Gutmann method


Gutmann method

The Gutmann method is an algorithm for securely erasing the contents of computer hard drives, such as files. Devised by Peter Gutmann and Colin Plumb, it does so by writing a series of 35 patterns over the region to be erased.

The selection of patterns assumes that the user doesn't know the encoding mechanism used by the drive, and so includes patterns designed specifically for three different types of drives. A user who knows which type of encoding the drive uses can choose only those patterns intended for their drive. A drive with a different encoding mechanism would need different patterns. Most of the patterns in the Gutmann method were designed for older MFM/RLL encoded disks. Relatively modern drives no longer use the older encoding techniques, making many of the patterns specified by Gutmann superfluous.Gutmann, Peter. (July 22-25, 1996) " [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html Secure Deletion of Data from Magnetic and Solid-State Memory.] " University of Auckland Department of Computer Science. Epilogue section. (writing, "In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.").]

Technical overview

One standard way to recover data that has been overwritten on a hard drive is to capture the analog signal which is read by the drive head prior to being decoded. This analog signal will be close to an ideal digital signal, but the differences are what is important. By calculating the ideal digital signal and then subtracting it from the actual analog signal it is possible to ignore that last information written, amplify the remaining signal and see what was written before.

For example: Analog signal: +11.1 -8.9 +9.1 -11.1 +10.9 -9.1 Ideal Digital signal: +10.0 -10.0 +10.0 -10.0 +10.0 -10.0 Difference: +1.1 +1.1 -0.9 -1.1 +0.9 +0.9 Previous signal: +11 +11 -9 -11 +9 +9

This can then be done again to see the previous data written: Recovered signal: +11 +11 -9 -11 +9 +9 Ideal Digital signal: +10.0 +10.0 -10.0 -10.0 +10.0 +10.0 Difference: +1 +1 +1 -1 -1 -1 Previous signal: +10 +10 -10 -10 -10 -10

However, even when overwriting the disk repeatedly with random data it's theoretically possible to recover the previous signal. The permittivity of a medium changes with the frequency of the magnetic fieldFact|date=December 2007. This means that a lower frequency field will penetrate deeper into the magnetic material on the drive than a high frequency oneFact|date=December 2007. So a low frequency signal will, in theory still be detectable even after it has been overwritten hundreds of times by a high frequency signal.

The patterns used are designed to apply alternating magnetic fields of various frequencies and various phases to the drive surface and thereby approximate degaussing the material below the surface of the driveFact|date=December 2007.

Method

An overwrite session consists of a lead-in of four random write patterns, followed by patterns 5-31, executed in a random order, and a lead-out of four more random patterns.

Each of patterns 5-31 was designed with a specific magnetic media encoding scheme in mind, which each pattern targets. The drive is written to for all the passes even though the table below only shows the bit patterns for the passes that are specifically targeted at each encoding scheme. The end result should obscure any data on the drive so that only the most advanced physical scanning (e.g. using a magnetic force microscope) of the drive is likely to be able to recover any data.

The series of patterns is as follows:Encoded bits shown in bold are what should be present in the ideal pattern, although due to the encoding the complementary bit is actually present at the start of the track.

Criticism

Some have criticized Gutmann's claim that intelligence agencies are likely to be able to read overwritten data. [cite web|url=http://www.nber.org/sys-admin/overwritten-data-gutmann.html|title=Can Intelligence Agencies Read Overwritten Data? A response to Gutmann.]

The delete function in most operating systems simply marks the space occupied by the file as reusable (removes the pointer to the file) without immediately removing any of its contents. At this point the file can be fairly easily recovered by numerous recovery applications. However, once the space is overwritten with other data, there is no known way to recover it. It cannot be done with software alone since the storage device only returns its current contents via its normal interface. Gutmann claims that intelligence agencies have sophisticated tools, among these magnetic force microscopes, that, together with image analysis, can detect the previous values of bits on the affected area of the media (for example hard disk).

This has not been proven one way or the other, and there is no published evidence as to intelligence agencies' current ability to recover files whose sectors have been overwritten, although published Government security procedures clearly consider an overwritten disk to still be sensitive. [cite web|url=http://www.cse-cst.gc.ca/documents/publications/gov-pubs/itsg/itsg06.pdf|title=Clearing and Declassifying Electronic Data Storage Devices]

Companies specializing in recovery from damaged media cannot recover completely overwritten filesFact|date=December 2007. These companies specialize in the recovery of information from media that has been damaged by fire, water or otherwise. No private data recovery company claims that it can reconstruct completely overwritten data as of now.Fact|date=December 2007

Gutmann himself has responded to some of these criticisms and also criticized how his algorithm has been abused in an epilogue to his original paper, in which he states :

Bad sectors on the disk may be silently suppressed by the drive controller so they may not be overwritten.

oftware implementations

* The GNU Core Utilities shred program
* The Sourceforge project srm, also used by Mac OS X
* The Disk Utility program provided with Mac OS X (whole disk only)
* Darik's Boot and Nuke (DBAN) (whole disk only)
* Window Washer by Webroot Software
* CCleaner by Piriform Software (since version 2.02.525)

ee also

*Data remanence
*Data recovery
*Computer forensics

External links

* [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html Secure Deletion of Data from Magnetic and Solid-State Memory] , Gutmann's original paper
* [http://www.nber.org/sys-admin/overwritten-data-guttman.html Can Intelligence Agencies Read Overwritten Data?] , a refutation of Gutmann's claims.
* [http://www.actionfront.com/whitepaper/Drive-Independent%20Data%20Recovery%20Ver14Alrs.pdf Recovering Unrecoverable Data] , the need for drive-independent data recovery.
* [http://www.cerberussystems.com/INFOSEC/stds/ncsctg25.htm A Guide to Understanding Data Remanence in Automated Information Systems]

Notes


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Gutmann — may refer to: * Palais Gutmann, a Ringstraßenpalais in ViennaGutmann is a German surname meaning good man and may refer to: * Amy Gutmann, the current president of the University of Pennsylvania * Galit Gutmann, an Israeli actor and fashion model …   Wikipedia

  • Peter Gutmann (computer scientist) — Peter Gutmann is a computer scientist in the Department of Computer Science at the University of Auckland, Auckland, New Zealand. He has a Ph.D. in computer science from the University of Auckland. His Ph.D. thesis and a book based on the thesis… …   Wikipedia

  • Data remanence — is the residual representation of data that remains even after attempts have been made to remove or erase the data. This residue may result from data being left intact by a nominal file deletion operation, by reformatting of storage media that… …   Wikipedia

  • Data erasure — (also called data clearing or data wiping) is a software based method of overwriting data that completely destroys all electronic data residing on a hard disk drive or other digital media. Permanent data erasure goes beyond basic file deletion… …   Wikipedia

  • Data recovery — is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are being salvaged from storage media such as internal or external hard disk drives,… …   Wikipedia

  • Data Shredder — Developer(s) CBL Datenrettung Stable release 1.0.1 / April 3, 2007; 4 years ago (2007 04 03) Operating system Windows, MS DOS x86 …   Wikipedia

  • DBAN — Darik s Boot and Nuke Developer(s) Darik Horn Stable release …   Wikipedia

  • Disk Utility — Developer(s) Apple Inc …   Wikipedia

  • National Industrial Security Program — The National Industrial Security Program, or NISP, is the nominal authority (in the United States) for managing the needs of private industry to access classified information. The NISP was established in 1993 by Executive Order 12829.[1] The… …   Wikipedia

  • Darik's Boot and Nuke — Infobox Software name = Darik s Boot and Nuke caption = developer = Darik Horn latest release version = 1.0.7 latest release date = August 13, 2006 operating system = genre = Secure erase license = GNU General Public License website =… …   Wikipedia