Hello,
On Thu, Jan 09, 2020 at 12:11:54PM +1300, Ben Caradoc-Davies wrote:
> If you need to protect against an attacker willing to examine your HDD with
> magnetic force microscopy, there is no substitute for physical destruction
> of the media.
Even then it's unnecessary! No has ever recovered usable data from a
modern (less than 15 years old) used HDD after a single pass of
writes. A study was done with 2006-era drives and magnetic force
microscopy (MFM) between 2006 and 2008:
https://www.vidarholen.net/~vidar/overwriting_hard_drive_data.pdf
"4 Conclusion
The purpose of this paper was a categorical settlement to the
controversy surrounding the misconceptions involving the
belief that data can be recovered following a wipe
procedure. This study has demonstrated that correctly
wiped data cannot reasonably be retrieved even if it is
of a small size or found only over small parts of the
hard drive. Not even with the use of a MFM or other known
methods. The belief that a tool can be developed to retrieve
gigabytes or terabytes of information from a wiped drive is in
error.
Although there is a good chance of recovery for any individual
bit from a drive, the chances of recovery of any amount of data
from a drive using an electron microscope are negligible. Even
speculating on the possible recovery of an old drive, there is
no likelihood that any data would be recoverable from the
drive. The forensic recovery of data using electron
microscopy is infeasible. This was true both on old drives and
has become more difficult over time. Further, there is a need
for the data to have been written and then wiped on a raw unused
drive for there to be any hope of any level of recovery even at
the bit level, which does not reflect real situations. It is
unlikely that a recovered drive will have not been used for a
period of time and the interaction of defragmentation, file
copies and general use that overwrites data areas negates
any chance of data recovery. The fallacy that data can be
forensically recovered using an electron microscope or related
means needs to be put to rest."
So, for the main data areas of the HDD, one pass of writes is always
enough and anything more is just a meaningless ritual.
Some will argue that a better-funded attacker may somehow have
better microscopes even to the point that they have technological
breakthroughs not known to the wider world. However, the paper also
makes clear that the limit is not the sensitivity of the microscope,
but the fact that any drive that has been in use for a while has too
much noise for the data immediately prior to the wipe to be
distinguishable from that.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
