[clug] PC Forensics / Fun

Sam Couter sam at couter.id.au
Thu Mar 29 13:11:41 GMT 2007

Kane'0 <kane at areujoking.com> wrote:
> I've used Ontrack's easyrecovery on drives that have been formatted +
> reloaded 4+ times and had few problems getting the original data back. A few
> corrputed imaged was about the worst loss. Dunno of a nix equivalent.

This style of recovery method only works when "formatted" means "the
directory information has been damaged or wiped but the files are still
intact on the disk". It will not work if the disk has really been wiped.

> Best way of wiping a drive is to physically destroy it. Rip it apart and
> melt it in the fire drum.

While this is true (it's the most reliable way to destroy data), it's
overly paranoid in the majority of situations. Simply writing over the
entire disk will make it prohibitively expensive to recover the data. It
cannot be done with software, will require specialised equipment and
skilled technicians, and will cost thousands to tens of thousands of

Do this:

dd if=/dev/zero of=/dev/hda bs=10240

... and wait a while. Maybe a long while for a big disk.

Or do this:

dd if=/dev/urandom of=/dev/hda bs=10240

... and wait longer. You've now increased the cost of recovery to
hundreds of thousands to millions of dollars and substantially decreased
the probability that anything useful at all will be recovered. Randomly
tap on the keyboard and move the mouse a bit to increase the quality of
the random data.

If you think it's useful to do more and you're not doing most of the
following, you're being irrationally paranoid and need to re-evaluate
actual threats to your data security instead of going for the warm fuzzy
"I'm safe from the Government" feeling:
- Encrypted filesystems
- Physically locking your computer in a safe when you're not using it
- Only using your computer in a faraday cage or shielded room to avoid
    tempest attacks
- Requiring multi-factor authentication (USB key, SecureID tag,
    thumbprint, whatever) and hard passphrases to log in
- Using hardware-based intrusion detection systems with a monitored
    alarm on your computer and the rooms where you keep it and use it
- Well-paid armed guards
Sam Couter         |  mailto:sam at couter.id.au
                   |  jabber:sam at teknohaus.dyndns.org
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.samba.org/archive/linux/attachments/20070329/1160a783/attachment.bin

More information about the linux mailing list