data area, so that data's remnant traces are not informative
"whole-disk multiple" erasure: ensure that all areas on the hard disk and all other data-holding parts (flash ROM) are multiply rewritten. This would make the bad-block list disappear, might even make the original format (how many tracks and sectors) unknowable to an investigator.
After "delete file", unerase software can bring much data to light by scanning the drive through the normal hardware. Because EVERYONE KNOWS THIS, there are 'secure erase' options in many disk tools (Norton "Wipe File", Mac OS X "Secure Empty Trash" etc.) Those secure erase tools do multiple "write-over-sector", but there are some regulations that require "multiple remagnetize" erasure, and even 'dd guaranteed there; you gotta pay money for a tool certified for that use. Here's why:
What everyone DOESN'T know, is that "write-over-sector" leaves behind some small regions (magnetic domains) in places the read/write heads cannot access, which can be sensed by exotic techniques (optical rotation, neutron scattering, electron beam microprobing). The erase-35-times and DOD (military) multiple-erase requirements are aimed at this kind of exotic stuff. Nothing you can do in software would get data back from "write-over-sector" erasure.
The modern disk drive compacts the data into a serial bit stream of known bandwidth and containing parity/error correcting code information, and DOES NOT put ones down on the disk when ones are in the data (MFM, RLL, and suchlike encoding schemes are in use on ALL media I'm aware of). This embedded-clock-and-data stream is hard to predict (what does Hitachi use on sATA drives this week? I don't know. Does anyone?), but WITH KNOWLEDGE of the encoding scheme, there are different recommended patterns for ensuring erasure to the standard of 'put ones on every spot, then zeros on every spot'. The use of software with ones in the DATA INPUT is not going to cause ones in the MAGNETIZED PATTERN, but you can come up with a set of data inputs that DOES effectively hit every bit of the surface.
The famous paper on erasure has thirty-five scenarios for the encoding on the disk, and attempts to give a full remagnetize (with 'dd kinds of operations).
So, that's a third kind of erase, intended to remagnetize all portions of the disk surface.
The formal requirement to remagnetize the surface is ridiculously strict, because the exotic techniques DON'T KNOW HISTORY. Those random little domains can be left over from the manufacturer's bad-block scan, or from last December's diagnostic reformat, or from the camera run from last week, or from this week's most sensitive information, or can be a combination of all of those. Or, it could be a bit of cosmic ray induced damage. The exotic reconstruction technique doesn't have any noise margin, it doesn't ignore the insignificant; noise is guaranteed.
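The point in the comment above that ones in the data input are not ones in the magnetized pattern, as an added example that is not part of the original thread: a textbook MFM encoder plus an idealized flux model (a 1 cell flips polarity, the starting polarity is assumed to be +1). It shows that an all-ones pass followed by an all-zeros pass leaves half the bit cells magnetized the same way both times. Function names and the 4-byte sample sectors are constructed.

```python
def mfm_encode(data: bytes, prev_bit: int = 0) -> list:
    """MFM: each data bit becomes (clock, data); clock is 1 only between two 0 bits."""
    cells = []
    for byte in data:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            cells += [1 if (prev_bit == 0 and bit == 0) else 0, bit]
            prev_bit = bit
    return cells


def magnetization(cells: list, start: int = 1) -> list:
    """A 1 cell is a flux reversal; return the polarity (+1 or -1) left in each cell.
    The starting polarity is an assumption of this idealized model."""
    polarity, out = start, []
    for cell in cells:
        if cell:
            polarity = -polarity
        out.append(polarity)
    return out


def fraction_hit_both_ways(passes: list) -> float:
    """Share of cells that received both polarities over the given overwrite passes."""
    seen = None
    for data in passes:
        pol = magnetization(mfm_encode(data))
        seen = [{p} for p in pol] if seen is None else [s | {p} for s, p in zip(seen, pol)]
    return sum(len(s) == 2 for s in seen) / len(seen)


def demo() -> dict:
    ones, zeros = b"\xff" * 4, b"\x00" * 4   # constructed 4-byte "sectors"
    return {
        "cells_for_ones": mfm_encode(ones)[:8],
        "cells_for_zeros": mfm_encode(zeros)[:8],
        "polarity_for_ones": magnetization(mfm_encode(ones))[:8],
        "ones_then_zeros_coverage": fraction_hit_both_ways([ones, zeros]),
    }
```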