34 replies to this topic

[john_a]

Hi all

This 'Wipe Free Space' option is a bit of a joke, isn't it? Any good intelligence or recovery professional could unencrypt this. I use Kill Disk, which wipes pre-boot, for obvious reasons.

Why was this option even added to the latest versions of CCleaner?

[Augeas]

Just out of interest, how would any recovery professional 'unencrypt' overwritten data, and who advertises that they do this? I agree that for the overwhelming majority of the human race this is a waste of time, but people love gadgets and tweaking stuff.

[john_a]

Augeas, on Mar 22 2009, 01:26 AM, said:

Just out of interest, how would any recovery professional 'unencrypt' overwritten data, and who advertises that they do this? I agree that for the overwhelming majority of the human race this is a waste of time, but people love gadgets and tweaking stuff.

It's not hard, just like trying to hear the sounds of a tape you have recorded over.

Like, one wipe, not secure, two wipes, more secure..etc etc. CCleaner is like a half wipe.. Kill Disk is one , if not the only, secure deletion method. CCleaner is no better than Webroots 'shredder', or heaps of others.

[john_a]

And also, re un-encrytption, you may wish to refer to reported events in the news media, where 'so-called' deletion methods have been 'reversed', and contents shown.

[YoKenny]

john_a, on Mar 21 2009, 11:39 AM, said:

It's not hard, just like trying to hear the sounds of a tape you have recorded over.

With Mute selected its good to fall asleep with though if the volume is turned up.

Helps to block out the beeping horns, partying neighbors that don't invite you to their party and construction trucks

Quote

Like, one wipe, not secure, two wipes, more secure..etc etc. CCleaner is like a half wipe..

I was going to insert the one that begins with "a" but I thought better of it.

I prefer the sounds of waves gently breaking at the beach lounging in a chair with a cold beverage on a table beside me.

[Augeas]

Please quote where.

A quick flick on Google with 'recover overwritten data' shows nobody is offering this service. To quote one hit, from Sean Barry (Ontrack's Remote Data Recovery Manager), “There is no chance of recovery with overwritten clusters. The bit density on hard disk drives is so great now that when the magnetics are rewritten, the data is gone." Ontrack.com claims to be the world leader in data recovery.

[john_a]

Augeas, on Mar 22 2009, 04:48 AM, said:

Please quote where.

A quick flick on Google with 'recover overwritten data' shows nobody is offering this service. To quote one hit, from Sean Barry (Ontrack's Remote Data Recovery Manager), “There is no chance of recovery with overwritten clusters. The bit density on hard disk drives is so great now that when the magnetics are rewritten, the data is gone." Ontrack.com claims to be the world leader in data recovery.

Sure, have a read of this: (LINK)

Reasons for Concern

Widely available disk overwriting software is one of the main reasons why data leaks continue to occur. Many corporate IT departments use these disk overwriting software tools to mitigate potential business risks and legal liabilities but these tools may have significant drawbacks which could compromise an organization's security.

According to a memorandum issued by the United States Department of Defense (DoD), (2001, May), overwriting software must have the following functions and capabilities in order to ensure the integrity of the sanitization process:

* The ability to purge all data or information, including the operating system (OS), from the physical or virtual drives, thereby making it impossible to recover any meaningful data by keyboard or laboratory attack.
* A compatibility with, or capability to run independent of, the OS loaded on the drive.
* A compatibility with, or capability to run independent of, the type of hard drive being sanitized (e.g., Advanced Technology Attachment (ATA)/Integrated Drive Electronics (IDE) or Small Computer System Interface (SCSI) type hard drives).
* A capability to overwrite the entire hard disk drive independent of any Basic Input/Output System (BIOS) or firmware capacity limitation that the system may have.
* A capability to overwrite using a minimum of three cycles (six passes) of data patterns on all sectors, blocks, and slack or unused disk space on the entire hard disk medium.
* A method to verify that all data has been removed from the entire hard drive and to view the overwrite pattern

[YoKenny]

If you are that paranoid why are you using a computer?

[john_a]

YoKenny, on Mar 22 2009, 02:20 PM, said:

If you are that paranoid why are you using a computer?

Of course, a typical, predictable, yet useless interruption to the conversation.

We were discussing the different wipe methods available, and in particular the usefulness/performance of the CCleaner Wipe Free Space function, but hey, thanks for the input..buddy.

[Augeas]

That article discusses shortcomings in the disk wiper's ability to access every area of the disk (bad sectors etc), the bios not reporting the full size of the disk, and problems with raid configurations.

I don't think there's much doubt that, with the right tools and a little work, fragments of data can be retrieved from otherwise inaccessible areas on a disk that the user thought secure. There is a quote somewhere to the effect of "The pagefile is the policeman's friend." However there is no evidence or example of any data - barring a few isolated bits - being recovered after it has been overwritten by anyone anywhere.

I don't how CC's free space wipe works, and I don't think think that Piriform would claim that it is a forensic standard wiper. Still, the option appears to be quite popular.

[john_a]

Augeas, on Mar 22 2009, 07:23 PM, said:

That article discusses shortcomings in the disk wiper's ability to access every area of the disk (bad sectors etc), the bios not reporting the full size of the disk, and problems with raid configurations.

I don't think there's much doubt that, with the right tools and a little work, fragments of data can be retrieved from otherwise inaccessible areas on a disk that the user thought secure. There is a quote somewhere to the effect of "The pagefile is the policeman's friend." However there is no evidence or example of any data - barring a few isolated bits - being recovered after it has been overwritten by anyone anywhere.

I don't how CC's free space wipe works, and I don't think think that Piriform would claim that it is a forensic standard wiper. Still, the option appears to be quite popular.

"and I don't think think that Piriform would claim that it is a forensic standard wiper. Still, the option appears to be quite popular."

That was a good answer, however, any recovery professional will tell you that a single wipe of free space area is probably quite useless, but as you mention, it seems to be a popular option with CCleaner users, for whatever reason.

* A capability to overwrite using a minimum of three cycles (six passes) of data patterns on all sectors, blocks, and slack or unused disk space on the entire hard disk medium.

NOTE: As a mentionable tip, if anyone is interested in wiping out free space or old data prior to selling or throwing out their old PC, or for any reason, I'd suggest this: http://www.killdisk.com/

[Augeas]

john_a, on Mar 22 2009, 09:43 AM, said:

any recovery professional will tell you that a single wipe of free space area is probably quite useless

If we concentrate on just one aspect, where is the evidence that any data has ever been recovered after being overwritten? One wipe will do.

PS Off to the pub now. Expect wit and wisdom when I return.

[john_a]

Augeas, on Mar 22 2009, 09:18 PM, said:

If we concentrate on just one aspect, where is the evidence that any data has ever been recovered after being overwritten? One wipe will do.

PS Off to the pub now. Expect wit and wisdom when I return.

Hi

I thought you may have found the wit and wisdom at the pub! (Kidding).

Anyway, I came across THIS, which seems to be related to the issue you have raised.

PS Anticipating a rebuttal.

[YoKenny]

I found that the advice Don't argue with an idiot; people watching may not be able to tell the difference works well and they are of the Ferrous Cranus type of troll:
http://redwing.hutman.net/~mreed/warriorsh...erouscranus.htm

[Augeas]

After slumping in front of a Top Gear rerun (the Vietnamese trip - excellent) thers's not much wit and wisdom left now.

The link you posted has nothing to do with whether you can recover overwritten data, but appears to be some misuse or malfunction of Eraser. Indeed the last but one post indicates that overwriting data (by using any method) makes it unrecoverable.

One overwrite of data makes that data unrecoverable. That's all there is to it.

[Charlie Freak]

john_a, on Mar 22 2009, 04:43 AM, said:

any recovery professional will tell you that a single wipe of free space area is probably quite useless, but as you mention, it seems to be a popular option with CCleaner users, for whatever reason.

This is complete FUD. Where did you get this info? There is no reputable data recovery company who will claim to be able to recover data that has been overwritten.

The fact that you compare analog audio tapes to a computer HDD, and refer to recovering overwritten data as "unencrypting" it, should be a warning to anyone reading this thread that you have a limited grasp of the technology.

Instead of spreading misinformation, maybe you should concentrate on the more important question - whether or not CCleaner does overwrite all of the data it claims to.

Here are some links for you to think about, John:

http://www.nber.org/...ta-guttman.html
http://www.h-online.com/news/Secure-deleti...-do-it--/112432
http://www.springerl...8263ql11460147/
http://16systems.com/zero.php
http://sansforensics.wordpress.com/2009/01...ard-drive-data/
http://www.securityf...ief/888?ref=rss

[dantasm]

john_a, how does the ccleaner DOD & NSA deletion options factor into this thread topic. Does that mean they're no more effective than the normal option? (:/

thank you in advance!

[Augeas]

Well, if you agree with the statement that one overwrite makes the previously written data unrecoverable, then any more than one would be superfluous. I guess the DOD etc are just super cautious, or perhaps Mr Gutmann was on board as an advisor.

[john_a]

YoKenny, on Mar 23 2009, 02:17 AM, said:

I found that the advice Don't argue with an idiot; people watching may not be able to tell the difference works well and they are of the Ferrous Cranus type of troll:
http://redwing.hutman.net/~mreed/warriorsh...erouscranus.htm

Err.., sure.

Augeas, on Mar 23 2009, 10:49 PM, said:

Well, if you agree with the statement that one overwrite makes the previously written data unrecoverable, then any more than one would be superfluous. I guess the DOD etc are just super cautious, or perhaps Mr Gutmann was on board as an advisor.

"Well, if you agree with the statement that one overwrite makes the previously written data unrecoverable.."

Where did I say that?

"According to a memorandum issued by the United States Department of Defense (DoD), (2001, May), overwriting software must have the following functions and capabilities in order to ensure the integrity of the sanitization process: -

A capability to overwrite using a minimum of three cycles (six passes) of data patterns on all sectors, blocks, and slack or unused disk space on the entire hard disk medium. "

I guess we'll have to leave it to them to recheck their research, I'm sure there will be an amendment if they come across this thread.

[Augeas]

I made that statement, John.

Funnily enough the DoD did check their research, and no version of the manual since 1997 specifies any method of data sanitisation, as they call it. The responsibility for this lies with the Cognizant Security Authority: one of these, The Defense Security Service, provides a Clearing and Sanitization Matrix which does specify methods. In the June 2007 edition of the DSS C&SM (phew!) overwriting is no longer acceptable for sanitisation of magnetic media; only degaussing or physical destruction is acceptable. A problem with disk-wiping is that it can't clean hard drives that have physically failed, presumably why degaussing or physical destruction is specified.

Furthermore in late 2004 the U.S. National Security Agency (NSA Advisory LAA-006-2004) found that a single 'DoD' overwrite instead of the three passes is sufficient to render electronic files unrecoverable.

There is no way on God's earth that a hypothesis is true because an authority, no matter how high, guards against it. It must be proven, and nobody can prove or show that overwritten data can be recovered. It can however be shown that it is not physically possible to read any magnetic track 'overlays', and if it were it is statistically impossible to recover a single error-free byte.