
DeviceEraser


13 replies to this topic

#1 booty#1

booty#1

    Frequent Member

  • .script developer
  • 285 posts
  • Location:Near Frankfurt
  •  
    Germany

Posted 22 July 2007 - 12:27 PM

File name: DeviceEraser


Description:
Requirements: none
Tested with WinBuilder 072 & VistaPE 008

Computer hard disks, floppies, USB sticks and other fixed or removable media types contain a lot of information that should be kept private/secret. Therefore anyone should wipe any media before selling or giving it away. Most users think that formatting would erase all information on a medium - but they are wrong. The data is only invisible and can be recovered by unformatting tools.

DeviceEraser allows you to completely overwrite a large number of media, making it impossible to recover anything useful from them.
It runs directly under Windows or in a PE environment and therefore can access even SATA and other rare drives that are usually invisible to BootDisks like DBAN.
Currently several overwriting methods are supported:

1 Pass overwriting with ones/zeros/random (fast erase which makes the data unrecoverable by normal users)
3 Pass overwriting using ones, zeros and random.

booty#1

Download file

Edited by booty#1, 22 July 2007 - 12:28 PM.


#2 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10452 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 22 July 2007 - 12:40 PM

Good tool!

What do you recommend for forensics? :)

:yahoo:

#3 booty#1

booty#1

    Frequent Member

  • .script developer
  • 285 posts
  • Location:Near Frankfurt
  •  
    Germany

Posted 22 July 2007 - 01:37 PM

What do you recommend for forensics? :yahoo:

Well, after DeviceEraser has done its job, forget about it. :)
Without erasing, "PC Inspector™ File Recovery 4" and the "Recuva" you posted should be the right tools for the job.
Or if you prefer to see the raw content, I like very much the disk edit mode of HxD.
But I don't have much experience in forensics because everything I give away is securely wiped, or if a disk fails I have a backup available - therefore no need for forensics...

booty#1

#4 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10452 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 22 July 2007 - 02:17 PM

Sometimes it's necessary to profile the use of a certain machine on my daytime work - so far I've stumbled on this nifty app: http://www.mitec.cz/wfa.html

It will reveal a great deal of usage details from a machine - of course, completely wiping the data from the drive as you mention throws away this possibility.

:yahoo:

#5 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 22 July 2007 - 02:36 PM


What do you recommend for forensics? :yahoo:

Well, after DeviceEraser has done its job, forget about it. :)

I would recommend a clean room and some very expensive machinery. :)
Secure wiping was once seven wipes with specific patterns; today it's something like 12.
For home use (read: only software based recovery) once overwriting every byte is good enough. (If someone can correct me on this one, I would be very interested in learning what software is capable of this.)

:)

#6 paraglider

paraglider

    Gold Member

  • .script developer
  • 1716 posts
  • Location:NC,USA
  •  
    United States

Posted 22 July 2007 - 03:00 PM

It depends on what you are trying to achieve. If you are trying to make it unreadable by anybody including government agencies then who knows what is good enough - they are certainly not going to tell you.

#7 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 22 July 2007 - 04:41 PM

It depends on what you are trying to achieve. If you are trying to make it unreadable by anybody including government agencies then who knows what is good enough - they are certainly not going to tell you.


Right! :yahoo:

Usually American, USSR and God only knows which other countries' embassies abroad have ANY "Classified related" PC in the underground, protected by reinforced concrete, with the reinforcing bars soldered and connected to ground so as to create a very fine "Faraday's cage":
http://en.wikipedia....ki/Faraday_cage
as Governments are said to have the technology to "interpret" the (very, very tiny) change in the electric field by the click of a keyboard key, one can only imagine what kind of technologies they have to read in a Mass Storage Device....

My personal guess is however that, apart from maybe Government Agencies, very few people will get a MFM microscope for looking at your HD platters, and thus doing more passes is just a way to lose time.

Again, my personal opinion, but I agree with the author of this article:
http://www.nber.org/...ta-guttman.html

that the original Gutmann theory:
http://www.usenix.or...mann/index.html
is really just a theory, overhyped by media :) , it is quite singular that no one has ever published a real scientific report from field application of his theory actually working, in the several years since it was published.

Moreover, even IF it would work, the actual result would NOT be "data" but "probability range" about "possible data", so I really doubt that ANY Court could ever take anything coming from this kind of recovery into account.

Do get and read these:
http://www.actionfro...20Ver14Alrs.pdf
http://www.actionfro..... Preprint.pdf
that tell you more about reliability (almost non-existent) of real MFM technology and, moreover, about TIME needed to perform this probabilistic data recovery.

And, in case of doubt, do use the method of "partitioning" illustrated in picture #4.4 here :) :
http://members.aol.c...oons1000/break/

jaclaz

#8 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 22 July 2007 - 04:41 PM

It depends on what you are trying to achieve. If you are trying to make it unreadable by anybody including government agencies then who knows what is good enough - they are certainly not going to tell you.

The most secure at the moment is, as far as I know, the Gutmann algorithm.

And who says the government won't tell us what secure erasing is?
There still exists the National Industrial Security Program Operating Manual of the US Department of Defense. :yahoo:
btw. that was the 7 writes system popular in the last millennium! :)

:)

#9 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 26 September 2008 - 12:07 PM

Just for the record:
http://www.forensicf...m...065&start=0

And I am not the only one searching (vainly :huh:) for a proof:
http://16systems.com/zero/index.html

Q. What is this?

A. A challenge to confirm whether or not a professional, established data recovery firm can recover data from a hard drive that has been overwritten with zeros once. We used the 32 year-old Unix dd command using /dev/zero as input to overwrite the drive. Three data recovery companies were contacted. All three are listed on this page. Two companies declined to review the drive immediately upon hearing the phrase 'dd', the third declined to review the drive after we spoke to second level phone support and they asked if the dd command had actually completed (good question). Here is their response... paraphrased from a phone conversation:

"According to our Unix team, there is less than a zero percent chance of data recovery after that dd command. The drive itself has been overwritten in a very fundamental manner. However, if for legal reasons you need to demonstrate that an effort is being made to recover some or all of the data, go ahead and send it in and we'll certainly make an effort, but again, from what you've told us, our engineers are certain that we cannot recover data from the drive. We'll email you a quote."

Q. Why are you doing this?

A. Because many people believe that in order to permanently delete data from a modern hard drive that multiple overwrites with random data, mechanical grinding, degaussing and incinerating must be used. They tell others this. Like chaos, it perpetuates itself until everyone believes it. Lots of good, usable hard drives are ruined in the process.


:huh:

jaclaz
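
Added example (not part of the thread and not DeviceEraser's code): a single in-place overwrite pass of the kind described in the first post, followed by the read-back check behind the recovery firm's question of whether the dd run had actually completed. The file name, the constructed sample contents and all function names are assumptions made for the illustration.

```python
import os

BLOCK = 1024 * 1024  # 1 MiB I/O unit

def overwrite(path, pattern):
    """One pass over an existing file or block device, in place.
    pattern: 0x00, 0xFF, or None for random bytes from os.urandom."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)   # works for files and block devices
        f.seek(0)
        remaining = size
        while remaining:
            n = min(BLOCK, remaining)
            f.write(os.urandom(n) if pattern is None else bytes([pattern]) * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())            # push the pass to the medium before returning
    return size

def first_mismatch(path, pattern):
    """Read everything back; return the offset of the first byte that is not
    `pattern`, or None when the whole target holds the pattern."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                return None
            if chunk != bytes([pattern]) * len(chunk):
                bad = next(i for i, b in enumerate(chunk) if b != pattern)
                return offset + bad
            offset += len(chunk)

def make_sample_image(path, size=3 * BLOCK + 123):
    """Constructed target: a file of filler 'records', odd size on purpose."""
    with open(path, "wb") as f:
        f.write((b"SECRET-RECORD;" * (size // 14 + 1))[:size])
    return size

def demo(path="sample_disk.img"):
    size = make_sample_image(path)
    before = first_mismatch(path, 0x00)      # old data is visible at offset 0
    written = overwrite(path, 0x00)          # the single zero pass
    after = first_mismatch(path, 0x00)       # None: every byte reads back zero
    # Simulate an interrupted pass: one stale byte left deep inside the image.
    with open(path, "r+b") as f:
        f.seek(2 * BLOCK + 7)
        f.write(b"S")
    interrupted = first_mismatch(path, 0x00)
    os.remove(path)
    return size, written, before, after, interrupted

if __name__ == "__main__":
    print(demo())
```

A read-back like this only covers the sectors the drive still exposes to the operating system, and a random pass cannot be checked this way because there is no expected pattern to compare against.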

#10 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 27 September 2008 - 05:53 PM

Though I'm also no fan of uselessly overwriting HDDs to clean them, I can't believe that plain zeros are good enough.
That sounds too much like going with black ink over a letter written with a ball pen.
Yes, one can't read it anymore, but one can still reconstruct what was written.

Make it overwritten once with random patterns and I might agree.

Also the test is not entirely without bias. Those companies are in the market to make money. They're not some government institution which has money to burn.
When I had one of my TV sets last repaired, the technician also said that it can't be fixed. What he meant of course was that it can't be done for any reasonable amount of money, but that's not the problem we were talking about, was it?

:huh:

#11 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 27 September 2008 - 06:29 PM

Yes, one can't read it anymore, but one can still reconstruct what was written.


Definitely NOT "anyone", maybe "one" with a MF microscope, I know no one having one, do you? :huh:

Now I don't think what I am asking to be much :huh:, just a single report by a reputable source that this has been done ONCE on a modern hard disk.

I tried to ask in a forum of professionals dealing with data recovery and police work, and besides some more theory, no one could report having ever recovered or having ever seen a single file recovered from a zeroed out single pass disk:
http://www.forensicf...m...065&start=0

You may want to re-read the previously linked sources, where the Author of the theory himself says:
1) that this was just a theory that was never directly tested by him
2) that the theory would not apply, or would not apply in any useful manner on modern hard disks

Compare the original article (1996):
http://www.usenix.or...mann/index.html

With latest version:
http://www.cs.auckla...secure_del.html


this is the relevant part:

9. Conclusion
Data overwritten once or twice may be recovered by subtracting what is expected to be read from a storage location from what is actually read. Data which is overwritten an arbitrarily large number of times can still be recovered provided that the new data isn't written to the same location as the original data (for magnetic media), or that the recovery attempt is carried out fairly soon after the new data was written (for RAM). For this reason it is effectively impossible to sanitise storage locations by simple overwriting them, no matter how many overwrite passes are made or what data patterns are written. However by using the relatively simple methods presented in this paper the task of an attacker can be made significantly more difficult, if not prohibitively expensive.


Epilogue
In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.

Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. Conversely, with modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero.

(bolding/underlining by me)

:)

jaclaz

#12 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 27 September 2008 - 07:29 PM

:huh: Why are you trying to sell me on the idea that overwriting with random data is good enough? I said so.
And as far as forensics police experts go, I haven't been too impressed with them. They too give up, long before any hacker would even start thinking about doing so.
As with everything else in the world, if you want something done right, get a fanatic, not someone who's just making a living.

And since, at least, I don't know anyone who has the right equipment in his garage to play around with this, I think the chances are rather slim that we can ever find out if it really can be done or is just a theoretical thing.


:huh:


PS: It's surprisingly low tech to read through blacked out text these days, if the used type of color or the used type of applying it, is just different enough.

#13 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 28 September 2008 - 02:15 PM

:) Why are you trying to sell me on the idea that overwriting with random data is good enough? I said so.


Not trying to sell anything :huh:, just wanted to buy (for free :)) a single report of anyone recovering any data after a single zero pass, if you think I am trying to "sell" anything (for free as well :)), it is that in my opinion there is:
1) no need for more than one pass
2) no need for "random" data

I am saying, just like the people at 16systems.com do, that there is no actual evidence that anything has ever actually been recovered from a drive wiped by a single pass zero wipe (as said before, by a non-Government Agency; what they can or cannot do is understandably secret), thus I claim that anything more is a waste of time for any "normal" privacy or security need.

And of course I will be as well happy if someone produces any evidence (not theories, not hearsays) that this claim is wrong.

:huh:

jaclaz

#14 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13749 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 25 December 2010 - 07:04 PM

An interesting related read:

How to securely delete data

To permanently delete data, there is an order of progression with trade offs of convenience and time vs privacy:

  • Shred the file (with one pass).
  • Overwrite the free disk space.
  • Overwrite the whole drive (including the OS and all data).
  • Mechanically destroy or degauss the drive.
  • Destroy data on backups, ISPs, online accounts, etc.

However, in practice things become more complicated.
Keeping data private

Here are some suggestions to keep your data private
  • Don't keep secrets. It's easier to sleep.
  • Don't waste time with multiple passes for data sanitation.
  • Second guess any software which advertises multiple passes to wipe files or free disk space. Do the authors not honestly know what they are doing, or is it a useless feature for marketing purposes?
  • Use full volume encryption, though someone may hit you with a $5 wrench until you reveal the key.
  • If giving a hard drive (or whole computer) to someone else, use DBAN to wipe the entire drive, including the remapped sectors—even though reinstalling an operating system, security updates, applications, and settings is a pain. It's not enough to delete files, empty the recycle bin (or trash can), and wipe the free space because some useful data may be in the swap file, hibernation file, Windows registry, and application registries (such as passwords in Firefox's configuration). If you are not willing to do that, minimally delete the user accounts on the system and then wipe free disk space.
  • If you really need DoD class security, use the only sanitation method approved by the DoD 5220.22-M standard: degauss or mechanically destroy the storage device.
  • Don't assume you control all the data. Say you download a file from www.example.com: there may be records on your computer, your ISP, www.example.com's server, www.example.com's ISP, www.example.com's backup site, the Internet backbone, etc. Think about how much data is stored on your email server, Facebook account, etc.
  • Don't use any computers because the Nosy Secret Agents may be looking over your shoulder using Van Eck phreaking.


Full doc:
http://bleachbit.sou...files-wipe-disk

:whistling:
Wonko



