The Science of Data Recovery
By dcb on Mar 08, 2005
Chris Gerhard made an offhand comment about the fact that disk scrubbing simply hinders (doesn't necessarily prevent) a motivated attempt to retrieve information from a disk drive. Disk scrubbing is the process of (attempting to) securely erasing a disk to prevent others from accessing previously stored information. This is typically done by writing (possibly multiple times) random data over the entire surface of a disk.
Since I work with various government accounts/agencies/programs, this is an area of interest to me and some of my clients.
You might think that a digital medium designed to store only zeros and ones would be immune to forensic recovery of residual data once the zeros and ones are randomly altered. The fallacy with this is that magnetic storage is not a digital medium at all. Magnetic domains are created when the read/write head applies energy to a bit location to align some (not all) of the particles to reflect either a zero or a one. The precise location of the "domain" for each write varies slightly in three dimensions (including depth). This reality provides interesting opportunities or risk (depending on your perspective).
A colleague (thanks Joe) pointed me to a fascinating report on techniques involved in recovering data from ostensibly erased disks and computer memory. This is amazing and spooky stuff for the technically inclined. Here is another report (thanks Kurt) that's also very interesting and enlightening. Joe also pointed me to the website of Prof. Gutmann, who has a lifetime of security-related knowledge to share!
Here are a few brief excerpts (read the article for context):
When all the above factors are combined it turns out that each (disk) track contains an image of everything ever written to it, but that the contribution from each "layer" gets progressively smaller the further back it was made. Intelligence organisations have a lot of expertise in recovering these palimpsestuous images.
To effectively erase a medium to the extent that recovery of data from it becomes uneconomical requires a magnetic force of about five times the coercivity of the medium... (a modern hard drive has a coercivity of 1400-2200 Oe).... Even the most powerful commercial AC degausser cannot generate Oe needed for full erasure. It may be necessary to resort to physical destruction of the media to completely sanitise it (in fact since degaussing destroys the sync bytes, ID fields, error correction information, and other paraphernalia needed to identify sectors on the media, thus rendering the drive unusable, it makes the degaussing process mostly equivalent to physical destruction).
One example of an adequate degausser was the 2.5 MW Navy research magnet used by a former Pentagon site manager to degauss a 14" hard drive. It bent the platters on the drive...