Is 35-Times Gutmann Secure Disk Wipe Really Necessary?

Discussion in 'privacy technology' started by Please Help Me, Dec 11, 2012.

Thread Status:
Not open for further replies.
  1. Please Help Me

    Please Help Me Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    64
    Or is a 1, 2, and/or 7 times Secure Disk Wipe good enough for eliminating all the unnecessary free disk space?
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,778
    Location:
    Texas
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    35 passes is 34 more than necessary. I'd wipe twice if you're incredibly worried.
     
  4. Please Help Me

    Please Help Me Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    64
    I am doing 7 right now with TrueCrypt (in the process of creating a Hidden OS) and three right now with CCleaner cleaning up my C-drive's free space. I think that should be more than sufficient, don't you think?
     
  5. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I don't think CCleaner will do all the necessary erasing of specific things like cluster tips. Eraser will though. All that being said, you neither want to wait out a 35 pass erase on a large drive, nor do you need to. If I were an enemy of the state, or the largest pedophile the world had ever seen, I'd still only erase twice and then do my best to physically obliterate the drives and dump the shards a few miles away in the woods.

    Forensics tools and professionals can do amazing things these days, but even the heavy duty toys like electron microscopes are pretty much screwed after the first, thorough pass. If we're talking about an SSD drive, it's a little bit more difficult.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If I were keeping super sensitive info I'd be encrypting anyways. My suggestion is to encrypt from the beginning.
     
  7. Please Help Me

    Please Help Me Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    64
    I do use TrueCrypt. This is just my first time encrypting my entire hard drive. I used to only encrypt USB sticks and partitions on my HDD. Just not the whole thing.
     
  8. Please Help Me

    Please Help Me Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    64
    Isn't that a contradiction? First you say, two passes isn't enough to permanently shred data since you should probably destroy the physical medium to prevent data from getting recovered, and then you contradict yourself by saying that two passes is enough to even dumbfound professional forensic tools. How is an SSD drive a little bit more difficult? In what respects is it a little bit more difficult?

    I am now using 3 passes. Even 7 passes takes too long. Let alone 35 passes. Which is obvious overkill. :D
     
  9. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    What I don't understand, then, is why 35 passes was created.
     
  10. Please Help Me

    Please Help Me Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    64
    Probably for the uber-paranoid who want to delete all traces of secret info from their storage mediums without destroying their storage mediums.
     
  11. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I'm not being contradictory at all, I was looking at it from the standpoint of a not so technically inclined, hyper-paranoid criminal. The truth is, one pass will do the job just fine.

    On to SSDs: http://arstechnica.com/security/2011/03/ask-ars-how-can-i-safely-erase-the-data-from-my-ssd-drive/. They operate differently than the old tried and true mechanical drives.

    Yeah, 35 passes on what one could consider a decent sized drive today would take hours upon hours. Enough time that if you suddenly found the need to perform it, it's quite likely you'll have your door busted in before the process can finish.

    @Acuariano: The Gutmann method came about because of warnings by Peter Gutmann about data being recoverable by these microscopes. No concrete data was ever given as practical proof, and it's generally widely regarded as impossible to do.
     
  12. Please Help Me

    Please Help Me Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    64
    Thanks for the info. I don't fall under that uber-paranoid category thankfully, and I don't need to clean up the free space of an SSD drive.
     
  13. It's all a moot point anyway, they will come at you other ways if they know (AND THEY DO KNOW) you use encryption or shred your drives with DBAN. Like a poster already said, it will be too late to shred the drives because I doubt you will have the opportunity to erase the drives with a gun in your face.
     
  14. Please Help Me

    Please Help Me Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    64
    I guess that means 1-pass or if you want to be safe MAYBE 3-passes (not that it would make that much of a difference compared to just 1-pass). I guess any more would be overkill.
     
  15. I don't use DBAN, I use BC Total WipeOut (erases DCO/AHO, which DBAN does not; lots of nasty things can hide in DCO/AHO, like malware) and Bruce Schneier's 7 pass algorithm, but that's overkill.

    And if you're that special that they need to use an electron microscope on you, then they will come at you in other ways first.
     
  16. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126
    It doesn't matter how many dozen times you disk wipe. Computer forensics will still find incriminating evidence because the hard disk is not encrypted.

    Second, even if the hard disk is encrypted, users always make the mistake of leaving tiny unallocated spaces (because of the normal partition method).
     
  17. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    OK, so this mistake occurs during FDE. How is it exploited, and how is it avoidable on a Windows system?
    Thanks
     
  18. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    With regard to encryption: if you got a brand new hard disk and the first thing you did after installing Windows was to encrypt the entire disk with, say, TrueCrypt, does that mean that any data you delete in the future cannot be recovered?

    I presume it can be recovered but the deleted data which they recover would be encrypted? But would the data really be encrypted? Because while you are viewing the file on your desktop prior to deletion it is unencrypted, or does TrueCrypt encrypt it again when you delete the file?
     
  19. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Encrypted or not, there is no known way to recover data that has been properly overwritten or an entire drive overwritten currently. Period. Peter Gutmann's 1996 paper is the only source of doubt, and no other sources have backed it up. Forensics is a science, not a magic wand.
     
    Last edited: Dec 12, 2012
  20. happyfood

    happyfood Registered Member

    Joined:
    Oct 31, 2011
    Posts:
    7
    The argument about x time being enough seems to assume that the software is working as expected. This is a very dangerous thing to do.


    First off, you have to count on software bugs, since no code is perfect, plus the endless options of hardware and such. Does this software properly support/discover all of my drive? And can I even trust what it is telling me about having wiped the whole thing now? Maybe the software even reports something that looks correct to you (hey, we found this much space on your hard disk... and even reports successfully overwriting it all) but still misses some part of the drive (maybe due to some bug in the code), and you could end up with a partially overwritten drive.

    Maybe running the software 3 times instead of once would solve this? But safer is probably to run different software for this purpose. Think of it as anti-virus software: why do so many use software such as MBAM if they already have Norton? Because the second scanner can sometimes find what the other misses.

    Personally I think at least 3 programs should be used to ensure a somewhat safe delete of the data when selling the computer.

    1) dban-1.0.6 (for paranoia, some claim any version of dban after this was crippled due to wanting to push the corporate edition of dban called eban, so we start with what people say isn't crippled).
    2) dban-2.2.7 (latest version, might have bugfixes but could also have holes or intentional flaws?).
    3) Wipe my disk (we can't just put all trust in one manufacturer? http://hddguru.com/software/Wipe-My-Disks/ )
    4) Secure erase (all data should be wiped by now hopefully but this software was once backed financially by NSA, it's supposed to work a bit differently than dban, it unlocks + runs some BIOS erase command to make a secure wipe.. http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml )
    5) Get a Linux distro on a USB stick or some CD and try its options for data deletion (described here: http://how-to.wikia.com/wiki/How_to_wipe_a_hard_drive_clean_in_Linux )

    As for Dban I would run a 3 or 7 times wipe scan probably, just let it run over night if it takes a lot of time. :thumb:

    Now you think that the data is gone, but you have not confirmed it. For confirmation that the data is in fact wiped I suggest running recovery software to really confirm that the software you are trying to fool won't find anything. There are so many tools for this, but here are some suggestions:

    1) Install Windows.
    2) Install Recuva (http://www.piriform.com/recuva), let it run a deep scan and scan for just everything; if it finds nothing of value then that is a good start.
    I would probably be satisfied at this point personally as long as nothing was found. But you can never be too safe when it comes to deleting personal nude pictures, if you want you can test other recovery tools as well, google them. :-*
     
    Last edited: Dec 12, 2012
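The concern raised in the post above, that a wipe tool can report success while missing part of the drive, can be checked directly after a final zero-fill pass. The following is an added example, not part of the original thread: it scans an image or raw device read-only and lists every block that still holds non-zero bytes. The function names, the 4096-byte block size and the sample image are assumptions made for the illustration.

```python
import os
import tempfile

BLOCK = 4096  # scan granularity in bytes (assumption; any sector multiple works)

def find_nonzero_ranges(path, block=BLOCK):
    """Return (ranges, total): merged (start, end) byte ranges of blocks that
    contain any non-zero byte, and the number of bytes scanned."""
    ranges, offset, zero = [], 0, bytes(block)
    with open(path, "rb") as dev:  # read-only: never modifies the target
        while True:
            chunk = dev.read(block)
            if not chunk:
                break
            if chunk != zero[:len(chunk)]:
                end = offset + len(chunk)
                if ranges and ranges[-1][1] == offset:
                    ranges[-1] = (ranges[-1][0], end)  # extend adjacent range
                else:
                    ranges.append((offset, end))
            offset += len(chunk)
    return ranges, offset

def wipe_report(path, block=BLOCK):
    """Summarise how much of the target was left un-zeroed and where."""
    ranges, total = find_nonzero_ranges(path, block)
    dirty = sum(end - start for start, end in ranges)
    return {"bytes_scanned": total, "bytes_not_zero": dirty,
            "ranges": ranges, "clean": not ranges}

def make_sample_image():
    """Constructed sample: a 64 KiB 'disk' where a buggy wipe skipped two areas."""
    data = bytearray(64 * 1024)
    data[8192:8192 + 11] = b"secret data"   # leftover fragment mid-disk
    data[-4096:] = b"\xAA" * 4096           # last block never overwritten
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    img = make_sample_image()
    try:
        print(wipe_report(img))
    finally:
        os.remove(img)
```

A scan like this only sees what the operating system exposes, so HPA/DCO areas and remapped or over-provisioned SSD blocks are outside its view, and it cannot validate a random-data pass.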
  21. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    A simple 1 pass is enough; if you're paranoid enough, just do a 3 pass as mentioned. Use the above methods like dban on non-HPA/DCO drives without bad sectors, so those can be securely cleaned with dban. Everything after, you should indeed use programs that erase the HPA/DCO, just to make sure. Usually nothing userdata-wise gets written to those, though, except if you've gotten a virus or you've bought a prebuilt system. Good practice is to encrypt the drives before you do anything and make sure, for fresh OS installs considering Windows, to merge the "unallocated space" aka MBR with the OS partition. All you gotta do is delete the 1st partition after the 100 MB system partition, then simply select merge and you're good to go. No sledgehammer nor thermite required, lol, and no unencrypted spaces storing userdata.
     
    Last edited: Dec 12, 2012
  22. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    I think single pass pseudo-random overwrite is more than enough for most users. It's what I do before I sell storage mediums or laptops.
    In theory, if you don't know what tools were used for the erasing, it's very hard to reconstruct the data back.
     
  23. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    If there was very sensitive data on my HDD that needed to go, I would use the Russian GOST erase algorithm which is x2 passes. I would then use a follow up of x1 pass with 0x00000000 so the drive looks normal and like it has nothing to hide which pretty much equals x3 passes, x2 GOST and x1 0's. Good erasing and also stops the drive from looking suspicious, no need for physical destruction.
     
  24. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    I've been using the old Maxtor low-level format tool (zero fill) for years.
    After three full passes, I am unable to recover any intelligible information from an unencrypted SATA drive using Recuva.
     
  25. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi arran,

    What you are looking at when you view the file prior to deletion is a buffer in RAM of the unencrypted file as decrypted from the encrypted disk file.

    When a file is deleted, the delete function in the OS simply marks the space occupied by the file as reusable (removes the pointer to the file) without immediately removing any of its contents. I suspect the same may be true in a TrueCrypt volume, but never having used TrueCrypt - I do not know. Even if it does, which I suspect it might, the data content left in the now freed up space on the disk was encrypted anyway. This is a problem for unencrypted sensitive data left on a hard drive which has not been wiped, but should not be a problem for encrypted data unless someone other than the owner knows how to decrypt it, which is unlikely.

    -- Tom
     