Parted Magic + dban will not erase data from HDD?

I was over at a good friends house this last weekend, he and his wife had a BBQ and invited me and some of his other friends over. There was one guy there that I had never met and after talking to him for a little bit I find out that he works for a computer forensics company and actually does recovery work.

He talked for a bit about some of the interesting things he's come across while recovering data from drives. At one point I asked him if his company has every recovered data from a wiped drive and he told me that they can recover data no matter how a HDD is wiped. Said that physical destruction is the only way to keep data from being recovered.

I told him my method for wiping data before selling/donating any personal computer and he claimed that his company could retrieve most if not all data even after a through wipe. My method for wiping any personal PC before selling/donating is as follows: first I run parted magics internal secure erase command "enhanced" method and secondly after that finishes I run dban 2.2.6 dod 7-pass. HDD's have no bad sectors and do not show any errors while running dban.

I was under the impression after doing quite a bit of research on wiping drives that even one pass from dban or similar programs would make data on a drive unrecoverable. Was this guy telling me the truth or just full of crapola?

 

Depends... If he works for NSA just assume they can recover it with ease. If he works for the local council he's full of ****.

Use BCWipe Total WipeOut instead of DBAN, It "can wipe Host Protected Area (HPA) on hard drives" & "identify the number of sectors hidden by the Device Configuration Overlay (DCO) function (present since ATA-6 standard) and can wipe the DCO hidden sectors."

DBAN can't do those 2 things

 

He's FOS. Cool guy points at a party with "look what I know"... JMHO. You should have given him Peter Gutmann's number (who has since stated that on modern drives, one pass is enough).

Good gouge on 'Total Wipe Out'...didn't know it could do the HPA and DCO...pretty cool.

PD

 

Not true, the same principles apply here. To the OP, the only way I can see data still being kept is if bad sectors were present that have been blocked off, or if the devices he examined, the person in question had wrote data into the HPA/DCO of the drive...otherwise the steps you mentioned are enough to wipe a non-solid-state drive.

 

Thanks for the replies/info, was kinda thinking he was full of sheet just not 100% sure. Went ahead and got BCwipe to try.

 

It depends on the type of drive. If it is a solid-state, he might be telling the truth. If it is a typical ERPML spin drive, he is full of it. You aren't going to recover any significant data after a spin drive has been overwritten, it's just not possible. The laws of physics sort of prohibit it.

 

He said that he could recover data from a regular HDD after it had been wiped.

 

SSD's are *different*, but it isn't a given that they are worse to use, from a forensic recovery standpoint:

http://news.techworld.com/security/3263093/ssd-fimware-destroys-digital-evidence-researchers-find/

...and some good comments here, including from the author of the Australian study:

http://hardware.slashdot.org/story/11/03/01/1740240/ssds-cause-crisis-for-digital-forensics

PD

 

Thanks to all for these comments. I wanted to ask: What about things like HDDErase that is supposed to use the secure erase command, doesn't that take care of HPA and DCO as well?

 

http://tinyapps.org/docs/wipe_drives_hdparm.html

PD

 

I wonder if after a hdd is wiped, if it is possible to also wipe the firmware on the hdd?

Anyone know?

I assume that if the data on the hdd is wiped and then the firmware - not even NSA would be able to do a forensic recovery because with the firmware wiped (it would also include the map of bad sectors on the hdd), that at best any recovery would be speculative at best and not be foolproof due to plausible deniability.

Of course, this is all conjecture on my part as I really do not know.

-- Tom

 

id say if you dont have any bad sectors wich dban wont even complete then anyhow , you should be good to go , if thou for any reason dban does not complete succesfully youll have to get BCWipe Total WipeOut or similar program as already suggested

 

Not sure why people keep putting the NSA into some form of "Cyber God" status here...that being said yes you can corrupt/go after the firmware of drives, but that is only if you don't intend to use them again. There are several firmware erasing options I personally recommend:

Option 1: You can perform a rotational /linear swing technique on the device

Option 2: There is also an attraction/repulsion method

Option 3: Last my personal favorite

All 3 options are guaranteed to help remove any firmware left on your hard drive. Option 4 requires a thermonuclear device and the entire first season of Macgyver.

 

same i was thinking not good idea to remove the firmware if wanted to be used again xD

 

The question of firmware removal/wiping can also be followed up by flashing a new alternative firmware onto the hdd in order to use it again independent of the original firmware.

-- Tom