On Tue, Apr 26, 2011 at 10:54 AM, Aaron Toponce <aaron.topo...@gmail.com> wrote:
> On Tue, Apr 26, 2011 at 10:32:28AM -0600, Nicholas Leippe wrote:
>> Well, it only takes a single 0 pass to sufficiently make the data
>> unrecoverable w/o extremely expensive forensics (you will have to use
>> a microscope directly on the platter and attempt to read residual
>> signal levels--which will be complicated by the drive's internal
>> signal encoding scheme). But, on 1TB it will still take a few hours
>> even for that first pass.
>
> I would like to see evidence that, given today's drive densities and
> recording techniques, someone or some company has successfully recovered
> data after a single pass of zeros on the disk level.

Such evidence may never be publicly available--it may not be a
capability you would readily advertise. I have no doubt that some
agency, somewhere, has put some effort into at least trying. Whether
anyone has ever succeeded is anyone's guess.

>
> Suppose it is possible. Then the speed at which to recover 1TB of
> single-pass, overwritten data would take ages, not a few hours like you
> presume. Consider the following snippet from [1] using an MFM:

I never said that you could *recover* the overwritten-data in a few
hours--I said that *writing* a single 0s pass over 1TB takes at least
a few hours. Recovering that data, if even possible at all, would be a
monumental task--thus the cost would have to be justified. The paper
you linked highlights much of the difficulty of such an endeavor.

I do know a little bit about secure data deletion--I produced
commercial deletion software and have read many of the published
studies on the matter. It is my opinion currently that a single 0s
pass is for all intents and purposes sufficient to delete data from
modern rotating magnetic media. However, there are still other issues
to consider--such as retired sectors which are no longer
user-addressable. In order to clear these you must presently rely upon
the firmware supporting the (optional) ATA Secure Erase Enhanced
command--not just the Secure Erase command which is only required to
erase user-addressable sectors. However, accessing the data on those
retired sectors would again require some expensive expertise and
equipment--such as the company whose white paper you linked:

> 1: http://goo.gl/mIwFr (PDF)
>
[snip]
>
> The fact of the matter is, getting data off a disk that HASN'T been
> overwritten is daunting in and of itself, as that paper I have linked to
> confirms.

Funnily enough the white paper you linked is essentially an
advertisement from a company that claims to have just this capability.
It details how they do it, and yes, it is a very daunting task. They
outline how recovering data from *failed* drives can be very difficult
to impossible depending on the nature of the failure. However, their
solution should work quite well for drives that have merely been
incapacitated in any manner that leaves the platters intact, provided
that recovery is not further impeded by inaccessible unit-specific
calibration parameters. IOW if the drive was healthy before the user
in a fit of panic damages the servo, PCB, connector, or whatever but
leaves the platters intact, these guys might still successfully
extract the data. Also, with their solution scanning remapped sectors
is a non-issue (although they may be damaged and thus partially or
completely unreadable, of course).

> And you want to get at overwritten data, yet you think that if you didn't do 
> the 35 Gutmann pass, it's not good enough.

Accessing overwritten data is an even bigger task. It depends on the
ability of the tool to distinguish residual signals in the guard band.
The paper you linked expresses that this is clearly possible, and that
successfully imaging a drive including the guard band contents has
even been demonstrated, but that extracting actual data from the guard
band of such imaging has not been demonstrated yet--as you mentioned.
It would require considerable resources to do so--lots of disc for the
resulting image, and lots of CPU power for the image processing.
Difficult, yes. Possible, yes. Demonstrated commercially yet, no. Done
anywhere yet, who's to say.

My conclusion is that if your data is so valuable that whoever, if
anyone, has this capability would be willing to use it to get your
data, then, and only then is a single 0s pass insufficient to destroy
your data while leaving the drive intact. Because if you happen to
have data that is that valuable, you aren't going to be deleting
drives to protect it anyways--you are going to be physically
destroying the drives. Thus, unless you're a super secret spy or a
super nasty arch-villain-of-the-world, a single 0s pass is enough.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
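
Added example, not part of the original message: the post notes that clearing retired sectors depends on the firmware supporting the optional enhanced variant of ATA Secure Erase. This Python code reads the Security section of `hdparm -I` output and reports which erase mode the drive advertises; the use of hdparm is an assumption (the thread names no tool), and the sample text and function names are constructed for illustration.

```python
import re

# Constructed sample: the "Security:" block as `hdparm -I` typically prints it
# (assumed layout, not output from the original thread).
SAMPLE = (
    "Security:\n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 4min for ENHANCED SECURITY ERASE UNIT.\n"
    "Checksum: correct\n"
)

FLAG = re.compile(
    r"^\s+(not)?\s*(supported: enhanced erase|supported|enabled|locked|frozen)\s*$"
)

def parse_security(identify_text):
    """Map each ATA security flag to True/False from hdparm -I style text."""
    flags, in_section = {}, False
    for line in identify_text.splitlines():
        if line.strip() == "Security:":
            in_section = True
        elif in_section and line and not line[0].isspace():
            break  # reached the next top-level section
        elif in_section:
            m = FLAG.match(line)
            if m:
                flags[m.group(2)] = m.group(1) is None
    return flags

def erase_mode(identify_text):
    """Pick the strongest firmware erase the drive reports as usable."""
    f = parse_security(identify_text)
    if not f.get("supported"):
        return "unsupported"  # no ATA security feature set: overwrite only
    if f.get("frozen"):
        return "frozen"       # security commands rejected until a power cycle
    if f.get("supported: enhanced erase"):
        return "enhanced"     # the variant the post says reaches retired sectors
    return "basic"            # only required to cover user-addressable sectors

if __name__ == "__main__":
    print(erase_mode(SAMPLE))
```

A result of "basic" or "unsupported" means retired sectors stay out of reach of any software-driven wipe, which is the residual risk the message describes.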
