Data Erasure. Alex Applegate. Mississippi State University Digital Forensics 1

Size: px

Start display at page:

Download "Data Erasure. Alex Applegate. Mississippi State University Digital Forensics 1"

Dwayne Miller
6 years ago
Views:

1 Data Erasure Alex Applegate 1

2 Overview Simple File Deletion Permanent File Deletion Data Wiping Can Wiped Data Be Recovered? Deletion on Solid State Drives 2

3 Simple File Deletion When a file is deleted in a GUI, either by using the delete key or using the rightclick menu (or its equivalent) leaves a file completely intact on the hard drive. Only the location pointer is updated by the file system Windows -> Recycle Bin Macintosh -> Trash Can Linux -> Trash 3

4 Permanent File Deletion A file can be deleted from the file system, but the underlying file is still largely, if not completely, unchanged on the actual hard drive File pointer deleted from the file table and associated clusters on hard drive marked as unallocated Those clusters are then available to be overwritten 4

5 Data Wiping An application can be used to intentionally overwrite clusters deallocated by file deletion Writes binary zeroes, ones, or random data for one or more passes Still no file associated with clusters Clusters are still marked as unallocated 5

6 Can Wiped Data Be Recovered? In 1996, Peter Gutmann wrote a paper discussing data recovery using magnetic force microscopy (MFM) and the possibility to detect data leakage Described 35 possible write patterns that would ensure maximal effectiveness on any hard drive Paper in 2000 demonstrated that even the recovered information was almost completely unusable; fractional bytes and not all the time 6

7 Gutmann s Whisker Data Leakage 7

8 Can Wiped Data Be Recovered? (cont d) Gutmann published follow-up in 2001 indicating new drive technology made data leakage as indicated by the 1996 paper highly unlikely In 2006, perpendicular storage was introduced making the possibility even more remote 8

9 MFM Images Between 2000 and

10 Perpendicular Storage 10

11 Perpendicular Storage (cont d) 11

12 MFM Image After

13 Why Is There Still Concern? Solid State Hard Drives complicate the issue instructions still written for spinning disks, SSD controllers do not necessarily do what they re told DoD Standard requires 3 pass wipes for secret data, 7 passes for top secret indicating unknown government technique for recovering wiped data Additionally, a 2009 paper analyzed the actual results of commercial tools, and even wiped data was able to be recovered most of the time 13

14 Deletion on Solid State Drives Most new drives perform deletion via a garbage collection routine or by TRIM Storage is in fixed sized blocks Data is all or nothing, no slack space or overwrites Whether by GC or TRIM, removal of unallocated blocks (controlled by OS) happens every few minutes Forensics has traditionally been able to access historical artifacts even when a file location has been properly wiped These get cleaned up by SSDs Newer operating systems are making logs and building snapshots Even if something is deleted by the user, it isn t deallocated if it s referenced in a snapshot 14

15 Summary Simple File Deletion Permanent File Deletion Data Wiping Can Wiped Data Be Recovered? Deletion on Solid State Drives 15

16 Data Erasure QUESTIONS? 16

17 References Gutmann, P., 1996, Secure Deletion of Data from Magnetic and Solid State Memory, Proceedings of the 6 th Conference on USENIX Security Gutmann, P., 2001, Data Remanence in Semiconductor Devices, Proceedings of the 10 th Conference on USENIX Security Wright, C. and D. Kleiman, 2008, Overwriting Hard Drive Data: The Great Wiping Controversy, Information Systems Security Pajek, P. and E. Pimenidis, 2009, Antiforensics and Their Impact on Computer Forensic Investigations, ICGS3 DoD/NIST Standard

FILE SYSTEMS, PART 2. CS124 Operating Systems Winter , Lecture 24

FILE SYSTEMS, PART 2. CS124 Operating Systems Winter , Lecture 24 FILE SYSTEMS, PART 2 CS124 Operating Systems Winter 2015-2016, Lecture 24 2 Files and Processes The OS maintains a buffer of storage blocks in memory Storage devices are often much slower than the CPU;