LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-07-2008, 05:53 AM   #16
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86

Quote:
Originally Posted by syg00 View Post
Yes. You can also get it to report its progress - see the manpage. Also use a (decent) blksize to speed things up.
I know there is a forensic version of dd that would tell you the progress, but I didn't know that it was built in now. I'll have to check that out.

You're right about increasing the block size. bs=4k should help a lot. conv=noerror would continue if it ran into an error as well.
 
Old 07-07-2008, 07:56 AM   #17
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Some general remarks only.

Not to belittle or chide anyone but one should note the standard mentioned that doesn't argue for different methods (or which incineration is just one) and n passes to be used because it's "good", it's about uniformity, quality and certainty. And wrt to standards and threads about wiping data one thing that's often overlooked is the verification stage: you can use all sorts of n passes schemes but if you fail to verify the result, the task isn't finished. One could argue it's a rule only people who handle classified or sensitive data work with, but IMHO it is just common sense to make certain the data is gone.


Also note there's a fast alternative to /dev/urandom called frandom (not for crypto purposes):
Code:
time dd if=/dev/urandom bs=1M count=10 of=/var/tmp/speed 
10485760 bytes (10 MB) copied, 9.07479 seconds, 1.2 MB/s
time dd if=/dev/erandom bs=1M count=10 of=/var/tmp/speed 
10485760 bytes (10 MB) copied, 0.52803 seconds, 19.9 MB/s

Quote:
Originally Posted by lwasserm View Post
An empty, wiped disk would raise some suspicions all by itself that a disk with innocuous data would not.
If you seize a disk anywhere out of its factory-sealed packaging, knowing the seizure location and the fact disks leave the factory patterned, then from an investigative point of view that's a very good observation. Next to emptied disks the ones that contain b0rken filesystems or containing patterned locations are the easiest way to spot "interesting" usage.
 
Old 07-07-2008, 08:55 AM   #18
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116Reputation: 116
Quote:
Originally Posted by unSpawn View Post
Some general remarks only.

If you seize a disk anywhere out of its factory-sealed packaging, knowing the seizure location and the fact disks leave the factory patterned, then from an investigative point of view that's a very good observation. Next to emptied disks the ones that contain b0rken filesystems or containing patterned locations are the easiest way to spot "interesting" usage.
It is negative information. You could just be looking at a privacy advocate who takes steps beyond the ordinary...just because.

And I would love to see the prosecutor: "Your Honor, we are sure this suspect was up to no good because his hard drive was wiped and patterned. We know he was doing bad things because there was no evidence..."

Of course, in the current Orwellish environment, that might just happen...

Speaking just for myself, every now and then I fill up my /home and my / directories with a file in /tmp, and one in ~/tmp, that I fill from /dev/null, then delete, then fill from /dev/urandom - and I set it to run dd until the drive is full.

Ain't perfect, but should get rid of anything that I deleted.

Last edited by jiml8; 07-07-2008 at 08:58 AM.
 
Old 07-07-2008, 08:58 AM   #19
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Rep: Reputation: 67
FYI the military standard for cleaning a disk can be found here: http://www.dtic.mil/whs/directives/c...ml/522022m.htm

When I needed to send my hard disk back to Dell when it failed, I cleaned it with this: http://abaababa.ouvaton.org/wipe/ which is conveniently located in the Ubuntu repositories. The disk was 230 GB and it took all night and into the morning to complete all 8 passes.

You'll obviously want to read through the manual page to see what the options are all about, but I'm pretty sure if you apply the default settings to a full hard disk, and have the time to wait, that your data will be irrecoverable.

I mean, what do you really have on there anyway? If someone is capable of getting your stuff after 8 passes it means they have a lot of money and really really want it. No one (no government/military) is going through all that trouble for your cookies or even for some financial information. If you have data that is that seriously private then you need to disassemble the hard disk, burn it, and bury the parts over a number of hard to find locations. Then station a loyal troll to protect each of said locations.
 
Old 07-07-2008, 11:38 AM   #20
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by jiml8 View Post
You could just be looking at a privacy advocate who takes steps beyond the ordinary...just because.
What you've given there is a possible explanation. When you investigate things you have to be careful to deal with facts only and not let personal perception, opinion, influence what you (think you) are seeing. There are settings where regulations and policies mandate wiping. Most of the time those will be formally documented and accompanied by an auditing trail. Cutting things short, if there's no regulations or policies in effect then wiping data requires the user to have knowledge of wiping data as a solution and be technically knowledgable enough to chose a tool and perform the wiping. True, that is not a conclusion or rocket science but simply an observation that could trigger a more in-depth investigation.



Quote:
Originally Posted by jiml8 View Post
And I would love to see the prosecutor: "Your Honor, we are sure this suspect was up to no good because his hard drive was wiped and patterned. We know he was doing bad things because there was no evidence..."
You don't have to be a lawyer to see that's cutting things a wee bit too short. Humourous nonetheless.
 
Old 07-07-2008, 12:46 PM   #21
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116Reputation: 116
Quote:
Cutting things short, if there's no regulations or policies in effect then wiping data requires the user to have knowledge of wiping data as a solution and be technically knowledgable enough to chose a tool and perform the wiping. True, that is not a conclusion or rocket science but simply an observation that could trigger a more in-depth investigation.
Agreed. But presuming that the person being investigated is competent (and wiping data is evidence of competence) then the more in-depth investigation should lead noplace.

Also, the more in-depth investigation might be constrained by either time, funds, or the interest of the relevant authorities, based upon the severity of the suspected problem.

Bottom line is that a private individual (or organization) who has any reason at all to fear that any of his personal data on his computer could be compromising in any fashion should wipe hard drives. If this causes the authorities to become suspicious, so be it.

I once was hauled before Immigration and Naturalization Service because I married a foreigner. "We are going to investigate your marriage to make sure it is not a sham to get her papers". The interviewer started asking me questions. My answers came slower and slower as the questions got more personal. Finally I told the interviewer that I would answer no further questions.

The interviewer became irate: "Why won't you answer my questions? What do you have to hide?"

My response: "This interview is OVER, you f---ing NAZI!!! I WILL NOT PERMIT A GOVERNMENT FUNCTIONARY TO SPEAK TO ME IN THIS FASHION. I WILL SPEAK TO YOUR SUPERVISOR RIGHT NOW!!!". And I did. And I reamed him, and his flunky: "How DARE THIS BITCH SPEAK TO ME THIS WAY??? YOU WILL NOT INVADE MY PRIVACY. YOU WILL NOT SUGGEST THAT MY INSISTENCE THAT YOU KEEP YOUR BUREAUCRATIC NOSE OUT OF MY BUSINESS SUGGESTS THAT I AM DOING ANYTHING AT ALL WRONG. I will remind you of the law of the land: I am innocent until proven guilty. If you can come up with ANY EVIDENCE AT ALL of wrongdoing by me, then you may approach me. Until that time stay the F*** OUT OF MY FACE AND OUT OF MY WAY."

He took it; he had no choice. My wife got her permanent visa, and later her citizenship.

The point is that they can be as suspicious as they want. But in the US anyway (at least, pre-Patriot Acts) suspicion gets them nothing. They need evidence.

Last edited by jiml8; 07-07-2008 at 12:47 PM.
 
Old 07-07-2008, 03:54 PM   #22
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by jiml8 View Post
But presuming that the person being investigated is competent (and wiping data is evidence of competence) then the more in-depth investigation should lead noplace.
"Should" does not equal "state with onehundred percent certainty" and so, without knowing the strategy and inventory of the theoretically seized items and even if just an exercise, that is an assumption and one I can not support.


Quote:
Originally Posted by jiml8 View Post
Also, the more in-depth investigation might be constrained by either time, funds, or the interest of the relevant authorities, based upon the severity of the suspected problem.
...or be sped up by certain persons forgetting to wipe their sticks, long-forgotten slash off-site backups, et cetera ;-p
 
Old 07-07-2008, 04:14 PM   #23
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 255Reputation: 255Reputation: 255
The only disk that is most likely impossible to recover data is the one that has turned to dust. I use to work for a data recovery company, it was amazing the data they pulled from drives that had been wiped, damaged, burned and so on.. So wipe all you want, there's someone out there that can recover something from it.
 
Old 07-07-2008, 06:43 PM   #24
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 17.1 KDE on workstation, CentOS 6.x on servers
Posts: 1,143

Original Poster
Rep: Reputation: 47
Quote:
Originally Posted by jiml8 View Post
But in the US anyway (at least, pre-Patriot Acts) suspicion gets them nothing. They need evidence.
...Unless it's the RIAA or other copyright type company. :/ It makes me sick to the stomac the stuff they get away with.


also this is something wacked I thought of, but given /dev/random and /dev/urandom generate random data based on stuff going on in the system, is there a possibility of it writing say, memory? I could see using this method being dangeraus, and using a set of patterns being more secure.

Sure I'm being paranoid, but I just like considering these type of things. I rarely sell/give HDDs away, only time I'll really get rid of one is if it fails, and I usually just physically destroy it because its fun.


Also using dd how do I manage to output a pattern, but make it repeat?

if I do something like

dd if=pattern1.txt of=/dev/hda

it will just copy pattern1 once. I don't want to have to generate a 500GB file, I want to make like a 100 byte one, then have it repeat.
 
Old 07-15-2008, 06:03 AM   #25
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by Red Squirrel View Post
Also using dd how do I manage to output a pattern, but make it repeat?
Of all the dd-related tools 'dcfldd' is the only one which has a builtin "pattern" and "textpattern" option (see the manual), for others (at least with 'dd') you can echo the pattern and pipe it through it.
 
Old 04-28-2014, 02:33 PM   #26
maples
Member
 
Registered: Oct 2013
Location: IN, USA
Distribution: Arch, Debian Jessie
Posts: 814

Rep: Reputation: 265Reputation: 265Reputation: 265
Quote:
Originally Posted by trickykid View Post
I use to work for a data recovery company, it was amazing the data they pulled from drives that had been wiped, damaged, burned and so on.
...how? If the magnetic coating is gone, the data goes with it, right? Or does the coating not get burned...

Out of curiosity, have you ever heard of a recovery from a piece of a platter?

Along a similar line, what if I took a powerful magnet and slid it all over the platters? Would that effectively destroy the magnetic patterns in it?
 
Old 04-28-2014, 02:47 PM   #27
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651
As I understand it, the only reason that anyone wipes anything twice+ is because of floppies. It was a medium that could leave magnetic traces behind, and made data recoverable in theory.

Hard disk drives that are wiped one time with zero's/random data have never been successfully recovered -- there is no proof anywhere that it has happened. I think its just a relic of the floppy disk/magnetic media days and a continued urban legend propagated by paranoids.

Last edited by szboardstretcher; 04-28-2014 at 02:49 PM.
 
Old 04-28-2014, 03:29 PM   #28
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
There is no proof that you can recover anything even wiping with /dev/zero. However, for the extra paranoid the best option is to encrypt the entire HDD. Multiple runs of a PRNG don't add significant extra security, because PRNGs are not cryptographically secure. Mersenne twister is the most common PRNG used and it can be entirely predicted using 624 consecutive outputs.
https://blog.spideroak.com/201212051...n-ruby-and-php

So, if you were able to look at the HDD and identify the bits that were there previously and recover them all (supposedly it can be done, but is extremely tedious), then all you would have to do is decypher the data, which is easy for Mersenne twister, but difficult if it is encrypted.
 
Old 04-28-2014, 04:50 PM   #29
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,843

Rep: Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472
Quote:
Originally Posted by szboardstretcher View Post
As I understand it, the only reason that anyone wipes anything twice+ is because of floppies. It was a medium that could leave magnetic traces behind, and made data recoverable in theory.

Hard disk drives that are wiped one time with zero's/random data have never been successfully recovered -- there is no proof anywhere that it has happened. I think its just a relic of the floppy disk/magnetic media days and a continued urban legend propagated by paranoids.
No - it used to work in the really old days. The way disks worked (using a linear recording), left large gaps between tracks. Because the mechanics of head movement, two separate seeks almost never got exactly the same location... so different seeks would be offset slightly in different directions.

Disk drives even has sub-track positioning capability (on the CDC 9600 specifically I know had this) with up to 20 offset positions on either side of the center of the track. You could actually have a complete track recorded by using offset 20 and offset -20... but there could be some bleed over. Using the offsets was a way to attempt to recover from a read error. A sector was never identified as bad, unless all 41 reads (using all possible offsets + the center). If one of the passes worked, then the sector was good.

Making a single pass overwrite would not remove the possibility of recovering prior data by looking at the extreme offsets. Prior data could more easily be retrieved using specialty equipment that had higher resolution than that available to the general head positioning mechanics. (besides just the surface reading, the magnetic domain also had a depth dimension where the surface could be removed, then the domains underneath retrieved). So using multiple overwrites would count on the seek imprecision to write to slightly different locations...

Most of this died when disk manufacturing switched from horizontal recording to vertical recording (the depth field vanished), and the higher precision of of head positioning (and incredibly smaller size of the magnetic domain grains) has made multiple overwrites mostly unnecessary.

What remains though are bad sectors - these are never overwritten, and can still carry sensitive information. Thus the process of removing the platters, degaussing, and grinding to powder is the final method.

Last edited by jpollard; 04-28-2014 at 04:58 PM.
 
Old 04-28-2014, 09:21 PM   #30
maples
Member
 
Registered: Oct 2013
Location: IN, USA
Distribution: Arch, Debian Jessie
Posts: 814

Rep: Reputation: 265Reputation: 265Reputation: 265
Quote:
Originally Posted by jpollard View Post
[snip]
What remains though are bad sectors - these are never overwritten, and can still carry sensitive information. Thus the process of removing the platters, degaussing, and grinding to powder is the final method.
Out of curiosity, why can't bad sectors be written to? Is it something that the OS is currently incapable of, or does the HDD itself prevent you from doing it?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Hard disk wipe software suggestions airman99 Linux - Software 14 11-19-2007 09:47 AM
[OpenBSD] safe disk wipe out noir911 *BSD 2 03-08-2007 03:53 AM
LXer: "military grade" Linux PDA gains WiFi, Bluetooth LXer Syndicated Linux News 0 07-08-2006 07:54 PM
MacOS 8.6 -- disk detect problem after a disk wipe BinJajer Other *NIX 2 02-05-2006 03:24 AM
how to wipe disk in best way to reinstall WinXP and Mandrake as dual boot jukebox4joe Linux - Software 3 01-23-2004 04:57 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:24 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration