Some more concerns about new types of hard disks
From SecuriWiki
Author Class Year Detlev Matthies MSSF 2007/2008
This article is a follow up on Destroying Data ... is it possible.
Uncertainty grows about sufficient means of data sanitization due to recent changes in hard disk technology.
Contents |
true ... or not
overwrite = purge?
The NIST “Guidelines for media sanitization“(September 2006) reads: “Advancing technology has created a situation that has altered previously held best practices regarding magnetic disk type storage media. Basically the change in track density and the related changes in the storage medium have created a situation where the acts of clearing and purging the media have converged. That is, for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack.“(NIST Guideline) One can notice a strong tendency to believe that increasing density of stored data on the medium does no longer leave space for the so called “track edge phenomenon” as described for example in the famous 1996 Paper by Peter Guttman.[1]
degaussing = purging?
Another strong belief exists in degaussing as means of purging magnetic media.
doubtful, at least
This article will show, that these most common beliefs are misleading and some advisories, like the quoted above, are at least inaccurate.
New hard disk technologies
The most relevant development started with the nobel prize winning discovery of giant magnetoresistance [2] that lead directly to a new technology for read-and-write heads [3] of Hard Disks (see also Wikipedia on hard disks [4]) These heads work different from the former inductive heads. They measure the change in electrical resistance that a magnetic field causes in the platter materials. The disk drive electronics send a small, constant current through the magneto-resistive material (usually an alloy of iron and nickel) and measure the change in voltage across the head—as the resistance of the head goes up, the voltage goes down. The magneto-resistive action is read-only, it can detect changes in magnetic fields, it cannot create the fields. Therefore, disk drives with magneto-resistive heads actually have combination heads—a magneto-resistive read head combined with an inductive write head. The magneto-resistive design allows for higher frequency operation, which equates to greater storage densities and operating speeds. With this design the inductive head writes on a broader part of the surface than the GMR head will read from. This difference will be of importance for the retrieval of overwritten data. The most recent hard disks use perpendicular magnetic recording [5] which facilitates a more dense read/write operation; heads on these disks work at half the distance of longitudinal recordings (10µm instead of 20µm) That smaller distance allows more accurate operation on the surface but also needs a magnetic material of higher coercivity [6] which will be of importance for the operation of degaussers [7] (cmp.: Hardware Bible)
Spin stand microscopy
Magnetization imaging of hard disk surfaces is routinely performed by using magnetic force microscopy MFM [8], yet the use of MFM is limited by. the low rate of image acquisition. Recently, a new technique of magnetic imaging on a spin-stand has been developed. In this technique, raw image acquisition is performed by scanning a target area of a hard drive disk by a magnetoresistive head in the along- and cross-track directions. The spin-stand imaging technique has a high rate of image acquisition compared to MFM. But, due to the nonlocalized nature of the magnetoresistive head in the cross-track direction, the collected images can be distorted. In addition, the collected raw images are scalar in nature, while magnetization distributions are vector fields. Therefore, an image reconstruction is neccessary to retrieve the actual magnetization distributions from the raw images.
A recently published study reads:
“In this set of experiments, giant magnetoresistive (GMR) heads were used. First, F6 patterns (hexadecimal F6 = 11110110 in binary notation) were recorded and then they were overwritten by F9 patterns (hexadecimal F9 = 11111001 in binary notation) with controlled misregistrations ranging from 0.3 μm to 0.07 μm.
Fig. 3.3.
The overwritten tracks were scanned and the collected raw images were reconstructed. (...)It is apparent that remnants of F6 patterns can be clearly seen and identified on the edges of the overwritten track (see middle plots).” (from: Spin-stand Microscopy)
As the spin stand enables work on a whole platter, recovery of a reasonable large amount of overwritten data is more feasible then ever. Nonetheless, there are no commercial companies offering these techniques to the public.
The Holy Grail of computer forensics
In April 2007 the abstract of a Ph.D thesis states: “(...) Besides physically distorting the original recording, degaussing also results in extremely low recording Signal-to-Noise Ratios (SNR). The SNR after degaussing is far below the sensitivity level of the storage unit's read head and outside its noise filtering and error correction capabilities. Therefore, degaussed (i.e., sanitized) magnetic media can no longer be read by its original recording system. Information recovery from degaussed magnetic storage media is widely considered to be the holy grail of computer forensics. The objective of the research presented here was to advance the state-of-the-art in computer forensics by modeling and developing novel signal and image processing algorithms for recovering and "descrambling" of residual information patterns from degaussed magnetic storage media. This presentation will provide an overview of these computational data recovery models and algorithms, discuss experimental results, and outline future extensions.” (see: Residual information )
The Hysteresis Loop can explain how a degausser works: As the (hard disk) media runs through the magnetic field of the device, the magnetic field of the Media (H) will be fully saturated, all data bits will flip in the direction of this field. (This flipping affects also all servo data [9] ).
Fujitsu, as a vendor of degaussers, challenged DriveSavers, a commercial recovery service, to perform a data recovery on degaussed harddrives. “DriveSavers final conclusion was that all media surfaces appeared to be in pristine condition, but the hard disk drives were completely unrecoverable due to missing servo data. Without the servo data, the HDDs could not properly read the media and complete a data recovery. Based on this testing, DriveSavers certified that no commercial software utility program or data recovery service company would be capable of recovering data from any of the hard disk drives that had been erased by the Mag EraSURE P2V product, regardless of the resources devoted to the effort.” This statement is especially interesting, as it relies on an inevitable necessity of the servo data which is in fact not true, for example the before mentioned Spin-stand technology does not use it.
However, a magnetic signal is still to find on the media: even though partially erased up to 10-20% most parts stay above 30%, some even 70% of the original strength.
Even though this signal may be unrecoverable using the original read-and-write system, this cannot be guaranteed for more sophisticated approaches as claimed above. The situation gets even worse with the newer generation of hard disks using PMR. Higher coercivity needs higher magnetic flux density, therefore appropriate degaussers have to be carefully choosen.
Conclusion
The initial assumptions do not hold, there is no way to sanitize magnetic media by magnetic means.
Still to explore
The latest step in recording technology Heat Assisted Magnetic Recording [10] is not yet covered. Other techniques of sanitization were left aside, for example a famous
Governmental approach
"So with a knowledge of what methods are available for the analysis of magnetic media, how do goverments treat their own data ? In the UK, the Ministry Of Defense has it's own idea of what contitutes the declassifying of magnetic media; hard disks for example. They require that the surface of all hard disk platters be ground off, and the dust securely stored for twelve years! The dust is still officially classified even after this period. Things are little different in the United States. A US naval document entitled OPNAVINST 5239.1A states that disks that are "unclassified", can either have their surfaces sanded away, or dissolved by acid !!! Who's paranoid !!!” (from: NGO-in-a-box )
References
- NIST Special Publication 800-88 rev.1
- Winn L. Rosh, Hardware Bible, Que Publishing 2005
- Spin-stand Microscopy of Hard Disk Data, I. Mayergyoz, C. Tse, Elsevier 2007
