121 Comments
- sophiaperennis, on 12/03/2007, -1/+103 Interesting. When people who are sued by the RIAA / MPAA would use this exact same argument or any other reason to re-format their hard-drive, it would easily be labelled as destruction of evidence.
- Herostratus, on 12/03/2007, -2/+47 I work in computers and do this type of wipe on a regular basis. It's the DOD standard to make a drive safe from data retrieval. There is no reason whatsoever to do it for any other reasons as a virus cannot affect a system after 1 wipe. You do 7 when you don't want anyone to get data back.
- autosovereign, on 12/06/2008, -2/+23 "either Bloch was taken to the cleaners by Geeks on Call, or Bloch is covering something up."
Probably both
- slashbot, on 12/03/2007, -1/+18 Wow that must have been some virus.
Geeks on call? lol... I doubt that conforms to DoD regulations
- MattB123, on 12/03/2007, -1/+15 Excellent. But if that's the case, where's my state medical insurance? Where's my state-paid college education?
- Dragular, on 12/03/2007, -3/+14 I thought the RIAA lawsuits didn't actually involve seizure of the drives, only records of what files were downloaded by what IPs? Your property can't be seized for a civil suit AFAIK.
- jellygraph, on 12/03/2007, -0/+10 http://www.truecrypt.org/
If you use this, no one will ever be able to find what you are hiding (or even know you are hiding anything... plausible deniability)
- NotThatGuy, on 12/03/2007, -1/+10 No, it's possible to retrieve data after the hard drive has been formatted, it just makes it a little harder. You have to format it several times, and even then there are labs that can still get some data from it.
- conna, on 12/03/2007, -0/+9 That is sorta a myth. If you've ever taken apart a hard drive then you know how strong the magnet is that is used to move the heads across the platters. That magnet is about as close as you can get but it does not erase the magnetic orientation on the platters themselves. It comes down to how the magnetic field is orientated to the platter surface. Yes you can corrupt a HD with a magnet but it has to be strong and lined up with the platter surface in the right way or it won't do much. The one on the inside of the drive has a weak magnetic field on the "smaller" side. If it "somehow" flipped 90 degrees then it would start erasing data.
On a side note, an electron microscope is used to read smashed platters and formatted drives in strong federal cases, even if the drive had been formatted or even written with 0's. The microscope loses its effectiveness after each wipe though.
If the hard drive held classified info then it must be shredded and melted. DoD 5220.22-M
- 6502programmer, on 12/03/2007, -0/+8 Should've gone to Geek Squad. Then there'd be an almost guaranteed backup of the data.
- richbradshaw, on 12/03/2007, -0/+8 Damn Small Linux embedded edition ftw!
- inactive, on 12/03/2007, -2/+9 how do you spoof that? can't you just set back the system clock?
- altgeeky1, on 12/03/2007, -1/+8 I see you've never read about SPA audits. I think the SPA is defunct now because it was co-opted by Microsoft, and all the other publishers pulled out until MS just does their own policing. Anyways, using sophisticated tools, you can build a graph of how long you have used that PC using and cross referencing everything on the system.
Of course, the SPA is loads smarter than the RIAA. For example the RIAA writes silly GUI apps to monitor network traffic, then submits "screenshots" as evidence.
You could backdate your BIOS, reinstall the OS, and then move the system clock and that would NOT cover your tracks.
It's pretty tough not to leave a trail.
Come to think of it, probably the smartest thing is to anticipate this problem and work inside a VM on a keychain.
- slicerace, on 12/03/2007, -0/+7 Perhaps that would make it *too* obvious to the layman that this was an attempt to destroy information. Your average Joe doesn't know anything about data erasure; destroying the hard drive is more analogous to incinerating documents or something, so this turns out better for them anyway.
It's probably easier, though, to wipe the drive than destroy it since I'm sure all that stuff is kept track of. You can't just have a hard drive go missing, I suppose, so wiping it this way leaves the drive intact (i.e. less chance of getting caught or raising suspicion).
- inactive, on 12/03/2007, -0/+7 You are wasting time, and even Peter Gutmann, the bogus computer scientist, admits it.
- bradleyland, on 12/03/2007, -0/+7 Timeline plays a very important part in any investigation, and changing your system clock does tend to make an investigator's job more difficult, but it doesn't destroy the case. If you're using your computer to communicate with the outside world, you will inevitably have files on your computers that contain embedded dates and times that can be used to determine an offset. Once the investigator has that, he's golden. It just makes his/her job a pain in the ass.
- mzwaterski, on 12/03/2007, -1/+7 I'm pretty sure you are wrong. The property isn't "seized" in the sense that a governmental body asserts immediate control/ownership over it, but they can force you to turn them over in discovery or face contempt of court. You still own the hard drive, but you have to let them have access to it if they request it. (In US Federal courts)
- WilliamDavis, on 12/03/2007, -0/+6 I think you're right. Total lie as well. Never, ever, does somebody wipe a hard drive like that for virus removal. Never. Geeks on Call would not have done a wipe without being asked, or recommended a wipe.
- slicerace, on 12/03/2007, -0/+6 There's a utility out there for making the job very difficult; the utility's name is "Timestomp" and it basically resets all the creation/modified/accessed data so that forensics tools can't get the information. The obvious flipside of this is that clearly the system has been tampered with, since the lack of the time information is a dead giveaway, but hey, it might still help.
- Haapi, on 12/03/2007, -1/+6 Leave him alone. He had realized that his work computer was not the place for his pr0n collection, that's all.
- robbh66, on 12/03/2007, -0/+5 The powerdrill would only prevent the casual person from recovering data - areas not hit by the drill would still be easily recoverable.
- slicerace, on 12/03/2007, -0/+5 That's still easier than recovering after a seven pass wipe since the actual magnetic grains on the platter haven't been modified -- in the case of the plane, etc. the shell and possibly the platters had "only" been shattered.
- corbs132, on 12/03/2007, -1/+6 and the cure for the common cold is 47 thorough smacks to the head via hammer. right....
- iceman0113, on 12/03/2007, -2/+7 Wouldn't it have been cheaper to just destroy the hard drives and buy new ones?
Anyway, back to the article. FTA: "Bloch has been under investigation since 2005 for improperly dismissing issues brought to the OSC's attention by whistleblowers and then failing to protect said employees from retaliation."
Great to see that people who want to protect this country will not be protected from retaliation. /sarcasm
- kastyr, on 12/03/2007, -0/+4 Actually this is the old DoD standard for wiping drives, but seven is going to be pretty damn effective at making it very implausible to get any of the data back, unless you're the NSA or have a lot of money to throw at it.
- laterthandawn, on 12/03/2007, -1/+5 "Malware" indeed.
- LongShlong, on 12/03/2007, -1/+5 ... In government we like to take a power drill to any hard-drive that's going off-site for disposal. Good times, indeed.
- lagrange, on 12/04/2007, -0/+4 Thou shalt take thy hard disk from this place to another place, where it shall be anointed with the holiest of oils, then heated to at least 4500f for 60 minutes.
Amen.
- JEWestbrookJR, on 12/03/2007, -3/+7 You obviously know nothing. Even Norton software will retrieve after 1 wipe.
- jacobsor, on 12/03/2007, -4/+8 Yes it's the DOD standard, but it's totally unnecessary. If you do one full wipe (i.e., overwriting every bit in every sector with dummy data), there's no way anyone is getting that data back. (Note that this is NOT the same as doing a reformat.)
The DoD standard says that you need to "wash, rinse and repeat" six more times on some theory that there might be "stray" magnetic fields left on those individual sectors that could be picked up to. The theory is that someone could use a scanning electronic microscope to somehow detect those "residual" fields and restore the data.
There's a good paper somewhere (sorry, can't find it) that explains that this is entirely hocus-pocus voodoo science. Once you've overwritten a block completely, there's no way to recover the earlier data. Period. Doing it six additional times for "luck" doesn't hurt, but also doesn't make it any more secure. Everyone does it just because it's the DoD standard, which sounds impressive. It's superstition, not science.
- Kronos6948, on 12/03/2007, -0/+4 Thanks. You've saved me tons of time and CPU usage.
- jacobsor, on 12/03/2007, -0/+4 Sorry, here's a good summary with a link to the paper:
http://shsc.info/DataRecovery#titelanker5
As the article notes, a mid-level format that "zeros out" every byte will be enough in any real-world situations. (This is different from a standard Windows format.)
- inactive, on 12/03/2007, -0/+4 Norton will recover from a format, not a wipe. A format doesn't actually overwrite any of the data... It just writes the sector control bits. Simply overwriting the files once is more than enough.
Interestingly enough, the "Computer scientist" who invented the concept that you can recover data after it has been wiped once is Peter Gutmann, the same guy who wrote the Vista DRM hit piece. He has since admitted he was full of ***** about the need to write over data more than once, although he still insists that Vista has tin foil hat levels of secret DRM. A popular urban mythology on websites like Digg.
- jjohnstn, on 12/03/2007, -1/+5 DOD standard is 3x: http://www.qsgi.com/usdod_standard_dod_522022m.htm
Maybe there is another standard requiring more passes. Overboard if all you're worried about is deleting a virus.
- slicerace, on 12/03/2007, -0/+3 There is a higher DoD standard for a seven pass wipe for more sensitive data, just fyi.
- JEWestbrookJR, on 12/03/2007, -3/+6 Yeah, I work own a computer repair business and have all of my certs. 1 wipe = no viruses, 7 wipes = no chance at data recovery
- TheLoneHoot, on 12/03/2007, -0/+3 Do you understand the things you comment on at all?
- mllawso, on 12/03/2007, -0/+3 It's easy with linux. Just make a .gz.tar of your hard drive, remove the incriminating bits (mp3s, internet cache) wipe and restore.
Now your computer is clean and looks like you haven't wiped the hd.
- TheWindBlows, on 12/03/2007, -0/+3 it's both politically destructive porn.
- slicerace, on 12/03/2007, -0/+3 A drive wipe would only fix this if it wiped the boot sector... I think you can do this in less than a second by typing fdisk /mbr, so again, a drive wipe is basically never required to remove a virus.
- koreth, on 12/03/2007, -0/+3 In other words, it's an order of magnitude slower than the job actually requires. Nice.
- JEWestbrookJR, on 12/03/2007, -2/+5 All that for Malware, eh? I don't think there is a virus in existence that can even survive a quick format before re-installing the OS.
- naonao, on 12/03/2007, -0/+3 Formatting still leaves a trace. I prefer the enormous magnet for perfect, quick, wipe. Shame the hard drive gets *****.
- slicerace, on 12/03/2007, -0/+3 The "Gutmann wipe" is, however, outdated and most people who mention it have no idea what all those passes are for. 7 passes of pseudorandom data is about the best that you can do to wipe today's modern drives.
- VitriolAndAngst, on 12/03/2007, -1/+4 Hah. They even outsource the coverups.
Next time cash geniuses.
All these people who think bad guys are stopped by investigating all of America's honest transactions, apparently never heard of cash or disposable cell phones or just stealing things. And now we know why -- their greed is only excelled by the Bush administration cronies' incompetency. So much for crony hires -- it's so hard to find good help when you want evil.
- fieldcar, on 12/03/2007, -0/+3 Right jjohnstn, DOD is 3 passes, NSA is 7 passes, Gutmann is 35 passes.
I use CCleaner ( http://www.ccleaner.com ), a free utility to empty your recycle bin and delete all temp internet and program temp files. You have the option of enabling secure deletion methods as stated before.
- FortyCaliber, on 12/03/2007, -1/+4 I disagree. Even Marine Corps Data Specialists are top notch... nothing but business.
- lordmetroid, on 12/03/2007, -0/+3 easily solved by disintegrating the material itself
- qwerty121, on 12/03/2007, -2/+4 If the data doesn't get recovered, I'd be interested to know which program he did it with.
- VitriolAndAngst, on 12/03/2007, -0/+2 Let me be the first to predict that the Special Investigator of the Special Investigator, will be picked by Karl Rove.