GCN Tech Blog

By GCN Staff


PGP challenges disk wiping study

In the Aug. 28 issue of the print edition of GCN, we reported on a study that looked at how well six disk-wiping products removed residual data hidden in a disk's $MFT file, which Microsoft Windows uses to keep track of other files. According to the tests, conducted by Hal Berghel and David Hoelzer, only one product completely eliminated the $MFT data, namely Evidence Eliminator from Robin Hood Software Ltd. (The full report first appeared in the August 2006 issue of the Communications of the ACM, a journal of the Association for Computing Machinery.)

Shortly after the article appeared, we got a message from John Dasher, director of products at PGP Corp. of Palo Alto, which makes one of the products that did not pass the researchers' test. He took exception to the findings. "PGP Desktop does, in fact, work with $MFT and we document how to do it with an explicit option called 'Wipe NTFS Internal Data Structures.' This shred utility can be used to completely destroy sensitive information from a user's system," he wrote. (PGP Shred, the utility the researchers tested, is a component within PGP Desktop.)

A mistake in the research? We e-mailed the researchers to find out.

"We stand by our original findings," Berghel responded. "While PGP's representative claimed ... 'PGP Desktop does, in fact, work with $MFT,' [he offered] no explanation of what 'working with' $MFT means, much less experimental confirmation."

"It is worthy of mention that all vendors make similar claims. Our experiments, however, show that some claims are unfounded," Berghel added.

For the study, the research team copied a directory of files to a memory stick formatted with NTFS, which is the current Microsoft Windows file system. They then erased all these files and subdirectories from the storage device, and, afterwards, used the wipe utility on that disk. After this process was completed, they examined the disk's contents with a hex editor and a program they wrote for such analysis.

With the drive wiped by PGP Shred, the researchers found small files still intact within the $MFT, as well as several alternate data stream names. ADS is a little-known feature of the Microsoft NTFS file system that, in effect, allows new data to be hidden within an existing file, without changing the attributes of that file.
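A post-wipe check of the kind described above can be sketched as a scan of a raw image for surviving $MFT file records. This is an added example, not the researchers' program; it assumes 1,024-byte file records and 512-byte sectors, and the function names and the sample record are constructed here.

```python
import struct
RECORD_SIZE, SECTOR = 1024, 512   # assumption: default NTFS record and sector sizes

def apply_fixups(rec):
    """Restore the real sector-end bytes saved in the update sequence array."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    rec = bytearray(rec)
    for i in range(1, min(usa_cnt, len(rec) // SECTOR + 1)):
        if usa_off + 2 * i + 2 <= len(rec):   # ignore a corrupt array offset
            rec[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def scan_mft_residue(image):
    """List FILE records that still expose file names, ADS names or resident data."""
    findings = []
    for base in range(0, len(image) - RECORD_SIZE + 1, SECTOR):
        if image[base:base + 4] != b"FILE":
            continue
        rec = apply_fixups(image[base:base + RECORD_SIZE])
        off, flags = struct.unpack_from("<HH", rec, 0x14)   # first attribute, record flags
        hit = {"offset": base, "in_use": bool(flags & 1), "names": [], "streams": [], "resident": []}
        while off + 0x18 <= RECORD_SIZE:
            atype, alen, nonres, nlen, noff, _, _, clen, coff = struct.unpack_from("<IIBBHHHIH", rec, off)
            if atype == 0xFFFFFFFF or alen < 0x18 or off + alen > RECORD_SIZE:
                break                                       # end marker or damaged attribute
            body = b"" if nonres else rec[off + coff:min(off + coff + clen, off + alen)]
            if atype == 0x30 and len(body) >= 0x42:         # $FILE_NAME: name starts at 0x42
                hit["names"].append(body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace"))
            elif atype == 0x80:                             # $DATA
                if nlen:                                    # a named $DATA attribute is an ADS
                    hit["streams"].append(rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le", "replace"))
                if body.strip(b"\x00"):                     # small file stored inside the record
                    hit["resident"].append(body)
            off += alen
        if hit["names"] or hit["streams"] or hit["resident"]:
            findings.append(hit)
    return findings

def make_attr(atype, body, name=""):   # builds one resident attribute for the constructed sample
    n = name.encode("utf-16-le")
    size = -(-(0x18 + len(n) + len(body)) // 8) * 8         # attribute length, 8-byte aligned
    head = struct.pack("<IIBBHHHIHH", atype, size, 0, len(name), 0x18, 0, 0, len(body), 0x18 + len(n), 0)
    return (head + n + body).ljust(size, b"\x00")

def sample_image():   # constructed: zeroed space, then a deleted file's record with one ADS
    fname = bytes(0x40) + bytes([8, 1]) + "plan.txt".encode("utf-16-le")
    attrs = make_attr(0x30, fname) + make_attr(0x80, b"quarterly figures") + make_attr(0x80, b"hidden", "secret")
    hdr = b"FILE" + struct.pack("<HH", 0x30, 3) + bytes(12) + struct.pack("<HH", 0x38, 0) + bytes(0x20)
    return bytes(2048) + (hdr + attrs + b"\xff" * 4).ljust(RECORD_SIZE, b"\x00")
```

An empty result means no file record with names or non-zero resident data was found; a wipe that fills records with a non-zero pattern will still be listed and needs a manual look at the reported bytes.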

Dasher maintained that, contrary to Berghel and Hoelzer's results, PGP Shred eliminates remnants within $MFT as well as ADS names. As evidence, Dasher provided an excerpt from the manual on how to initiate such actions. The researchers were not impressed, however. "A single page from their user manual," Berghel noted, is "hardly a scientific refutation."

In other words, the burden of proof still resides with PGP.

"We offered to re-run our tests if PGP would provide us with a licensed copy of the software they want reviewed. Absent that, there's not much we can say," Berghel said.

--Posted by Joab Jackson

Posted by Brad Grimes, Joab Jackson on Sep 22, 2006 at 9:39 AM

