TrueCrypt HDD then disk wipe, even more effective?

[TJCS]

Will TrueCrypt'ing an entire HDD followed by a 3-pass wipe be an even more effective way to keep data unrecoverable?

I have read that disk wipe programs such as Dban will fail if your hard disk is faulty or if there are compatibility issues with chipset/disk controllers. If this happens your data will remain intact on the hard disk unwiped. To ensure data isn't recoverable, here are two two methods I thought about doing:

1. Quick Format HDD> TrueCrypt HDD > (Doing this already good enough?)
2. Quick Format HDD> TrueCrypt HDD> DBan 3-pass (Better?)

Planning to sell a backup hard drive that I used to store some financial data, and thought about doing this. If you don't think this will make any difference or it's ineffective please share your reasoning .

 

[KeithP]

I can't answer your question but you might want to take a look at this thread before you go to all that trouble:
http://forums.anandtech.com/showthread.php?t=317147&highlight=wipe

The purpose of this paper was a categorical settlement to the controversy surrounding the misconceptions involving the belief that data can be recovered following a wipe procedure. This study has demonstrated that correctly wiped data cannot reasonably be retrieved even if it is of a small size or found only over small parts of the hard drive. Not even with the use of a MFM or other known methods. The belief that a tool can be developed to retrieve gigabytes or terabytes of information from a wiped drive is in error.

If the concern is an HD failure that might leave the drive in a state where it can't be completely wiped but still be read, I think it would be simpler just to fill the drive with non-critical information before wiping it. For instance, if you rip a DVD, duplicate it a few times in a folder, then dupe the folder, etc.

-KeithP

 

[TJCS]

Nice read Keith. I have read a lot about data wiping in the past, and it has always been a controversial topic. I had some problems with Dban and my disk controller in the past, and it would just freeze erasing only part of my data. But, I think fill-the-HDD with non-critical data before wiping it is a good way to verify that you have written over old data at least once.

 

[gsaldivar]

As I understand it, Truecrypting an entire partition will populate the relevant sectors with pseudo-random data anyway. In other words, a 100GB encrypted partition will be written with 100GB of data, regardless of the % of that partition that is actually being "used" to store files. So, IMHO there really isn't a need to perform redundant wiping prior to, or after, encrypting the drive with Truecrypt.

The ability to recover old data from sectors that have been written with new data, is theoretical at best. Such an effort would almost certainly require a team of engineers and an superhuman effort to uncover anything useful. That being said, there is a possibility that it can be done. And for many organizations, that possibility is (or should be) an unacceptable risk.

If the data is THAT sensitive, you should not be attempting to recover the cost of the drive by selling it on the secondary market. Instead, hire an equipment disposal company and have it permanently and professionally destroyed. These companies will also provide you with tracking documents and a disposal certificate to meet SOX/HIPAA/FACTA guidelines.

http://www.youtube.com/watch?v=yd_O7-rqcHc

Good luck!

 

[TJCS]

Thanks for your input gsaldivar. I am curious about one thing -- what happens if truecrypt writes over a bad sector or a problematic hdd? Will there be an error indication or it all depends how serious the problem is. I haven't seen that sort of problem arise yet.

 

[gsaldivar]

Thanks for your input gsaldivar. I am curious about one thing -- what happens if truecrypt writes over a bad sector or a problematic hdd?

As I understand it, directory damage or a bad sector on an existing volume could theoretically cause data loss if you are attempting to encrypt the volume with data in-place. That being said, I've never seen this type of loss. I'm sure an error message would be displayed in the unlikely event that this might occur. TC does a thorough job of checking and cross-checking the volume, before and during encryption, to avoid this exact scenario.

You might also want to post your questions in the TC forums for a better explanation that I can provide!

Thanks.

 

[Modelworks]

No need to go crazy on wiping data. Writing 0's one time is enough to prevent someone from getting the data back. More passes are done for government security reasons because of theoretical recovery with extremely expensive methods , millions of dollars to recover the drive data. Nobody has recovered data from a drive wiped one time.

If you think about it, a drive that returns a 0 on one read and a 1 the next time from previous data would be useless as a storage device. Once you change the sector it cannot be recovered without removing the platter and using an electron scanning microscope, even then it has never been done successfully.

 

[TJCS]

As I understand it, directory damage or a bad sector on an existing volume could theoretically cause data loss if you are attempting to encrypt the volume with data in-place. That being said, I've never seen this type of loss. I'm sure an error message would be displayed in the unlikely event that this might occur. TC does a thorough job of checking and cross-checking the volume, before and during encryption, to avoid this exact scenario. You might also want to post your questions in the TC forums for a better explanation that I can provide! Thanks.

Thanks for sharing your thoughts on this man.
​

No need to go crazy on wiping data. Writing 0's one time is enough to prevent someone from getting the data back. More passes are done for government security reasons because of theoretical recovery with extremely expensive methods , millions of dollars to recover the drive data. Nobody has recovered data from a drive wiped one time.

If you think about it, a drive that returns a 0 on one read and a 1 the next time from previous data would be useless as a storage device. Once you change the sector it cannot be recovered without removing the platter and using an electron scanning microscope, even then it has never been done successfully.

I think you have misunderstood this discussion. I am not asking how many passes is enough to wipe data, but whether there are alternatives to the way you wipe. Some programs fail due to hardware problems, and data remains unwiped. This has nothing to do with how many times data is wiped.
​

 

[Gamingphreek]

No need to go crazy on wiping data. Writing 0's one time is enough to prevent someone from getting the data back. More passes are done for government security reasons because of theoretical recovery with extremely expensive methods , millions of dollars to recover the drive data. Nobody has recovered data from a drive wiped one time.

If you think about it, a drive that returns a 0 on one read and a 1 the next time from previous data would be useless as a storage device. Once you change the sector it cannot be recovered without removing the platter and using an electron scanning microscope, even then it has never been done successfully.

Yea I think DoD spec is something ridiculous like 7x 0 fills before the drive can be used in an unclassified environment. I suppose if you have to worry about the best minds of an entire nation (or beyond that) the more the better...

To the OP, in my mind, if you don't 0 fill the drive, but simply do an erase, TCing the contents would provide an added benefit as a high level format merely marks all sectors as free.

-Kevin

 

[Red Squirrel]

I don't think it would do a difference. This will write random/encrypted data to the drive sure, but so will a full disk erase (lot of them will write random data then follow with a write of zeroes). So really it would be faster to just do more passes.

I usually do 27 passes of random data followed by a write of zeroes if I sell a hard drive. I've only sold a few hard drives though, and only because they were IDE and most of my stuff is sata now. I normally just recycle HDDs as backup drives.

You want to setup a dedicated machine for this, and it will take weeks. Even 27 passes, I'm sure the FBI or other high profile agency could potentially recover somehow so the only guarantee is total destruction of the drive platter surface. I like to let it run then take a sharp object and very slowly work my way from the center to the edge, and just keep doing that, then don't forget to the the other side and if there's multiple platters then do each one. Of course if you're asking about erasing then you probably don't want to destroy the drive physically.

 

[TJCS]

If I understood you guys correctly, you are saying that both TrueCrypt & Data Wipe Apps both create random data on a drive, therefore it will just be less of a hassle to just wipe the hdd.

 

[Red Squirrel]

If I understood you guys correctly, you are saying that both TrueCrypt & Data Wipe Apps both create random data on a drive, therefore it will just be less of a hassle to just wipe the hdd.

Pretty much, it really depends on the app you use. I normally use "shred" in linux. Very easy to use and it seems to be standard on most systems. You can just boot off pretty much any linux CD. I usually just hook the drive up to my main server (which is on 24/7 anyway) then do it through the OS on the server that way I'm not tying up any machine I would normally be using for something else.

Now if you wanted to go a step further you could truecrypt your actual data, that way when you want to wipe that drive, the data that was on it is already encrypted anyway. Like 5 passes would probably be more then enough in that case, good luck to someone trying to recover a drive that's been wiped a bunch of times, and that the actual data was encrypted to begin with.

 

[Pegun]

I've never had a problem with DBAN and it's generally considered to be a good enough solution by offices and universities to ensure the data can't be viewed by another party. Try it with the DoD Long wipe.

 

[blackangst1]

Thanks KeithP for reporting that article...I was gonna look for it hehe

Fully encrypt entire drive then do a quick format: unrecoverable. If you want, you can dban the drive with one pass after encrypting the full drive. Unrecoverable.

 

[Red Squirrel]

Thanks KeithP for reporting that article...I was gonna look for it hehe

Fully encrypt entire drive then do a quick format: unrecoverable. If you want, you can dban the drive with one pass after encrypting the full drive. Unrecoverable.

Keep in mind that all you're doing by encrypting the full drive is writing data over existing data. That existing data may potentially be recoverable with specialized techniques. You may as well just overwrite the data with a tool since it will come up to the same thing.

Most data recovery companies probably wont be able to recover a drive that has been fully written a single time. The multiple passes is more or less to "make sure" the magnetism is fully gone. I've heard mixed thoughts on this subject and newer drives, apparently it's not even needed but with older drives sometimes the head would not write to the EXACT same spot so even though you wrote to the same address multiple times it may be physically in 10 different locations. Doing multiple passes increases the odds that it hits the same spot. Only specialized tools can read the raw data and try to reconstruct it. I doubt this is easy.

Another theory is that when you write a 1 over a 0, it might actually be a 0.833 as far as the magnetism power goes. You wrote on it again, then it's 0.928, again now it's 0.969. So say you have multiple bits that have been filled with 1's it might look like 0.9934, 0.8342, 0.8364, 0.9823. Upon further analysis bit 2 and 3 were most likely 0 before that, but 1 and 4 were maybe already 1. This works the other way too.

 

[blackangst1]

Keep in mind that all you're doing by encrypting the full drive is writing data over existing data. That existing data may potentially be recoverable with specialized techniques. You may as well just overwrite the data with a tool since it will come up to the same thing.

No, it isnt. I suggest you read the paper that is linked. If the hard drive is newer than about 8-10 years old, one pass = unrecoverable by even an electron microscope.

 

[Red Squirrel]

No, it isnt. I suggest you read the paper that is linked. If the hard drive is newer than about 8-10 years old, one pass = unrecoverable by even an electron microscope.

How can we be 100% sure though? I know right now that's what they say, but I'm sure that's what they said back in the day and now we can recover old drives. You can never be too sure when it comes to confidential data.

Though it is true that it is much harder and maybe there is no technique known yet. Have to remember though, the FBI, CIA and such are probably 10+ years ahead of everybody as far as technology goes. Everything is held top secret. Who knows, maybe they can crack SSL and other stuff currently "uncrackable" (well SSL can be cracked now, so maybe that's a bad example).

Of course if you're not a criminal then there is not really anything to worry about, they are not out to get good people, they are out to get bad people.

Bottom line is the only way to be 100% sure is to just keep the drive or physically destroy it, or encrypt the data from day 1.

 

[lxskllr]

How can we be 100% sure though? I know right now that's what they say, but I'm sure that's what they said back in the day and now we can recover old drives. You can never be too sure when it comes to confidential data.

You're forgetting that nobody really cares what's on your drive. 99.9% of the population isn't going to try getting your data after quick formatting the drive. You don't have to protect your data against the Chinese, they just don't care ;^)

 

[Modelworks]

You're forgetting that nobody really cares what's on your drive. 99.9% of the population isn't going to try getting your data after quick formatting the drive. You don't have to protect your data against the Chinese, they just don't care ;^)

That is very true. People also assume that the government uses programs like DBAN to wipe drives and that is not true. While the government does have standards for how a drive can be erased that is not how they protect information on drives they remove. They don't use any software at all. The drives are shredded when removed, they have a protocol that states

after removal of any storage medium, the medium is to be promptly placed in the secure shredding device in the presence of the current security officer . The output of the secure shredding device must be boxed and tagged before end of the current shift. All forms must be signed by the technician performing the work and the security officer who witnessed the process. A copy should be attached to the box containing the output from the secure shredding device. A second copy must be filed with the office before end of the current shift.

Storage medium is defined as any device that could possibly contain data upon removal from host including hard disk, optical or magnetic removable media, flash devices, memory chips, eproms, eeproms or OTP type storage.

Promptly is defined as before any other task is performed by the technician. Failure to shred the medium in a timely manner will result in prosecution.

They then send that shredded metal to a furnace where it is melted down.

I doubt anyone will ever be able to recover data from that process.

 

[blackangst1]

How can we be 100% sure though? I know right now that's what they say, but I'm sure that's what they said back in the day and now we can recover old drives. You can never be too sure when it comes to confidential data.

Though it is true that it is much harder and maybe there is no technique known yet. Have to remember though, the FBI, CIA and such are probably 10+ years ahead of everybody as far as technology goes. Everything is held top secret. Who knows, maybe they can crack SSL and other stuff currently "uncrackable" (well SSL can be cracked now, so maybe that's a bad example).

Of course if you're not a criminal then there is not really anything to worry about, they are not out to get good people, they are out to get bad people.

Bottom line is the only way to be 100% sure is to just keep the drive or physically destroy it, or encrypt the data from day 1.

Again, you need to read the paper. They cover all of this, and using an electron microscope, after one pass, nothing was recoverable.

Throwing around 3 letter agencies and speaking as if they are some omnipotent force, well...

Do you remember the case a year or two ago where the guy was stopped at the Canadian border and later arrested for underage porn whose laptop was encrypted? In the end it never was decrypted. Why? Because it isnt possible (given a standard TC encrypted partition).

the FBI, CIA and such are probably 10+ years ahead of everybody as far as technology goes.

This is untrue. When AES was adopted as the standard for the government by NIST, it was after several years of input and trials by private sources. Why would such advanced agencies use private sources if they had the resources themselves?

Anyhow. I suggest you read that paper.

 

[Deleted member 4644]

How can we be 100% sure though? I know right now that's what they say, but I'm sure that's what they said back in the day and now we can recover old drives. You can never be too sure when it comes to confidential data.

Though it is true that it is much harder and maybe there is no technique known yet. Have to remember though, the FBI, CIA and such are probably 10+ years ahead of everybody as far as technology goes. Everything is held top secret. Who knows, maybe they can crack SSL and other stuff currently "uncrackable" (well SSL can be cracked now, so maybe that's a bad example).

Of course if you're not a criminal then there is not really anything to worry about, they are not out to get good people, they are out to get bad people.

Bottom line is the only way to be 100% sure is to just keep the drive or physically destroy it, or encrypt the data from day 1.

If you are storing illegal porn or proof of your tax evasion on your drives... my suggestion is to burn them to ashes before you throw them into the trash, don't be a cheapass and sell them.

Or better yet.. don't do things that could cause the FBI to knock at your door...


(And yes.. sometimes innocent people are wrongly accused or insane prosecutors go after family baby pics etc).

And yes, I am a lawyer.

 

[blackangst1]

If you are storing illegal porn or proof of your tax evasion on your drives... my suggestion is to burn them to ashes before you throw them into the trash, don't be a cheapass and sell them.

Or better yet.. don't do things that could cause the FBI to knock at your door...


(And yes.. sometimes innocent people are wrongly accused or insane prosecutors go after family baby pics etc).

And yes, I am a lawyer.

I agree; however, this hits a little too close to the "if you arent doing anything wrong you should have nothing to hide" mantra. Not sure what kind of atty you are, but I would think you of all people would not be subscribing to this POV. I have seen in trials where encryption is used, and immediately the prosecution uses the "if youre innocent, why would you have a problem decrypting it?" which throws reasonable doubt into the jury's minds. Which is dead assed wrong. The better question, often asked too late, is...if I did something so wrong, where is your compelling evidence? Encryption is NOT compelling evidence.

But thats another thread...