Damn your data to hell, or just scrub clean?
February 11th, 2011 by David Bradley >> 31 Comments
On the BBC TV news this morning, there was video footage of a man in overalls feeding hard drives, one after the other, into an incinerator. The hard drives had been pulled from computers used in the UK government’s failed ID card endeavours. Now, forgive me, it may have been purely for show and it was easier to publicly have an operative burn the disks rather than show an IT person using scrubbing software to remove all the data they contain and so allow the drives to be re-used. But. If they really are burning them, two things:
First, <durrh>why not simply use DBAN at a high level</durrh>. DBAN will wipe all data, no matter how sensitive, from rewritable media (hard drives, USB drives etc.) by repeatedly writing random bits over every sector of the disk. Done at an adequate level, this renders any data on the disk beyond retrieval, even by the F.B.I! So, they could have done that, which is a much less wasteful, less energy-intensive, and downright greener option. DBAN is open source software, so anyone with the skills can verify what it does and modify it if they need to, to make it even more effective (if that’s possible). (It turns out that they did “wipe” the disks, but somehow feel the need to burn them as well, which is just a WEEE waste.)
Secondly, and more importantly: why was the private and personal data on all these dozens, if not hundreds, of drives <durrh>not securely encrypted</durrh>? Securely encrypted with something like TrueCrypt, to put it beyond even a supercomputer’s wit? It takes little time to encrypt a drive, and once done the only way to get the data off it is to enter the passkey. That way, if the drive were stolen (or, more likely, <sarc>lost by the operative simply leaving it on a train</sarc>), the data would not be accessible to anyone. By the way, password protecting a drive of whatever kind only acts as a simple deterrent; it does not encrypt and protect data and can be circumvented very, very easily. (That includes BIOS-level passwords, operating system passwords etc.)
<rant>Oh, there is a third thing. Why so many hard drives? There was never enough ID card data to fill more than one decent-sized drive, but why wasn’t this information on a private, firewalled server (encrypted adequately, of course)? Does anyone in government, who was supposed to be in charge of these things, actually know anything about ICT at all? Or, are they all as dumb as the politicians who issue the diktats that initiate unworkable and pointless tasks like setting up an ID card system in the first place?</rant>
<durrh>, <sarc> and <rant> aren’t real html codes, they’re a little joke.
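As an added illustration (not code from this post, nor from DBAN itself): the post says a wipe writes random bits over every sector, and that what the tool does can be verified. The script below simulates such a pass on a small file-backed image and then runs the check a practitioner would want afterwards, scanning every sector for anything that does not look like a random overwrite. The image contents, the ID-card-style records and the entropy threshold are all constructed for the demo.

```python
import math
import os
from collections import Counter

SECTOR = 512  # bytes per sector, as on a traditional hard drive

# Constructed sample "disk image", 8 sectors: two hold plaintext records of the
# kind the post worries about, one is zero-filled, the rest already hold random
# bytes (think of an already-encrypted region). No real data is involved.
RECORD_MARK = b"ID-CARD RECORD"


def build_sample_image() -> bytearray:
    img = bytearray(os.urandom(SECTOR * 8))
    img[4 * SECTOR:5 * SECTOR] = bytes(SECTOR)  # sector 4: zero fill
    for lba, rec in ((0, b"name=Jane Example; dob=1970-01-01"),
                     (5, b"name=John Example; dob=1965-05-05")):
        payload = (RECORD_MARK + b": " + rec).ljust(SECTOR, b"\x00")
        img[lba * SECTOR:(lba + 1) * SECTOR] = payload
    return img


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random bytes."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def overwrite_random(img: bytearray, passes: int = 1) -> None:
    """A DBAN-style pass: fresh random bytes over every addressable sector.
    It only reaches sectors the image (or a real drive) exposes as addressable."""
    for _ in range(passes):
        for off in range(0, len(img), SECTOR):
            img[off:off + SECTOR] = os.urandom(SECTOR)


def sectors_with_marker(img: bytearray, marker: bytes = RECORD_MARK) -> list:
    """Sectors still containing a known plaintext marker (the crude check)."""
    return [i for i in range(len(img) // SECTOR)
            if marker in img[i * SECTOR:(i + 1) * SECTOR]]


def suspicious_sectors(img: bytearray, min_entropy: float = 6.5) -> list:
    """Sectors that do not look like a random overwrite: low entropy (zero fill,
    structured data) or mostly printable text. Random 512-byte sectors measure
    roughly 7.6 bits/byte with this estimator, so 6.5 leaves a wide margin."""
    bad = []
    for i in range(len(img) // SECTOR):
        sec = bytes(img[i * SECTOR:(i + 1) * SECTOR])
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sec) / SECTOR
        if shannon_entropy(sec) < min_entropy or printable > 0.9:
            bad.append(i)
    return bad


def wipe_and_verify(passes: int = 1) -> dict:
    """Run the whole cycle on the sample image and report before/after findings."""
    img = build_sample_image()
    before = {"marker": sectors_with_marker(img), "suspicious": suspicious_sectors(img)}
    overwrite_random(img, passes)
    after = {"marker": sectors_with_marker(img), "suspicious": suspicious_sectors(img)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(wipe_and_verify())
```

Both the wipe and the verification scan see only the addressable sector range; on a real drive that is exactly the limitation the comments below raise, since sectors the firmware has remapped (and, on an SSD, whatever the logical sector list maps to underneath) are outside it.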
alecmuffett // Feb 11, 2011 at 10:36 am
You know, I totally agree, but on the other hand with reasonable expertise in data destruction I can answer all your questions from the perspective of the ID-card people too.
1) oddly enough incinerators aren’t enough to destroy data on modern drives unless the platter goes molten, although it does make recovery a grotesque task; the coercivity of the material is stupendously high and basically the magnetic structure will remain until the platter goes gloop.
2) so we can assume therefore that this is all for show, and that the goal is to reassure, and to forestall questions in the commons, or put to the ICO
3) why so many drives? because there was probably no centralised database, but instead replica copies.
4) lack of crypto would be an abomination, and i am not fit to judge whether it was used, but see point 2 regardless.
5) economics: it’s probably economically unviable to scrub the drives and re-home them as “secondhand”; if they are more than 3 years old they are a tax writeoff, if more than 18 months old they are not interestingly large (moore’s law kinda thing) and to DBAN (say) 100Gb would take a few technically-capable-and-vetted-man-hours, multiplied by a few hundred drives. Ripping the drives out and putting them beyond use makes economic sense. Plus, see point 2.
6) DBAN – great software, love it to bits. Alas it cannot wipe remapped sectors which the HD controller will not let it access unless using magic manufacturer commands, so there _might_ just be the name of some little kiddywink there, just waiting to be handed over to some foreign revolutionary technoterrorist faction, leading the Daily Mail to trumpet about how Govt ecoweenies put childrens’ lives at risk. Plus, see point 2.
…etc etc. I agree it’s dumb, but I can see why they did it.
Ceramic platters do not readily go “gloop”.
Also I was told by a trusted friend that in the mid 90s the UK Govt way with top secret drive disposal was to pulverise the platters into powder, blend it, and store the powder in barrels for 10 years before chucking it.
There used to be a similar rule for drive disposal in (iirc) the USA, that they would be shredded and put through a 0.25″ mesh, but since 0.25″ now can store a significant number of gigabytes I rather hope they’ve advanced beyond that.
David Bradley // Feb 11, 2011 at 11:03 am
For the skeptical…NIST reckons that even a single pass wipe will take a hard drive beyond forensics at the magnetic force microscopy level!
http://www.anti-forensics.com/disk-wiping-one-pass-is-enough
http://www.springerlink.com/content/408263ql11460147/
Michael W // Feb 11, 2011 at 11:09 am
The answer to your final question is obvious, it’s YES!
“Or, are they all as dumb as the politicians who issue the diktats that initiate unworkable and pointless tasks like setting up an ID card system in the first place?”
alecmuffett // Feb 11, 2011 at 4:26 pm
I posted comments but haven’t seen them yet; but I recycled my text and posted to this article, here:
http://blogs.computerworlduk.com/unscrewing-security/2011/02/zen-and-the-art-of-data-destruction/index.htm
David Bradley // Feb 12, 2011 at 4:22 pm
Thanks for the comments and the link Alec. I think you’re probably correct in that it’s economics too. But, they spent the manhours pulling these drives out of what were probably perfectly good PCs and possibly replacing them with new drives. I think they could’ve used DBAN to simply scrub them in situ. Ten minutes for someone with a boot disk…
Criação de Sites // Feb 13, 2011 at 2:23 pm
After alecmuffett’s knowledgeable comment, what else can be said?
Well, instead of an incinerator, why not use a saw of some kind, destroying the plates physically, beyond any recovery?
David Bradley // Feb 13, 2011 at 3:17 pm
I still think there’s no need. But if you feel insecure then sawing through a disk might not be enough. With magnetic microscopy you’d still be able to extract data. Software shredding (or incineration) are the only secure methods.
alecmuffett // Feb 13, 2011 at 3:30 pm
Peter Gutmann published this paper back in 96:
http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/
…regarding recovery of data; technology has improved stupendously, which makes it less and less possible to recover data by his method… but there is more and more data in a square mm, and if your data is valuable enough then someone might give it a try.
See also http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html#Epilogue for the followup.
alecmuffett // Feb 13, 2011 at 4:15 pm
> the only ALMOST TOTALLY secure methods
FTFY.
David Bradley // Feb 13, 2011 at 7:11 pm
FTFY? Charming!
David Bradley // Feb 13, 2011 at 7:13 pm
I think that was the point I was making regarding the “sawing it in half” or “drilling a few holes” approach. Fully incinerated there is nothing left for a magnetic force microscope to see, but a data wipe will also fully obliterate every last bit (far better than drilling or sawing).
David Bradley // Feb 13, 2011 at 7:18 pm
Gutmann says: “There are two ways that you can delete data from magnetic media, using software or by physically destroying the media. For the software-only option, to delete individual files under Windows I use Eraser and under Linux I use shred, which is included in the GNU coreutils and is therefore in pretty much every Linux distro. To erase entire drives I use DBAN, which allows you to create a bootable CD/DVD running a stripped-down Linux kernel from which you can erase pretty much any media. All of these applications are free and open-source/GPLed, there’s no need to pay for commercial equivalents when you’ve got these available, and they’re as good as or better than many commercial apps that I’ve seen.”
So that corroborates what I originally wrote in my post, surely?
alecmuffett // Feb 13, 2011 at 7:26 pm
> Charming!
Sorry – that’s why there was a smiley; I’ll presume that you don’t hang out on Reddit much?
Frankly: you’re right. Data wipe it and you’re proof against almost all threats. Sledgehammer it too, and you’ll need to be on an Al-Qaeda watchlist before they will even bother trying to recover it. At least one police data-recovery forensic firm I know has trouble with the concept of remapped blocks, so they are missing a trick / slightly ignorant even in the face of repeated attempts to explain.
I need to write-up the ill-advisedness of using “shred” at an above-the-filesystem layer; the way SSDs (and/or filesystems like ZFS) waltz the physical blocks around under the nose of the block-to-sector mapping table is hilarious.
Put differently: just because you overwrite the file, no longer means you are overwriting the data; instead you’re writing some new blocks somewhere else in order to (say) smooth out the number of read/write cycles that any given sector suffers.
alecmuffett // Feb 13, 2011 at 7:33 pm
Oh, and later this week I’ll be finishing a posting I started about 2 weeks ago, re: someone I know who does human rights stuff in South America.
She’s faced with erasing all data on her laptop / not carrying a phone, and then installing it in-situ once she’s past the border guards.
Apparently she saw 4 people with whom she was working, get shot because of their efforts; she doesn’t want to die, and she ALSO doesn’t want to give away the names of anyone else with whom she’s working (eg: by virtue of data recovery by government stooges at border crossings)
So the fine details and results of different techniques is of great interest today; I’ll try to remember to ping this posting when it gets published.
David // Feb 13, 2011 at 11:18 pm
What was in the gap between the title of your piece and the ‘share’ buttons before you wiped it?
David Bradley // Feb 14, 2011 at 8:28 am
David Bradley // Feb 14, 2011 at 8:39 am
@David Bennett Assume that was just a joke, otherwise no idea what you’re talking about.
@Alec Muffett Didn’t he add appendices subsequently? According to the much more recent paper by NIST, proper software wiping means nothing can be recovered with the need to liquefy or vaporize a hard disk. But, what do you see as the bottom line, do you have a paper that demonstrates recovery of data fragments from a properly wiped drive?
alecmuffett // Feb 14, 2011 at 9:24 am
Generalisations like “nothing can be recovered” really scare me – if you talk to Peter / read his current stuff he will say something along the lines of “The bits nowadays are stacked vertically (so the old magnetic microscope / reading off-centre-tracks trick won’t easily work any more) – and their incredible density-per-square-mm means it’s a nightmare to extract data anyway.”
And this is perfectly true. And this is why DBAN works.
Where this all falls apart is
(1) copy-on-write (CoW) filesystems and users who use “GNU shred” or similar, on top of them. Bad idea.
(2) SSD systems, where in many cases the apparent “sector list” has nothing to do with reality, and so it’s essentially the same as the CoW problem, but from below the level of the device driver. Technologies change here all the time, so generalisations are dangerous.
(3) Remapped sector tables. See this video: http://www.youtube.com/watch?v=XwYSdD4fyRU
Every “red” sector that the HD skips-away from is “bad” or “dubious” from the perspective of the hard drive firmware, but it was probably written-upon at least once before and contains data (Identity Cards! Children! Secrets!) that would be recoverable if you prod the drive with some extra, special, magic commands.
DBAN will overwrite the green / remapped sectors, but the “dodgy” red ones will be left alone, for retrieval by anyone who has the magic software. On an old disk that can be quite a significant amount of data left en-clair, hence the wisdom of using a cryptographic filesystem from the outset.
So, in short:
a) recovering data after overwriting _might_ still be feasible at the “Spooks and Spies” high-end, but that was always the case/risk; every so often the technology becomes more feasible for universities to achieve this (eg: Ross Anderson) but that effect is mitigated by advances in drive technology (eg: encoding bits in 3d/vertically)
BUT
b) Because of the above, guaranteeing you’ve overwritten everything is nigh-on impossible; so if that’s a worry for you, overwrite and then destroy the disk.
I don’t know any current papers that exist regarding these perspectives, since they don’t require “research” rather than common sense and some kind of understanding of what the hell is actually going on “under the hood”.
Would you like me to get one written? I know some folk way more authoritative than I.
What journal would you like it to be in?
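The “shred above the filesystem” comment earlier and points (1) and (2) in the comment above describe the same failure: the thing you overwrite is no longer the thing that held the data. The toy flash translation layer below is an added illustration, not anyone’s firmware, DBAN’s code, or anything from the thread; its page size, page count and allocation policy are invented to keep it readable, but the mechanism (write to a fresh page, repoint the mapping, leave the old page stale) is the one the comments describe.

```python
import os

PAGE = 16  # bytes per flash page; tiny so the demo is readable (real pages are KB-sized)


class ToyFlash:
    """A minimal flash translation layer (constructed for illustration, not any
    real SSD firmware). The host writes logical blocks (LBAs); the FTL never
    overwrites a physical page in place. It takes a fresh erased page, writes
    the data there, repoints the LBA at it and leaves the old page holding the
    previous contents until garbage collection gets round to erasing it."""

    def __init__(self, pages: int):
        self.phys = [b"\xff" * PAGE for _ in range(pages)]  # all pages erased
        self.free = list(range(pages))                       # erased, unused pages
        self.map = {}        # lba -> physical page currently holding it
        self.stale = set()   # written pages no longer reachable through any lba

    def write(self, lba: int, data: bytes) -> int:
        if len(data) != PAGE:
            raise ValueError("writes are whole pages in this model")
        if not self.free:
            raise RuntimeError("no erased page left: garbage collection needed")
        new = self.free.pop(0)
        self.phys[new] = data
        old = self.map.get(lba)
        if old is not None:
            self.stale.add(old)   # old data stays on the media, just unmapped
        self.map[lba] = new
        return new

    def read(self, lba: int) -> bytes:
        return self.phys[self.map[lba]]

    def host_visible_copies(self, needle: bytes) -> int:
        """Copies of `needle` reachable through the LBA interface (all that the
        OS, shred, or a DBAN pass can ever see or overwrite)."""
        return sum(1 for p in self.map.values() if self.phys[p] == needle)

    def physical_copies(self, needle: bytes) -> int:
        """Copies of `needle` anywhere on the media, stale pages included (what
        chip-off or vendor-level access to the cells would see)."""
        return sum(1 for p in self.phys if p == needle)

    def erase_all(self) -> None:
        """Whole-device erase done by the controller: every page, mapped or not."""
        self.phys = [b"\xff" * PAGE for _ in self.phys]
        self.free = list(range(len(self.phys)))
        self.map.clear()
        self.stale.clear()


def shred_like_overwrite(flash: ToyFlash, lba: int, passes: int = 3) -> None:
    """What `shred` or any file-level overwrite looks like from below: repeated
    writes to the same LBA, each landing on a different physical page."""
    for _ in range(passes):
        flash.write(lba, os.urandom(PAGE))


def demo() -> dict:
    flash = ToyFlash(pages=8)
    secret = b"NAME:JANE DOE".ljust(PAGE, b"\x00")  # constructed sample record
    flash.write(0, secret)
    shred_like_overwrite(flash, 0, passes=3)
    after_shred = {"visible": flash.host_visible_copies(secret),
                   "physical": flash.physical_copies(secret)}
    flash.erase_all()
    after_erase = {"visible": flash.host_visible_copies(secret),
                   "physical": flash.physical_copies(secret)}
    return {"after_shred": after_shred, "after_erase": after_erase}


if __name__ == "__main__":
    print(demo())
```

After the three “shred” passes the host can no longer read the record through LBA 0, yet one copy is still sitting on a stale page; only the controller-level erase clears it. A copy-on-write filesystem produces the same picture one layer up, with the filesystem rather than the FTL doing the relocating.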
David // Feb 14, 2011 at 10:06 am
@David Bradley I was referring to the blank space about 280px deep between the short horizontal line below the date and byline, and the ‘share’ buttons.
Now looking around a few posts, I see it is a design feature.
Gordon Rae // Feb 14, 2011 at 11:42 am
In January, the government said that destruction of the data “by an approved supplier” would cost £400,000. Since 15,000 people applied for an ID card, that’s around £27 per user. http://www.computerweekly.com/Articles/2011/01/20/244978/Destruction-of-ID-card-data-to-cost-163400000.htm
David Bradley // Feb 14, 2011 at 2:15 pm
It’s not a design feature, it’s a bug I need to fix!
David Bradley // Feb 14, 2011 at 2:16 pm
David Quillcards isn’t a spam commenter. He’s a friend. He’s highlighted a bug in my theme that I need to fix. Thanks for the further comments on this. It would be very useful to see a peer-reviewed paper that counters what the NIST papers have said…
David Bradley // Feb 14, 2011 at 2:21 pm
Has that fixed it? I was using a snippet of php to display ads only for older posts but it seems not to have been operating properly. I tweaked it so that you shouldn’t see ads or the gaps if you visit the site directly or from Twitter, Facebook etc
David Bradley // Feb 14, 2011 at 2:40 pm
@Gordon Yep, ICT support is never cheap
David // Feb 14, 2011 at 2:43 pm
@ David Bradley
Yes: Blank space gone.
David Bradley // Feb 14, 2011 at 2:44 pm
@Alec RE: S American contact. Wouldn’t the cloud be the place to store sensitive information and to simply have dummy information on a laptop one is taking across borders. TrueCrypt lets you create hidden encrypted partitions, but anyone who looks at the size of the hard drive would know that you were hiding data. Of course, there’s also the emergence of textual steganography about which I wrote a couple of weeks ago (on Sciencebase.com).
David Bradley // Feb 14, 2011 at 3:00 pm
Excellent. Thanks for spotting.
alecmuffett // Feb 14, 2011 at 3:02 pm
> Wouldn’t the cloud be the place to store sensitive information
Yes, she hauls what she needs off the network.
> but anyone who looks at the size of the hard drive would know that you were hiding data
…and then we are into the realms of what is euphemistically called “rubber hose cryptography”, which is not a nice place to visit.
It’s easier and safer to not give them any excuse whatsoever.
David Bradley // Feb 14, 2011 at 4:26 pm
Rubber-hose cryptography. There’s bound to be a credit card and 18+ only web site for that…
Watching Them, Watching Us // Feb 14, 2011 at 10:08 pm
It takes a significant number of hours to overwrite a modern multi terabyte hard disk, especially with multiple passes of random data via the operating system.
Many modern ATA / IDE hard disks do actually incorporate a Secure Erase function, called the ATA Security Feature Set, built into the hard disk electronics, which is much faster.
Some free software (HDDErase.exe) to use this feature, and plenty of other useful advice, is available from the Secure Erase project, originally sponsored by the US National Security Agency, headed by one of the pioneers of hard disk technology, Dr. Gordon F. Hughes, at the Center for Magnetic Recording Research (CMRR), at the University of California San Diego (UCSD).
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
Are there any similar secure erase functions built in to other types of hard disk ?
Some laptop computer magnetic hard disks also contain significant amounts of non-volatile Flash Memory buffers, probably stuffed full of logon credentials and crypto keys.
Securely erasing Flash Memory (including USB pen drives, Digital Camera or Mobile Phone memory cards etc.) through software alone seems to be very difficult, given that it often uses Wear Leveling Algorithms
https://secure.wikimedia.org/wikipedia/en/wiki/Wear_leveling
which mean that the software used to erase normal magnetic media, may not actually overwrite the physical flash memory cells at all.
Flash Memory is pretty well immune to magnetic fields which would scramble a hard disk platter.
The Home Office Press release indirectly explains why the National Identity Register hard disks and magnetic tapes have been shredded and then incinerated – that is the Cabinet Office and CESG approved box ticking, paperwork procedure, regardless of cost or economics or the benefits of recycling working but redundant computer equipment.
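An added example, not from the Secure Erase project, HDDErase or hdparm itself: on Linux the ATA Security Feature Set described above is driven with hdparm, and the check worth doing before issuing anything is the drive’s security state, in particular that the BIOS has not left it “frozen”. The script parses the Security section of `hdparm -I` output (the sample is constructed to approximate that layout, so compare it with a real drive first) and returns the command sequence as strings without running anything. The device path and the throwaway password are placeholders.

```python
# Constructed sample approximating the "Security:" block printed by `hdparm -I`
# on Linux. The exact layout is an assumption; compare with a real drive first.
SAMPLE_HDPARM_I = "\n".join([
    "ATA device, with non-removable media",
    "\tModel Number:       EXAMPLE-DRIVE-MODEL",
    "Security:",
    "\tMaster password revision code = 65534",
    "\t\tsupported",
    "\tnot\tenabled",
    "\tnot\tlocked",
    "\tnot\tfrozen",
    "\tnot\texpired: security count",
    "\t\tsupported: enhanced erase",
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.",
    "Checksum: correct",
])


def parse_security_section(text: str) -> dict:
    """Pull the ATA Security Feature Set flags out of hdparm -I style output.
    A line reading 'not <flag>' leaves that flag False; a bare '<flag>' sets it."""
    flags = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break                      # next top-level heading ends the block
        item = " ".join(line.split())  # collapse the tab-separated layout
        if item == "supported":
            flags["supported"] = True
        elif item == "supported: enhanced erase":
            flags["enhanced_erase"] = True
        elif item in ("enabled", "locked", "frozen"):
            flags[item] = True
    return flags


def secure_erase_plan(flags: dict, device: str = "/dev/sdX") -> tuple:
    """Decide whether a firmware erase can be issued and return the hdparm
    commands as strings (nothing is executed). `device` is a placeholder and
    'WIPE' is a throwaway password that the erase itself clears again."""
    if not flags["supported"]:
        return None, "drive does not implement the ATA Security Feature Set"
    if flags["frozen"]:
        return None, "drive is frozen (usually by the BIOS); suspend/resume or hot-plug it, then re-check"
    if flags["enabled"] or flags["locked"]:
        return None, "security already enabled or locked; the existing password is needed first"
    mode = "--security-erase-enhanced" if flags["enhanced_erase"] else "--security-erase"
    return [f"hdparm --user-master u --security-set-pass WIPE {device}",
            f"hdparm --user-master u {mode} WIPE {device}"], "ok"


if __name__ == "__main__":
    print(secure_erase_plan(parse_security_section(SAMPLE_HDPARM_I)))
```

The firmware erase is the one host-side method that also covers sectors the host cannot address (the remapped-sector point raised earlier in the thread), which is why it is preferred to an overwrite from the operating system where the drive offers it; run `hdparm -I` again afterwards and confirm security reads “not enabled”, and do not power-cycle the drive while the erase is in progress.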
David Bradley // Feb 16, 2011 at 2:05 pm
Revelations that the UK’s Ministry of Defence “lost” 57 computers and 47 USB sticks in 2010 make a total and utter mockery of the PR exercise that was the incinerating of hard drives.
http://www.computerweekly.com/Articles/2011/02/16/245458/MoD-lost-57-computers-and-47-USB-sticks-in-2010.htm