On-Call-IT Assists In Government Data Destruction

covaro writes "Seems those on-site computer services may be helping to cover up government dirty deeds these days. The Wall Street Journal reports: 'Investigators learned that [Office of Special Counsel head Scott Bloch, who has been under investigation since 2005] erased all the files on his office personal computer late last year. They are now trying to determine whether the deletions were improper or part of a cover-up, lawyers close to the case said ... Bypassing his agency's computer technicians, Mr. Bloch phoned for Geeks on Call, the mobile PC-help service ... Bloch had his computer's hard disk completely cleansed using a "seven-level" wipe: a thorough scrubbing that conforms to Defense Department data-security standards. The process makes it nearly impossible for forensics experts to restore the data later.'"

Hire someone???

[pla]

Bloch had his computer's hard disk completely cleansed using a "seven-level" wipe: a thorough scrubbing that conforms to Defense Department data-security standards.

You have to wonder - For those who can't do such things themselves, wouldn't it cost less to just buy a new HDD, and take a sledgehammer (or thermite, where readily available) to the old one?

Sure, for most Slashdotters who can do their own "seven level wipe" (or whatever number the current rumors claim works infallably), saving a few hundred

Re:

[mh1997]

You have to wonder - For those who can't do such things themselves, wouldn't it cost less to just buy a new HDD, and take a sledgehammer (or thermite, where readily available) to the old one?

My DoD owned computer at work has the serial numbers recorded for all hardware installed inside the case.

Replace the HDD and somebody somewhere would know and think I stole the disk or data, wipe it and I just say I was removing porn. Porn would get me fired, stealing the HDD or data would get me fired and thrown in

Two words...

[Aphrika]

...plausible deniability...

Taking a hammer (or thermite) to a hard drive is considerably more suspicious than saying you "wiped your drive because you thought you had a virus". In todays security-conscious environment, an overzealous old guy wiping his drive in such a manner can easily be spun into something done with a good conscience... or if you're feeling brave, stupidity...

How about Hanlon's Razor; "never attribute to malice, what can be attributed to stupidity".

And that's your perfect answer "Oops

Re:Two words...

[ScrappyLaptop]

but...he also had them wipe the drives of several underling's laptops as well...and if he really had a virus, why not just call his own IT (the one's that said, "we don't do a level-7 for viruses we just reimage")...?

Thirty years ago, there was a huge uproar about some guy erasing a few minutes of tape. Nowadays, politicians get away with destroying evidence while under investigation...and the media doesn't even raise a stink. He who controls the media, indeed.

Re:

[ScrappyLaptop]

...Except that there are very clear procedures that said lawyer is supposed to follow as an employee of the United Stated Government, plenty of which deal with things such as turnover of staff, virus infections, etc. He wasn't operating in a vaccuum. In fact, he should be at the very least *reprimanded* for not following said procedures. Allowing a private party access to those laptops, I was under the impression, is strictly prohibited unless they have a contract to do so...and the company representativ

Re:Two words...

[apparently]

and that's your perfect answer "Oops I'm sorry, I wanted to make sure my virus had gone.

That's the polar opposite of the perfect answer. This is a government computer we're talking about. End-users aren't to be performing maintenance, contracting out maintenance, or any other such notion. The idea of "oops, I must've got a virus" complete bullshit: any IT department worth its paycheck has ensured their systems are virus-proof. In the event that a virus did manage to make its way through, mandatory SOP would be for the in-house shop to determine how security was compromise, the extent of the damage, and ensure that the issue has been resolved properly. Now take that up a notch for government systems, and "oops!" is far from a perfect excuse.

This fucker needs to be investigated.

Re:

[mrchaotica]

This fucker needs to be investigated.

No, this fucker's superiors need to be investigated. This fucker should now be presumed guilty and immediately punished!

Re:

[couchslug]

I'd just dban the drive, then turn in the computer with the complaint it no workee. New comp shows up, old hd is destroyed, computer goes away to govliquidation.com on a pallet.

Re:

[TheSpoom]

Seriously. And it's not like it's that hard, either. It's not seven-level wipe (actually three level, which from my research suggests nobody could undo even examining every bit in an electron microscope), but all you have to do on a Windows system is run cipher /w C:\ [microsoft.com] after deleting any files you don't want someone to find.

1. You don't end up with a highly suspicious wipe and reinstall.
2. You don't have to download extra, suspicious software to do the wipe for you as cipher.exe is included with Win2K and

Re:

[TheSpoom]

Yes, but Win2K also had EFS. I don't have documentation on-hand but I can almost guarantee it was in there too.

Ah, there it is, cipher.exe was included in a hotfix. [microsoft.com]

Re:

[gweihir]

You have to wonder - For those who can't do such things themselves, wouldn't it cost less to just buy a new HDD, and take a sledgehammer (or thermite, where readily available) to the old one?

Sure, for most Slashdotters who can do their own "seven level wipe" (or whatever number the current rumors claim works infallably), saving a few hundred bucks for "good enough" makes sense. But if you plan to spend the money either on a drive or an "expert", why not just physically trash the drive?

Physically trashing th

Re:

[gweihir]

I can't say this with certainly, but with the type of advanced hardware they use to extract data, I imagine you could still extract information from a bent or cracked platter. And if they were 'monitoring' the fellow, that's something they probably would have picked out of the trash.

If he uses his own trash. As to bent or broken: Yes, data can be recoverd. At great cost and very slowly. Think 10's of millions and months to years. The one destruction you cannot recover from (besides a simple, complete overwr

Re:

[ultranova]

The one destruction you cannot recover from (besides a simple, complete overwrite) is heating the platters up past the Curie-point. A standard-issue blowtorch does that fine, especially on a notbook platter.

Forget Curie point and just melt the sucker. Find an ironworks and throw the drive to a steel converter. Good luck getting data back from a railroad track which used to be a disk :).

If you don't have ironworks, take a welding equipment over every point of the surface of the disk until it physically

Re:

[gweihir]

Forget Curie point and just melt the sucker. Find an ironworks and throw the drive to a steel converter. Good luck getting data back from a railroad track which used to be a disk :).

I doubt very much you will be allowed to do that.

If you don't have ironworks, take a welding equipment over every point of the surface of the disk until it physically deforms. For extra credit, use an electric welder.
Sometimes the surest solution is good old-fashioned brute force.

Sounds more like good old-fashioned stupidity to

Re:

[ultranova]

The Curie-point is exactly as good or bad as melting a drive.

You can tell with a glance whether or not a drive has been melted. You can't tell with a glance whether or not a drive has been subjected to Curie point temperature on every point of the disk surface, just that it has been subjected to lots of heat. Melting the drive therefore ensures that no un-treated ones get thrown out by accident.

Furthermore, can you guarantee that the magnetic fields are the only mark left to the disk by writing ? Mayb

Re:

[gweihir]

Maybe somey three-letter agency might be able to use a scanning electron microscope to read the drive contents from the tiny deformations on the disk surface left by the long-standing magnetic fields.

Nonsense. No such effect exits.

Melting the drive makes it completely unrecoverable for any technology short of reversing entropy.

As does exceeding the Curie-temperature. As to determining the Curie-Temperature, a simple literature-seach does that. Temperature can be stimated by glow-color very easily. As a rul

Re:

[ultranova]

Nonsense. No such effect exits.

To the best of your or my knowledge, no. Why take a risk that that knowledge is incomplete ? It seems to me that the one common factor in most breaches of security is that someone got overconfident at some point.

As a rule of thumb, a nice oragne-red is enough for allmost all meterials. However melting a drive is a dangerous operation or requires equipment not available in the average hardware store.

Welding equipment is sufficient to melt steel; that's what welding is

Re:

[steeviant]

Uh... Open VMS is not a variant of Unix.

He's done nothing wrong

[Anonymous Coward]

This is a Rove smear, he is investigating Rove, and Rove always tries to smear anyone who tries to uncover his dirty lies.

Re:

[account_deleted]

Comment removed based on user account deletion

Sounds like

[Provocateur]

a resounding recommendation for Geeks on Call.

Unless they happen to be ex-DoD IT employees, trying to make ends meet.

Re:

[rudeboy1]

Meh. I'm not terribly impressed. I'm guessing all the guy did was show up, ran a copy of DBan [sourceforge.net] charged him $300 (because it's a government job), then left. Not that he did anything wrong. At least he knew the difference between formatting a drive and securely wiping it.

Exactly as I suspected

[GoofyBoy]

"The process makes it nearly impossible for forensics experts to restore the data later."

Notice the wording: _nearly_ impossible. But not impossible, huh?

Lessoned learned: don't trust a seven-pass DOD 5220.22-M. Use a 35 pass ( http://en.wikipedia.org/wiki/Gutmann_method [wikipedia.org] ) because you never know who wants your private collection of pr0n.

Re:

[bhima]

Not that I have a better idea but I was under the impression that this method was obsolete.
Also I wonder if this does not hasten the death of the drives it is used on.

Re:

[bogie]

Gutmann method was only meant for drives from like 20 years ago. I believe he later stated that a few wipes of random data were about the best you could do.

Re:

[Vellmont]

Notice the wording: _nearly_ impossible. But not impossible, huh?

I'm not sure if you're joking or not, but in case you aren't, do you really trust the some dumb WSJ journalist over what HD experts have been saying for years? What likely happened is said dumb WSJ journalist asked the local tech guy about wipes, he said "yah, if you do it right it can't be recovered..", so that became "nearly impossible".

HD technology isn't secret. There may be some techniques the HD makers don't like to share, but the tech

Re:

[a_nonamiss]

Really, a single wipe with random data would *almost* do it. It would render the system unrecoverable, but my guess as to why the DOD requires 3 wipes is that if you're talking about nuclear launch codes, you'd only need to recover a few bytes of information to get very, very valuable data. If you knew exactly where to look, and knew exactly what you were looking for, it's conceivable that you could re-create the missing data based on residual magnetic signatures and complex mathematical analysis of the exa

Re:

[myxiplx]

I actually read something about being able to detect many additional magnetic fields on a drive if you really need to recover data. The trick is to dismantle it instead of using it's own read/write head. I think it was using a scanning electron microscope.

The gist of the article was that when data's stored for a long time, it has a detectable effect on the surrounding areas. So, no matter how many times you overwrite the data, the signature of the original is still detectable if you have sufficient resou

Re:

[a_nonamiss]

Very interesting, and again, if you're talking about a 10 digit nuclear launch code, or (more realistically) 256-bit cryptographic keys used by government computers, it's probably worth the effort to make sure the thing's gone. They wouldn't have to or need to recover the entire key, for example. If you recovered some of the bits, you could brute force the remaining bits more easily. Not knowing which bits, if any, were correct would slow the process, but it would offer a huge advantage over random brute fo

Re:

[GoofyBoy]

http://en.wikipedia.org/wiki/Data_remanence [wikipedia.org]

I wonder what is the theory erasing solid-state memory....

Re:

[ultranova]

Really, a single wipe with random data would *almost* do it. It would render the system unrecoverable, but my guess as to why the DOD requires 3 wipes is that if you're talking about nuclear launch codes, you'd only need to recover a few bytes of information to get very, very valuable data.

If you're talking about nuclear launch codes or other truly valuable data, don't wipe the disk, destroy it by melting it to slag and get a new one. They only cost $100 dollars apiece, after all.

Re:

[gweihir]

Notice the wording: _nearly_ impossible. But not impossible, huh?

This is likely just incompetent journalism. There is zero evidence that anybody can recover data after one overwrite with zeros on a modern drive.

Re:

[flyingfsck]

There is a delete utility built into all drives that actually does work. Most people don't know this and still waste money on erase utilities that don't actually work...

See this: http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml [ucsd.edu]

So that's how the WH lost 50,000 emails!

[romanval]

They just called a geek squad to cover their tracks!

It's strange how there's no outrage over these kinds of things. The need for transparent government is seriously overlooked.

Re:

[argiedot]

Considering the other Slashdot article talking about how those techs copy whatever they find interesting, this may not be the smartest thing for a DoD man to do. Unless, of course, he was actually supervising the whole thing.

Re:

[Ougarou]

Appart from that, I can't see why the IT department doesn't make backup copies, for when people do stupid things like this. Isn't there a weekly image they pull that can be restored?

Surely after all these years, you would expect governments to have some kind of backup system or plan. They should start using thin-clients, NFS (or any better thing) and do full backups weekly.

Re:

[spikedvodka]

Weekly backups? Damn, I'm wasting tapes then. Small public school and we make nightly backups of *EVERYTHING*
our rotation goes like this:
2 sets of Monday - Thursday tapes, that rotate.
5 sets of Friday tapes, Friday 1 is always the first Friday of the month, Friday 2, the second, etc.

That we we always have 2 weeks worth of full back-ups, 1 months worth of weekly backups, and the Friday 5 tape only gets used once a quarter. On top of that student records and financial data is all backed up separately as well

Re:

[totally bogus dude]

Does your *EVERYTHING* include every single desktop and lapop used by staff? Most organisations (like ours) don't do any backups of individual PCs, because most of the data is unimportant (on the disc image used to build the system in the first place), and there's no guarantee that the system will be on when the backups run.

That does sometimes mean people lose data when their disc drive fails (saving on the desktop or My Docs), but that's their own fault; everyone is told that if they can't afford to lose

Re:

[spikedvodka]

for the most part yes. Our desktops and laptops are set to use the file server for most storage. I know there's some stuff we miss, but we do what we can

So who will stand up for his Rights?

[capnkr]

Assuming, of course, (like most /.ers will), that this guy is automatically completely Guilty (well, the magical word "Rove" was invoked, so he must be, by association...), then I wonder who among those screaming for his head will accept that if he *is* guilty, he has the Right not incriminate himself.

Then again, the Inquisitors won't need the data, they can just torture whatever information they need out of him, in order to help prove that the current Administration is devil-spawn, while the promises of th

Re:

[StrawberryFrog]

Assuming that this guy is automatically completely Guilty (well, the magical word "Rove" was invoked, so he must be

Um, he's "The head of the federal agency investigating Karl Rove's White House political operation" (first line of TFA).

So the message is: In Bush's America, if you investigate the administration, and someone will investigate YOU.

Re:

[capnkr]

From OP: "Think about it, before reacting, for once."

From parent: "In Bush's America..."

So your kneejerk reaction is to criticize the current administration. While completely ignoring the fact that a Clinton Administration is completely capable of doing the exact same BS, for the exact same reasons. In fact, they have, and will - it is well known that the one thing you *don't* want to do is to cross The Hillary, not if you want to keep your sack intact. We saw what happens to folks back when Bill was Prez.

Re:

[Akaihiryuu]

I can envision this hidden back room, where Republicans and Democrats cast off their pretentions of being "different" and laugh about all this. "Hey Bob, I've been in power for 8 years now, people are demanding change...so why don't you go out there and show how bad I am and how good you are. They'll vote for you, and we can still keep the same power structure where we both benefit!"

Re:

[moxley]

Until people can get over the two party scam; (the false parameters perpetrated onto the people of this country and constantly reinforced by the media); until people can get over that, see it for what it is, and look past it - we can't even begin to think about truly reforming things.

Unfortunately I think it's too late to reform the elections system and false two part (opposite sides of the same coin) system. I hope it's not, but I am being realistic. Whether you believe it or not, the US government is bein

Re:

[capnkr]

From parent: "I take your point, but I simply don't believe that previous administrations were "just as bad". They weren't; the trend has been downward for a while."

Not so, for what it's worth, despite (or more probably, *because of*) what you might see/hear "reported".

I know some insiders, including a good friend in the Secret Service, and I've heard the stories first-hand. Much of the truth about politicians in general, and in this case, the Clintons in particular, *never* gets close to being reported tru

No need to waste money...

[mwilliamson]

Don't bother hiring IT services to wipe drives, just use DBAN [sourceforge.net].

Two words that fuck up your plan.

[Chas]

Government
Official

Most of the mouth-breathers who work for the government (especially the fogeys in the upper echelons) count themselves lucky if they know how to breath and spread bullshit at the same time.

Computers? That's like, magic or something...

In short, can you smell the Lud?

Dban also doesn't work

[flyingfsck]

This does work: http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml [ucsd.edu]

hope someone's still got the backups

[petes_PoV]

Wiping your disk is fine. But if you work in any sort of competant organisation (does that include government?) someone will be taking regular backups of your data.

All that remains is to find the tapes ...

business in destructable drives

[cinnamon colbert]

sounds like there is a business selling physically destructable drives - a drive witha an easy open case, and a method to physcially damage the platter

when i was a kid, an older geek guy told me, with admiration in his voice, about collins radio, and the manual that went with its equpiment for the military.
the 1st page of hte manual said something to the effect, if this equipment is about to be captured by the enemey, here is one thing you can do in 1 min to render the equiment unusable....

Re:

[c6gunner]

That's not just the radio. Military weapons systems generally include instructions for destruction. Even machineguns are expected to be destroyed in order to prevent them falling into enemy hands, and as such there is are "suggested methods" for destroying them, such as blowing out the barrel and breech using a pull-cord, disassembling them and scattering the working parts, etc.

In other words, those instructions weren't there because the radio is so special, but rather because the military is so paranoid

Re:

[Vellmont]

sounds like there is a business selling physically destructable drives - a drive witha an easy open case, and a method to physcially damage the platter

Why do that? Just buy a large amount of flash ram. It can be erased rather quickly, and isn't recoverable. If you want to be "extra paranoid", do the 7 pass thing.

If you have a HD, just download, boot, and run dban [sourceforge.net] on it. It's not all that difficult, even for a neophyte.

Re:

[Vellmont]

i guess the question is how are you sure - like in bet a months salary sure ?

Depends on what the conditions are. Recovering a single bit on the whole hard drive sure? No. Recover anything meaningful? Sure. (BTW, with shredding the harddrive, A determined attacker would most certainly be able to recover something meaningful). Those bits are packed tight.

software methods always leave a doubt

It seems like this attitude persists, but I've never heard of anyone recovering anything after a full wipe.

Re:

[mcrbids]

sounds like there is a business selling physically destructable drives - a drive witha an easy open case, and a method to physcially damage the platter

Actually, they already exist. They require an accessory that costs about $50. [homedepot.com]

He should have used a Mac

[MichaelCrawford]

Launch Disk Utility from /Applications/Utilities. If you want to erase your boot drive, you'll have to boot off an OS X installer CD then run Disk Utility from the installer.

Select your hard drive from the list on the left. Note that you can erase either a whole drive, or just a selected partition.

Click on the Erase tab, then on the Security Options button.

Click on the 7-Pass Erase radio button. On Tiger (10.4) it says this provides a "highly secure erasure" of the drive; on Leopard it names the MI

Somewhat off topic...MOD down if you must.

[rindeee]

I just have a little gripe. It seems to me that we /. types and the public in general are obsessed with portraying anything the government of (insert western country here) does in a negative light. I think we've lost sight of the fact that the vast majority of people working in the public service sector are hard working neighbors of ours that go to work every day and do their part in an attempt to make society better. This isn't to say that the bureaucracy doesn't often screw up, create inefficiencies and from time to time do shady things, but more often than not these problems are the effect of a handful of idiots that have enough power to make things happen. Just like in a neighborhood, any large entity will have all types of people; good, bad, honest, dishonest, etc. Constant unending criticism from the general public neither productive or effective. It simply serves to cheapen the efficacy of justified criticism when it is in fact needed. What this guy did is without question 'shady' (not to mention illegal) but it doesn't reflect on the leadership as a whole. We have many good, hard working leaders, and many more working behind the scenes to make ours some of the best living in the world. Don't lose sight of that. Just my two cents.

Re:

[redelm]

It is the American way to be mistrustful of all governments, even/especially our own. This is common among all parties, although the Dems worry about different govt actions than the Rs. And the Libs and others worry about still different ones.

This is a major latent difference between Americans and the English and much of RoW who accept the legitimacy of government even though they frequently complain about certain implementation details and effects.

Re:

[Allicorn]

This is a major latent difference between Americans and the English

I don't think "latent" was quite what you meant there.

Nor was "English".

In any case, your point is rather muddy. You describe Americans "worrying about" the actions of their government whilst the Brits "complain about implemention and effects". This would seem to amount to pretty much the same thing; I'm either concerned about what my government does and how it impacts upon me, or I'm not?

In terms of "illegitimacy" Americans have plenty to gripe about due to controversies over the last couple presidential

Re:

[redelm]

Actually, I used both latent and English after some thought: Latent because the different attitudes towards government are present but not directly visible.

English because I don't believe the Scots, Welsh nor Manx have the trait to the same extent. At least not more than the French. The N.Irish do and are more like the English.

I may well have been unclear: everybody worries about the actions of their governments. Americans doubt the legitimacy of their own govt. And this is not new with G.Bush but has

Re:

[symbolic]

I agree with you - but your assessment unfortunately doesn't apply to most people that aren't in "leadership" positions. You know, the ones we elect from time to time - the ones that are supposed to be directly accountable to their constituency. The ones that seem to perpetuate this pronounced disconnect between what they say, and what they do.

Re:

[h4rm0ny]

I think we've lost sight of the fact that the vast majority of people working in the public service sector are hard working neighbors of ours that go to work every day and do their part in an attempt to make society better.

People can be good people and still be ordered to do bad things. Some will resign or risk firing, more will complain and protest, but many will mainly reassure themselves that it's not their responsibility, obey orders and feel bad about the people affected. It takes a lot to stand up a

I am proud ...

[Anonymous Coward]

... that they overcharged the shit out of this guy. $1100 to run a utility? Score.

Speaking on behalf of this guy...

[GoofyBoy]

... $1100 for a tech guy or at least ten times that amount for a lawyer explaining what was on the hard-drive. Score.

Policy

[unenviabletask]

Why is there no policy in the government that means his use of another company to remove data from his system was an automatic breach with serious consequences. I have implemented that policy in my company, namely don't install unapproved software or attempt to change any setting at all without IT approval.

Most new HDDs have intenral "secure wipe" function

[Anonymous Coward]

which can be accessed with Secure Erase [ucsd.edu], a free disk wiping utility.

Takes a few minutes, and is allegedly more secure than DBAN but still not as secure as physical destruction.

You're welcome.

I broke the cardinal rule...

[stormguard2099]

and actually RTFA. The article's focus is not on how they are paying too much to get rid of their tracks like half of the comments are about. the real issue is that a higher-up called a private business to handle it for him instead of using his own IT department. Yes, they ran a 7-level wipe on it but he claims he wasn't trying to remove data. His reason for the call was a virus, or so he claims. Suspicious? Sure, it's possible that something like that is required by regulations for his department but I would think there would be something against people using private IT businesses for company machinery, especially considering the hefty pricetag (charged as a business expense no less)

He also directed Geeks on Call to erase laptop computers that had been used by his two top political deputies, who had recently left the agency.

Jeff Phelps, who runs Washington's Geeks on Call franchise, declined to talk about specific clients, but said calls placed directly by government officials are unusual. He also said erasing a drive is an unusual virus treatment. "We don't do a seven-level wipe for a virus," he said.

Those just puts the icing on the cake as far as suspicious activities in my book.

Re:

[Bios_Hakr]

It isn't unusual to wipe hard drives of employees that leave. We do that all the time. This ensures that the "next guy" can't claim the files on his drive came from his predecessor.

Any "work product" should be kept on the servers. Within about a month, if no one asks for "missing report B", we do a thorough wipe and re-image.

This could have been a case of "while you guys are waiting for this wipe, can you look at something else".

Re:

[Ffakr]

Your post really glosses over the facts in this case.

Mr. Bloch was appointed to an office charged with providing oversight for the administration. The irony was, Bloch was appointed by George Bush but that position does not serve 'at the pleasure of the President'. The person in that position has a 5 year term and can not be removed except through disciplinary means. Theoretically, Bloch was independent from the WH and above partisan politics.

Bloch was charged with investigating whether or not the Whiteh

Simple answer

[billcopc]

Let's suppose for a moment that whatever was on that hard drive would prove him guilty of all charges; the penalty for that would be severe, like a stiff fine and jail time.

Now let's suppose he did a good job of destroying all the evidence, now he can only be tried for destroying evidence, which is pretty bad, but perhaps not as bad as whatever it is he actually did.

If you were wanted for heinous crimes against humanity (I don't know uhh... biological warfare!), and the only person with any proof winds up dead at your hands, you just need to defend yourself against the murder charge.

Security depends on attack capabilities

[redelm]

Whether a 7 pass or 35 pass wipe is good enough has to depend on exactly how data can be recovered. Does anyone have a good reference on current technological capabilities?

I suspect that even after a single zero pass, the disk has to be mounted in some sort of electron microscope. Maybe it can stay mounted but the heads have to have analog circuitry attached. In either case, the question is over magnetism remaining after overwriting. I suspect that three good [uncracked] pseudorandom passes is more tha

Re:Security depends on attack capabilities

[boa13]

This paper provides a great explanation of the current state of the data recovery industry. How modern hard drives work, how they fail, how they can be recovered, myths and realities.

[PDF] Recovering Unrecoverable Data [actionfront.com]

Unless the company has made great advances in the product they advertise at the end of the paper, you can be sure that two passes are more than enough to prevent anyone from recovering your data. Intelligence agencies are more likely to kidnap and torture you than invest the extraordinary time and money to get your bits back.

Re:

[Psarchasm]

Sure. The answer, on any drive > 15GB, is 1-Pass.

Stunning eh? I'll challenge anyone to prove that it is possible to recover anything from a modern hard disk that has been overwritten once with anything other than a magnetic microscope. And even that is questionable.

Modern drives are so dense that drive makers have a hard enough time getting data back off of them after its been written.

But you asked for documentation:

NIST Guidelines for Media Sanitization
http://csrc.nist.gov/publications/nistpubs/800-8 [nist.gov]

He should have used a Mac

[alchemist68]

Mac OS X uses the 7 & 35-pass Gutmann method for securely deleting files. Deleting files is not wrong, that's why we delete them! Incidentally, both President Bill Clinton and George W. Bush use Apple Macintoshes for their personal and profession computers. Probably for this and other reasons.

Seven-level wipe?

[bluefoxlucid]

The DoD standard calls for inverting all bits (i.e. each byte ~0xff), then all 1, then all 0, then verify. In reality, a single overwrite with random data will keep forensics experts from finding the data itself; they can MFM the drive but the hardware takes years and years to run and can't reconstruct the data accurately really (it's statistical, you have either 1.001 or 0.001 after writing, but you've done this so many times you have like 1.037 or 0.049 etc, the numbers go up and down...).

Forensics exper

Re:

[CodeBuster]

but you can only tell that bones were there, and not what kind or shape or size.

Not if you wipe all the freespace (non-file or empty sectors) as well, which any good secure delete tool (like the open source Eraser) will do for you. Just give it eight (8) pases of pseudorandom and the whole drive is either intact files or psuedorandom background noise. About the only thing that an investigator can tell you then is that a secure deletion tool has been used, not what was deleted or even where it existed on

Re:

[bluefoxlucid]

As I said, one pass of wipe is more than enough to get good deletion on a used drive. Recovering overwritten data is non-trivial and a multi-billion dollar process taking years to complete. Your 8 passes are excessive, even the DoD spec gives 3 passes for SECRET data.

An investigator can tell you that there was data on the drive at various locations that got freespace wiped. He can tell you subsiquent files were securely deleted at various locations, and in what likely order. The secure deletion scribble

Couldn't do it himself... but many can.

[binaryspiral]

Laptops are rarely backed up. Even if they are its typically only what the user wants to backup. Archiving files at the server level (email, web, and ftp proxies) would be the better choice.

And why didn't this guy just do a simple google search and use a DBAN boot disk? Moron had to call for help...

Backups?

[PPH]

Unless this is one of those ancient 20th Century operations, its quite possible that periodic backups have been performed on all systems data.

Oh, wait. This is a gov't operation. Never mind.

Nearly impossible????

[gweihir]

This is nonsense. There is very good indication that a single overwrite with zeros on modern drives makes recovery completely impossible. And don't cite Gutman at me, read his addendums first. He agrees.

A seven times overwrite of a modern disk with some random passes in between cannot be recoverd from by any means in this universe, that has to read the data from disk. The disk cannot hold 7 times as many data. It is not a question of reading equipment, but a coating material limitations. Magnetic microscopy

Plausible Deniability

[Greyfox]

He should have wiped it first, THEN chucked it in the microwave for a couple of minutes, THEN reported to his boss that a power surge has destroyed his hard drive. You may also need to take a stun gun to the rest of the machine for that to hold up...

Happens all the time

[cerberusss]

Bypassing his agency's computer technicians, Mr. Bloch phoned for

Regardless of whether there was ill intent, I'd just wanted to mention this bypassing happens all the time. I knew a business manager once who said that when wishing for a simple application, he would run into their internal department who were used to big projects. So instead of starting building (or even analyzing) with said app, they'd respond with giving him forms for access to new servers, allocating helpdesk people, assigning a project

Nothing weird here

[JeffTL]

For me, standard decommissioning procedure for any computer is the 7-pass option on the Mac OS X Disk Utility if it's an Apple, or Derek's Boot and Nuke if it's not. Not sure how DBAN would come up in routine maintenance, but in a secure government situation I could imagine a standard procedure of scrambling the drive whenever it needs a format, just in case you wind up replacing the disk instead.

Re:

[pipatron]

And what to do with the old one? Throw away and let some scavenger hunter find the data? Wiping a drive like this sounds like the easiest way to get rid of it, compared to the alternatives.

Re:

[pla]

And what to do with the old one? Throw away and let some scavenger hunter find the data?

Sledge hammer applied repeatedly.

Industrial shredder.

Thermite.

Persistant application of a grinding wheel.

Personally tossing in a large crucible of molten steel.

Fuming sulfuric acid.

We may not all have the resources to do all of the above, but I'd bet most of us can find a way to physically reduce a HDD to very very small chunks, if not completely dissolving/melting it at a molecular level.

Re:Why not just by a new hard disc

[cab15625]

Or a screw-driver followed by steel wool on the platters.

BTW, nitric acid would likely be more effective than sulphuric. And a mix of nitric and hydrochloric (commonly known as aqua regia) will probably do an even better job. The nitric acts as an oxidizing agent while the hydrochloric can help complex some of the resulting metal ions making the mixture more effective. Sulphuric would probably just get rid of some of the organic coatings in the time that it would take the aqua regia to chew through all the metals.

COVERUP - My Rejected Submission

[Jeremiah Cornelius]

A U.S. official overseeing a probe of former Bush aide Karl Rove yesterday refused to give federal investigators copies of "personal files" he deleted from his office computer [theregister.co.uk], after it was discovered he hired a private computer-help company to erase all the hard drives belonging to him and two deputies. Special Counsel Scott J. Bloch [osc.gov] hired a firm to perform a DoD-wipe, guaranteeing the files could never be restored. Bloch said he suspected his computer was infected by a virus - an unorthodox remedy. The

Re:

[jonbryce]

I tried destroying an old 1.2GB hdd with about 700MB of bad clusters using a sledgehammer. It was actually surprisingly robust under the blows from the hammer.

Just in case you are wondering what I was trying to hide, it was bank account details from about ten years ago.

Re:

[Kadin2048]

I tried that once, too, and won't try it again. Just boring a few holes through it with a drill press is a lot easier. While it's perhaps not quite as destructive as actually scrubbing the platters or shredding them, it does enough for most purposes. It also makes the drive obviously un-usable, which I figure means it's more likely to stay in the trash than one that looks functional.

For the most fun, though, nothing beats shooting them. (I'm a fan of 5.56mm at about 100 yards, since it keeps you well away f

Re:

[Gordonjcp]

Or just fill it with data and delete a few times. Once you're certain that every sector has been overwritten, you're clear.

No, you cannot read data back once it's been overwritten. Not even if you're the NSA. Not with modern drives, anyway, modern being "any drive made in the last ten years".

"Overwriting Everything" is surprisingly hard

[billstewart]

It's usually pretty easy to overwrite most of the data on a disk. But the operating system, disk controller, and various drivers make it hard to get absolutely everything, so depending on what you're trying to hide, you may not want to risk that.

• Bad Block Remapping - Once a block goes bad enough to not be reliably writeable, or reliably readable, it'll get mapped out and replaced by another block, and after that, nothing's going to erase it. Normal tools aren't going to be able to access it, but foren

Re:

[Gordonjcp]

Ok, so you've got a mapped-out bad block. Really really clever software, possibly including replacing the firmware in the drive, will then be able to read 512 bytes of data, assuming it can be read from the bad block at all. You know, on account of it being bad, and all...

These days, drives don't use simple "on/off" transitions to mark data. It's a gross oversimplification to say it's an analogue signal that gets recorded to the disk, but that's essentially what it is. The idea of detecting vague afteri

Re:

[mbone]

>And what to do with the old one?

Take it to a service and have it shredded. In fact, since a lot of forensic data recovery is done with scratch files, etc., that may be stored separately, take the whole computer to a service and have it shredded. (Yes, at least here in DC, there are such services.)

Since this wasn't his computer, but his employeers' computer, I expect that he may find that his easure wasn't as effective as he would of liked, and that he may now be in a lot of trouble.

Re:

[Anonymous Coward]

? Throwing your old hard disc on the fire is highly effective and free regardless of your level of technical knowledge and does not require paying someone to repeatable wipe your old one or for you to trust they are competent enough to have done it correctly.

Re:

[Torvaun]

There are plenty of places out there that do data recovery, and some of them can retrieve quite a lot of data from hard drives that have been through house fires and the like. If your fire doesn't leave the platters in a molten pool of metal, it's not good enough.

Re:

[Nullav]

What, hard drives are indestructible? Goodbye, bricks!

Three little words

[Corgha]

And what to do with the old one? Throw away and let some scavenger hunter find the data?

I think what we really need to ask is: Will It Blend? [youtube.com]

(Sadly, that's just a video of an iPhone -- couldn't find one of a hard drive.)

Re:

[dcollins]

Most people don't know what a hard disk is, what one looks like, how to get it out of their case, or what their options are. They call the tech guy and say "trash my data so no one can get it back". And the tech guy does that literally.

Re:

[jacquesm]

hey, it's only *nearly* impossible, that means it is certainly possible.

Re:

[Fnord666]

2. Should I be upset that this guy needed to use my tax money to hire an outside company to do something when my tax money goes for a goverment IT person making $100K+ that could do it or that the person could have used the theoretical $700 hammer to get the job done?

Because the in-house IT guy probably knows that a nice, clean backup of the drive prior to wiping is his ticket to an early retirement. For the less cynical of you, he is a lot more likely to know that this is a no-no and call someone about

Re:

[subterfuge]

"Well, in his defense employees should have the right to permanently remove personal data from their work stations such as emails, web surfing history, porn or whatever other private data a person might collect...reasonable level of privacy."

There is no such thing as a reasonable level of privacy for the things you list [regardless of gov/corp status]. An employee has no right to use the employer's equipment/services for personal purposes, that includes "emails, web surfing history, porn or whatever o