This is a happy one
Posted by CosmeticBrainSurgery@reddit | talesfromtechsupport | 52 comments
Though I was in tech support at the time, this wasn't exactly a tech support issue, but it's a great and true story.
The cops came to the company I work for asking if we could recover the data on a laptop they recovered along with other stolen goods. This was a very expensive laptop, and I think they suspected whoever stole it was responsible for a rash of thefts. They said they were looking for any info that might lead them to who had the laptop in possession after it was stolen.
We asked when it was stolen and they said June 11. We had the DR engineers take a look and they found out that someone did use it on the 12th.
We gave the cops that person's full name, phone number, address, former employers, and three personal references.
He had saved his resume on there and then did a quick format in the FAT drive (this was 30 years ago.) FAT doesn't overwrite all the sectors with a quick format so it was an easy recovery.
TheLadySlaanesh@reddit
Even with newer formats, like NTFS, data recovery isn't that hard with the proper forensic tools. I've managed to recover documents for companies as well as police for cases.
bob152637485@reddit
To make data harder to recover, I think you need special software that writes all 1s to everything, then all 0s, then 1s again, and repeats that several times.
TheLadySlaanesh@reddit
Yup. There are several good pieces of software that do forensic wipes to NSA and DoD standards. It's especially helpful for things like HIPAA, GDPR and SOC2 compliance for properly disposing of drives that have sensitive data on them.
Rathmun@reddit
If you're disposing of a drive that has sensitive data, rather than re-using for other sensitive data, then the correct utility is an angle grinder.
meitemark@reddit
On HDDs, drill a hole on the top, fill in some iron oxide and magnesium dust and put a sticker over the hole with "Tested, works. ". The result may be flammable. SSD: microwave oven.
SoMuchSpentBrass@reddit
I prefer a paint stripper pad in a die grinder, but the outcome is the same. It's really hard to recover ones and zeros from a pile of dust that used to be the data layer.
anubisviech@reddit
You could also just put the disks in the grinder and pull a magnet or screwdriver over it. I used to do this when I was a kid (not with a grinder though, I just powered the disk opened).
Rathmun@reddit
Sure, use your abrasive tool of choice, as long as it's aggressive enough.
Ich_mag_Kartoffeln@reddit
The most secure method of data destruction I've ever witnessed was a guy I went to uni with. He'd take HDDs to his parents' place, and melt them. Entirely.
His father's hobby was metal casting. Both foundry work and HDD melting are pretty awesome to watch.
denimadept@reddit
I heard thermite was good for this application.
Rathmun@reddit
It is, but if you want to make sure it actually does the job, you still have to get the platters out of the drive. Because once the thermite heats up enough to turn liquid, it tends to run down through the drive all in one spot. This heats the surrounding area above the Curie point, but it may not get the whole platter. Some data is still recoverable with enough time and money, and you don't know which data is still recoverable.
For most people's threat models, that's good enough, and thermite is fun. But it's not good enough for anyone whose threat model includes state actors.
denimadept@reddit
Is removing the top cover sufficient?
Rathmun@reddit
If you make sure all the space between the drives is packed with thermite before ignition... probably. But if you just pop the top and pour the thermite in, then you'll likely still get it burning a hole in the bottom and all running out before it fully destroys the platters.
If you're planning on destroying drives with thermite, get yourself some firebricks and stack them such that the thermite can't flow out the bottom or sides of the drive. Or at least can't flow easily. Thermite can hit 1250 very quickly, you just need to keep it on and more importantly in the drive long enough to make sure all the platters hit that temperature over their whole surface.
Honestly, abrasive tools are more practical. Unless you have an arc furnace.
Quantology@reddit
NSA standard for incineration requires heating the entire drive to 1250° F. So... probably not.
Quantology@reddit
The current NSA standard is a degaussing machine (if magnetic media) followed by complete physical destruction of the drive. I am unaware of any software that can do this.
The DoD standard of 3 or 7 passes is 20 years old. It is overkill for magnetic drives and ineffective for flash drives due to wear-leveling and over provision.
NIST currently recommends a single pass of 0s for magnetic media, and the built-in purge or secure erase command for flash. This is sufficient unless you're worried about major state actors, in which case you should destroy the drive.
RAVEN_STORMCROW@reddit
Dban https://sourceforge.net/projects/dban/ Darik's Boot and Nuke DOD SHORT BABY
Quantology@reddit
No longer true. With old drives it was possible to recover individual bits using residual magnetic fields left after overwriting. Any HDD manufactured in the last several years is high-density enough that a single pass of all 0s makes it impossible to recover individual bits.
With SSDs, multiple passes do nothing but over-wear the memory cells. The Secure Erase command will send a voltage spike that immediately wipes all flash cells.
Loading_M_@reddit
My understanding is that A) modern SSDs do wear leveling, so you can actually write over specific sectors, and B) for at least some SSDs, secure erase works by always transparently encrypting the data with AES, and just overwriting the key with random data when the TRIM command is sent.
Loading_M_@reddit
Some modern SSDs have a secure erase feature (called TRIM), which works by transparently encrypting sectors with AES, and just deleting the key when sent the TRIM command. It's also nice because you avoid the need to write to the same cell repeatedly (which many SSD controllers won't let you do anyway).
Terrible_Shirt6018@reddit
ShredOS, a replacement for DBAN, does that. Or you can have interns take the platters out and mangle them with a hammer and then melt them down into ingots.
StuBidasol@reddit
Looks like he now has a different answer for the "have you ever been convicted..." question.
pockypimp@reddit
I work at an airport facility and since I have to service APs that are near the taxiway I have to get an airport clearance badge. Two of the questions on the form that I laugh at every time are "Have you ever been convicted of hijacking an aircraft?" and something along the lines of "Have you ever been convicted of committing terrorist attacks?"
The first time I saw those I laughed and said to the person at my company who handles this stuff "If I had I wouldn't be here filling out this form!"
meitemark@reddit
"Never convicted. I'm too good at hiding the evidence, so none of the trials ever got anywhere. Also, since I give money from my crimes to the current administration, I can do whatever I want."
DrHugh@reddit
It's like nailing Al Capone for tax evasion. You ask the questions to force people who did to lie.
When I applied to be a Scout leader when my son joined, I was asked if I'd been convicted of a felony, or charged with other crimes. The people in the council took pains to say that telling the truth was essential, something like shoplifting wasn't going to bar me from being a volunteer, but if I lied and they found legal issues on my background check, that would stop my application cold.
FunnyAnchor123@reddit
One belief about data recovery I hold firmly is that given enough time & money, one can recover any file on a drive, no matter how much it's been wiped or reformatted.
Now I'm not saying your usual IT support person will be able to pull this off. What I am saying is that governments - & tech companies who specialize in this - have the skilled people & equipment to do this. If the NSA wants to find deleted files on a discarded drive, they can do it. If Ukraine gets their hands on a drive Putin was using in his computer, you can bet they will work around the clock to extract every last bit of data that is & was on that drive.
The only assured way to delete any data on a drive is to melt it into a lump, whether a metal or plastic one.
Finn_Storm@reddit
That depends on how you format it. A recursive write of all 0s, then 1s, repeat 7 times, is enough for DoD standards against state actors.
FunnyAnchor123@reddit
The problem with even a DoD wipe like that is that one is not writing 0s & 1s on the drive, it's writing approximately 0.0 & 1.0 to the drive. And with the right equipment & an experienced tech, they'd be able to recover more data than you'd expect.
Last time I looked into it, the cost of data recovery like this starts at a few thousand dollars. Since that was something like 30 years ago, the starting cost would be closer to tens of thousands of dollars. Too much of a price to recover evidence of a cheating spouse, but if the drive has the necessary details of Putin's secret Swiss bank account, hundreds of thousands of dollars to recover that information is a bargain.
BTW if what I've heard is correct, SSD drives do not properly delete data, but end up marking part of the storage space as "unreadable". This is why, as time goes on, the actual space on SSDs shrinks. And if the space is simply marked as "unreadable", there are ways to gain access to it. (I've noticed this with SSDs when I work on servers.) Ways which the NSA & other government-level groups undoubtedly know. So the only assured way to delete data is destroying the drive with extremely high heat.
CosmeticBrainSurgery@reddit (OP)
I have almost 30 years experience in data recovery. What you're saying sounds like a theory published by a guy named Peter Claus Gutmann about 20-25 years ago. It's one of those things that sounds brilliant, and it's a really interesting idea, but it's absolutely unworkable. No one has ever been able to use the Gutmann method to recover a single file that was overwritten in a single pass. It simply does not work.
A single pass overwrite is enough.
You can bring us a boxcar full of cash and tell us it's ours if we recover from a single pass overwrite, and we're going to look at all that money and cry when we tell you we don't know of any way it can be recovered. And my company has been recovering data since the 1980s. It's not a case of not enough money or not enough experience. Nobody recovers overwritten data.
We've investigated a few cases where people swore to us overwritten data was recovered. We asked them to share the source drive with us and several did. In each case, the overwrite process failed for one reason or another. Not all the data was overwritten, so some files were recoverable.
Defense departments only use multiple overwrite passes out of fear that someone could develop a technology in the future that can recover single-pass wiped data. Also, the military is known for overkill. I heard about one instance where they ran the DoD standard 7-pass overwrite seven times (so 49 passes), then they ran over the drive with a tank, and they took the unrecognizable pancake of flattened metal that resulted and buried it in an undisclosed location in a restricted area. 🤣
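An added illustration, not part of the thread or of anyone's post: the story's FAT quick format and the failed overwrites described in the comment above, modelled on a constructed in-memory toy volume. The layout, sector counts and sample string are assumptions for the example, not a real FAT implementation; the point is the read-back check that shows which sectors still hold data after each kind of wipe.

```python
SECTOR = 512
META_SECTORS = 4      # toy stand-in for boot sector + FAT + root directory
TOTAL_SECTORS = 64
# Constructed sample "file" contents, placed in the data area.
SAMPLE = b"RESUME Jane Example, 555-0100, references available"

def make_volume():
    """Toy volume: metadata sectors first, then data sectors holding one file."""
    vol = bytearray(TOTAL_SECTORS * SECTOR)
    vol[:META_SECTORS * SECTOR] = b"\xF8" * (META_SECTORS * SECTOR)
    start = 10 * SECTOR
    vol[start:start + len(SAMPLE)] = SAMPLE
    return vol

def quick_format(vol):
    """Rewrite only the metadata region; data sectors are left untouched."""
    vol[:META_SECTORS * SECTOR] = bytes(META_SECTORS * SECTOR)

def overwrite(vol, stop_after=None):
    """Single pass of zeros; stop_after simulates a pass that aborted early."""
    end = TOTAL_SECTORS if stop_after is None else stop_after
    vol[:end * SECTOR] = bytes(end * SECTOR)

def nonzero_sectors(vol):
    """Verification read-back: indices of sectors that still hold any data."""
    zero = bytes(SECTOR)
    return [i for i in range(len(vol) // SECTOR)
            if vol[i * SECTOR:(i + 1) * SECTOR] != zero]

def run_case(wipe):
    """Apply one wipe to a fresh volume; return (leftover sectors, sample found)."""
    vol = make_volume()
    wipe(vol)
    return nonzero_sectors(vol), SAMPLE in vol

def demo():
    return {
        "quick_format": run_case(quick_format),
        "aborted_pass": run_case(lambda v: overwrite(v, stop_after=8)),
        "full_pass": run_case(overwrite),
    }

if __name__ == "__main__":
    for name, (left, found) in demo().items():
        print(f"{name:13} leftover sectors={left} sample recoverable={found}")
```

A wipe log that says "completed" is not the same evidence as a read-back that finds no non-zero sectors.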
SeanBZA@reddit
In the military we had an incinerator, you put all confidential and higher documents, floppy diskettes, and hard drives in there, and pressed start. After the grinder, there was a diesel fired burner, that would reduce everything to ash, and that then went through another grinder as well. Files went in complete, folder, binders, and covers complete, along with any other items for destruction. Would also chop up hard wood, the local iron wood Acacia, as if it was pine.
CosmeticBrainSurgery@reddit (OP)
That's good security! What branch if you don't mind saying?
SeanBZA@reddit
Chair force, though the South African Air Force is a shadow of its former self, having only one operational helicopter, an Oryx, in service, and a single operational fighter, and almost none of the transport fleet. The SAAF Museum has more operational aircraft......
CosmeticBrainSurgery@reddit (OP)
Wow. Is this concerning? Or is South Africa pretty unlikely to be attacked?
SeanBZA@reddit
Let us just say if the US invaded, it would be all over in 15 minutes, with the only force required being a commando platoon and some rubber duckies.
Ich_mag_Kartoffeln@reddit
Maxim 37: There is no "overkill." There is only "open fire" and "reload."
CosmeticBrainSurgery@reddit (OP)
I'm sure you've been really enjoying the news lately.
Finn_Storm@reddit
Maybe during production, instead of deleting files Windows will just make the file unreadable and overwritable yes. It does this for both HDDs and SSDs to prevent wear and tear.
But virtually all SSDs released in the last 10 years are encrypt-on-write with AES 256. The key is stored in plaintext on the drive and can be deleted with secure erase, effectively wiping the disk within seconds.
Now I'm not gonna claim that the data is unrecoverable, because technically you could also just get lucky and guess the key, but as far as I'm aware AES256 is quantum resistant for at least 2 more decades, and sufficient encryption standards already exist that for all intents and purposes are immune to quantum computing for the next 100 years (extrapolating current computational power)
SabaraOne@reddit
Personally I just bash up the circuit board with a hammer but I've never had to deal with any data more sensitive than some small business financials with a likely attacker no more complex than an opportunistic dumpster diver. ShredOS followed by an Overture's worth of claw hammering is probably good enough for that model.
Unnnatural20@reddit
I'm not a techie, but I know from experience that leaving a couple under-supervised kids in a room with instructions to not touch anything can yield amazingly destructive results.
DiodeInc@reddit
You only break the circuit board? Yeesh
SabaraOne@reddit
For data of no significant value? Sure. If it was important I'd at least bash it until the platters came out and hit those a few times too. I've never had to destroy a drive with PII or customer financial data. Maybe a spreadsheet of transaction amounts but not even account numbers.
CosmeticBrainSurgery@reddit (OP)
For data that's not critical, busting the controller board is fine. You know smashing the platters is best when it's critical data.
Controller boards are customized to a drive before it leaves the factory. Even if you take the exact same controller board (it can't just be from the same make and model drive, you have to match the chip version numbers because every update changes things) the board also contains non-volatile memory containing a map of bad sectors. Without that map, you start reading a drive and all of a sudden everything is one sector skewed...then two...and so forth. It makes recovery a pain, but it might be possible to recover some files if you send it to the right lab. It's unlikely to cost under $700-1500, though.
Incidentally, the company I work for bought a company that claimed to be able to recover data from drives that had holes drilled through the platters. We were all dying to find out how the hell they did that because it seemed practically impossible. A few months after we bought them I started asking around because I hadn't heard how they do it. The answer was they can't.
SabaraOne@reddit
That's kinda my thought too. In my pissant town even if someone knows where the drive comes from they probably won't have the means to recover a drive beyond plugging it in and hoping it works.
Mdayofearth@reddit
Not true.
You can wipe a drive by repeatedly writing all 0s and 1s a few times, alternating between the two. This will greatly diminish the life of an SSD, but if it's being chucked, who cares.
A cheap way is to keep copying some small MP3 until the drive is completely full and format; and repeat that a few times.
The cheapest way is to just destroy the platters of an HDD; or the NAND chips of an SSD.
CosmeticBrainSurgery@reddit (OP)
I can confirm absolutely that is not true.
TinyNiceWolf@reddit
Ironically, he didn't even need a resume to land his new job making license plates.
Trin959@reddit
I still remember when Peter Norton released his first DOS file recovery program back when he worked for PC Magazine. I can't remember if they published it as an Assembly language program, released it on disk as a subscription perk, or both. Can anyone help my memory?
CleeBrummie@reddit
Yeah, I remember when Norton Utilities was the gold standard
DiodeInc@reddit
And now it's the F standard
Ich_mag_Kartoffeln@reddit
Hey, it's still the gold standard! For my DOS machines.
Thick_You2502@reddit
Probably on a floppy disk with the tools of that month's issue
Trin959@reddit
You're probably right. It's been a while.
CharcoalGreyWolf@reddit
Previous occupations: Served on the Technology Reappropriation Committee of a small business