Gutmann’s 35-Pass Overwrite Technique

Discussion in 'privacy technology' started by Pleonasm, Apr 27, 2008.

Thread Status:
Not open for further replies.
  1. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Full Disk Encryption (FDE) is increasingly being adopted by hard disk drive manufacturers (e.g., Seagate and others). Since all data are always encrypted, there is no need to wipe the contents of the drive at all (assuming that a secure passphrase is utilized).

    Traditionally, however, FDE hasn’t worked well in conjunction with image backup applications (e.g., Norton Ghost 14 by Symantec or ShadowProtect Desktop 3.2 by StorageCraft). Until that problem is solved in a realistic and practical way, then (for me at least) FDE isn’t a viable option.
     
  2. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    TrueCrypt System Encryption seems to play mostly-nice with Acronis.

    I have used Acronis to backup/restore a TC system encryption and it works just fine. The key to remember is you need to back up the cleartext files, not try to back up the encrypted data (sector by sector from outside the booted system).

    Use Acronis password protection, which I believe uses AES to encrypt the image, or you can put the image on media otherwise secured. Why do a cleartext? 1) Backup location only needs to be the size of the data being imaged, not the size of the entire volume. 2) Encryption can't be compressed.
     
  3. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    KookyMan, that is very interesting. To clarify, are you saying that you created an image of a Windows system partition that is fully encrypted by TrueCrypt from within Windows – and successfully restored it using Acronis True Image?

    My experience is that problems arise when you attempt to restore that image, since the pre-boot authentication is expecting the disk to be encrypted – but, the restore will deposit only the plaintext version of files on the volume.

    Thank you.
     
  4. Kribe

    Kribe Registered Member

    Joined:
    May 14, 2008
    Posts:
    6
    Location:
    Travel Regular
    Interesting topic. I would love to read some technical information on this, as in-depth as possible would suit me well.

    If memory serves me correctly, the DoD used iLook and dcfldd for a long while, and yes, they do claim that the tools can identify possible patterns of data wiped away from the disk magnetic surface although more complicated equipment is needed to actually recall it enough as readable -- e.g., through scanning of atomic and magnetic patterns and comparing the original magnetic strip to the now altered, (etc).

    I am pretty sure there was a white paper on this but it has since been removed. Ibas based in UK published it around 2002. The link to the paper was part mentioned here: http://www.derkeiler.com/Newsgroups/alt.computer.security/2004-03/0354.html

    EDIT - Found the paper: http://whitepapers.zdnet.co.uk/0,1000000651,260285576p,00.htm?r=7

    Nearly all of the claims for that actually being possible rely solely on brute forced methods which do not have any empirical testing outside the scope of governmental institutes published, and a large chunk of them were referenced in Gutmann's original paper. The problem with this call is, every discovery literally comes from these Top Class confidential scientific departments so chances are very high they can have something you are unaware of because they want you to remain unaware of it simply stated. I know the crime departments working in terrorist branches within the UK have access to some very advanced and little publicly known techniques for data retrieval since I've come across them a few times but it really is way beyond my knowledge or position to understand or comment on it and I don't even know if the techniques work successfully, but only know they were being trialed at least in two branches.

    However, that's just one side of the hip... I work within a sub-division of a government medical department and quite obviously data security is a profoundly major concern of ours especially since the last two years where corporational civilian, law and government hacking has now risen dramatically. To be totally honest, we [mainly] use these tools by Intelligent Computer Solutions for drive duplications, backing up, data sanitization and scrubbing: ImageMASSter 6007SAS and IM WipeMasster

    A rather outdated short review of the IM WipeMasster is here: http://www.eweek.com/c/a/Storage/IM-WipeMasster-Gives-Data-the-Clean-Sweep/1/

    We've used them for a long while now. Personally speaking, and for most of my colleagues... we do not believe you can retrieve any useful data once the above or any similar sector scrubbing technique has been implemented successfully. Hardly anyone in our industry does and that is exactly the reason why we use these methods daily, because it has assured us 100% data confidentiality, security and sanitization. Till this day, and with many attempts, there has not been a company of many acclaimed which we commissioned, who follow the Association of Chief Police Officers and The National Hi Tech Crime Unit's guidelines for digital evidence recovery, that has been able to successfully retrieve data we wiped using the above method and we have issued internal testings many times to evaluate our security risks and areas of weakness, given our professional industrial nature. I do not believe it is possible to retrieve the data as claimed by some, no, and if there was, the above linked companies would very easily be out of business by a while now with security breaches happening daily (yes, attacks to retrieve wiped data such as these are extremely common in corporations and within government departments as even the slightest data is highly valuable). I think it is purely a scare tactic, in other words, FUD by preying hard on our ignorance of the higher powers. I think firms prey on our ignorant paranoia to withdraw profit with services such as these. That all said, I would love to see myself proven incorrect and enlightened.

    Alina
     
  5. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Is that even the issue with SSD drives? Do they still even need to be wiped?
     
  6. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    The same statements generally hold - file deletion is not really active removal of content, it's just a resetting of its storage state until the space is reclaimed by some other/unrelated activity. If you want the content gone - a wipe of the contents is a prudent measure, although once is enough (IMHO, this is also true of current technology HDDs).

    Blue
     
  7. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    They are totally different technologies. I can understand wiping it once as your operating system doesn't actually remove it. But once it is wiped it should be gone right?
     
  8. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    In an SSD the answer is an unambiguous yes since one can't appeal to mechanically based tracking variations as a source of residual ghost signatures that can, in theoretical principle, possibly be harvested. I was simply emphasizing that the same operationally holds for current generation classical HDDs as well.

    The commotion on this whole discussion is really misplaced. If one is worried about information remaining on a drive for any reason, virtually any approach that overwrites that file space one or more times should yield the same result, and overwriting more than once is simply wasted effort.

    What isn't always addressed by this step are all the locations on that HDD where information derived from that file, either in its entirety or simply via the filename or metadata, may be transiently located and eliminated by a classical file deletion. Unless those locations are also actively wiped, information remains resident on the device and can be harvested. 35 passes or 4,206,309 passes isn't the real issue, one pass will do it. Unhandled residual copies of information (in free/slack/file system zones) is where the focus should be if you wish to have something to dwell upon.

    Blue
     
  9. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    BlueZannetti, thanks for adding some perspective to the discussion. I don’t think that anyone would argue that the completeness (i.e., comprehensiveness or thoroughness) of the scope of the erase operation is the more important facet. Stated differently, ensuring that all privacy traces – wherever they may reside - are erased is more important than how they are erased (i.e., number of overwrite passes).
     
  10. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Excuse me for asking, how long would US DoD 5220.22-M take on an 80GB hard disk?

    I plan on using it next month to bring my hard disk to a clean condition, as a new OS will be installed on it :)
     
  11. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PiCo, you don’t need to erase/wipe the hard disk drive in order to install a new operating system. Simply reformat the partition.

    If, however, you still wish to erase the hard disk drive, the duration will depend on which software utility you are using and the speed of your PC. In my own case, my erase speed is about 3GB/minute (on a HP xw4600 Workstation with 15K RPM SAS drives), based upon a simple one-pass overwrite of free space with random bytes.
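
A one-pass random overwrite with a read-back check, plus the duration estimate asked about above, as an added example that is not part of the original posts. The file contents and marker are constructed, and applying the 3GB/minute figure from the post to an 80GB disk is an assumption.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # work in 1 MiB blocks

def overwrite_once(path):
    """Overwrite every byte of an existing file in place with random data (one pass).

    Assumption: the filesystem rewrites blocks in place. Journaling or
    copy-on-write filesystems and SSD wear-levelling can leave old blocks elsewhere.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            f.write(os.urandom(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the new bytes out of the OS cache to the device
    return size

def contains(path, marker):
    """Verification read-back: does `marker` still appear anywhere in the file?"""
    tail = b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if marker in tail + chunk:  # tail catches a marker split across two reads
                return True
            tail = chunk[-(len(marker) - 1):] if len(marker) > 1 else b""
    return False

def wipe_minutes(disk_gb, gb_per_minute, passes):
    """Duration estimate: every pass rewrites the whole disk once."""
    return disk_gb / gb_per_minute * passes

def demo():
    marker = b"CONSTRUCTED-SECRET-RECORD"  # constructed sample data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        # Place the marker across a 1 MiB boundary to exercise the read-back logic.
        tmp.write(b"\0" * (CHUNK - 10) + marker + b"\0" * 4096)
        path = tmp.name
    try:
        before = contains(path, marker)
        size = overwrite_once(path)
        after = contains(path, marker)
        same_size = os.path.getsize(path) == size
    finally:
        os.remove(path)
    return before, after, same_size
```

At the assumed rate, `wipe_minutes(80, 3, 3)` gives about 80 minutes for three passes and `wipe_minutes(80, 3, 35)` about 15.5 hours for 35.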
     
  12. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    I have a messed-up MBR actually and the hard disk has a lot of corrupted data on it due to previous bad OS installs/uninstalls, so I thought what the heck?
    I have the time, I have the software (Active KillDisk), why not go on a full erase?

    It's an 80GB Seagate SATA drive, which I use to install only the OS. I think it will be a nice experience :argh:
     
  13. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    I have read reports of hard disk drives experiencing a fatal thermal overload during a disk-intensive, multi-pass erase. Thus, it would be wise to first check that your disk is operating within its proper thermal parameters by using a utility such as SpeedFan. If your disk temperatures are running “high,” then improve the air flow in the case or reconsider the decision to run a full disk erase.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'm curious because software eraser is limited in scope AFAIK no matter the algorithms or passes for a full sanitized wipe of the metal platter, so what's anyone's thoughts on applying a mobile type of magnetic degaussing for home and office use if any exists, or even a garage project to fully eliminate any and all previously written data on a hard drive.

    It's a simple matter to pull the lid off, and if you could degauss the platter safely, I wonder if that's something possible or not, or would that process simply destroy the usefulness of the drive ever again.
     
  15. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Hmm I use PC Wizard 2008 and hard disk temperature never got above 30°C, cause I even have a fan cooling it.

    DoD makes 3 passes so I guess it is pretty safe, but I wouldn't know about Gutmann’s 35-Pass Overwrite Technique. It would probably need 1-2 days to complete.
     
  16. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I understand. It seems to me that the best solution is really to use whole disk encryption. That way there won't be any redundant copies.
     