Overwriting data Multiple times ?

[CloneRanger]

Should we, or shouldn't we, that is the question ? A few years ago a number of people started suggesting that one pass was enough, and anything more was a waste of time. I've always believed that more was/is better, if only for peace of mind. So i wonder what you make of this ?

Quote:

bcrypt

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.
-- Preface to Applied Cryptography by Bruce Schneier

*

In addition to encrypting your data, bcrypt will by default overwrite the original input file with random garbage three times before deleting it in order to thwart data recovery attempts by persons who may gain access to your computer. If you're not quite ready for this level of paranoia yet, see the installation instructions below for how to disable this feature. If you don't think this is paranoid enough.. see below.

*

It would be wise to test the installation on a few unimportant files before encrypting anything you value, removing the only copy and overwriting it 127 times with garbage.

http://bcrypt.sourceforge.net

Note, it says "thwart data recovery" not eliminate ! Also note the "127 times" overwriting advice too !

[nightrace]

The consensus here is that one pass is enough.

http://www.anti-forensics.com/disk-w...th-screenshots

[J_L]

Way overkill, not to mention shortening the life of your hard drive.

That is, unless anyone can provide me valid proof that you can recover data from one overwrite in a feasible amount of time.

[Nebulus]

Quote:

It would be wise to test the installation on a few unimportant files before encrypting anything you value, removing the only copy and overwriting it 127 times with garbage.

Aside from the fact that I believe that one pass overwriting is enough, I find this part to be very funny. I am supposed to test 127 times overwriting? Yeah, I see it now, it's much safer than 126 times overwriting, the tests clearly show it

[PJC]

Besides, most Home Users have Not the Secrecy-Level that Intelligence/Security Services need to defend...

[noone_particular]

This subject comes up regularly here and elsewhere. When it does, it seems like "experts" from all over start coming out of the woodwork, saying multiple passes are an overkill and completely unnecessary. Perhaps it's the paranoid side of me, but the quantity and nature of those responses set off alarms for me. The worst that multiple overwrites might do is cause some extra wear on your hard drive. When compared to all the records that Windows keeps and how much it caches during normal usage, this "extra wear" IMO is insignificant at best. If this "extra wear is the only potential problem, why all the emphasis on "once is enough"? Too many "experts" adding their 2 cents on something that, if true, is insignificant. IMO, the extent of the "you don't need to do that" responses are disproportionate if using multiple passes "makes no difference". It's enough to convince me to do the opposite and continue multiple pass overwrites on anything I consider sensitive.

On my own PC, the browser cache, history, cookies, specific log files, flash storage locations, and any files I choose to erase manually get multiple passes. Locations overwritten I'll use a single pseudorandom overwrite free space, but that's done after individual files and folders are erased. These and other locations are erased on schedule at least daily or more. While my system isn't typical by any means, I haven't had a hard drive fail due to heavy erasing. The only hard drives I've had fail were under 5GB in size, which tells you how old they were. The absolute worst effect I've had from heavy overwriting is when one of the larger overwriting tasks runs at the same time that I'm gaming. Causes some lag if the game activity is also heavy at that moment.

[Nebulus]

Quote:

Originally Posted by noone_particular

This subject comes up regularly here and elsewhere. When it does, it seems like "experts" from all over start coming out of the woodwork, saying multiple passes are an overkill and completely unnecessary. Perhaps it's the paranoid side of me, but the quantity and nature of those responses set off alarms for me.

Well, I'm going to give you a non-"expert" opinion . What really matters is what kind of data are you storing on your HDD and who is your potential adversary. If you deem the data extremely sensitive, you could overwrite it as many time as you wish (and frankly I wouldn't worry about HDD wearing too much), although as far as I know nobody proved that multiple overwriting will leave less traces when the HDD is analyzed at physical level. The common sense is suggesting it so, it might be a good extra precaution.
Also as a non-"expert" opinion, as far as I know all the tools that the police is using when they are investigating your computer are using simple imaging, so a simple overwrite with pseudorandom data or zeros is enough. If a force higher than police is looking for you, I'd say that overwriting your data is the least of your worries

[noone_particular]

When I said "experts", I wasn't referring to the regular posters here, or to posts, pages, etc from just this site.

Forces higher than the police are already monitoring and/or sifting internet traffic now, under the guise of national security, catching perverts, anti-piracy, etc. The list of what they're looking for is constantly growing. In some countries, just expressing opinions contrary to what the government says is sufficient reason. It's a safe bet that anyone expressing support for individuals or groups like Anonymous, Wikileaks, and others is being watched here and in other places. When Wikileaks released that "insurance.aes" file, care to bet that they tried to keep tract of who downloaded it? Tools like Tor can cover usage tracks on the web, but those same tracks need to be covered on our PCs as well. I'd also bet that their data recovery abilities far exceed what we think is possible. Since there is no real downside to using multi-pass overwrites, I'll choose multi-pass and (if it is truly of no value) err on the side of caution. I'd rather make certain that it not only can't be recovered, but that it it's impossible to determine anything about it (size, age, type of file, etc). Yes, they can look at your hard drive and know that something was erased, but if they can't tell what it was (whether it was a sensitive file or the result of a scheduled cleaning).

[x942]

One-pass of zeros is enough. Technically even force-macroscopy has a hard time recovering data from that. Why?

Force Macroscopy works by using magnetic fields in an attempt to revert the HDD's bits to their previous position. The flaw is that if even one bit is off the entire ASCII translation is ruined. (2 bit's per character). Now if the data was encrypted one bit off = corrupted data. The other issue is you have to recover bit for bit which on a modern HDD is very time consuming, because of how dense the platters are.

So unless you are worried about some with the time and money (they are very expensive too) you can just zero it out, if the data is encrypted you are also fine because worse case is they get encrypted data. (Which just looks like random bits anyways).

I use NSA 7-Pass wipe or DoD 3-pass wipe. Rarely a gutmann level wipe is used but only for very sensitive data. I use a NSA-7 Wipe to futureproof and incase law enforcement did pay a visit. My HDD is encrypted so they can not prove if it has been wiped or is intact (encrypted). It is overkill but I would use it if you are worried about law enforcement, or are selling equipment.

[CloneRanger]

Quote:

Originally Posted by noone_particular

This subject comes up regularly here and elsewhere. When it does, it seems like "experts" from all over start coming out of the woodwork, saying multiple passes are an overkill and completely unnecessary. Perhaps it's the paranoid side of me, but the quantity and nature of those responses set off alarms for me.

Yeah, i've always wondered if "some" of those responses were from people who wanted us to keep wipes to one, for "some" reasons Not just on here but other forums/blogs etc over the years !

Quote:

I'd rather make certain that it not only can't be recovered, but that it it's impossible to determine anything about it (size, age, type of file, etc.

I & others did a few threads testing Traces & Recovery etc. I found that by using Directory Snoop even after cleaning & rebooting, "some" evidence was left If you havn't already, it might be interesting to try it Let us know if you do etc

[J_L]

Where are those threads?

[x942]

Quote:

Originally Posted by CloneRanger

Yeah, i've always wondered if "some" of those responses were from people who wanted us to keep wipes to one, for "some" reasons Not just on here but other forums/blogs etc over the years !



I & others did a few threads testing Traces & Recovery etc. I found that by using Directory Snoop even after cleaning & rebooting, "some" evidence was left If you havn't already, it might be interesting to try it Let us know if you do etc

At least in my case i was referring to DBAN. Does it work in that case as well? I use it with a zero wipe if I am just reinstalling. NSA if something is secret/private or I am paranoid that day. I have tried with photorec and Helix live CD and CAINE. I have even ran HxD over a drive and nothing was left after a DBAN wipe on one pass of zeros.

[CloneRanger]

Quote:

Originally Posted by J_L

Where are those threads?

Hi, here's a couple for you, & i know there are others as well, & from previous years. Other members may remember more threads

http://www.wilderssecurity.com/showthread.php?t=283335

http://www.wilderssecurity.com/showthread.php?t=287160

Quote:

Originally Posted by x942

At least in my case i was referring to DBAN. Does it work in that case as well?

Never used DBAN, but others mention it & similar etc in the links above

[J_L]

Quote:

Originally Posted by CloneRanger

Hi, here's a couple for you, & i know there are others as well, & from previous years. Other members may remember more threads

http://www.wilderssecurity.com/showthread.php?t=283335

http://www.wilderssecurity.com/showthread.php?t=287160

Oh, now I remember. Can't do much about Windows, unless you encrypt the whole system or wipe the entire drive.

[x942]

Quote:

Originally Posted by J_L

Oh, now I remember. Can't do much about Windows, unless you encrypt the whole system or wipe the entire drive.

Very true. Look at IronGeek's research over here as well http://www.irongeek.com/i.php?page=s...e-system-spots it's scary really.

[noone_particular]

Quite some time ago, I read a piece with a title something like "Windows XP is Spyware". Some of it was a bit much but other parts of it were easy to verify. Articles like that Iron Geek page also confirm statements that Windows operating systems are designed to keep records of just about everything the user does, and each new version of Windows takes this farther than the one before. Windows itself obviously doesn't have any need for such usage data, which leads the question:

Just who does need/want this data and why?

There aren't many possible answers to that, but there is a lot of circumstantial evidence. The level of usage data collection has steadily increased since the NSA "helped MS secure Windows". This combined with some questionable behavior changes in Windows make it very difficult to come to any other conclusion. IMO, Win-7 and Vista might be more secure against malicious code (for now), but both make the user very vulnerable to surveillance and intrusions by governments and industry. AFAIC, anyone who values their privacy shouldn't use those operating systems, and should treat XP as suspect and strip out the unnecessary components and services.

[x942]

No offense but this sounds paranoid. How can a backdoor like this work? Any router would block remote access to this (NAT), any hardware firewall would block this as well. This would have been discovered by some one (look at defcon and blackhat and all the people analyzing windows for flaws). At most I can see the PRNG being flawed again. not a true backdoor. MS would be sued to death if that happened.

[CloneRanger]

@ noone_particular

I've also been aware for years of those MS "backdoor" & usage data etc articles. Back in the good ol' 98SE days i made a copy of User.Dat and converted it to a .txt file, BIG one Amongst a host of other things, i was Alarmed to find several peoples email addresses that were Very private to me in there. As i did/do NOT use Outlook/Express or my ISP's email service, only webmail, NO such copies should have been in there. NO such valid reason/s exist, therefore my OS was recording/saving them, Without my approval or knowledge, & for what possible purpose ? Also i Always did/do empty/clean out my cache/history etc etc Every day with several good Apps & Always reboot Every day.

I was also highly suspicious of the NSA'a involvement with both Vista & W7

@ x942

Apart from any "possible" coded in backdoor/s, not saying there is though, they actually don't need one. Anybody who uses Windows Auto Update get's whatever MS delivers to them. Many of these Updates include unnanounced/undocumented "fixes" etc, & have for years. Who knows what's in those ? Not saying there is Anything dodgy, but the "possibility" is definately there.

[noone_particular]

Quote:

No offense but this sounds paranoid. How can a backdoor like this work?

An actual backdoor isn't needed. Windows doesn't have to send the data, just store it. Searching a persons PC for "evidence" is routine whenever a person is accused of most any crime, whether the alleged crime involved a computer or not. With our present laws, no real "probable cause" is required.

As for potential backdoors, UPnP comes to mind. There's already been examples of it being used to reconfigure routers. As for network hardware and its ability to be accessed and possibly reconfigured from the web, I've port scanned the last 3 DSL modems my ISP has sent over. Besides the usual remote access and telnet ports that are open on some of them (and easily closed by configuration), each has also had an upper range port (past 20,000) open. I've found no configuration option that closes them and no information regarding what they'd be for or how to deal with them. The port number was different on each modem. I can't say it's a backdoor but I can't rule out the possibility either.

Regarding backdoors and open ports in Windows itself, look at this thread and explain to me why Win-7 needs to be able to receive incoming traffic on that port. If Windows doesn't need to, why has it been made so difficult to close?

I have yet to see a reasonable answer to my questions:
Why does Windows store so much user tracks and data when it's not necessary to its operation? Since Windows doesn't need it, who does it save this data for? What do you call collecting and storing records of every file a user opens, every site they visit, every e-mail, every app they use, etc, and storing it in more places than the user can imagine so that it becomes nearly impossible for the user to delete it? By any definition I know, the process is called spying and the software that engages in this behavior is called spyware.

CloneRanger,
I did something very much like that and didn't like what I found either. Fortunately it wasn't hard to defeat that on 9X systems, thanks to DOS and a batch file that ran at bootup. From that point forward, there's been more usage data stored that's harder to find and even harder to get rid of without using 3rd party tools and/or accessing it via another OS.

[x942]

UPnP is easy to disable (and I always do disable it on the router and the service). I am not saying it is impossible but if MS was caught, and there is a high chance of that, they would be sued by every business effected not to mention all the class action suits against them.

Now storing for physical search: I will buy that. But I use FDE with PGP so good luck retrieving anything from my PC. I have also hardened it with SRP et al. But it is mostly for game developing for windows. I use linux and Mac OS X as my main platform.

[noone_particular]

Quote:

UPnP is easy to disable (and I always do disable it on the router and the service). I am not saying it is impossible but if MS was caught, and there is a high chance of that, they would be sued by every business effected not to mention all the class action suits against them.

Yes, it's easy to disable, but you shouldn't have to shut down, disable, and/or remove services and components to protect yourself. I would have thought MS would have learned something from Slammer regarding ports being left open unnecessarily, but that thread regarding Win-7 and closing port 135 says otherwise. It shouldn't be necessary to use a firewall to block access to open ports. As for MS being caught, without access to the source code, it would be impossible to tell if it was a legitimate vulnerability or a deliberate opening. It would be labelled a vulnerability, then patched like so many others have before it.

Quote:

Now storing for physical search: I will buy that. But I use FDE with PGP so good luck retrieving anything from my PC. I have also hardened it with SRP et al.

Using encryption to protect data that you choose to store is one thing. Using it to deny access to usage tracks that you can't get rid of is an entirely different matter. This is a complete reversal of its purpose. Instead of protecting your data on the OS, it's protecting you from the data on your OS. It would be functioning almost like an anti-keylogger, but for usage tracks.

Quote:

But it is mostly for game developing for windows. I use linux and Mac OS X as my main platform.

My approach is somewhat similar. I use XP for some gaming and very casual use. Nothing sensitive. When privacy or near anonymity matters, I steer clear of XP and the newer NT systems. I'll use something that allows me to control, access, and erase usage tracks without having to resort to an extensive search or specialized tools to find it.

[x942]

Quote:

Originally Posted by noone_particular

Yes, it's easy to disable, but you shouldn't have to shut down, disable, and/or remove services and components to protect yourself. I would have thought MS would have learned something from Slammer regarding ports being left open unnecessarily, but that thread regarding Win-7 and closing port 135 says otherwise. It shouldn't be necessary to use a firewall to block access to open ports. As for MS being caught, without access to the source code, it would be impossible to tell if it was a legitimate vulnerability or a deliberate opening. It would be labelled a vulnerability, then patched like so many others have before it.

Using encryption to protect data that you choose to store is one thing. Using it to deny access to usage tracks that you can't get rid of is an entirely different matter. This is a complete reversal of its purpose. Instead of protecting your data on the OS, it's protecting you from the data on your OS. It would be functioning almost like an anti-keylogger, but for usage tracks.

My approach is somewhat similar. I use XP for some gaming and very casual use. Nothing sensitive. When privacy or near anonymity matters, I steer clear of XP and the newer NT systems. I'll use something that allows me to control, access, and erase usage tracks without having to resort to an extensive search or specialized tools to find it.

Agreed 100%

[CloneRanger]

Check this out

Quote:

Examination of overwritten files with The Sleuth Kit

Most computer users today are familiar with the concept of overwriting their files instead of deleting them in order to prevent the unwanted recovery of those files. However these same users might not be familiar with what occurs behind the scenes when a file is overwritten. In this article we will save and then overwrite a file on a USB drive, use open source forensic tools to examine the data on the drive and perform some simple data
carving.

The basic process will be as follows: In order to start clean we'll wipe all data from a USB drive and format it to FAT32. We'll then save a single text file on the drive, take an image of this and perform some forensic examination. Then using Eraser we'll wipe the file on the USB drive, take another image and examine it once more. The Sleuth Kit will be part of the forensic tools used.

Using The Sleuth Kit to examine a file that is overwritten on a USB key.

http://rationallyparanoid.com/articl...ith_sleuth.pdf

Test set up as thus -

Eraser v5.8.8US with a DoD 5220.22-M(ECE) 7 pass overwrite method, which uses random data for the last pass. Plus configured to erase the file slack space "Cluster Tips" too.

Either that version of Eraser is/was faulty, and/or the tester messed up, or worst of all, the 1 pass is OK advice over the years was/is just plain wrong So now what to do, & not with USB drives/sticks ? I wonder if it ONLY applies to Flash memory/drives etc ?

[J_L]

Only way to find out is to have multiple sources. Why don't you try it yourself?

[noone_particular]

I'm not sure how much using a USB stick instead of a hard drive affects the results, but I'd be interested to see that test repeated using Eraser version 5.7.