GCN Tech Blog

By GCN Staff


PGP challenges disk wiping study

In the Aug. 28 issue of the print edition of GCN, we reported on a study that looked at how well six disk-wiping products removed residual data hidden in a disk's $MFT file, which Microsoft Windows uses to keep track of other files. According to the tests, conducted by Hal Berghel and David Hoelzer, only one product completely eliminated the $MFT data, namely Evidence Eliminator from Robin Hood Software Ltd. (The full report first appeared in the August 2006 issue of the Communications of the ACM, a journal of the Association for Computing Machinery.)

Shortly after the article appeared, we got a message from John Dasher, director of products at PGP Corp. of Palo Alto, which makes one of the products that did not pass the researchers' test. He took exception to the findings. "PGP Desktop does, in fact, work with $MFT and we document how to do it with an explicit option called 'Wipe NTFS Internal Data Structures.' This shred utility can be used to completely destroy sensitive information from a user's system," he wrote. (PGP Shred, the utility the researchers tested, is a component within PGP Desktop.)

A mistake in the research? We e-mailed the researchers to find out.

"We stand by our original findings," Berghel responded. "While PGP's representative claimed ... 'PGP Desktop does, in fact, work with $MFT,' [he offered] no explanation of what 'working with' $MFT means, much less experimental confirmation."

"It is worthy of mention that all vendors make similar claims. Our experiments, however, show that some claims are unfounded," Berghel added.

For the study, the research team copied a directory of files to a memory stick formatted with NTFS, which is the current Microsoft Windows file system. They then erased all these files and subdirectories from the storage device, and, afterwards, used the wipe utility on that disk. After this process was completed, they examined the disk's contents with a hex editor and a program they wrote for such analysis.

With the drive wiped by PGP Shred, the researchers found small files still intact within the $MFT, as well as several alternate data stream (ADS) names. ADS is a little-known feature of the Microsoft NTFS file system that, in effect, allows new data to be hidden within an existing file, without changing the attributes of that file.
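The kind of post-wipe check described above can be sketched as follows. This is an added example, not the researchers' analysis program or anything supplied by PGP; it assumes 1,024-byte MFT records, and the function names and sample image are constructed for illustration.

```python
import struct

DATA, END = 0x80, 0xFFFFFFFF  # $DATA attribute type, end-of-attributes marker

def scan_mft_residue(image, record_size=1024):
    """Find resident $DATA content and stream names left in unallocated MFT records."""
    findings = []
    for base in range(0, len(image) - record_size + 1, 512):  # sector-aligned scan
        rec = image[base:base + record_size]
        if rec[:4] != b"FILE":
            continue
        first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
        if flags & 0x01:            # record in use: a live file, not residue
            continue
        off = first_attr
        while off + 0x18 <= record_size:
            atype, alen = struct.unpack_from("<II", rec, off)
            if atype == END or alen < 0x18 or off + alen > record_size:
                break
            nonres, nlen, noff = struct.unpack_from("<BBH", rec, off + 8)
            if atype == DATA:
                name = rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le", "replace")
                body = b""
                if not nonres:      # resident: small file content sits inside the record
                    clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
                    body = rec[off + coff:off + coff + clen]
                if name or body.strip(b"\x00"):
                    findings.append((base, name, body))
            off += alen
    return findings

def make_record(flags, attrs):
    """Constructed test record: 0x38-byte header, attributes, end marker."""
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, flags)
    return (bytes(hdr) + b"".join(attrs) + struct.pack("<I", END)).ljust(1024, b"\x00")

def resident_data(content, name=""):  # constructed resident $DATA attribute
    n = name.encode("utf-16-le")
    coff = 0x18 + len(n)
    total = (coff + len(content) + 7) & ~7
    head = struct.pack("<IIBBHHHIHH", DATA, total, 0, len(name), 0x18, 0, 0, len(content), coff, 0)
    return (head + n + content).ljust(total, b"\x00")

# Constructed sample image: one live record and three deleted ones
SAMPLE = (make_record(0x01, [resident_data(b"live file")])     # in use: ignored
          + make_record(0x00, [resident_data(b"secret note")])  # deleted, content intact
          + make_record(0x00, [resident_data(b"", "hidden")])   # deleted, ADS name remains
          + make_record(0x00, [resident_data(b"\x00" * 16)]))   # deleted and zeroed: clean
```

The scan treats zero-filled content as clean, so a tool that overwrites with random bytes would still be reported and needs manual review. Sector fixups are not applied, which can alter two bytes at the end of each 512-byte sector in a real image.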

Dasher maintained that, contrary to Berghel and Hoelzer's results, PGP Shred eliminates remnants within $MFT as well as ADS names. As evidence, Dasher provided an excerpt from the manual on how to initiate such actions. The researchers were not impressed, however. "A single page from their user manual," Berghel noted, is "hardly a scientific refutation."

In other words, the burden of proof still resides with PGP.

"We offered to re-run our tests if PGP would provide us with a licensed copy of the software they want reviewed. Absent that, there's not much we can say," Berghel said.

--Posted by Joab Jackson

Posted by Brad Grimes, Joab Jackson on Sep 22, 2006 at 9:39 AM
