[18740] in bugtraq


Re: BugTraq: EFS Win 2000 flaw

daemon@ATHENA.MIT.EDU (Ryan Russell)
Tue Jan 23 12:41:02 2001

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.GSO.4.30.0101221608290.6829-100000@mail>
Date:         Mon, 22 Jan 2001 16:13:55 -0800
Reply-To: Ryan Russell <ryan@SECURITYFOCUS.COM>
From: Ryan Russell <ryan@SECURITYFOCUS.COM>
X-To:         Russ <Russ.Cooper@RC.ON.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <E9A01F52DC939448BBDE44ED2E1C468F108AE9@muskie.rc.on.ca>

On Fri, 19 Jan 2001, Russ wrote:

> To the best of my knowledge, Peter Guttman(sp?) has demonstrated for years
> now that there is no form of over-writing which makes any substantial
> difference to the ability to recover previously written data from a computer
> hard disk.
>
> My understanding of current "high security" standards wrt the re-use of
> disks which previously contained classified materials is that they only be
> re-used in similarly classified systems, or, are destroyed beyond any form
> of molecular reconstruction (e.g. melted).

I see a big difference in being able to recover some files by simply
booting to a different OS vs. having to break out the electron microscope
and manually piece bits together.  I could boot DOS or Linux to read a
deleted file... I don't think I'd be able to find someone who could read
the bits from 3 writes ago off of a physical disk surface for me... unless
you gave me a huge amount of time and money.

If the problem does exist as described... the possibility that a
government forensics lab might recover some data is no excuse for not
handling temp files properly for EFS.

						Ryan
