digg

Facebook Connect Join Digg About

When "delete" is not enough

news.com.com It was only a single digit in a 20-page Microsoft Word contract between two partners, but Scott Cooper earned his fee several years ago when he found it.

Who dugg this? Made popular Apr 10, 2006

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

103 Comments

show profanity settings
expand all
  • joel2600, on 10/12/2007, -9/+51shift delete has nothing to do with this story. are you high?
  • apersaud, on 10/12/2007, -12/+37I work in computer forensics (I have a MS) and yes, even if you smash up the hard drive to pieces, we are able to put it back together and recover the data.

    Even if we dont have all the pieces - data is eitehr 1 or 0, therefore can use statistics for what pieces we are missing.
  • AdotB, on 10/12/2007, -7/+29Shift+Delete only bypasses the recycling bin, the data is overwritten, and can still be recovered.
  • srw777, on 10/12/2007, -3/+22Yes. But even after re-writing all zeroes, with the right sophisticated equipment, it is possible to read where there _was_ a 1 and where there _was_ a zero. One process involves removing the platter and using read heads that have a much narrower pickup pattern, then reading slightly off track. If you really want to make sure the data will never be read again, you'd better get yourself some thermite grenades.
  • robsonde, on 10/12/2007, -1/+16Question:
    How can I wipe my hard drive so that no one can recover my data?


    Technical stuff first:
    The disks of a hard drive are divided into lots of little parts called sectors, each sector holding 512 bytes of data. So that the computer knows which sectors are being used to hold data, there is a reserved and protected part of the disk called the FAT (file allocation table).

    When a file is written to the disk, the OS marks off in the FAT each sector used by the file. It also makes a note of the file name and the first sector of that file. When the file is read back, the OS looks up the first sector of the file and then reads-in the 512 bytes from the sector along with the address of the next sector for the file, and so on to the end of the file.

    When you permanently delete a file (by emptying the recycle bin, allowing the bin to get full so that it overwrites the oldest files, or using a utility that bypasses the recycle bin) the OS does not delete data from every sector because this takes time. Instead it simply marks as free in the FAT every sector used by that file, and then removes the file name from the directory listing. It also makes the file name invisible to normal disk search methods, usually by replacing the first letter. This means that the space is now free to be used by other files, but the actual data is still present on the drive and can be recovered using undelete utilities provided it has not been overwritten by newer files.

    Formatting the drive will empty the FAT and directory listing but again, it will not remove the data, and at this point your data can be recovered by reading directly from the sectors and putting the files back together like a puzzle.

    So back to the question, how to stop people getting the data back?


    Answer:
    This depends on how much you care and how much cash you have.

    1) The first and easiest way is just to reformat the drive. This will be OK if you just want to keep the drive and reuse it for other data. Your original data could still be recovered if a person wanted to, but it will get rid of data that you don't want, clearing the disk for you to reuse.

    2) The next level of security is provided by wiping the free space using a program like pgp or drive-crypt. This writes random data to all unused parts of the drive and is a good plan if you are selling the drive. If you do this and then change your mind, then no one can (economically) help you recover your data. Note that some programs don't write random data but instead they only write lots of 0's (zeros) to fill up the drive.

    There are several programs that you can use to perform a random wipe:

    pgp: http://www.pgp.com
    drive-crypt: http://www.securstar.de
    Partition Magic: http://www.powerquest.com
    Window Washer: http://www.webroot.com/washer.htm
    ERASER: http://www.prdownloads.sourceforge....er/eraser53.zip
    Steganos: http://www.steganos.com
    KillDisk: http://www.killdisk.com/features.htm

    I don't know how well each of the above programs work, so do your own research. Read the info about them at their web pages and see if it is a random wipe or a 0's fill, because a 0's fill is not quite as good. Search for and read any user reviews to help you decide.

    3) If you are a Linux user then a random wipe can be done as follows:

    dd if=/dev/random of=/dev/hda bs=1024k count=4096

    The Linux "dd .." method requires care. You need to calculate the "count=" value to match the size of the disk (or not include it... no "count=xxxx" will "probably" write the whole disk). The "hda" in the example means "the whole of the first disk on the first IDE interface". That might be your system disk. There is no permission byte for "the whole disk"; it's not part of a file system -- it's the whole disk. So use the correct "/dev/XXX" value, the idea is to unrecoverably erase a disk. For "complete" erasure, repeat the command a few times. Seven seems to be the US DoD number.

    The above Linux magic is thanks to Graham L.

    4) Any true random wipe program will take a lot of time to run, so don't trust any program that says it can wipe a disk in under 10 minutes. Just stop for a moment and consider how long it should take to write 40Gb of data to the drive 7 times over!

    5) A special note for the paranoid or those who have something to hide - even after random data has been written to the drive it is still possible to recover data using special tools that security consultants, police and government agencies have access to.

    6) If this is a problem for you and you really think that the government is out to get you, then you should simply destroy the drive and buy a new one. Exactly how you destroy it is up to you but I read that the US government has a system for destroying computer equipment by cross cut, crush, grind, burn and then spread on the roads as grit in winter.

    7) For more info about data recovery and the art of data destruction, have a read here.

    8) As for setting up a system that will destroy the drive at time of boot unless some special start-up procedure is followed, this might have worked in years gone by but in today's world serious investigators won't boot a system until the drive has been copied.


    REMEMBER: "The computer allows you to make mistakes faster than any other invention, with the possible exception of handguns and tequila." - Mitch Ratcliffe.


    Use of any of the programs in this FAQ will wipe ALL your DATA and it will no longer be recoverable by any ECONOMICALLY AVAILABLE means so be very very sure you want (or need) to do this before you start.



    http://www.theanswerguy.co.nz
  • inactive, on 10/12/2007, -2/+16So...you are saying that you dugg the story before reading it, and now that you did read it you are mad?

    Let that be a lesson to you to not digg until you RTFA.
  • keane, on 10/12/2007, -1/+12More about Word metadata at http://www.digg.com/software/Remove_hidden_data_in_Microsoft_Word_documents
    (37 days ago, not a dupe)
  • Arramol, on 10/12/2007, -4/+14Page can't be found. Guess it was in the way of a hyperspace expressway or something.
  • RealityBender, on 10/12/2007, -1/+10The only way to really hard for recovery is to delete and overwrite (duh!), the more time the better

    Windows treat your hard drive like a circle. It has a pointer to segment on this circle and when a block is allocated the pointer move forward. Window always move the pointer in one direction. When you delete something it will remain in that location and the file reference is just forgotten. It will not overwrite that section until the pointer move back around to that location, which can take sometime.

    Linux tries to save on hard drive access so when a file get delete it is first in line to get overwritten because it's location is already in main memory (RAM) and is know to be free, and often overwritten immediately
  • AdotB, on 10/12/2007, -10/+17Sorry, i meant "the data is NOT overwritten"
  • purplegrog, on 10/12/2007, -0/+7If you're going to go that route, you might want to do the Gutmann wipe first, *then* physically shred and burn the drive. just a thought. : )
  • inactive, on 10/12/2007, -4/+11don't worry. The kids username is masterchief.
  • mistshadow2k4, on 10/12/2007, -0/+7"A safe bet is overwriting the data at least 3 times. "

    No less than seven times is the military standard, if I'm not mistaken. (See how long that takes with a 320 gig hard drive!)
  • Settra, on 10/12/2007, -1/+8Wow! You can't spell!
  • grunties, on 10/12/2007, -0/+7I am under the impression that the data is lost as far as a normal floppy disk drive is concerned, but if you have the right tools you can actually magnetically detect remnants of the former data. This is why tools exist that overwrite files multiple times with random bit strings to make this process much more difficult.
  • modian, on 10/12/2007, -2/+9 Gashee morphousite, thou expungiest quoopisk!
    Fripping lyshus wimbgunts, awhilst moongrovenly kormzibs.
    Bleem miserable venchit! Bleem forever mestinglish asunder frapt!
    Gerond withoutitude form into formless bloit, why not then? Moose.
  • sinembarg0, on 10/12/2007, -1/+7A safe bet is overwriting the data at least 3 times. Interstingly enough, OS X Disk Utility has the optin, when formatting, to 0 out a hard drive, to do so 3? times, and to do so 7 times, just to be sure your data is gone.
  • inactive, on 10/12/2007, -0/+6If you overwrite the disk a couple of dozen times with a really good zeroing/random algorithm, you'll likely be fine. Same with a hard drive. Still, the only way to be completely sure is to completely destroy the media device the data you stored was on. Degaussing and a good acid bath is probably good.
  • e_mnc, on 10/12/2007, -1/+7I would suggest dban - Darik's Boot and Nuke
    http://dban.sourceforge.net/
  • AntiMe, on 10/12/2007, -1/+6I've heard they use thermite nets of a sort if they're going to be captured with sensitive electronic stuff. they just throw this net over the equipment, something ignites it, and well, goodbye to the equipment. Thermite rocks.
  • prockcore, on 10/12/2007, -1/+6There are remnants of the original data. For *all* magnetic media, the read/write heads don't line up perfectly. You ever record something on VHS and then tape over it and see a ghost image of the old show in the background?

    You need special hardware to read that residual data however.
  • evilpandas, on 10/12/2007, -6/+11Quite Accurate. The Amount of data that can be forensically gathered, if you have the time and patience that is, is really unbelievable
  • InternetUser, on 10/12/2007, -1/+6No, apersaud means he has an academic degree and is qualified to speak with authority on the subject.

    And what apersaud says is entirely correct; why the hell has his comment been modded down?
  • AntiMe, on 10/12/2007, -0/+5Formatting (as long as it's not a quick format) does write zeros over the whole disk (and sometimes verifies that it reads zeros back). However, using advanced techniques, the trace magnetism of the old data can still be read (although not directly by the computer). That's why DOD erasing techniques do something else.. they write binary 10101010 and then 01010101 and zeros and random data, multiple times. That tends to totally screw any attempt to retrieve the old data.
  • sporkwitch, on 10/12/2007, -1/+6Actually, while yes, a low-level format does zero out the drive, as was previously stated, it only does so once. All it does is go over it once marking out the track and sector markings and putting zeros in between. There are however COUNTLESS applications (most of which are linux-based bootable disks that will work in any computer) that will overwrite with randomized information over every track and sector on the harddrive X number of times (in some applications it's user-defined, with no limit to the number of rewrites.)

    So as long as you think you might be under investigation, just toss that disk in, boot from it, and just hold down the "9" key for a while and let it fry your drive away until you're declared to officially not be a suspect :P I have a strange feeling that 72+ hours of garbage information constantly being rewritten to a drive will make data recovery rather difficult.
  • srw777, on 10/12/2007, -1/+5That's mostly, but not entirely true. Apparently, the experts can sometimes still find trace magnetism due to the fact that hard drive heads don't follow exactly the same track each time, but tend to follow the same track twice in a row... For example, data that was written when the drive was cold, might be readable from one edge of the track even after multiple write passes with the drive warm.
    (I wish I could remember where I read all this... I was doing some research into hard drive disposal a few months back, and got way more knowledge than I really needed for my situation.)
  • inactive, on 10/12/2007, -0/+4The Final Showig Markup thing was responsible for one of the 2 main political parties in australia having egg on their face after some journalist uncovered all the drafts of one of their policy speeches. The changes were exposed for all to see and showed some total backflips that were changed for the final document.
  • dbzer0, on 10/12/2007, -0/+4the *other* partner was the culprit
  • inactive, on 10/12/2007, -1/+5Formatting does nothing these days compared to the days of DOS. But even then, files could easily be recovered from a formatted drive so long as nothing had over written it.
  • hackwrench, on 10/12/2007, -1/+5Quote: The use of any overwriting software can be detected, tipping off investigators that the person under scrutiny has something to hide.

    Yes, but the "something to hide" need not be criminally prosecutable, for instance.
  • inactive, on 10/12/2007, -0/+3So, this guy only got the $96 million that was coming to him? No penlties for the attempted fraud?
  • hackwrench, on 10/12/2007, -0/+3Yes, but was the 1 deleted before or after the contract was signed, and where are the hashes for the signed document?
  • skell, on 10/12/2007, -12/+15"Umm hello? Ever herd of Shift+Delete?"

    Classic.
  • srw777, on 10/12/2007, -2/+5I wish I could find an authoritative source, but I've heard that Thermite is the US Army's method of choice for destroying data in the field. I'd guess that's a pretty sure way to ensure privacy.
  • aoeuhtns, on 10/12/2007, -0/+3a few seconds in the microwave usually do the trick
  • elsnow77, on 10/12/2007, -9/+12oh crap, someone's gonna be able to see all my porn
  • sporkwitch, on 10/12/2007, -0/+3They already exist, and there are linux distros with them. There've also been several applications on the Digg front page that encrypt files as you create and edit them.
  • sporkwitch, on 10/12/2007, -0/+3@xtrek

    Exactly. Saying that is the same as refusing to let them search your car if they don't have probable cause. Just because I refuse your search, doesn't mean I'm hiding anything. Likewise, just because I choose to make sure when I delete data it actually IS DELETED, doesn't mean that I'm hiding anything that you have a right to know.
  • tuxracer, on 10/12/2007, -0/+3Do I understand this correctly? Someone was writing the contract and at some point in time during writing it there happened to be a "1" in front of a "5" (making it 15). Therefore, this other party is somehow able to get 15%?

    What's next, if you were thinking of giving someone more money than you actually agreed to give them than you can be brought to court and forced to give the amount you originally thought of???
  • TheShrike, on 10/12/2007, -2/+5Vogon?

    Well... at least they don't offer poetry or planetoid demolition as services, so I guess we're safe.
  • CupofDice, on 10/12/2007, -0/+2http://www.docscrubber.com/ This should get rid of data in Word Docs. Made by the guys behind EULAlyzer.

    Check out http://www.javacoolsoftware.com/products.html for other free things you may need (Spyware Blaster, Spyware Guard).

    http://www.jetico.com/index.htm#/bcwipe.htm wipes using DoD and Peter Gutmann. You can also create your own scheme.
  • stylerm, on 10/12/2007, -8/+10MS Word. View->Tool Bars->Reviewing. Original Showing Markup.
  • XTrek, on 10/12/2007, -0/+2You might perhaps have sighed a non disclosure agreement for some data. It is completely valid to want to securely delete the data.

    This quote is directly from a prosecutor who is trying to make a legal case against you. Privacy is completely legal...
  • robsonde, on 10/12/2007, -0/+2yes!!

    i got a second hand flash USB drive and recovered all kinds of cool stuff :-)

    there are many programs to recover data from flash starage.
  • ZekeSulastin, on 10/12/2007, -0/+2Ah, but you can undigg it - just look in your profile ...
  • Silencer7, on 10/12/2007, -0/+2For optical media, Tom's Hardware had this nifty review of a CD shredder, as well as this little bit on how the NSA makes data disappear:
    http://www.denguru.com/2005/09/29/the_/page3.html
    "The NSA-approved CD shredder that Orvis said he has seen is a grinder that transforms the CD's top surface (where the data resides) into dust, but leaves the rest alone, including the hub where the serial number resides, "so you can be assured that it is properly destroyed," Orvis said."
  • quadvods, on 10/12/2007, -0/+2Lesson 1: When $64,000,000 is at stake, make a backup.
  • sporkwitch, on 10/12/2007, -0/+23.5" floppies use the FAT12 file system (IIRC). In any case, when you format a floppy (a full format, not a windows "quick-format") you're doing a low-level format of the drive. However, as earlier stated, nothing is 100% other than running a great random algorithm several dozen times, degausing, shattering, and bathing her in acid (and in all honestly I'd like to see how much data could STILL be recovered from that, could prove interesting).

    I'd also like to point out that DBAN rocks, I used it on my computer when I got out of school (I don't like leaving footprints when I don't have to, not to mention what I used it for is none of their business since it was all legal and related to my education ^_^)
  • jaspinDroid, on 10/12/2007, -4/+6low level format = drive rewritten with 0s
  • inactive, on 10/12/2007, -0/+2Well, that is my question. He could try to get part of HIS share. Instead of 15%, he could try to get 17% or something. A $12 million or so payment for punitive damages.
  • Fetching more discussions...
    Show 51 - 100 of 103 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.