Title: Data Recovery
Post by: mad_irish on September 08, 2008, 09:15:44 AM

Hello,
I'm posting because I have very little experience in forensic recovery but at an event over the weekend I overheard someone tell a casual computer user that if they were going to sell their computer on eBay all they had to do was a "low level format" of the drive to destroy all their data. The explanation was that if the user formatted the drive from the BIOS menu that the computer would overwrite all the sectors on the hard drive and that only people who could spend hundreds of dollars would be able to recover any data. The computer in question was an old Windows XP machine with no special security software.

I'm wondering how effective such a formatting is, how easy it would be to recover data off a drive formatted in this way, and basically if this advice holds any water at all? I'm inclined to think that if you aren't doing a DoD spec wipe you're asking for trouble, and my suggestion was to simply TrueCrypt the drive so data recovery would be impossible. Does anyone have any thoughts/insights/suggestions about a situation like this? Thanks in advance.

Title: Re: Data Recovery
Post by: dalepearson on September 08, 2008, 10:17:42 AM

I am only qualified with EnCase, and I do forensics now and again so wouldn't say I was best to answer, but it is amazing what can be got back from a drive after simple formatting.
If you want to ensure someone will have a hard job accessing your old data, a format with random data overwriting is the way. So many free apps to do this so no excuse really. Most people won't need DoD type standards so 3 overwrites should be fine and not too time consuming. Something like Darik's Boot and Nuke is ideal.

Title: Re: Data Recovery
Post by: silxp on September 08, 2008, 11:15:07 AM

> my suggestion was to simply TrueCrypt the drive so data recovery would be impossible. Does anyone have any thoughts/insights/suggestions about a situation like this? Thanks in advance.

Encrypting the data then wiping it sets you up for a cold boot attack if done improperly (http://en.wikipedia.org/wiki/Cold_boot_attack). The proper method to destroy data would be to degauss the drive; however, this would make the drive unusable. Anyhow, you can check out the following document on data sanitization: http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf

Title: Re: Data Recovery
Post by: waltmanno on October 15, 2008, 10:27:14 PM

You could also use a program like Helix and do a dd command to write zeros over the whole drive. This way the drive is operational and sellable.

Title: Re: Data Recovery
Post by: jimbob on November 17, 2008, 09:43:25 AM

One important point when it comes to discussing disposal of hard disks is the ever-present issue of risk. If you are a poor student and getting $50 for a used hard drive is a big deal then destructive disposal seems a poor choice. If you're a multinational company then hit your old disks with a hammer. A big hammer.
The student's solution would be to use something like Darik's Boot and Nuke. http://www.dban.org/

Regardless of who is disposing of their old computers it's worth erasing the disks, even if the machine is going to be scrapped. I've seen plenty of scavengers trying to take dumped kit from refuse dumps and recycling centres.

Jimbob

Title: Re: Data Recovery
Post by: Ketchup on November 17, 2008, 04:28:59 PM

Just out of curiosity, does the "low level format" concept still exist? I haven't seen a BIOS offer that option in years.
I don't think that you need to DoD wipe the drive. I don't think that anything more than 1 complete wipe pass is necessary. If you write zeros to every sector of the drive, traditional data recovery becomes almost impossible. The trick is to write zeros to EVERY sector of the drive.

Title: Re: Data Recovery
Post by: jason on November 17, 2008, 08:38:42 PM

Wikipedia on low-level formatting:
http://en.wikipedia.org/wiki/Low_level_format

In short, no, you generally can't do that anymore.
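
Added example, not part of the thread: a read-only check for the single zero pass that waltmanno and Ketchup describe, confirming that every sector of a wiped drive or drive image reads back as zeros and listing the first sectors that do not. The 512-byte sector size, the function names and the sample image are assumptions constructed for illustration.

```python
import os
import tempfile

SECTOR = 512           # assumed logical sector size, used only for reporting
CHUNK = 1024 * 1024    # bytes per read; a multiple of SECTOR


def find_nonzero_sectors(path, limit=10):
    """Read path end to end.

    Returns (sectors_read, nonzero_count, first_nonzero_sector_numbers).
    """
    sectors = nonzero = 0
    first = []
    with open(path, "rb") as dev:               # read-only: never writes to the target
        while True:
            chunk = dev.read(CHUNK)
            if not chunk:
                break
            n = -(-len(chunk) // SECTOR)        # ceiling: count a trailing partial sector
            if chunk.count(0) != len(chunk):    # fast path skips all-zero chunks
                for i in range(n):
                    if chunk[i * SECTOR:(i + 1) * SECTOR].strip(b"\0"):
                        nonzero += 1
                        if len(first) < limit:
                            first.append(sectors + i)
            sectors += n
    return sectors, nonzero, first


def make_sample_image(leftover_sectors=()):
    """Constructed test input: a 4 MiB all-zero image with optional residue."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as img:
        img.truncate(4 * 1024 * 1024)
        for lba in leftover_sectors:
            img.seek(lba * SECTOR)
            img.write(b"residual file data")
    return path


if __name__ == "__main__":
    for residue in ((), (2048, 8191)):
        image = make_sample_image(residue)
        print(residue, find_nonzero_sectors(image))
        os.remove(image)
```

A check like this only covers sectors the operating system can address. Remapped sectors and areas hidden by the drive firmware are not read, so a clean result does not speak for them.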