Can God Create a Rock So Heavy Even He Can’t Lift It?

Relax, this hasn’t turned into a religious blog, I’m simply drawing a parallel to one of the best data recovery companies out there, Norwegian Ibas. Ibas are experts on recovering lost or hidden data. And it’s amazing how often they succeed. Take a look at this charred wreck of a burnt PC1):

Burned PC 

On this particular PC 100% data was recovered.

What’s this got to do with you, you ask? Or with Gawd, for that matter?

Well, if you have sensitive data that you do not want anyone to find, let alone be able to read then companies like Ibas (or NSA, for that matter) are your worst nightmare. If the data has ever been stored on your computer these guys can probably find it. Pressing “Delete”, formatting the disk or using “fdisk” or similar tools will NOT do the job. If you have data that you want to get rid of, you need something serious.

Hence the God analogy – Ibas know how to treat the data so that they themselves cannot recover it. Enter: ExpertEraser

ExpertEraser (EE) is a tiny piece of software that “wipes” (Block Erase) your hard drive so that Ibas or similar companies (including NSA) cannot recover the rata that was once stored on the disk. EE runs from a bootable floppy disk or CD, it is not installed on your hard drive. It works as long as you can boot from a floppy drive or a CD, regardless of whether you have a PC or Mac, Unix, Linux, DOS, MacOS or Windows; whether the drive you want to wipe is formatted as FAT, NTFS, HFS Plus, ext, HPFS, etc.

I’m not too big a fan of EE, though: it is closed source, which means that you have no way of knowing what it really does. In addition, Ibas collects information about your wipes (if you want to “refill” your license). These two factors makes for a bad combination. A great, and gratis, alternative to EE is the open source software DBAN (Darik’s Boot and Nuke).

DBAN, just like EE, is a disk wiping tool that does the job thoroughly. They’re both small, bootable and secure (although anything but fast; a secure wipe of a normal-sized disk will take many hours, up to days). They both exceed the requirements set by the Department of Defense (DoD 5220.22-M). http://www.killdisk.com/ is a third alternative, although not open source.

There are also tools that let you delete individual files in Windows, Linux, Unix or MacOS. Such tools will be discussed in another blog post. There are also alternatives to the slow block erase method that these tools use. I will discuss these methods in a later post.

A word of warning about wiping hard drives: What you do not know might kill you.

There are limitations to disk wiping tools. Modern hard drives will automatically mark bad sectors of the hard disk as “bad” and the hard drive will not allow write access to those sectors. DBAN, for example, is not able to wipe sectors marked bad by the hard drive. Whether or not this is the case for ExpertEraser I do not know. There are ways around this limitation, but they require a lot of work.

In addition to the bad sector problem, there are parts of the hard drive that is usually hidden from the normal user; the HPA (Host Protected Area) and the DCO (Device Configuration Overlay). The HPA is sometimes used by PC manufacturers (such as HP or Dell) to hide recovery tools for easy recovery of the operating system. The HPA could also be used by rootkits to hide themselves from anti-rootkit tools. The DCO was originally intended for storing power management features, but it is otherwise similar to the HPA and might be used to hide rootkits or other data. DBAN does not wipe HPA/DCO while Active@Killdisk do. If you really wish to wipe your hard drive, for example if you suspect that you computer has been infected by a rootkit, you should use a bootable Linux CD to remove the HPA and/or DCO (make it part of the normal hard drive space) before wiping the hard drive.

The HPA might also be used by you to hide data that you do not want others to find. This will probably work if you’re trying to hide the data from your wife, but will certainly NOT work if you’re trying to hide data from NSA. Hiding data in the HPA is like writing with invisible ink: it’s not plain to see, but will not hold up under scrutiny.

There’s only one way to really hide data from peering eyes: strong cryptography. And even with cryptography what you don’t know might kill you. But that’s for another blog post.

1) Yes, I know that the external apperance of a PC is not related to the difficulties of retrieving data from a HDD (which is usually something as unsexy as replacement of the firmware  or the electronics board or cleanroom replacement of the spindle motor, base casting or head stack) – but it’s still cool.

Advertisements

3 Comments

Filed under data forensics, data recovery, DBAN, hard drive wiping, hard drives, Ibas, NSA, privacy, security, software

3 responses to “Can God Create a Rock So Heavy Even He Can’t Lift It?

  1. Another option: 12 guage slug. Hard disk platters will readily shatter. For about $0.50, you can drag your hard disk out to the range and turn the platters into a very fine powder. I’ve tried it — it works. Only downside is that the hard disk is then only useful as a cool decoration, and one that reveals life style facts that you may prefer to keep secret, at that.

  2. Contrary to popular belief, DoD 5220.22-M does not specify the requirements on how one should wipe a media, instead there are only 2 paragraphs mentioning what cleansing and sanitization means when someone has to dispose media which has classified data on it.

  3. farvish

    Nice Post. Here is one more option to erase drive permanently other than physical damaging. You can use drive wipe software to erase drive permanently so that data erased beyond recovery.

    Thanks

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s