Endpoint Encryption


PGP Shredding is really safe?

  • 1.  PGP Shredding is really safe?

    Posted Jul 11, 2011 11:25 AM

    Hi,

    I would like to know if the shred method with only 1 pass is really secure for data exclusion. I ask this question because it is written in PGP Shred: "PGP Shred exceeds DoD 5220.22-M media sanitization requirements at 3 passes. While more passes are allowed, modern disk hardware does not require more than 2 passes."

    When I erase data, only 1 pass overwrites the cluster. Why do I need more than 1 pass?

    Do the CIA, FBI, NSA, Interpol or another institution have software or a "hardware scanner" to recover the shredded data?

    I searched the web for this for many months but did not come to a conclusion. I wrote a message to Western Digital asking this, but the response was not conclusive. The HDD manufacturers do not want to talk about it; in the internet forums the users speculate about it; and I'll go crazy!

    Sorry for my bad English! I'm still learning.



  • 2.  RE: PGP Shredding is really safe?
    Best Answer

    Posted Jul 11, 2011 12:09 PM

    When you do a regular delete of a file, the operating system doesn't really remove the file from the disk - it just marks the space as free for use, and the file remains on the disk until some other file happens to overwrite it.  Until the file happens to be overwritten, any undelete utility can recover the file.  Overwriting the file once, such as with PGP's 1 time pass, will prevent any undelete utility from being able to recover the file. My understanding is that old disks had excessive head movement while data was being written to the disk, so it was possible that just doing one overwrite would not actually remove all the data from the system - therefore, the more overwrites you did, the more likelihood that all the data would actually be overwritten.  Newer disks are much more accurate and consistent in the head movement, so less overwrites are actually needed to really overwrite all the data in the file. 

    Various government institutions have the ability to actually scan the surface of the disk and recover data that was not more extensively overwritten.

    For my personal use, I just routinely use one overwrite.  If I had something important enough to want more confidence in my overwriting of it, I would then do a PGP wiping of the disk's free space. 
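
The difference between a regular delete and a one-pass overwrite described in the answer above, as an added example that is not part of the original thread and is not PGP's code. It uses a constructed in-memory model (the `ToyDisk` class, `carve` function and sample data are all hypothetical) and covers only the logical level, not the magnetic-residue question discussed in the replies below.

```python
# Added illustration: toy in-memory "disk" (constructed model, not PGP's code).
CLUSTER = 16  # bytes per cluster in this toy model


def _span(length):
    """Round a file length up to whole clusters (includes cluster slack)."""
    return -(-length // CLUSTER) * CLUSTER


class ToyDisk:
    def __init__(self, clusters=8):
        self.raw = bytearray(clusters * CLUSTER)  # what is physically stored
        self.table = {}                           # name -> (offset, length)
        self.next_free = 0

    def write(self, name, data):
        off = self.next_free
        if off + _span(len(data)) > len(self.raw):
            raise IOError("toy disk full")
        self.raw[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        self.next_free = off + _span(len(data))

    def delete(self, name):
        # Regular delete: the table entry goes, the clusters keep their bytes.
        del self.table[name]

    def shred(self, name, passes=1):
        off, length = self.table[name]
        for p in range(passes):
            # Alternate 0x00 / 0xFF over the full clusters, slack included.
            fill = b"\x00" if p % 2 == 0 else b"\xff"
            self.raw[off:off + _span(length)] = fill * _span(length)
        del self.table[name]


def carve(disk, marker):
    """Undelete-style recovery: ignore the table and scan the raw bytes."""
    return marker in bytes(disk.raw)


def demo():
    secret = b"SECRET-PLAN: constructed sample data"  # constructed input
    results = {}
    for action in ("delete", "shred"):
        disk = ToyDisk()
        disk.write("plan.txt", secret)
        getattr(disk, action)("plan.txt")
        results[action] = carve(disk, b"SECRET-PLAN")
    return results  # {"delete": True, "shred": False}
```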



  • 3.  RE: PGP Shredding is really safe?

    Posted Jul 11, 2011 12:40 PM

    "My understanding is that old disks had excessive head movement while data was being written to the disk, so it was possible that just doing one overwrite would not actually remove all the data from the system - therefore, the more overwrites you did, the more likelihood that all the data would actually be overwritten.  Newer disks are much more accurate and consistent in the head movement, so less overwrites are actually needed to really overwrite all the data in the file. 

    Various government institutions have the ability to actually scan the surface of the disk and recover data that was not more extensively overwritten."

     

    So, is a solution for old and newer disks to use erasing with more than 1 pass? Am I safe using DoD US 5220.22-M with 3 passes (default)? Or do I need to use NSA (7) or Gutmann (35)?



  • 4.  RE: PGP Shredding is really safe?

    Posted Jul 11, 2011 01:03 PM

    Many businesses perform 3 pass deletes/wipes.  I have used programs like Access Data's Forensic Tool Kit and have been unable to recover data after 1 pass.  Like what Tom said, when the OS deletes a file, it just marks the file header as being blank and does not actually delete the data, but doing a PGP Shred or a full wipe does delete the data. 

     

    I have also heard the same, that some government agencies can recover data by doing a surface scan.  I have had conversations with representatives from Seagate and also from Drive Savers with the same answers on how to destroy disks and data on disks...smashing with a hammer, drilling a hole through the platters, etc...  On the other hand, I have spoken to people in more of the forensic/law industry that say they have recovered data from disks with holes drilled in them as well as disks that have been through fires. 

     

    In my opinion, unless you are dealing with a government agency that really wants to get to your data, a single pass wipe/delete would be good enough.  If you are dealing with one of these agencies, making sure it is whole disk encrypted while using it, and then physically shredding the disk (or some other method of physically destroying the platters) would be the way to dispose of old disks.

     

    Also take note, it seems to me that it would be rather difficult to do a surface scan on a drive to recover a file that has been WDE'd as well as PGP shredded because the data recovered from a surface scan would need to be decrypted as well.



  • 5.  RE: PGP Shredding is really safe?

    Posted Jul 11, 2011 01:56 PM

    I'm not convinced that old disks are any better or worse than new disks when it comes to positional accuracy. Sure, as data density has increased, the individual cylinders are narrower, and thus require greater positional accuracy from the head in order to locate the cylinder, but thermal effects remain just as significant, and so the absolute position of the cylinder can vary slightly due to expansion and contraction of the media substrate as well as expansion and contraction of the head arm and actuator mechanics, and the acceleration and deceleration that the head mechanism experienced just prior to the current write cycle.

    Consequently, each write pass may not entirely overlap the previously written data and thus there is some residue of previous data that may be detectable at the edges of the cylinder area.  Thus the more passes that are made over the media, the more likely it is that the full width of the cylinder is overwritten. One would not be sufficient and even three would be unlikely to defeat government agencies. 35 overwrite cycles with the disk started from cold would be much more effective in ensuring that cylinder edge data is overwritten, but ultimately, total destruction of the data platters is the only way to be absolutely sure that data recovery is impossible.



  • 6.  RE: PGP Shredding is really safe?

    Posted Jul 11, 2011 02:27 PM

    Now I'm confused and insecure after reading this article: http://en.wikipedia.org/wiki/Gutmann_method



  • 7.  RE: PGP Shredding is really safe?

    Posted Jul 11, 2011 03:38 PM

    Gutmann's article is excellent, but quite old - disks are much better now.  As long as you can tolerate the slowness of it, you may as well do as many overwrites as you can. 



  • 8.  RE: PGP Shredding is really safe?

    Posted Jul 12, 2011 07:37 AM


  • 9.  RE: PGP Shredding is really safe?

    Posted Jul 12, 2011 11:28 AM

    One other thought about PGP Shredding is that if your disk is WDE'd, the file table will be encrypted as well.  The reason I bring this up is because with file shredding, a magnetic microscope is the method for recovering data and with the pointer to the file being encrypted as well as the data itself, it would be a needle in a haystack situation to attempt recovery on anything.  If a file location on the platters were to be located, the encryption keys, user records, etc... (everything that WDE uses) would need to be present and accessible.  I suppose this could be the case with a court order to give up the authentication credentials and assuming the disk is still functioning, but again, that takes us back to the needle in a haystack situation.  Also, decrypting the disk and then using the magnetic microscope would still not yield any results because the data recovered from the microscope would still be encrypted as it was a historical write.



  • 10.  RE: PGP Shredding is really safe?

    Posted Jul 12, 2011 11:54 AM

    Back with PGP's early involvement with WDE, and before I had any official connection with PGP, I had a discussion with PGP officials about this.  The view was then expressed that if a disk was encrypted, there was no need to do any overwriting of it before disposing of it.  This still seems to hold true (even though I still tend to also use DBAN to wipe the disk).  My personal use of PGP is to use the Shred When Emptying Windows Recycle Bin option (Disk tab) set to one overwrite.  This option additionally wipes any files that bypass the Recycle Bin when deleted.