2

If I want to mitigate the risk of data recovery from a disk drive resold as surplus equipment, how would the use of virtual disks assist?

For example, if I have half a dozen vmdks on a 1TB drive (for sake of argument, presume they've been added to different VMs), and I decide to decommission the drive, would simply erasing the vmdks and then selling / repurposing the drive ensure that the underlying data had been well-erased - even without extensive overwriting (for example, a quick format back to a blank drive)?

warren

4 Answers

5

No. Without a disk scrub, a dereferenced (deleted, but not overwritten) file is still present on disk, including a .vmdk.

Fully wipe your disks with at least a pass of zeros (more passes of random data for sensitive data or [edit: see Puddingfox's comment below; one pass is plenty on modern drives] the paranoid) before selling, always.

Shane Madden
  • 3
    With today's incredible data densities, only one pass is necessary. The NIST has released documents stating any disk manufactured after 2003? is not susceptible to any laboratory recovery after just one pass of overwrites. – jamesbtate Apr 14 '11 at 18:56
  • @Puddingfox Good info, thanks! I'll modify my answer to reflect that it's now just for the paranoid ;) – Shane Madden Apr 14 '11 at 18:58
  • 3
    Can't seem to edit comment to elaborate... I found the relevant link: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf Note section 2.3 which states "...[for hard disks] clearing and purging the media have converged." I was also wrong on the year. Any drive over 15GB (manufactured after ~2001) is safe. – jamesbtate Apr 14 '11 at 19:07
4

No, it would not. An undelete would get the VMDKs back and usable.

Even if it did not, the VMDKs are not encrypted and are a fairly basic wrapper around another filesystem - not too difficult fiddling could read data directly from where they were on the disks.

Use DBAN to properly wipe them, it won't take too long.

TessellatingHeckler
  • 2
    +1, VMware even supplies a vmfs-undelete command: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007243 – Renik Apr 14 '11 at 18:52
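
Added example (not part of the original thread or any poster's code): a Python check that contrasts what is left on a raw image after a delete with what is left after one zero pass, as the first two answers describe. The image layout, file names and helper names are constructed for illustration; `KDMV` and `# Disk DescriptorFile` are the VMDK sparse-header magic and descriptor first line.

```python
import os
import re
import tempfile

SECTOR, CHUNK = 512, 1024 * 1024
# VMDK sparse-extent header magic and the first line of a text descriptor.
MARKERS = {b"KDMV": "sparse-header", b"# Disk DescriptorFile": "descriptor"}
PATTERN = re.compile(b"|".join(map(re.escape, MARKERS)))

def scan_image(path):
    """Return (nonzero_sectors, [(marker, byte_offset), ...]) for a raw image."""
    overlap = max(map(len, MARKERS)) - 1
    nonzero, hits, tail, pos = 0, set(), b"", 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            nonzero += sum(bool(chunk[i:i + SECTOR].strip(b"\0")) for i in range(0, len(chunk), SECTOR))
            buf, base = tail + chunk, pos - len(tail)  # catch markers straddling chunks
            for m in PATTERN.finditer(buf):
                hits.add((MARKERS[m.group()], base + m.start()))
            tail, pos = buf[-overlap:], pos + len(chunk)
    return nonzero, sorted(hits, key=lambda h: h[1])

def build_demo_image(path):
    """Constructed sample: a 2 MiB 'disk' whose sector 0 is the only reference to the VMDK data."""
    img = bytearray(4096 * SECTOR)
    for sector, data in ((0, b"DIRENT guest.vmdk"), (100, b"# Disk DescriptorFile\nversion=1\n"),
                         (200, b"KDMV\x01\x00\x00\x00guest data")):
        img[sector * SECTOR:sector * SECTOR + len(data)] = data
    with open(path, "wb") as f:
        f.write(img)

def zero_pass(path):
    """One full overwrite pass with zeros over an image file, flushed to storage."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, CHUNK):
            f.write(bytes(min(CHUNK, size - off)))
        f.flush()
        os.fsync(f.fileno())

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_demo_image(img)
        with open(img, "r+b") as f:
            f.write(bytes(SECTOR))  # "delete": clear only the reference in sector 0
        after_delete = scan_image(img)
        zero_pass(img)
        return after_delete, scan_image(img)
```

Flat extents carry no header of their own, so after a wipe the non-zero sector count is the check that matters; the marker hits only show that VMDK structures are still identifiable after a plain delete.
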
3

Deleting your virtual machines just deletes references to data structures; it does not delete actual data. You will need to write zeros to the drive. Even if it is possible to recover your data after this, the cost will be measured in millions and it will be just cost prohibitive.

Nowadays, there is a simple alternative - you can buy a self-encrypting drive and then just reset the key before resale. Your drive will be instantly "erased" without need to write anything on it. It saves time if you are talking about large volume operations.

dtoubelis
-4

The only safe ways of no recovery, even of a VMDK, are:

  1. Destroy the disk
  2. Zero out the disk (I think the DOD recommends 7 times, which is probably overkill)
  3. Use SSD drives. As with USB keys, SSD drives will delete a file and there's no way to ever recover it.
Alex
  • `Use SSD drives. As with USB keys, SSD drives will delete a file and there's no way to ever recover it.` Whaa? Even if you're talking about a drive that supports TRIM, TRIM only affects the controller's notion of what blocks are in use. Just read a block and the data's (probably) still there (subject to wear-leveling, but still, just keep reading blocks until you find your data). Even if your data got moved into unreachable space by the WL routines, one quick trip to the de-soldering station later and you can access the individual chip(s) that store the data you're looking for. – BMDan Apr 14 '11 at 21:16
  • (1) The original author indicated that he wants to resell the disk (3) SSD is even less secure than HDD because it always writes data to a new area, leaving old data behind. There is even concern on multiuser systems that you can create a file from empty space on disk (without erasing its content) and find a whole bunch of recent information otherwise protected by FS permissions. – dtoubelis Apr 14 '11 at 22:36
  • @BMDan and Dmitri Don't take my word for it http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf – Alex Apr 15 '11 at 13:15
  • @Dmitri Toubelis: To be fair, no multiuser system of which I'm aware allows non-root processes to read unallocated disk space. This might be a concern if you're using a strange OS, but I know it doesn't apply to Linux, for example. – BMDan Apr 15 '11 at 13:32
  • @Alex: Read the paper. Put simply, it's just saying you can't run EnCase on a SSD and expect to get all the data, due to wear-leveling. It certainly doesn't say that, once deleted, data on an SSD is unrecoverable. It's simply saying that the forensic standard of data acquisition for rotating-media drives cannot be easily mapped onto SSDs, and is arguing for development of a new procedure to take the changes into account. – BMDan Apr 15 '11 at 13:37
  • @BMDan it also states this: "Many manufacturers have therefore added routines to the drive controller chip that can pre-emptively act to ameliorate the 'reset' problem. One common strategy is known as Garbage Collection or ‘Self Healing’. The underlying philosophy is to cautiously identify areas that are not in use, and reset them as soon as possible". In the last part you also have Aggressive garbage collection that covers garbage collection issue with forensics. – Alex Apr 15 '11 at 13:41
  • @Alex: I'm not disputing how SSDs function. I recognize that they have GC heuristics. But that quote is ambiguously worded, and I think you took the wrong message from it. What's actually happening is that the area is marked as unallocated and unused; the bits of data themselves are not zeroed, as there's no point to doing that and it would "waste" a duty cycle to do so. The data is still on the flash chips, available to be read if you disconnect them from the controller. In fact, the author considers such an approach, but dismisses it as a "very significant technical challenge". – BMDan Apr 15 '11 at 13:47
  • @Alex: The paper is stating that one cannot use information recovered from an SSD in a court of law as evidence. It does not imply that the information cannot be recovered. – dtoubelis Apr 15 '11 at 14:48