Are you sure you wiped all the data?


I have worked as a digital forensic investigator and with logical and physical data recovery within law enforcement authorities and at private security companies. From my work and experience I’ve learned a “bit” or two about what kind of data it is technically possible to reconstruct from digital storage.

The picture shows Darik's Nuke & Boot! A great open source tool for disk wiping!

A while back I came across an issue regarding secure disk erasure tools for hard drives. The question is: does an erasure tool delete all the content on a hard drive, and if so, can you be sure that the disk does not contain old data?

The manufacturers and software companies claim that their software erases EVERYTHING.

To quote a major player in the industry: “NN software helps guarantee that all data has been erased”

With this in mind, I wanted to verify the claim. A former colleague and I discussed the issue and came up with the following proof of concept to test the claim. Our hypothesis was that an erasure tool does not delete / overwrite everything on a hard disk drive, but only the sectors on the hard disk that the software can access.

Say hello to: g-list & p-list.

Bad sectors fall into two categories: those created during the manufacturing process and those which develop when the drive is in operation. Hard drives are designed to identify and contain bad sectors by the use of two defect tables.

The P-list Table

When disk manufacturers produce a hard drive, it always comes with some errors on the disk. These errors are analysed prior to shipping and hardcoded into the firmware on the disk in a table called the P-list. This list keeps track of “default” bad sectors so that the disk does not write data to the damaged sectors.

The G-list table

The G-list or “growth” defect table contains sectors which have become corrupted while the drive is in use. Although data operations are automatically redirected to uncorrupted sectors, the G-list table does reduce drive access speed and it may become necessary to replace the drive.

Proof of concept!

Obtain an unused, new hard drive of type S-ATA (or IDE). This is still the most commonly used hard drive and can be found in everything from mainstream laptops to workstations, portable drives and servers. Format the drive with the NTFS file system, which is the most commonly used file system under Windows, and write some data to the disk. In this case you can make a simple text file. Then open the disk in a hex editor to locate the file and note the sector where the file/data is stored. Let us say that the data is written to sector 10000.

A disk used over a long period of time, such as two to three years, will have many bad sectors, and information about the bad sectors is recorded in the G-list table.

To simulate disk usage and bad sectors, set sector 10000 as a bad sector and add it to the G-list with a tool. What happens next is that the content of this sector is remapped (copied) to a new sector (e.g. 30000) and the original sector is marked as “bad” in the G-list.

Now to the Wiping/Secure Erasure process

Install the drive in a computer and boot it from a CD-ROM or floppy disk that contains the erasure software. This can be an open-source tool or one of the commercial tools previously cited. You will then be guided through a process in which the software overwrites all recordable sectors, but not the sectors located in the P-list and the G-list. In other words, it overwrites only the sectors the software can access.

Now, let's do some magic!

Screenshot from the PC3000 software from Ace Labs! State of the art data recovery tool!

Again, connect the drive to a tool that allows you to edit the G-list. Remove sector 10000 from the table, which tells the drive that the sector is OK. Analyse the disk with a hex editor and look up sector 10000, and the file/data is suddenly accessible and readable.
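The proof of concept above can be followed in a small model. This is an added example, not code from the original post: ToyDrive, wipe, verify_wiped and run_poc are hypothetical names, and the drive is a constructed toy in which a G-list entry redirects a logical sector to a spare one, using the sector numbers 10000 and 30000 from the text.

```python
class ToyDrive:
    """Constructed toy model: logical sectors mapped onto physical ones via a G-list."""
    def __init__(self, user_sectors=30000, spare_sectors=4, sector_size=16):
        self.user_sectors, self.sector_size = user_sectors, sector_size
        self.physical = [bytes(sector_size)] * (user_sectors + spare_sectors)
        self.glist = {}                  # retired physical sector -> spare sector
        self._next_spare = user_sectors  # spares sit behind the addressable area

    def _resolve(self, lba):
        if not 0 <= lba < self.user_sectors:
            raise IndexError("sector outside the addressable area")
        return self.glist.get(lba, lba)

    def read(self, lba):
        return self.physical[self._resolve(lba)]

    def write(self, lba, data):
        padded = data.ljust(self.sector_size, b"\0")[:self.sector_size]
        self.physical[self._resolve(lba)] = padded

    def retire(self, lba):
        """Mark a sector bad: copy its content to a spare and add it to the G-list."""
        if self._next_spare >= len(self.physical):
            raise RuntimeError("no spare sectors left")
        self.physical[self._next_spare] = self.physical[lba]
        self.glist[lba] = self._next_spare
        self._next_spare += 1

    def residual_sectors(self):
        """Physical sectors no logical address reaches that still hold data."""
        reachable = {self._resolve(lba) for lba in range(self.user_sectors)}
        return [p for p, d in enumerate(self.physical)
                if p not in reachable and any(d)]

def wipe(drive):
    """What an erasure tool can do: overwrite every sector it can address."""
    for lba in range(drive.user_sectors):
        drive.write(lba, b"")

def verify_wiped(drive):
    """The tool's verification pass, limited to the same addressable sectors."""
    return all(not any(drive.read(lba)) for lba in range(drive.user_sectors))

def run_poc():
    drive = ToyDrive()
    drive.write(10000, b"SECRET-FILE")  # constructed sample data
    drive.retire(10000)                 # content now also lives in sector 30000
    wipe(drive)
    verified, residual = verify_wiped(drive), drive.residual_sectors()
    drive.glist.pop(10000)              # G-list entry removed, as in the last step
    return verified, residual, drive.read(10000)

if __name__ == "__main__":
    print(run_poc())
```

The verification pass reports a clean disk because it reads through the same mapping the wipe wrote through, while the retired sector keeps its content.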

Conclusion

Many consumers, businesses and government agencies are, in my opinion, misguided in thinking that software-based disk wipe tools are good enough. Security authorities worldwide have approved these tools for wiping confidential data. But suppliers and manufacturers forget to tell you about this weakness!

Lots of hard disk drives with sensitive information will, after a so-called secure erase, still contain a lot of data, which to a threat actor can be a very valuable asset.

Counter-arguments from the industry will certainly be: this is correct, but it is so technically difficult to carry out that the risk of someone following the procedure described further up in this document is very small or inconceivable. Which reminds me of the saying “Security Through Obscurity”: that is, the difficulty or secrecy of how things really work creates the illusion that the flaws/vulnerabilities are not known and that attackers will be unlikely to find them, or that it is so difficult or complicated that threat actors cannot, or do not understand how to, compromise the barriers.

This is not an attack against the producers or the erasure software. They constitute an important part for most people who want to erase data in a “secure” way. But to be absolutely sure, it’s just degaussing, cross cutting and melting that actually do the job!
