PGP challenges disk wiping study
In the Aug. 28 issue of the print edition of GCN, we reported on a study that looked at how well six disk-wiping products removed residue data hidden in a disk's $MFT file, which Microsoft Windows uses to keep track of other files. According to the tests, conducted by Hal Berghel and David Hoelzer, only one product completely eliminated the $MFT data, namely Evidence Eliminator from Robin Hood Software Ltd. (The full report first appeared in the August 2006 issue of the Communications of the ACM, a journal of the Association for Computing Machinery.)
Shortly after the article appeared, we got a message from John Dasher, director of products at PGP Corp. of Palo Alto, which makes one of the products that did not pass the researchers' test. He took exception to the findings. "PGP Desktop does, in fact, work with $MFT and we document how to do it with an explicit option called 'Wipe NTFS Internal Data Structures.' This shred utility can be used to completely destroy sensitive information from a user's system," he wrote. (PGP Shred, the utility the researchers tested, is a component within PGP Desktop.)
A mistake in the research? We e-mailed the researchers to find out.
"We stand by our original findings," Berghel responded. "While PGP's representative claimed ... 'PGP Desktop does, in fact, work with $MFT,' [he offered] no explanation of what 'working with' $MFT means, much less experimental confirmation."
"It is worthy of mention that all vendors make similar claims. Our experiments, however, show that some claims are unfounded," Berghel added.
For the study, the research team copied a directory of files to a memory stick formatted with NTFS, the current Microsoft Windows file system. They then erased all of these files and subdirectories from the storage device and afterwards ran the wipe utility on that disk. Once the wipe had completed, they examined the disk's contents with a hex editor and a program they wrote for such analysis.
With the drive wiped by PGP Shred, the researchers found small files still intact within the $MFT, as well as several alternate data stream names. Alternate data streams (ADS) are a little-known feature of the Microsoft NTFS file system that, in effect, allow new data to be hidden within an existing file without changing that file's attributes.
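What the researchers' hex-editor check amounts to in code, as an added example that is not part of this article or of the Berghel and Hoelzer study: a small Python scanner that walks raw $MFT records and reports any that still carry resident file contents (small files NTFS stores inside the record itself) or named $DATA streams (ADS names) after a wipe. The field offsets follow the documented NTFS FILE record and attribute header layouts. The sample image is constructed inside the script (a deleted record for a made-up "notes.txt" with a "secret" stream, a zeroed record, and a clean record), not taken from a real disk, and `build_sample_record`, `find_residue` and the other names are this example's own.

```python
"""Scan raw NTFS $MFT records for data a wipe tool may have left behind."""
import struct
from typing import Optional

FILE_SIG = b"FILE"
RECORD_SIZE = 1024          # common MFT record size
SECTOR = 512
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF


def apply_fixups(rec: bytes) -> bytes:
    """Undo the update-sequence fixup NTFS writes at the end of each sector."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    buf = bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if buf[end:end + 2] != usn:
            raise ValueError("update sequence mismatch: torn record")
        buf[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(rec: bytes) -> Optional[dict]:
    """Return file names and $DATA streams of one record, or None if not a FILE record."""
    if rec[:4] != FILE_SIG:
        return None
    rec = apply_fixups(rec)
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    record_no = struct.unpack_from("<I", rec, 0x2C)[0]
    info = {"record": record_no, "in_use": bool(flags & 1), "names": [], "streams": []}
    off = attr_off
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if not nonres:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
        if atype == ATTR_FILE_NAME and not nonres:
            fn_len = content[0x40]
            info["names"].append(content[0x42:0x42 + 2 * fn_len].decode("utf-16-le"))
        elif atype == ATTR_DATA:
            # Non-resident data lives in clusters, not in this record: record None.
            info["streams"].append((name, None if nonres else content))
        off += alen
    return info


def find_residue(image: bytes) -> list:
    """Report records that still hold resident stream bytes or ADS names."""
    findings = []
    for pos in range(0, len(image) - RECORD_SIZE + 1, RECORD_SIZE):
        info = parse_record(image[pos:pos + RECORD_SIZE])
        if info is None:
            continue
        resident = [s for s in info["streams"] if s[1]]
        ads = [s[0] for s in info["streams"] if s[0]]
        if resident or ads:
            info["resident_bytes"] = sum(len(s[1]) for s in resident)
            info["ads_names"] = ads
            findings.append(info)
    return findings


# ---- constructed sample input (not a real disk image) ----
def _attr(atype: int, name: str, content: bytes) -> bytes:
    """Build one resident attribute with an 8-byte-aligned header/name/content layout."""
    nm = name.encode("utf-16-le")
    name_off = 0x18
    coff = (name_off + len(nm) + 7) & ~7
    length = (coff + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, len(name), name_off,
                      0, 0, len(content), coff, 0, 0)
    body = hdr + nm
    body += b"\0" * (coff - len(body)) + content
    return body + b"\0" * (length - len(body))


def build_sample_record(record_no: int, file_name: str, data: bytes,
                        ads: Optional[dict] = None, in_use: bool = False) -> bytes:
    """Assemble one 1024-byte FILE record with $FILE_NAME and resident $DATA streams."""
    nm = file_name.encode("utf-16-le")
    fn_content = struct.pack("<Q4Q2QIIBB", 5, 0, 0, 0, 0, 0, 0, 0, 0, len(file_name), 1) + nm
    attrs = _attr(ATTR_FILE_NAME, "", fn_content) + _attr(ATTR_DATA, "", data)
    for ads_name, ads_data in (ads or {}).items():
        attrs += _attr(ATTR_DATA, ads_name, ads_data)
    attrs += struct.pack("<I", ATTR_END) + b"\0" * 4
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    rec = bytearray(RECORD_SIZE)
    rec[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", FILE_SIG, usa_off, usa_count, 0, 1, 1,
                             first_attr, 1 if in_use else 0, first_attr + len(attrs),
                             RECORD_SIZE, 0, 0, 0, record_no)
    rec[first_attr:first_attr + len(attrs)] = attrs
    usn = b"\x01\x00"                       # write the fixups a real volume would carry
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


SAMPLE_IMAGE = (
    build_sample_record(7, "notes.txt", b"CONFIDENTIAL: budget figures", {"secret": b"hidden"})
    + b"\0" * RECORD_SIZE                                   # a fully zeroed (wiped) record
    + build_sample_record(8, "README", b"", in_use=True)    # clean: no resident data, no ADS
)

if __name__ == "__main__":
    for hit in find_residue(SAMPLE_IMAGE):
        print(f"record {hit['record']} {hit['names']} in_use={hit['in_use']} "
              f"resident_bytes={hit['resident_bytes']} ads={hit['ads_names']}")
```

Run against a raw copy of `$MFT` (cut into 1024-byte records) before and after a wipe, the script gives the kind of evidence the researchers asked for: a record that is no longer in use but still returns resident bytes or a stream name is exactly the residue the study reported.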
Dasher maintained that, contrary to Berghel and Hoelzer's results, PGP Shred eliminates remnants within $MFT as well as ADS names. As evidence, Dasher provided an excerpt from the manual on how to initiate such actions. The researchers were not impressed, however. "A single page from their user manual," Berghel noted, is "hardly a scientific refutation."
In other words, the burden of proof still resides with PGP.
"We offered to re-run our tests if PGP would provide us with a licensed copy of the software they want reviewed. Absent that, there's not much we can say," Berghel said.
--Posted by Joab Jackson
Posted by Brad Grimes, Joab Jackson on Sep 22, 2006 at 9:39 AM