GCN Tech Blog

By GCN Staff

Blog archive

PGP challenges disk wiping study

In the Aug. 28 issue of the print edition of GCN, we reported on a study that looked at how well six disk-wiping products removed residue data hidden on a disk's $MFT file, which Microsoft Windows uses to keep track of other files. According to the tests, conducted by Hal Berghel and David Hoelzer, only one product completely eliminated the $MFT data, namely Evidence Eliminator from Robin Hood Software Ltd. (The full report first appeared in the August 2006 issue of the Communications of the ACM, a journal of the Association for Computing Machinery.)

Shortly after the article appeared, we got a message from John Dasher, director of products from PGP Corp., of Palo Alto Corp., which makes one of the products that did not pass the researchers' test. He took exception with the findings. "PGP Desktop does, in fact, work with $MFT and we document how to do it with an explicit option called `Wipe NTFS Internal Data Structures.' This shred utility can be used to completely destroy sensitive information from a users' system," he wrote. (PGP Shred, the utility the researchers tested, is a component within PGP Desktop.)

A mistake in the research? We e-mailed the researchers to find out.

"We stand by our original findings," Berghel responded. "While PGP's representative claimed ... `PGP Desktop does, in fact, work with $MFT,' [he offered] no explanation of what 'working with' $MFT means, much less experimental confirmation."

"It is worthy of mention that all vendors make similar claims. Our experiments, however, shows that some claims are unfounded," Berghel added.

For the study, the research team copied a directory of files to a memory stick formatted with NTFS, which is the current Microsoft Windows file system. They then erased all these files and subdirectories from the storage device, and, afterwards, used the wipe utility on that disk. After this process was completed, they examined the disk's contents with a hex editor and a program they wrote for such analysis.

With the drive wiped by PGP Shred, the researchers found small files still intact within the $MFT, as well as several alternate data stream names. ADS is a little-known feature of the Microsoft NTFS file system that, in effect, allows new data to be hidden within an existing file, without changing the attributes of that file.

Dasher maintained that, contrary to Berghel and Hoelzer's results, PGP Shred eliminates remnants within $MFT as well as ADS names. As evidence, Dasher provided an excerpt from the manual on how to initiate such actions. The researchers were not impressed, however. "A single page from their user manual," Berghel noted, is "hardly a scientific refutation."

In other words, the burden of proof still resides with PGP.

"We offered to re-run our tests if PGP would provide us with a licensed copy of the software they want reviewed. Absent that, there's not much we can say," Berghel said.

--Posted by Joab Jackson

Posted by Brad Grimes, Joab Jackson on Sep 22, 2006 at 9:39 AM


  • Workforce
    Shutterstock image 1658927440 By Deliris masks in office coronavirus covid19

    White House orders federal contractors vaccinated by Dec. 8

    New COVID-19 guidance directs federal contractors and subcontractors to make sure their employees are vaccinated — the latest in a series of new vaccine requirements the White House has been rolling out in recent weeks.

  • FCW Perspectives
    remote workers (elenabsl/Shutterstock.com)

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

Stay Connected