How to delete data from digital media without a trace
Hackers Academy
It is commonly believed that destroying information on digital media is the preserve of black-hat hackers or other people operating outside the law. However, it is often necessary for commercial firms, government agencies and ordinary users who want to sell, donate or simply throw away a hard drive, laptop or system unit. Erasing data is an important part of the life cycle of any drive.
In 2017, the British company Kroll Ontrack, which specializes in recovering lost data, bought 37 used hard disk drives (HDDs) and 27 solid-state drives (SSDs) on eBay. A short analysis found incompletely deleted data on 30 of them.
At the same time, six hard drives contained business information: technical drawings, documents, photographs, and even passwords and access keys in unencrypted form. On one of the disks there were files of a whole online store, including not only its settings and configurations, but also a virtual POS terminal, as well as invoices and sales receipts with personal data of customers.
Interestingly, one of the companies that sold used hard drives on eBay had, before selling them, used the services of a company to "delete information". However, recovering the deleted files was not difficult. Kroll Ontrack engineers ended up holding a database with the names of customers, their home addresses, phone numbers and credit card details.
Without knowing it, the company made publicly available enough information to carry out fraudulent activities against its customers. And this is far from the first case.
In 2013, the British authorities fined a hospital in Surrey £200 thousand after registration cards and medical records of 3 thousand patients were found on hard drives it had put up for sale.
And in 2009, a hard drive bought second-hand turned out to hold no less critical information about THAAD (Terminal High Altitude Area Defense) - a mobile ground-based anti-missile system for high-altitude atmospheric interception of medium-range missiles, in service in the USA, Israel, South Korea, Saudi Arabia and the UAE.
However, the problem of incomplete removal of data from disks concerns not only corporations and the military. By selling your old laptop on Avito, you can not only earn a little money, but also hand attackers the logins and passwords for your online banks, access to cryptocurrency wallets, social networks and instant messengers, and personal photos and videos.
How to avoid such troubles?
Removing - delete
Personal computers and laptops are now most often equipped with two types of storage devices. The first is the classic hard disk drive (HDD), consisting of several rotating platters and electromagnetic read-write heads.
The second is the solid-state drive (SSD), which has no mechanical parts. Instead, SLC, MLC, TLC or QLC flash chips are located on the circuit board. They differ in that they are capable of storing from one to four bits of information in one cell. Regardless of the type, each of them is a data bank. Information on the chip is stored page by page.
Let's start with the ageless classic, the HDD. Typically, its platters are made from composite materials and coated with a thin layer of a ferromagnet. It is this layer that stores the recorded data.
At the factory, low-level formatting is performed: the entire area of the platter is divided into circles - tracks, which, in turn, are divided into short segments - sectors. To access a sector, you need to know the numbers of the disk, the read head and the sector.
A ferromagnet layer consists of many magnetic domains - microscopic uniformly magnetized regions separated by boundaries. If an external magnetic field is applied to the domain, a zone of remanent magnetization will remain on its surface, which makes it possible to record any information in the domain. Each of these zones encodes one bit - 0 or 1.
If we delete a file using the standard means of the operating system, then in fact we only mark the set of sectors (with many domains) containing “deleted” data in the table of the file system as free space. Thus, until a new file is written to their place, the data can be easily read.
The standard methods of high-level formatting will not help either, since in this case the system will only find the bad sectors, mark them as bad, excluding them in the future, and overwrite the file system table.
And the low-level formatting advertised by many utilities and specialized companies is not really low-level formatting. On modern hard drives, it is performed only once, at the factory, using special equipment - a servo writer.
So what to do if we want to protect ourselves and completely clean the disk?
The series "Mr. Robot" is rightfully considered one of the most technically accurate adaptations
Numerous tests show that a demagnetized disk most often can no longer position its heads by the servo marks, and the information can no longer be restored without the use of a tunneling or magnetic force microscope.
The last method is accessible to any user, although, like the other destructive methods, it permanently rules out reselling or otherwise reusing the disk: burning the ferromagnet layer.
This can be done using a conventional burner. The flame temperature during combustion of a propane-butane mixture reaches 1300 degrees Celsius, and the composite platters of the hard drive begin to melt at a temperature of about 660 degrees.
However, heating the hard drive to this temperature is not necessary at all. It is enough to reach the Curie point. At that temperature, the intensity of the thermal motion of the atoms of the ferromagnet is sufficient to destroy its spontaneous magnetization. In this case, the information stored on the disk is supposedly erased.
In practice, this method will cause a lot of inconvenience (for example, smoke and stink, which is why it is not possible to use it in an apartment), and it will take a lot of time.
In addition, it must be borne in mind that there have been precedents for the complete recovery of information from burned hard drives. The most significant case: after the crash of the shuttle Columbia, NASA experts were able to almost completely read the information from a practically molten hard drive.
In addition to physical methods, there are purely software methods. For most companies, government agencies and private individuals, they will be sufficient (unless, of course, you store the launch codes of nuclear ballistic missiles or 100 thousand bitcoins on your disk).
From 1995 to 2006, the US Department of Defense used the standard DoD 5220.22-M (where DoD is the Department of Defense). At present, the military does not use this algorithm, preferring to completely demagnetize hard drives, as described above, or to burn them to ashes at very high temperatures to destroy truly classified information.
However, this algorithm has found widespread application in other US government agencies, as well as in various specialized software. For example, the Acronis Drive Cleanser utility uses it.
The essence of the method is trivial - the data on the disk is overwritten three times to destroy the information. The first pass records any character; the second records its bitwise complement - a binary number obtained by switching all the bits in the previous number (that is, converting 0 bits to 1 and 1 bits to 0), performed using the XOR function (exclusive or); and the final pass records a random sequence.
An alternative is to completely overwrite the data with zeros, then with ones, and then write any arbitrary sequence of data to the disk.
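The three-pass scheme and the zeros/ones/random alternative described above, as an added Python example (not code from the original post or from Acronis Drive Cleanser). The function names, the default character 0x55 and the 1 MiB chunk size are assumptions, and the example works on a single file rather than a whole drive.

```python
import hashlib
import os
import secrets

CHUNK = 1 << 20  # assumed chunk size: write 1 MiB at a time to bound memory


def dod_schedule(char=0x55):
    """Character, its bitwise complement (XOR 0xFF), then random (None)."""
    return [bytes([char]), bytes([char ^ 0xFF]), None]


def zeros_ones_schedule():
    """The alternative: zeros, then ones, then an arbitrary sequence."""
    return [b"\x00", b"\xff", None]


def _sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def overwrite(path, schedule):
    """Overwrite `path` in place once per schedule entry.

    Returns one boolean per pass: True if reading the file back
    yields exactly the bytes that pass wrote.
    """
    size = os.path.getsize(path)
    verified = []
    for pattern in schedule:
        written = hashlib.sha256()
        with open(path, "r+b") as f:  # r+b keeps the length, no truncation
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                block = secrets.token_bytes(n) if pattern is None else pattern * n
                f.write(block)
                written.update(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass out before the next begins
        verified.append(_sha256_of(path) == written.hexdigest())
    return verified
```

An in-place overwrite only reaches the sectors the file system currently maps to that file; on SSDs and on journaling or copy-on-write file systems, older copies of the data may survive elsewhere on the medium.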
A similar approach to the removal of information is offered by Bruce Schneier, the well-known cypherpunk and specialist in the field of cryptography and information security.
In its original version, at the dawn of computer technology, three passes were also envisaged: writing zeros, then ones, and finally a pseudo-random sequence formed by a random number generator. Subsequently, as the computing power of computers increased, Schneier further strengthened his algorithm, bringing the number of data recording passes to seven.
There are two variations of it. In one, after repeating the iterations described above twice, the last step is the sequence 01010101. In the other, the most common variant, ones are written first, then zeros, and then four passes are made with pseudorandom numbers.
It is this most reliable algorithm that is also used in Acronis Drive Cleanser.
Random numbers - a sequence of random values with a uniform distribution - are usually obtained by measuring physical noise, for example, atmospheric noise or the noise produced by radioactive decay. But algorithmic implementations of random number generators cannot generate completely random numbers. Sooner or later, they begin to repeat the same sequence. Therefore, algorithmically generated realizations of a random variable are called pseudo-random numbers.
A number of other algorithms use up to six passes, recording alternately a pseudo-random sequence, and then its bitwise complement.
Well, for the paranoid there is the algorithm of Peter Gutmann, which overwrites in 35 passes! It was developed in 1996 for hard drives of that era, based on the assumption that there is a phenomenon of residual magnetism of 5 percent.
The fact is that drives of that time used the methods of longitudinal and, later, perpendicular recording, which in theory left the possibility of restoring the data by analyzing the weak remanent magnetization of the tracks or edge magnetization when data are read from the gaps between