The Electron Microscope Myth

This post is the second in a series of three which address deleted data. Today I will talk about something that is, I believe, an urban legend in the field of computer forensics – the recovery of data using an electron microscope.

The Myth

Since my first days in the field of computer forensics, I have heard stories about how data can be read from a hard drive, even if it has been overwritten, by using an “electron microscope.” Usually, it’s the US government that is doing the reading, and the stories usually end with something like “…so, the only way you can REALLY be sure the data is gone is if you melt the drive down!” followed by a grunt.

These “electron microscope” stories may have their origins in a paper written by a computer scientist from New Zealand named Peter Gutmann – “Secure Deletion of Data from Magnetic and Solid-State Memory.” He published a follow-up paper in 2001 – “Data Remanence in Semiconductor Devices.”

I’ll let you read them for yourself, but let me warn you – they aren’t as exciting as they sound.

Gutmann is actually referring to the use of magnetic force microscopy (MFM), and a variation of this technology called magnetic force scanning tunneling microscopy (STM), to read magnetic forces on the surface of a disk. I assume most of you own, or have at least seen, a magnetic force scanning tunneling microscope, but in case you haven’t, here’s a picture of one:

[Image: MF Microscope (source: http://www.postech.ac.kr/chem/poly/research/instru.htm)]

The theory of using MFM to read overwritten data goes something like this:

Imagine that a hard drive is a little like a phonograph record (those were large vinyl disks that music was recorded on back before every device in your house was an MP3 player). Data on a hard drive is stored on metal disks and it is read and written with a drive head analogous to the needle on a record player. The disks spin very fast and sometimes the drive head can “wander” a bit as it is writing data. So, when the drive goes to write over a portion of the drive that already contains data, the drive head might not write over the EXACT SAME space that it had written the previous data, and you might end up with something like this:

[Image: Drive Head Paths]

The amount of this variance is what scientists refer to as “very small,” but if you happen to have an MFM device, you might be able to use it to look at the disk and see artifacts of the first write (the red line). And, in this way, you could theoretically read the data that is “underneath” the current layer of data. This has been referred to by some as the “Gutmann Method” of data recovery.

I admit this is a massive simplification, so if you prefer, here’s a more detailed explanation:

[Image: MFM Formulas]

The Reality

Now that you fully understand MFM, I’m sure you can see some obvious limitations. While recovering data in this way may have been possible with drives built prior to the 1990s, it seems highly improbable that this method could be put to practical use today. Here are just a few problems:

1) Cost/Benefit – Unless the drive contains something incredibly valuable, like the formula for transparent aluminum or nude pictures of Sarah Palin, it’s probably not worth the cost of trying to examine a drive using MFM.

2) It would take a VERY LONG TIME – trying to read a simple email one bit at a time would be tedious to say the least. A relatively small document or email – let’s say just 10KB – is over 80,000 bits.

“…seventy-nine thousand nine hundred and ninety-nine, and finally, eighty thousand! Done! Now, we just put all these pieces together and we can finally read the…DAMN!!! It’s just an advertisement for Viagra!”

3) It’s Never Been Done – In nearly seven years working as a computer forensic examiner, and in several hours spent searching the Internet and speaking with peers, I’ve never heard of a single verifiable case where MFM was used to recover sensitive data. If anyone knows of such a case, please, by all means, share it with the rest of us.

In fact, Gutmann himself states in the epilogue of his paper that drives have changed a great deal since he originally wrote it and that the method described would probably not work on current drives.

“Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don’t see how MFM would even get a usable image…”

What’s the Problem?

So why do I care? I mean, what’s wrong with people believing overwritten data can be read, if it encourages them to be more careful about their data? Well, first of all, you end up with secure file deletion standards that are unnecessary and wasteful – DOD, HIPAA, NSA, NIST, etc. For one hard drive, maybe six overwrites instead of just one is no big deal, but with hundreds of thousands of hard drives out there, that’s a lot of unnecessary drive activity. The first overwrite is effective and useful – the second through sixth overwrites are effectively voodoo.

Second, I don’t think it DOES encourage people to be more careful with their data – I think it makes them throw their hands up. A recent article at Computerworld shows just how little the average computer user understands about the data on his or her computer. For those users whose drives still contained sensitive or personal information, a single overwrite would have sufficiently protected them. But, start talking to a typical user about overwriting data to “DOD 5220.22-M standard,” or explain that it is going to take 72 hours to completely wipe his 500 GB drive, and his eyes roll back in his head. It doesn’t have to be that complicated.

So, is the government using MFM to read your email? I doubt it. Could they? Maybe, but why would they? And if they are, I want to know what the H-E-Double-Hockey-Sticks you have on your drive!

The bottom line for me: As presumed purveyors of “the facts” and acknowledged experts on computers, I think CF examiners need to be careful not to let stories like “the electron microscope” become part of the accepted body of industry knowledge.

If you would like to read more about this, here’s an interesting article written by Daniel Feenberg of the National Bureau of Economic Research.

In my last post (which was also coincidentally my first post), you learned how persistent data can be, and in this post you’ve learned a little about what’s required to get rid of it effectively. Now you’re ready to go start deleting! Are you sure you want to do that? Read my next post to find out.

One Response to “The Electron Microscope Myth”

  1. Andrew says:

    Great article.

    Personally I like the fact the majority of people are oblivious to matters such as overwriting. If too many people know about it, then it raises the bar for those who want to circumvent it.
