Forum thread: file recovery


bryan.6
08-07-2003, 11:42 PM
i've heard (i think i was watching tv) that it doesn't matter what you do, people can recover information from your computer... the only thing you could do was "beat the harddrive until it was unrecognizable and throw it in a river." my question is, couldn't you write a program, load it into ram, and write 0's to the entire harddrive? how could they recover that, eh?

Alex Cavnar, aka alc6379
08-07-2003, 11:59 PM
That's kind of true.

I think the DoD standard is to write 0's to the drive, and then do 1's seven times. Even that, though, might not really remove the data from the drive. There's still residual magnetism from the old data still on the drive.

It takes specialized equipment and a LONG time, but the data can be recovered. Basically, the smashing it into bits and throwing it into a river is a good idea if you don't ever want the data recovered.

You can get data from any source-- memory, residual monitor glare against a wall, any microchip register that held a 1 or a 0. When the government has super-sensitive data that they want to protect, they just lock the computer away in a warehouse under guard, never to be used again. That way, nobody should be able to get ahold of it.

psi42
08-07-2003, 11:59 PM
There are many programs that will write zeros to the drive.

I know Maxtor makes a boot floppy that you can use.

And you could also just use "dd if=/dev/null of=/dev/hda" (I think that's right) :)

That will make it much more difficult to get the data, but I don't think it's impossible.

~psi42


EDIT: Too slow... :)

CaptainPinko
08-08-2003, 12:05 AM
if you write data onto a hard drive, how can the underlying data be recovered? if you change a 0 to a 1 and the hdd agrees, then how would you get it to read otherwise?

Strogian
08-08-2003, 12:09 AM
Originally posted by CaptainPinko
if you write data onto a hard drive, how can the underlying data be recovered? if you change a 0 to a 1 and the hdd agrees, then how would you get it to read otherwise?

Think physics, not computer science. :)

Icarus
08-08-2003, 12:16 AM
Originally posted by Strogian
Think physics, not computer science. :)

Exactly, it's all a physical write. Hard drives don't work like flash memory (and are a lot slower, but much cheaper); the 1s and 0s are written to the disk using magnetic impulses (thus 'magnetic storage device').

For recovery you can look into forensic tools like http://fire.dmzs.com/

If the drive is smashed, cracked and thrown in a river...it'll cost you a couple $1000 to get it restored, but not 100%...usually enough though if incriminating ;)

nextbillgates
08-08-2003, 12:30 AM
Running badblocks -svw /dev/hda several times and then microwaving the hard drive is a pretty good way to ensure that the data can never be recovered.

If, on the other hand, you simply don't want mommy to find your pr0n collection, you can use the shred command.

DMR
08-08-2003, 07:19 PM
No offense meant, but some of you are just shooting in the dark here- data recovery and media forensics have come a looong way. Government and law enforcement officials have extremely powerful recovery tools these days, so if you're talking about keeping them from recovering data on a disk, I'd suggest dropping that disk into an acid bath ASAP.

the only thing you could do was "beat the harddrive until it was unrecognizeable

Beating the drive's platters into oblivion is your second-best choice (after the acid bath :p )

and throw it in a river

Data has been successfully recovered from drives which have been submerged in ocean (read: salt, corrosion) water for long periods of time.

I think the DoD standard is to write 0's to the drive, and then do 1's seven times. Even that, though, might not really remove the data from the drive.

Actually, the DoD (and other gov/mil departments) have a number of different specifications for approved data wiping/cleansing; the thoroughness of each varies according to the security classification of the data in question (there's even a specification for a 16-pass wipe using extremely random data patterns). As you said though, data recovery (or at least partial) is still possible in many cases.

And you could also just use "dd if=/dev/null of=/dev/hda" (I think that's right)

That will make it much more difficult to get the data, but I don't think it's impossible.

More difficult for an average person, yes- but in terms of a secure wipe it's about as effective as waving a refrigerator magnet over your media.

if you write data onto a hard drive, how can the underlying data be recovered? if you change a 0 to a 1 and the hdd agrees, then how would you get it to read otherwise?

Strogian nailed this one- you need to understand the theories and workings of recording to electromagnetic media. Think of it this way:
Writing to a hard drive is no different than recording to an audio tape; in the writing/recording process, you apply an electrical signal to the media which aligns the magnetic particles on that media in a certain way. The particular way in which those particles are aligned is interpreted back into a human-understandable form during the process of reading/replaying from the media.

However, the particle alignment is in no way permanent; if it were, you would never be able to write to the media again. The strength of the magnetizing signal applied during the recording process determines the amount of "persistence" that the particles have; the weaker the applied signal, the easier it is to alter or overwrite. The stronger the applied signal, the more likely it is that some traces of that signal will still remain (will persist) after one or many subsequent writes/records. This is why data can still be recovered/reconstructed after many overwrites.

In the mid 80s I was involved in a forensic project to recover information from a badly-damaged and partially erased audio tape as part of a corporate lawsuit. At the time, it was amazing to see what we could recover using only about $100,000 worth of that day's technology. With that in mind, and given the $$ amount thrown towards current concerns of terrorism and security, I really wouldn't consider any sensitive enterprise level or government level data safely purged without thoroughly destroying the media on which it's saved.

Note that stand-alone devices called "degaussers" are often used to permanently erase any trace of data on magnetic media, because they apply an extremely strong magnetic field to any media passed through them, thereby scrambling any data on the media beyond recognition. This is something that can't be equalled by disk-wiping programs, because the intensity of a drive's write heads simply can't pump out that powerful a field.

bwkaz
08-08-2003, 11:55 PM
Originally posted by psi42
"dd if=/dev/null of=/dev/hda" (I think that's right) :)

If you meant /dev/zero, not /dev/null, yeah, you're right. ;)

See above (esp. David's post) for why this doesn't really work, though.

For a technical reason why it doesn't work, you need to know a couple of things. First, if you write a zero byte to a disk, the disk platter does not contain 8 zero bits in that spot. If you write an entire sector's worth of zero bytes (512 of them) to a disk, that sector does not contain 4096 zero bits. The disk controller compresses the data that the OS sends to it before writing to the disk, and decompresses it when it comes back. The algorithm is called RLL compression, I believe.

This is why writing zeros won't necessarily put the "level" on the disk at zero. There will still be some one bits on there, as a part of the compression scheme.

The other thing is, the disk is an analog medium, not a digital one. When the disk controller writes a zero "bit" to it, if the previous value was 1, then the platter ends up having about a 0.1 value on it (or so). If you write a 1 when the previous value was 0, you end up with about a 0.9.

The read head can take these values and round them off to a digital value of 1 or 0, so you can read what you've just written to the disk. However, other people can also read what you've previously written to the disk -- not by putting it into an IDE slot, but by manual inspection of the magnetic field on the platter. They figure out what the current value is, and "subtract" that analog wave off the real wave. Then, they magnify the residual and feed that signal to the read head.

It used to be that they could go up to 7 layers of changes (overwriting with 1, 0, 1, 0, 1, 0, then 1). I don't know if this is still the case or not, though.
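The "subtract the current wave, magnify the residual" procedure described in the post above, as an added toy model (not code from the thread, and not a measured drive physics model): every write pulls a cell only WRITE_GAIN of the way to the new value, so a fraction of the previous magnetisation survives, and a lab that can sense the raw analog field can peel layers off newest-first. The gain, the noise figure and the cell count are illustrative assumptions. The model also shows what limits the depth: each peeled layer multiplies the measurement noise by 1/(1 - WRITE_GAIN), so a noise-free measurement recovers every layer while a slightly noisy one collapses after a few.

```python
import random

# Toy parameter: fraction of a cell's magnetisation replaced by each write.
# The remaining (1 - WRITE_GAIN) is the residue of whatever was there before.
# Illustrative assumption, not a real drive characteristic.
WRITE_GAIN = 0.9


def write_pass(cells, bits):
    """Overwrite every analog cell with a bit; the old value leaves a residue."""
    return [WRITE_GAIN * b + (1 - WRITE_GAIN) * c for c, b in zip(cells, bits)]


def read_head(cells):
    """What the drive's own electronics return: a hard 0/1 decision per cell."""
    return [1 if c >= 0.5 else 0 for c in cells]


def sense(cells, noise, rng):
    """Lab measurement of the raw analog field, with Gaussian measurement noise."""
    return [c + rng.gauss(0.0, noise) for c in cells]


def peel_layer(cells):
    """Subtract the current layer's ideal waveform and magnify what is left.

    Returns (current bits, residual cells). The residual is the previous
    layer's analog value, amplified by 1/(1 - WRITE_GAIN); any measurement
    noise is amplified by the same factor.
    """
    current = read_head(cells)
    residual = [(c - WRITE_GAIN * b) / (1 - WRITE_GAIN)
                for c, b in zip(cells, current)]
    return current, residual


def recover_history(measured, depth):
    """Peel `depth` layers off one measurement; index 0 is the newest write."""
    layers = []
    cells = measured
    for _ in range(depth):
        bits, cells = peel_layer(cells)
        layers.append(bits)
    return layers


def accuracy(recovered, truth):
    return sum(r == t for r, t in zip(recovered, truth)) / len(truth)


def simulate(n_cells=256, passes=6, noise=0.0, seed=1):
    """Write `passes` random patterns, then try to recover them newest-first.

    Returns per-layer recovery accuracy; index 0 is the data currently on the
    disk, index passes-1 the very first pattern ever written.
    """
    rng = random.Random(seed)   # seeded so the run is reproducible
    history = [[rng.randrange(2) for _ in range(n_cells)] for _ in range(passes)]
    cells = [0.0] * n_cells     # factory-fresh, fully demagnetised platter
    for bits in history:
        cells = write_pass(cells, bits)
    measured = sense(cells, noise, rng)
    recovered = recover_history(measured, passes)
    return [accuracy(r, t) for r, t in zip(recovered, history[::-1])]


if __name__ == "__main__":
    print("noise-free   :", simulate())
    print("noisy (0.002):", simulate(noise=0.002))
```

With a perfect measurement every layer comes back intact, which is the intuition behind the "7 layers" figure; with 0.2% measurement noise the newest layers are still exact, but by the time the noise has been magnified ten-fold per layer the deeper patterns read back as coin flips.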

Icarus
08-09-2003, 02:13 AM
Why didn't I post this link earlier...this should clear things up completely...

http://www.linuxsecurity.com/feature_stories/data-hiding-forensics.html

In there it says to wipe the empty space use this...
# dd if=/dev/zero of=/home/bigfile
# sync
# rm /home/bigfile
# sync

and to wipe slack space (the extra data that doesn't get removed completely from blocks) using bmap

# echo "evil data is here" | bmap --mode putslack /etc/passwd


very good article, well worth the read
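The free-space and slack-space points from the commands above, as an added example (not code from the linked article or from the thread): a toy block device with a minimal allocator, constructed for this example and not a real filesystem format, that keeps the two behaviours that matter here, namely that `rm` only releases blocks and that a write covers only the file's own bytes, leaving the tail of its last block (the slack) untouched. The sample file contents are constructed. It shows that carving the raw image still finds a deleted file, that zero-filling free space (the `dd if=/dev/zero of=bigfile; rm bigfile` trick) removes it, and that the same trick does not reach slack, which needs its own wipe.

```python
BLOCK = 512


class ToyDisk:
    """Raw block image plus a minimal allocator, standing in for a mounted FS."""

    def __init__(self, blocks):
        self.image = bytearray(BLOCK * blocks)   # raw platter contents
        self.free = list(range(blocks))          # unallocated block numbers
        self.files = {}                          # name -> (block list, size in bytes)

    def write_file(self, name, data):
        if name in self.files:
            self.delete(name)
        nblocks = max(1, -(-len(data) // BLOCK))         # ceil division
        blocks = [self.free.pop(0) for _ in range(nblocks)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            start = b * BLOCK
            # Only the file's own bytes are written; the rest of the last
            # block (its slack) keeps whatever it held before.
            self.image[start:start + len(chunk)] = chunk
        self.files[name] = (blocks, len(data))

    def read_file(self, name):
        """What the filesystem hands back: the allocated blocks cut to the file size."""
        blocks, size = self.files[name]
        raw = b"".join(bytes(self.image[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)
        return raw[:size]

    def delete(self, name):
        """rm: metadata only; the data blocks are returned to the free list untouched."""
        blocks, _ = self.files.pop(name)
        self.free = sorted(self.free + blocks)

    def carve(self, needle):
        """What a forensic tool (or `grep -a` on the device) sees: the raw image."""
        return needle in self.image

    def wipe_free_space(self):
        """Zero-fill every unallocated block, as the dd-to-bigfile trick does."""
        for b in self.free:
            self.image[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

    def wipe_slack(self, name):
        """Zero the unused tail of a file's last block (the slack-space wipe)."""
        blocks, size = self.files[name]
        used = size - (len(blocks) - 1) * BLOCK
        start = blocks[-1] * BLOCK + used
        self.image[start:blocks[-1] * BLOCK + BLOCK] = bytes(BLOCK - used)


def demo():
    """Run the scenarios from the post and report what carving finds at each step."""
    disk = ToyDisk(8)
    results = {}

    # 1. rm alone: the block is merely marked free, its contents remain.
    disk.write_file("secret.txt", b"account password: hunter2")   # constructed sample
    disk.delete("secret.txt")
    results["after_rm"] = disk.carve(b"hunter2")
    disk.wipe_free_space()
    results["after_free_space_wipe"] = disk.carve(b"hunter2")

    # 2. Slack: a 592-byte file ends 80 bytes into its second block. Overwriting
    #    it with a 520-byte file touches only bytes 0..7 of that block.
    disk.write_file("notes", b"A" * 580 + b"SLACK-SECRET")         # constructed sample
    disk.write_file("notes", b"B" * 520)
    results["new_content_clean"] = b"SLACK-SECRET" not in disk.read_file("notes")
    results["slack_after_overwrite"] = disk.carve(b"SLACK-SECRET")
    disk.wipe_free_space()            # free-space wipe does not reach allocated blocks
    results["slack_after_free_space_wipe"] = disk.carve(b"SLACK-SECRET")
    disk.wipe_slack("notes")
    results["slack_after_slack_wipe"] = disk.carve(b"SLACK-SECRET")
    return results


if __name__ == "__main__":
    for step, found in demo().items():
        print(f"{step:30s} carving finds secret: {found}")
```

The free-space wipe is done directly on the allocator here; on a real mount the bigfile trick achieves the same thing only because the filesystem hands every free block to the growing file, and it still leaves the slack of every other file alone, which is why the article reaches for a separate slack-space tool.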

Sepero
08-09-2003, 02:34 AM
Ok, if you just write straight zeros, then it's possible that there are small traces of electricity where the ones used to be. Shredders don't work that way, though. Most good shredders write a series of random ones and zeros over the deleted area. They usually make several passes too.

I would be very impressed if anyone has ever recovered any files from a good shredding.

Stween
08-10-2003, 12:06 PM
Originally posted by Sepero
I would be very impressed if anyone has ever recovered any files from a good shredding.

You should be impressed then; it's most certainly possible to recover some data off a drive that's been shredded...

I know that a guy from IBM was telling us at uni once how it was easily possible to read data that was on a drive up to 7 or 8 writes ago.

Presumably there's a point where data can't be read anymore, but as technology improves, that point could move further and further away...

carrja99
08-10-2003, 01:23 PM
Originally posted by Alex Cavnar, aka alc6379
When the government has super-sensitive data that they want to protect, they just lock the computer away in a warehouse under guard, never to be used again. That way, nobody should be able to get ahold of it.

Yeah... that's a sure fire way to prevent theft (http://www.usatoday.com/news/nation/2002-08-07-missing-laptops_x.htm) . :D


The Defense Department is not the only federal agency to suffer embarrassing security lapses in recent years. Two years ago, the State Department acknowledged that it had lost 15 laptop computers. This year, the FBI admitted that hundreds of laptops, some containing sensitive material, had gone missing over the previous decade.


With a record like that, I think it's time to explore other methods of security besides "lock it away in some warehouse under guard."

Sepero
08-10-2003, 08:03 PM
Originally posted by Stween
I know that a guy from IBM was telling us at uni once how it was easily possible to read data that was on a drive up to 7 or 8 writes ago.

Ask him how likely it is to recover a file that's been shredded 8 times. Depending on how long that previous file had been there, I'd be willing to bet it's near impossible.

P.S.
If you really don't want people reading your junk, I recommend an encrypted filesystem. ;)

Alex Cavnar, aka alc6379
08-10-2003, 09:41 PM
Originally posted by carrja99
Yeah... that's a sure fire way to prevent theft (http://www.usatoday.com/news/nation/2002-08-07-missing-laptops_x.htm) . :D



Point taken. That's why I said nobody should be able to get ahold of it. But, those computers were still in use when they were stolen/lost.


With a record like that, I think it's time to explore other methods of security besides "lock it away in some warehouse under guard."

When I mentioned locking away computers, I was talking about ones that are no longer being used, like a machine used for a limited-time scope analysis or something. They don't wipe the drives on those types of computers and reuse them-- they just lock them away in a warehouse, under armed guard, FOREVER.

SeT
08-11-2003, 01:49 PM
While I was in school I heard about a company or government agency that was paranoid enough to degauss, then grind the platters down to a fine powder, then store that powder in a guarded vault... how true any of this is I dunno, but let's see someone recover anything from that.

Stween
08-11-2003, 02:21 PM
Originally posted by SeT
While I was in school I heard about a company or government agency that was paranoid enough to degauss, then grind the platters down to a fine powder, then store that powder in a guarded vault... how true any of this is I dunno, but let's see someone recover anything from that.

I think by the point it's been ground to said fine powder, there probably would be no need to guard it anymore.

:)