[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apple mini

Hello,

On Thu, Jan 09, 2020 at 12:11:54PM +1300, Ben Caradoc-Davies wrote:
> If you need to protect against an attacker willing to examine your HDD with
> magnetic force microscopy, there is no substitute for physical destruction
> of the media.

Even then it's unnecessary! No has ever recovered usable data from a
modern (less than 15 years old) used HDD after a single pass of
writes. A study was done with 2006-era drives and magnetic force
microscopy (MFM) between 2006 and 2008:

    https://www.vidarholen.net/~vidar/overwriting_hard_drive_data.pdf

    "4   Conclusion

    The purpose of this paper was a categorical settlement to the
    controversy surrounding the  misconceptions involving  the
    belief  that  data  can  be  recovered following  a  wipe
    procedure.  This  study  has  demonstrated that  correctly
    wiped  data  cannot  reasonably  be  retrieved even  if  it  is
    of  a  small  size  or  found  only  over small  parts  of  the
    hard  drive. Not even with the use of a MFM or other known
    methods. The belief that a tool can be developed to retrieve
    gigabytes or terabytes of information from a wiped drive is in
    error.

    Although there is a good chance of recovery for any individual
    bit from a drive, the chances of recovery of any amount of data
    from a drive using an electron microscope are negligible. Even
    speculating on the possible recovery of an old drive, there is
    no likelihood  that  any data  would  be  recoverable  from  the
    drive.  The  forensic recovery  of data using electron
    microscopy is infeasible. This was true both on old drives and
    has become more difficult over time. Further, there is a need
    for the data to have been written and then wiped on a raw unused
    drive for there to be any hope of any level of recovery even at
    the bit level, which does not reflect real situations. It is
    unlikely that a recovered drive will have not been used for a
    period of time and the interaction of defragmentation,  file
    copies  and  general  use  that overwrites  data  areas  negates
    any  chance of data recovery. The fallacy that data can be
    forensically recovered using an electron microscope or related
    means needs to be put to rest."

So, for the main data areas of the HDD, one pass of writes is always
enough and anything more is just a meaningless ritual.

Some will argue that a better-funded attacker may somehow have
better microscopes even to the point that they have technological
breakthroughs not known to the wider world. However, the paper also
makes clear that the limit is not the sensitivity of the microscope,
but the fact that any drive that has been in use for a while has too
much noise for the data immediately prior to the wipe to be
distinguishable from that.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
Reply to: