Monday, 3 December 2007

Peter Gutmann and disk recovery fallacies and snakeoil

In 1996 Peter Gutmann developed a method to wipe drives. One of the issues that was not challenged at the time is his assertion about “obtaining a 0.95 when a zero is overwritten with a one, and a 1.05 when a one is overwritten with a one”. That assertion is actually false.

What people seem to think is that a digital write is a digital operation. This is a fallacy. Drive writes are analogue. They have a probabilistic output. It is unlikely that an individual write will be a +1.00000 [1]. Rather, there is a set range. There is a normative confidence interval that the bit will fall within.

What this means is that there is generally a 95% likelihood that the +1 will exist in the range (0.95, 1.05), and then a 99% likelihood that it will exist in the range (0.90, 1.10), for instance. This leaves a negligible probability (1 bit in every 100,000 billion or so) that the actual potential will be less than 60% of the full +1 value. This error is the non-recoverable error rating of the drive for a single write.

As a result, there is no statistically discernible difference to the drive between a 0.90 and a 1.10 factor of the magnetic potential. What this means is that, due to temperature fluctuations, humidity, etc., the value will vary on EACH write. A consequence of this is that data recovery using an ESM is probabilistic. This is, the

What is being suggested by Peter Gutmann in his paper is that a 1.06 drive voltage factor will imply a previous +1. This is false. As I stated, this is not correct. A +1 is anything in a range, normally, and it has nothing to do with drive head placement. A normal write will create a reading in a range: nearly never a 1.00, but rather a 0.9 to 1.1, independent of the prior write.

There is no way to determine if a 1.06 is due to a prior write or a temperature fluctuation. There is a probabilistic occurrence of recovery at a rate better than 50%. This is true. However, recovering 60-65% of a disk track in a linear function is unlikely to provide any acceptable level of recovery and will not suffice as forensic evidence.
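To see what the per-bit rates quoted above mean for usable data, the following Python sketch is an added example, not code from the original post. It assumes each bit is recovered independently with the same success rate; the function names and sample text are constructed for illustration. It goes slightly beyond the text by also computing how much information each recovered bit carries (binary symmetric channel model).

```python
import math
import random


def unit_recovery_probability(p_bit, n_bits):
    """Chance that n_bits consecutive bits are all read back correctly,
    assuming each bit is an independent trial with success rate p_bit."""
    return p_bit ** n_bits


def information_per_bit(p_bit):
    """Information (in bits) one recovered bit carries about the original,
    treating recovery as a binary symmetric channel: 1 - H(p)."""
    if p_bit in (0.0, 1.0):
        return 1.0
    q = 1.0 - p_bit
    return 1.0 + p_bit * math.log2(p_bit) + q * math.log2(q)


def simulate_recovery(data, p_bit, seed=0):
    """Flip each bit of `data` with probability 1 - p_bit and return
    (recovered bytes, fraction of bits correct, fraction of bytes correct)."""
    rng = random.Random(seed)
    out = bytearray()
    good_bits = good_bytes = 0
    for byte in data:
        mask = 0
        for i in range(8):
            if rng.random() >= p_bit:      # this bit was recovered wrongly
                mask |= 1 << i
        good_bits += 8 - bin(mask).count("1")
        good_bytes += mask == 0            # byte is intact only if no bit flipped
        out.append(byte ^ mask)
    n = len(data)
    return bytes(out), good_bits / (8 * n), good_bytes / n


if __name__ == "__main__":
    # Constructed sample standing in for an overwritten track.
    sample = b"Account 4471: transfer approved by J. Smith. " * 400
    for p in (0.50, 0.60, 0.65):           # 0.50 is a pure guess
        rec, bit_ok, byte_ok = simulate_recovery(sample, p, seed=1)
        print(f"p={p:.2f} byte: {unit_recovery_probability(p, 8):.4f} "
              f"info/bit: {information_per_bit(p):.4f} "
              f"simulated bits {bit_ok:.3f} bytes {byte_ok:.4f} "
              f"first 20: {rec[:20]!r}")
```

Under these assumptions only about 3% of bytes survive intact at a 65% per-bit rate, and the recovered stream gives no indication of which bytes those are.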

On top of this the issue of magnetic decay will come into play. This further skews the results.

"Therefore it is theoretically possible to neutralize the last write, but only IF the head can be placed almost exactly over write spot."

No, this is false. Magnetic fields operate perpendicular to what we term reality (this is a big simplification). Magnetic field maths requires the unreal number i = SQRT(-1) for definition. Magnetic fields do not sum in real space as is implied by the statement, rather they act at 90 degrees to all physical dimensions (again a big oversimplification).



References


  • Prof. Dr. sc. nat. Lutz Schimansky-Geier (2007) "Stochastic dynamics and electromagnetic fields of confined random charges: from distribution to control" Institut für Physik Theoretische Physik (Stochastische Prozesse)

  • De Angelis, G F et al (1982) "A stochastic description of a spin-1/2 particle in a magnetic field" J. Phys. A: Math. Gen. 15 2053-2061 doi:10.1088/0305-4470/15/7/016

  • White, R B et al (1993) "Collisionless transport in a stochastic magnetic field" Plasma Phys. Control. Fusion 35 595-599 doi:10.1088/0741-3335/35/5/005

  • Hentschke, S.; Rohrer, S.; Reifschneider, N. (1996) "Stochastic magnetic field micro-sensor" ASIC Conference and Exhibit, 1996. Proceedings., Ninth Annual IEEE International, 23-27 Sep 1996, pp. 11-14 doi:10.1109/ASIC.1996.551952
