This is the tip of the iceberg.

Another concern is NTFS filesystems, data can be stored in the MFT if it is
small enough (i.e. under 1 or 4k depending on how your drive got formatted).
I also found that when using alternate data streams:

cat "this_is_a_string_of_text" > somefile.txt:an_ads_stream

that the string was then found on the HD twice immediately afterwards.
Wiping the file (with tools that wiped alternate data streams properly) got
rid of one copy, but you had to do a wipe free space to get rid of the
other. Not sure if this was a journaling issue or what, but if you want to
get rid of alternate data streams make sure you wipe free space.

There are other hardware/software issues too:

IDE/scsi bad block mapping at the device level
bad block mapping at the OS level (although intelligent software might be
able to deal with this)
RAID arrays, I haven't yet experimented much with wiping data on RAID 0 or 5
arrays for example but I suspect the results will be interesting.
Increasing reliance on network storage
Disk defragmentation, your data just got copied around, possibly more then
once (ever watch the soothing patterns in Win98 defrag =).

I did a presentation on data deletion and wiping at Hivercon, the
presentation is available in PowerPoint at:
http://www.hivercon.com/hc02/speaker-seifried.htm

The next version should manage to be even more depressing.

Kurt Seifried, kurt (at) seifried (dot) org [email concealed]
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

[ reply ]