Wikipedia:Reference desk/Archives/Computing/2013 September 6

Computing desk
< September 5	<< Aug | September | Oct >>	September 7 >

Welcome to the Wikipedia Computing Reference Desk Archives
The page you are currently viewing is an archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages.

September 6

Secure Deletion Methods

I've read various articles on this subject and there seems to be a lot of disagreement over what is and isn't sufficient to securely wipe a hard drive. Some say one pass with random data is sufficient to make the previous information on the hard drive completely unrecoverable. Though others suggest this isn't enough alone and a 3-pass or 7-pass method is necessary (though most agree the 35-pass method is way overkill). And supposedly, if the article on the subject is to be believed, Bradley Manning's (single pass) zero-filled drive had its data recovered, so that seems to be an insecure method if true.

I suppose my question here is: Assuming I had the necessary and expensive modern hardware, how feasible would it be to retrieve a meaningful amount of overwritten data from a hard drive that has been filled with a single pass of pseudo-random data? -Amordea (talk) 05:12, 6 September 2013 (UTC)[reply]

An interesting query. The relevant WP page is Data recovery#Overwritten data. It appears that we need to know whether we are talking about a 'standard' magnetic type Hard disk drive(HDD) or a Solid-state drive (SSD) as it is relevant as to how easy it is to recover overwritten data. A scientific paper by Peter Gutmann on how recovery might be achieved is Secure Deletion of Data from Magnetic and Solid-State Memory USENIX Security Symposium Proceedings, San Jose, California, July 22-25, 1996. Possibly rather out of date by now! --220 of ^Borg 05:42, 6 September 2013 (UTC)[reply]

In my mind, I was automatically thinking of a magnetic hard drive. But I am interested to know what would be effective for an SSD as well. -Amordea (talk) 06:17, 6 September 2013 (UTC)[reply]

On old 1980s style magnetic media, it was easy to write data between tracks, and relatively easy to recover data that had been overwritten (even several times on the same machine). I recall being able to read overwritten data on a floppy disk just by moving it to a drive with a different head alignment. Modern media has tracks so close together that there is much less opportunity for residual data to remain, and I would be happy with a single complete overwriting for any of the confidential data that I've held (though I did once smash a hard drive with a sledge hammer). The problem is in persuading the operating system to overwrite every track and sector, that's why specialist software is used that bypasses the operating system. In Bradley Manning's case, I think it was unallocated sectors that held the recovered data. Although normal specialist equipment cannot recover data that has genuinely been overwritten (preferably with random data, not just zeros), computer forensics at the leading edge of technology might have techniques that could detect some residual magnetism from previous writes, even after several overwrites. This would involve removing the disk from the drive in a clean room and remounting it so that it could be read by microscopic detectors at molecular level, much smaller than the original write heads. This would cost many tens of thousands of pounds, and success seems unlikely to me, because the magnetism comes in discrete units, but I'm not au fait with modern computer forensics. Most recovery is from sectors that just didn't get overwritten. Have we any experts? (I expect that the true experts are sworn to secrecy!) ... later note Apologies to 220 of Borg, I wrote the above before reading the excellent linked article by Peter Gutmann. His methods obviously worked well with 1990s media densities, but he does say that they are unlikely to work with modern media. Dbfirs 07:40, 6 September 2013 (UTC)[reply]

As for the Bradley Manning article, I'm skeptical of the line that says it could be retrieved: "The operating system had been re-installed in January 2010, and on or around January 31, 2010, an attempt had been made to erase the hard drive by doing a "zero-fill," which involves overwriting material with zeroes. The material had been overwritten only once, which meant it could be retrieved.[46]" I wonder if the original source is more nuanced in its description. That line probably needs to be reviewed more carefully. Shadowjams (talk) 08:53, 6 September 2013 (UTC)[reply]

Yeah, I admit some skepticism there too (if you couldn't tell from the language of my original post). The Wired article it pulls that information from isn't much more helpful, saying more or less the same thing, but even that is second-hand information. We have no idea the full context of what the computer forensics experts had to say about how they recovered the data and I've never read anywhere else that zero-filling is insecure for file shredding. -Amordea (talk) 09:28, 6 September 2013 (UTC)[reply]

Does anyone know if any of the data from her hard drive was actually used as evidence during the court martial? If it was then it demonstrates that it was definitely recoverable. I don't have a name (talk) 12:37, 6 September 2013 (UTC)[reply]

As I explained at length here Talk:United States v. Manning#Source doesn't say material was recovered from overwritten space, I don't think the Wired article actually says what our article says although I agree it's confusing. I thought I changed both articles so either I made a mistake or someone changed the main article back. Either way I've changed our article back to what IMO the Wired article actually says. Note that the fact evidence may have been used at her trial doesn't tell us anything about whether it was recovered from overwritten space as it remains unclear whether the entire hard drive was zerofilled (and the relevance of 'unallocated space' is unclear if it was, does it mean an OS was reinstalled and they could only recover data which hadn't been subsequently overwritten so perhaps two passes were enough?). I would hope at the trial precisely how and from what the data was recovered would have been discussed in more depth whether under examination or cross-examination but if all we have is similar to what we have at the moment, it still won't help us. As for the general question, this has been discussed at length before on the RD and so far no one has presented evidence it's actually possible (as in someone has actually done it) to recover data on a HD which has been overwritten. Our article was the first time I'd ever even heard a claim, but then on reading the Wired article I realised what actually happened is unclear and IMO there remains no evidence that anyone has ever demonstrated recovery from actual overwritten data. Nil Einne (talk) 14:51, 6 September 2013 (UTC)[reply]

Okay I did a search on the transcripts from [1] and the Wired article is worse than I thought (whether this is Wired's fault or the information presented pretrial was just misleading I don't know. Take a look at [2] particularly page 53. The investigator actually says "Nothing can be recovered prior to 25 January, nothing in unallocated space can be prior to 31 January" (if you read earlier you'll understand the dates, the whole drive was zerofilled on 25 January when the OS was installed and free space was zerofilled on 31 January).

So basically even the investigator is saying you can't recover anything. However a seven pass was used for the free space, not a single pass. (As I mentioned in the article talk page, erasing only the free space is somewhat risky in that it's often difficult to ensure all the free space was erased although I believe in OS X it's an OS option which may reduce the risk, although there is also stuff like technically non free space such as tiny files where some unwanted info may reside. However from what I saw, there's nothing that complicated here and it's perhaps not that surprising.)

Of course this doesn't tell us whether the investigator could have recovered everything if only one pass was used. (I don't know what option was used during OS install my guess would be a single pass which could mean anything allocated would have been written at least twice once for the zero file and once when it was written.) But there's definitely nothing in this trial that I've seen suggesting it is possible.

There was some early discussion about how secure erase was overwriting and no mention of how many times or the number of passes being relevant. Another cancelled attempt to erase free space was done in February and there is some brief discussion of stuff being wiped in the first 2 minutes but there's no suggestion that anything could be recovered if it had only been overwritten once, although the investigator also doesn't point out that comparing it to the 3h40min for the 7 pass would be misleading since a single pass would be enough. They were mostly going by what they saw on the logs so probably weren't thinking that carefully. Much later there's also brief mention of zeroing HDs and data being lost during military upgrades although I presume the military always does more than one pass anyway. (In any case, if you really could recover data from overwritten sectors, you'd need atomic force microscopy or something so I presume someone other than the forensic investigator mentioned would need to be involved.) All in all, this transcript seems to mostly support what I've heard before namely if it really is possible to recover data that's been really overwritten (as opposed to believed to have been overwritten but not actually) even only one time, forensic investigators aren't talking about it or using it in court cases. (Of course even if any of this were possible and the US government may have been willing to reveal they could do so, it seems it wasn't necessary in this case and despite all the hype I'm not convinced they cared enough to reveal such information even if the case hinged on it.)

The case does ilustrate two things. Number one, as I said before it's probably more beneficial to do a single pass erase of the whole disk than to do a multiple pass erase of a portion of it. Number two, there's no point doing any erase, multiple pass or single, if you're just going to rewrite the same incriminating data (okay to be fair I'm not sure it was the same data, the previous data may have been worse). (And funnily enough a secure container which was never broken was created the same day of the abandoned erase attempt in February. Maybe if the secure container had been diligently used and the erase attempt completely there would have been much less evidence at least from that computer.)

Nil Einne (talk) 15:43, 6 September 2013 (UTC)[reply]

Wow, this has been very informative. Thank you for the investigative legwork, Nil Einne. -Amordea (talk) 22:04, 6 September 2013 (UTC)[reply]

I thought I could keep this as a simple minor offside, but it seems I was wrong, hiding to avoid distracting from the main discussion, not to shut down discussion. Nil Einne (talk) 20:06, 6 September 2013 (UTC)[reply]

Somewhat offtopic While looking at the transcripts I noticed this [3]: “ So the military has a program where they'll take a green suiter, put us into a civilian corporation, and I had the luck of working at Microsoft in the place where they handle all of the zero day exploits that Microsoft works with, and a zero day exploit is something such as an exploit that they're no known patch for that vulnerability for yet and those are highly valuable. So the Microsoft security MSRC really taught me a lot how corporations deal with this threat of mallware or malicious software vunerabilities in their operating systems and how they respond to it and how about they triage it and how their teams handle it at the program manager level type of thing. ” Unspoken but obvious is why the military would be interested in having someone working with zero day Microsoft exploits... Nil Einne (talk) 15:59, 6 September 2013 (UTC)[reply] Because the United States Government owns and operates millions of computers, many running Microsoft Windows, and has a vested interest in knowing any vulnerabilities? Because there's an entire career track in the U.S. Army and other services that focuses entirely on making sure the information-technology operated on behalf of the American defense department remains secure? Because part of the Army career path for information technology specialists is to provide training that will be relevant in the civilian marketplace? The quote doesn't sound sinister to me. Nimur (talk) 17:45, 6 September 2013 (UTC)[reply] Sure the military is obviously interested in protecting their computers (and other computers important to the US government), nothing I said suggested otherwise (in fact I intended to say it but decided it was unnecessary particularly since this is offtopic and I always get TL;DR complaints but if you prefer that version so be it) but they are surely also interested in breaking computers used by other parties, and that know of zero day exploits before many other parties is clearly going to help. And who said anything about sinister? I said it was obvious, not sinister. The fact that the US military is going to be extremely interested in both exploiting zero day bugs and protecting themselves from them is as I was trying to say before you replied obvious and unsurprising, and this would be the same even before the Edward Snowden revelations. (And the fact Microsoft is quite willing to help them is similarly obvious not sinister and similarly the fact they clearly have a great advantage in this area over even nominal allies who have to hope it will be shared with them and not used against them, as further proven by the Edward Snowden stuff should be obvious not sinister.) What I didn't say because I thought it was obvious is that despite some weird denials or strange expressed belief that it wasn't happening by a variety of parties (particularly before the Edward Snowden stuff), there's strong evidence it's happening and it isn't even that hidden as this example I happened to come across shows, even if until recently rarely discussed in many cirles. (If you consider what's obviously happening implies something sinister, that's your business not mine.) I don't get the relevance of the other stuff, no one ever said the military wasn't interested in providing training relevant to the civilian marketplace and the wider commentary sort of implies that providing training (both for the civilian marketplace but also training from the civilian marketplace that they can bring back to the military). But there's no reason why that training would in particular be in working with Microsoft zeroday exploits. And to say it's just a coincidence that they have someone doing so as part of a wider programme to provide such training defies reality. (Although I'm not that sure you're actually trying to say that because you earlier acknowledged there were actually good reasons why they would want it even if only acknowledging one of the obvious ones. However I felt in my original comment I was clearly addressing the fact they had someone working with zeroday Microsoft exploits not that they had people working in the civilian marketplace in general so I don't really see that wider discussions on such programmes and what their general aims are is particularly useful to this discussion which I acknowledged two times now is offtopic. But of course being offtopic, I'm not going to complain if you want to initiate such discussions, it's just that it sounds like you aren't particularly interested in such discussions.) Nil Einne (talk) 19:37, 6 September 2013 (UTC)[reply]

I didn't find enough information regarding Recovery of overwritten drives, quite bizarre there are more articles about deleting than about recovering. 190.60.93.218 (talk) 17:30, 6 September 2013 (UTC)[reply]

Note as I've said in previous discussions and somewhat suggested in the main topic, that's good evidence no one is doing it, or at least if someone is it's very secretive not the sort of stuff you're likely to have to worry about unless you're a real terrorist or a foreign government or something similar. Nil Einne (talk) 19:56, 6 September 2013 (UTC)[reply]

Q from a firefox n00b

Somehow this morning, I clicked a wikipedia link and it appeared above the tabs. I noticed that and wanted to undo it, but the undo option was disabled (WTF? There IS not much a browser ever has to undo, how can it miss that obvious one?) And now I'm stuck with the W icon. Any idea how I can enable the undo feature and/or undo it without the heavy guns (System restore etc)? This is NOT on a rig which would get wiped anyway. :( Puzzled, - ¡Ouch! (^{hurt me} / _{more pain}) 06:09, 6 September 2013 (UTC)[reply]

By "above the tabs" do you mean in the Bookmark Toolbar? Thanks ツ Jenova20 ^(email) 09:07, 6 September 2013 (UTC)[reply]

What was the link you clicked? Can you upload a screenshot?--Shantavira|^{feed me} 15:51, 6 September 2013 (UTC)[reply]

RD/S, I clicked the tab and somehow dragged it. - ouch

Also, should we assume you have the latest version of Firefox? But back to the question, when you say it appeared above the tabs, do you mean that it was in its own window? Dismas|^(talk) 16:02, 6 September 2013 (UTC)[reply]

Not even close. I should have added that it is still 3.0.4. I don't like the new ones with their ginormous RAM footprints. Not a window. It appeared in a line betwen URL and tabs. - ouch

Sounds like you bookmarked a page and now it's in your bookmarks toolbar. Click the bookmark with your right mouse button and select "Delete" from the menu. Alternatively find the bookmarks menu and select "Show All Bookmarks", you can organize your bookmarks there. 88.112.41.6 (talk) 16:33, 6 September 2013 (UTC)[reply]

Show all bookmarks seems to work. Didn't try it before System Restore, :( - ouch

I agree with 88.112.41.6. You've just added it to your bookmarks toolbar by mistake, by inadvertently dragging the link into that region of the browser window. As mentioned above, just right-click and press "delete". --.Yellow1996.^(ЬMИED¡) 03:12, 7 September 2013 (UTC)[reply]

Thanks all. It was in the bookmarks line; I must have dragged a tab there somehow. Delete did not actually delete it; I had to use System Restore to get rid of it, which took an awfully long time. Virus scan didn't find anything else.

It's funny how a word processor, which has to process ~10,000 undoable actions (virtually anything that's not New/Load/Save/Print) does so flawlessly, but a browser, which usually doesn't encounter even one undoable action per hour, promptly fails.

I made another bookmark (not by dragging but by r-click and "add to bookmarks") and I could delete that one.

Resolved (or at least I hope so), thanks. - ¡Ouch! (^{hurt me} / _{more pain}) 15:55, 7 September 2013 (UTC)[reply]

Missing dll file

This screenshot shows a missing file on another laptop. Apparently it is causing all kinds of problems because it is missing. How to I get it and where do I install it? Would a virus somehow have destroyed it?--Doug Coldwell (talk) 19:45, 6 September 2013 (UTC)[reply]

This is intriguing. reader_sl.exe, the program which is throwing the error, is a helper app by Adobe designed to make their Adobe Reader program open quicker. mc_dec_dv100.dll, the broken file, seems to be by a company called MainConcept and is part of an audio decoder. And finally the whole thing seems to be going on in Google's appdata folder, which is where programs like Google Chrome are installed and where they store their user data.

It sounds like a possible Win32/Goblin infection. You could try using the tool on this page. I have not tested it. —Noiratsi (talk) 06:42, 7 September 2013 (UTC)[reply]

Collapsed information cut off on right

Hopefully this Teahouse question won't be archived. I couldn't see the text on the right when I clicked on "show". I asked about this thinking there was some glitch in how it was added to the page. User:PrimeHunter said there should be a scrollbar but there wasn't. He asked my browser, which is Internet Explorer 9.— Vchimpanzee · talk · contributions · 20:56, 6 September 2013 (UTC)[reply]

I see a scroll bar on my chrome browser. It should be at the very bottom of your screen, horizontally. If you don't see it, you may want to try Google Chrome, it's free. If you just want to read the information, I may be able to transcribe the entire thing for you. I don't know how else to help.--ɱ (talk) 21:23, 8 September 2013 (UTC)[reply]

I have no desire to change browsers. I have my reasons, and I tried Chrome on my uncle's computer anyway. I don't like it. For many reasons. And I don't have to. I don't see why this can't just work.— Vchimpanzee · talk · contributions · 17:18, 9 September 2013 (UTC)[reply]

I copied and pasted the information into an email to myself and I get a scrollbar that way. Or rather a picture of one. It is nonfunctional and I can't see what's cut off on the right. However, only that text which looks like the plain text on the edit screen is cut off. Once I send the email and look at it at the recipient address, things may be different.— Vchimpanzee · talk · contributions · 17:22, 9 September 2013 (UTC)[reply]

Incidentally, everything showed up when I clicked on "edit".— Vchimpanzee · talk · contributions · 20:27, 9 September 2013 (UTC)[reply]

Even if you don't like Chrome, I still recommend that you still update to a modern browser. You can get IE 11, which is available for Windows 7 computers, but when comparing functionality, there are many superior browsers.--ɱ (talk) 02:04, 11 September 2013 (UTC)[reply]

I don't like IE9. There's no way I would mess things up further. And I got my computer in 2008, so it does not have Windows 7 and I don't want it. As for the scrollbar, it worked in the email when I received it, though this is Firefox. Which I don't like. I'm just at this library because it's close and I feel more comfortable with web sites outside the select group here.— Vchimpanzee · talk · contributions · 14:49, 11 September 2013 (UTC)[reply]