Re: Erasing Disks
I was asked for an outline of Peter Gutmann's paper, "Secure Deletion of Data from Magnetic and Solid-State Memory" in The Sixth USENIX Security Symposium Proceedings in private mail. Since I think the question is of general interest I am posting the answer and Bccing the original questioner.

The paper starts with the comment that most secure data destruction guides are classified. There is the suspicion that the unclassified ones do not cover the newer recording materials and techniques, and will not protect you against government attackers.

The analysis techniques for disks examined were Magnetic Force Microscopy (MFM) and its close cousin, Magnetic Force Scanning Tunneling Microscopy (STM). "It is possible to build a reasonably capable SPM for about US$1400, using a PC as a controller." (See http://www.skypoint.com/~members/jrice/STMWebPage.html) This cost is conceivably within the range of a high school student.

Peter discusses the way that data can be recovered from under new data (due to the difference in the magnetic domains depending on whether the bits were the same or different), and beside new data due to positioning errors of the head. When trying to develop a secure erasure technique, you need to know the encoding technique used on the disk (e.g. FM, MFM, RLL, PRML etc.).

He recommends a 35 pass erasure scheme as follows:

   Pass    Data
   1-4     Random
   5       0x55
   6       0xAA
   7       0x924924
   8       0x492492
   9       0x249249
   10      0x00
   11      0x11
   12      0x22
   13      0x33
   14      0x44
   15      0x55
   16      0x66
   17      0x77
   18      0x88
   19      0x99
   20      0xAA
   21      0xBB
   22      0xCC
   23      0xDD
   24      0xEE
   25      0xFF
   26      0x924924
   27      0x492492
   28      0x249249
   29      0x6DB6DB
   30      0xB6DB6D
   31      0xDB6DB6
   32-35   Random

He recommends using cryptographically random numbers and randomly permuting the deterministic passes to further confuse attackers. He warns about disabling any disk caches which may be present, and discusses the problems of erasing data on now-bad sectors. He points out that data which has been left for a long time is harder to erase than recently written data.

He mentions that the most powerful commercially available degaussers aren't powerful enough to erase modern disks or DAT tapes. (N.B. Degaussing a disk will also erase the factory-written control tracks, making the disk useless.) He notes that ECC may make destruction of data more difficult. He recommends burning floppy disks.

He also discusses recovering data from DRAM and SRAM devices. He mentions that data which has been stored in DRAM for 10 minutes will be detectable after power is removed. He recommends that sensitive data (such as crypto keys) have their bits flipped every second or so. This technique has the beneficial side effect that the page remains recently used and is less likely to be paged out.

I quote from his conclusion, "Data overwritten once or twice may be recovered by subtracting what is expected to be read from a storage location from what is actually read. Data which is overwritten an arbitrarily large number of times can still be recovered provided that the new data isn't written to the same location as the original data (for magnetic media), or that the recovery attempt is carried out fairly soon after the new data was written (for RAM). For this reason it is effectively impossible to sanitize storage locations by simply overwriting them, no matter how many overwrite passes are made or what data patterns are written. However by using the relatively simple methods presented in this paper the task of an attacker can be made significantly more difficult, if not prohibitively expensive."

-------------------------------------------------------------------------
Bill Frantz       | "Lone Star" - My personal | Periwinkle -- Consulting
(408)356-8506     | choice for best movie of  | 16345 Englewood Ave.
frantz@netcom.com | 1996                      | Los Gatos, CA 95032, USA
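The 35-pass schedule outlined in the post, written out as an added Python example (this is not the paper's code nor Bill Frantz's; it is an illustration added here). It assumes that the hex words in the pass list are cycled byte-wise across the buffer (so 0x924924 becomes 92 49 24 92 49 24 ...; the post gives no byte order), that the random passes are drawn from os.urandom, that the deterministic passes 5-31 are permuted with a CSPRNG-driven shuffle as the post recommends, and that each pass is flushed and fsync'ed before the next so the operating system's write cache cannot merge passes. The function and constant names are my own.

```python
"""Added example: Gutmann-style 35-pass overwrite of a file, built from the
pass list given in the post.  Not the paper's code; see lead-in for assumptions."""
import os
import secrets
import tempfile
from itertools import cycle, islice

# Passes 5-31 from the outline, in the listed order.  Multi-byte patterns are
# cycled across the buffer (assumption: byte-wise, most significant byte first).
DETERMINISTIC_PATTERNS = [
    b"\x55", b"\xaa",
    b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49",
    b"\x00", b"\x11", b"\x22", b"\x33", b"\x44", b"\x55", b"\x66", b"\x77",
    b"\x88", b"\x99", b"\xaa", b"\xbb", b"\xcc", b"\xdd", b"\xee", b"\xff",
    b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49",
    b"\x6d\xb6\xdb", b"\xb6\xdb\x6d", b"\xdb\x6d\xb6",
]
RANDOM = None  # sentinel: this pass is filled from os.urandom


def build_schedule(shuffle=True):
    """Passes 1-4 and 32-35 random; passes 5-31 deterministic and, when
    shuffle=True, randomly permuted using the OS CSPRNG (post's recommendation)."""
    middle = list(DETERMINISTIC_PATTERNS)
    if shuffle:
        secrets.SystemRandom().shuffle(middle)
    return [RANDOM] * 4 + middle + [RANDOM] * 4


def expand_pattern(pattern, size, offset=0):
    """Return bytes offset..offset+size of `pattern` cycled from file offset 0,
    so a 3-byte pattern keeps its phase across block boundaries."""
    k = offset % len(pattern)
    rotated = pattern[k:] + pattern[:k]
    return bytes(islice(cycle(rotated), size))


def overwrite_file(path, schedule=None, block_size=1 << 16):
    """Overwrite every byte of `path` in place once per pass.  Each pass is
    flushed and fsync'ed before the next starts so the OS page cache cannot
    coalesce passes (the paper's warning about caches).  Returns pass count."""
    if schedule is None:
        schedule = build_schedule()
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in schedule:
            f.seek(0)
            offset = 0
            while offset < size:
                n = min(block_size, size - offset)
                if pattern is RANDOM:
                    chunk = os.urandom(n)
                else:
                    chunk = expand_pattern(pattern, n, offset)
                f.write(chunk)
                offset += n
            f.flush()
            os.fsync(f.fileno())
    return len(schedule)


def wipe_and_read_back(contents, schedule, block_size=4):
    """Check helper: put `contents` (constructed sample data) in a temporary
    file, run `schedule` over it and return what the file holds afterwards."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(contents)
        overwrite_file(path, schedule, block_size)
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    sample = b"constructed sample key material " * 64  # constructed input
    after = wipe_and_read_back(sample, build_schedule(), block_size=1 << 16)
    print(len(build_schedule()), "passes written; file still", len(after),
          "bytes; last pass random so contents are unpredictable")
```

Two caveats a practitioner would want alongside this: fsync only pushes data past the operating system's cache, not past a drive's own onboard write cache, which is what the post's warning about "disk caches" also covers; and a file-level overwrite reaches only the logical blocks the filesystem currently maps to the file, so sectors the drive has remapped as bad (the paper's "now-bad sectors") and, on flash devices, cells retired by the translation layer are never touched. The paper's own conclusion quoted above makes the same point: overwriting raises the attacker's cost but does not by itself sanitise the medium.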