Does full drive encryption make scrubbing obsolete?

Discussion in 'privacy technology' started by Ulysses_, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    In a regular unecrypted drive, scrubbing the sectors occupied by a deleted file ensures the file cannot be recovered.

    In a bitlocker encrypted drive, is it enough to overwrite the deleted file once - no additional passes are needed because the sectors cannot be seen by the recovery tool?

    Note: adversary has password.
     
    Last edited: Oct 29, 2013
  2. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    1 pass is more then enough to completely get rid of any files or data, tried this many times now and attempted my own data recoveries with no success at all.

    All you may find are files with 0000xs at most with 1 pass overwrite simple even with ccleaners tools "drive wiper" does the job fine just remember to select entire drive and not free space.

    Still to answer your question FDE is pretty much the same thing, all any adversary would find is random data... as suggested by true-crypt documentation on their site.
     
  3. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    If the attacker can decrypt, then yes, secure deletion would be needed. 1 pass is enough for modern drives.

    PD
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    No way when you can still access the data via recovery tool after decryption. Just try something like Recuva yourself. One-pass is 100% effective, any more is only practical for checking if all sectors are working (including the zeroes).
     
  5. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    If one overwrite is enough, then why does Recuva have an option to overwrite 3 times ("DOD 5220.22-M"), or 7 times ("NSA"), or even 35 times ("Gutmann")?

    Is there anyone here familiar with a tool capable of reading the same sector in different ways to recover previously written data that has been overwritten?
     
    Last edited: Oct 30, 2013
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Widespread myth and popular misconception, except for the stress testing reason I gave above. Maybe future-proofing, but I doubt it's worthwhile.

    The data was zeroed out. What do you expect to rebuild from unproven leftovers without prior knowledge?
     
  7. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Maybe the Gutmann link above says what chunks can be rebuilt?
     
  8. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    I use to run 35 pass gutmann :eek:

    Waste of time really.... 1 pass overwrite has always been perfect its fast and does the job.

    If you really wanted to confirm this, you could test it on a pen drive or separate hdd. Put 100s of files on it, then wipe it with 1 pass (simple overwrite) on ccleaners drive wiper tool.

    Then run recuva deep scan on the it, you won't get anything back.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Into the exact same incriminating data from incomplete scattered little chunks (without prior knowledge)... right. There has been no practical evidence of any recovery anywhere close to the original state.
     
  10. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Guttman wrote that over a decade ago. I believe he's since said 1 pass is enough. SSD's write a zero all by themselves with TRIM...forensics guys soiled their undergarments :D

    PD
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Bitlocker is M$ = you said you have a current adversary!!!!

    OK as a "tin foil" privacy guy Bitlocker and Security don't even go in the same sentence. Can't prove it but almost all strong security minded folks here have their suspicions right along with me. My .02

    Assuming I am wrong (and I want to be) then a one pass will totally do the job. Pull out the Eraser code and give it a look. Its gone.
     
  12. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    oh my was not aware of this, no wonder why running data recoveries on my ssd for vboxes and other stuff was resulting in nothing or 0s !
     
  13. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    If a modern hard drive is taken to a lab where access is obtained to the analog signals or the head can be displaced slightly, is there no trace of previous writes in the magnetisation that show up in the analog signal as suggested in the Gutmann link with old hard drives?
     
  14. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    No.

    My question is why you bother with FDE and then use it like a non-FDE and concern yourself with residual data?
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Cause FDE isn't as foolproof as overwriting sectors. Why give them a chance for data you never want to see again?
     
  16. DesuMaiden

    DesuMaiden Registered Member

    Joined:
    Jan 25, 2013
    Posts:
    534
    Why are you using bitlocker? Use truecrypt. Bitlocker contains backdoors you know?
     
  17. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Alright, will try bestcrypt instead. Or drivecrypt. But not truecrypt because of lack of support of UEFI drives.

    Actually my motivation for FDE is not so much privacy as a password can be key-logged or beaten out of the user. The motivation here is the ability to scrub files quickly, with just one overwrite. It has to be orders of magnitude harder to extract meaningful chunks of overwritten data from an encrypted sector - a sector's previous versions can never be extracted in full, just traces, and just one bit error makes it impossible to decrypt the rest of an AES block.
     
    Last edited: Nov 1, 2013
  18. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Does tc not support booting off 3 or 4 tb hdds then ?
     
  19. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    A question I have is whether full drive encryption or wiping- regardless of the number of passes- truly renders the data unrecoverable ? If the Host Protected Area or Device Configuration Overlays remain unaltered, isn't it possible to access supposedly inaccessible data ?

    Does True Crypt, Bitlocker, or any other encryption software effect the HPA or DCO so to make them unreadable ?

    Which applications other than BC Wipe, PartImage, and HDDErase can reach and securely erase the HPA and DCO ?
     
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I don't think those store exact copies (or anything related in most cases) of what you shredded, unless manipulated.
     
  21. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    ...and good OPSEC dictates that after the OS, the first thing you do is encrypt...that way, no personal data ever hits the drive unencrypted. Some guys go the route of doing that on one drive, and then doing a sector by sector image and applying that to a fresh drive.

    PD
     
  22. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    I like the idea of having no "sensitive information" hit the device in unencrypted form. However, that would not only include personal files but things like unique identifiers generated/stored during OS installation, account names created, and various other configuration options. So arguably, we'd want FDE active even before the OS is installed.
     
  23. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    was testing the above idea earlier, people often suggest to FDE the entire drive and then install the os, but obviously depending on set up its tricky to decrypt and then install cleanly...

    Ill have to give it a bash further, may need to change boot sequence to bootloader > cdrom and see if it allows to continue booting..... and that windows detects it decrypted !

    Either that or image based recovery, but its best to reinstall cleanly if you can.
     
  24. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Have you tried bestcrypt (free trial)? Apparently, bestcrypt intercepts drive access at a lower level, it has a pre-boot operating system that runs a stub at all times. Not sure if truecrypt does this, it modifies the windows drivers instead.

    Here's what the bestcrypt boot prompt looks like:

    http://www.jetico.com/web_help/bcve3/
     
    Last edited: Nov 2, 2013
  25. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    To add one more thing...

    I think a critical piece to the arsenal, if you will, is a boot-to-restore application like Deep Freeze, etc. I was one of the first members to ever bring this subject up here at Wilders in 2004 and it was controversial to say the least. Most everybody here had never heard of this kind of software (light virtualization). Today, I think it's more critical than ever. Once you have that "perfect system" and you know it's clean, create your frozen system. Use it in combination with TC (be careful, some products do not play well with Truecrypt).

    You then use either A) Portable drives to save data B) Encrypted partitions to save data. C) would have said a networked system at one time, but no more. Only the programs and system files on the C: drive. Period. More important to have this layer today than ever before.

    This layer eliminates a lot of concern over the encrypted system drive and its remnants - as they are gone (for MOST purposes) at reboot using the right boot-to-restore tools. Multi-Snapshots are out. Simple Boot-To-Restore is now a crucial layer.
     
Loading...
Thread Status:
Not open for further replies.