Does anyone know the difference between the DOD short wipe and the DOD
long wipe of a hard drive?
Is one more preferred than the other to make data from a hard drive
unrecoverable?
Which one is the actual standard that most techs are doing to wipe a
drive?
Thanks for any thoughts!
Drew

DOD is a waste of time, unless you're wiping the drive for a DOD machine, a
mob boss, a spy, or a terrorist.
For the rest of us a single-pass all zeros does the job more than
adequately. To retrieve the data after that you need to pay big money and
send the drive to a data recovery company...and get real lucky, too. Fees
for that start in the thousands and it's not a job anyone can ever do at
home.
-John O

It's interesting to me that something like that (recovery
of anything after an all-zero pass) is possible at all.

Very unusual = you have national security data, terrorist data or
criminal activity data on your PC.
OTHERWISE (which is almost everyone), ANY actual overwrite of the data
... just a non-DOD, simple overwrite ... is all that you need. Once the
data is overwritten (any simple overwrite, non-DOD at all), retrieving
it becomes IMPOSSIBLE at a normal end-user level (no matter what
end-user software tools are used). At this point, while forensic,
non-end-user recovery is still possible, the cost goes up into 6-figures
(hundreds of thousands of dollars), the time required goes up into the
hundreds of hours (in a VERY specialized lab that very few have access
to at any cost) and not even law enforcement would attempt such recovery
unless there was a very specific, very compelling reason to do so.
[FWIW the long wipe wipes the disk more times with more patterns. Each
overwrite makes recovery more difficult, more expensive, and closer to
totally impossible (although actually achieving totally impossible is,
itself, impossible).]
The BEST way to eradicate data on a disk is not DOD approved. Disk
drives have a "secure erase" command (aka a "destroy yourself" command
... although only the data is destroyed, the drive itself is NOT
destroyed). This command is HIGHLY secure, once the command is issued
the action is done entirely within the drive, and it's more secure than
any external data elimination done by writing to the drive.
For more information on this, see:
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
Also, in terms of security, overwriting with data is better than
overwriting with all 0's or all 1's. What I do is just repartition the
drive to a single large partition (which, by itself, does nothing in
terms of data security), then copy a 100GB folder of TV shows and movies
to the drive (multiple times if necessary) until the drive is full, then
erase everything. That effectively overwrites everything on the drive,
and if someone wants to do data recovery, they will get several seasons
of "Grey's Anatomy" and "24" (how fitting) ... and nothing else.

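The single-pass overwrite the posts above describe is only as good as its coverage, so the check worth running before a drive leaves your hands is a read-back confirming that every sector actually came back as zeros. The script below is an added example, not code from any poster; it assumes `path` is a disk image file or (run as root, and destructively) a raw block device node, and the 92000-byte "document" and the sector counts are constructed for the demo.

```python
import os
import tempfile

SECTOR = 512      # report at sector granularity
CHUNK = 1 << 20   # read/write 1 MiB at a time

def zero_fill(path):
    """Single-pass all-zero overwrite of every byte at path (image or device)."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # size works for files and block devices
        f.seek(0)
        zeros = bytes(CHUNK)
        for off in range(0, size, CHUNK):
            f.write(zeros[:min(CHUNK, size - off)])
        f.flush()
        os.fsync(f.fileno())  # make sure the writes reached the media
    return size

def scan_nonzero(path):
    """Return (total_sectors, nonzero_sectors, first_nonzero_offset)."""
    total, dirty, first = 0, 0, None
    with open(path, "rb") as f:
        offset = 0
        while buf := f.read(CHUNK):
            for i in range(0, len(buf), SECTOR):
                sector = buf[i:i + SECTOR]
                total += 1
                if sector.count(0) != len(sector):  # any non-zero byte
                    dirty += 1
                    if first is None:
                        first = offset + i
            offset += len(buf)
    return total, dirty, first  # a clean zero wipe reads back as (N, 0, None)

def demo():
    """Constructed image: 2 MiB random, 1 MiB zeros, then a 92000-byte text file."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(os.urandom(2 * CHUNK) + bytes(CHUNK))
            f.write(b"tax_return.pdf contents" * 4000)
        before = scan_nonzero(path)  # -> (6324, 4276, 0)
        zero_fill(path)
        after = scan_nonzero(path)   # -> (6324, 0, None)
    finally:
        os.unlink(path)
    return before, after
```

Against a real drive, run `scan_nonzero("/dev/sdX")` after the wipe; any non-zero count or a first offset that is not `None` means a region was skipped and the pass has to be repeated.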
In a couple weeks I get to hang out with guys who work at one of the FBI
forensics labs. As you say Barry, even they rarely send drives out for
recovery (they contract out the procedure) after a wipe because of the
expense and because they can usually find other evidence at far less expense
and time... most criminals just aren't smart enough to cover *all* their
tracks.
-We recently wrote an IT forensics course...very cool stuff.
-John O