According to a wired.com article, a link between Bradley Manning and Julian Assange was recovered by the US Army. My question here is, why didn't Manning just use full disk data encryption software and then lose the key?
The Army presented chat logs that link Bradley Manning with Julian Assange (and WikiLeaks). I won't go into the case in depth, since many media outlets are already covering it in great detail. I just wanted to comment and ponder on one aspect of the story.
Mark Johnson, a digital forensics contractor for ManTech International who works for the Army's Computer Crime Investigative Unit, examined an image of Manning's personal MacBook Pro and said he found 14 to 15 pages of chats in unallocated space on the hard drive ... While the chat logs were encrypted, Johnson said that he was able to retrieve the MacBook's login password from the hard drive and found that the same password "TWink1492!!" was also used as the encryption key. [wired.com]
It's apparent that Manning wanted to get rid of any trace and evidence of him having leaked information to WikiLeaks. Wired gives the following examples as evidence:
- Chat logs were protected with encryption software.
- Manning reinstalled the computer's OS -- possibly to delete data, possibly just because (I lean towards the latter, as Manning no doubt already knew that reformatting a computer and reinstalling an operating system means pipsqueak when it comes to deleting data).
- He had run what's known as a zerofill on his computer -- essentially, filling his hard drive with zeroes.
As you may well know, data is only deleted in computers when it's overwritten. It doesn't matter what is used to overwrite data as long as new data is written over the old data. A string of zeroes accomplishes this as well as a string of ones, or just random data (such as when data is encrypted), or just filling up the drive with cat images. However, not all data overwrites are the same:
Whoever initiated the process chose an option for overwriting the data 35 times — a high-security option that results in thorough deletion — but that operation was canceled. Later, the operation was initiated again, but the person chose the option to overwrite the information only once — a much less secure and less thorough option. All the data that Johnson was able to retrieve from un-allocated space came after that overwrite, he said. [wired.com]
The 35 passes above refer to the Gutmann method. It's considered more secure because the existing data is overwritten 35 times, so that magnetic probes can't read the overwritten yet "remnant" data. The process, of course, takes 35 times as long to complete as a single pass.
Why would someone do just a one-pass zerofill, then? There appears to be a consensus forming that the platter densities of modern hard drives (those manufactured in the past 5 years or so) mean recovering data after even one pass would be well nigh impossible. If true, one pass is as good as the Gutmann method in terms of security, plus you get the time savings.
The above testimony in the Manning case seems to counter this "one-pass consensus" that's been around for a decade or so.
Personally, it seems to me that Manning would have been best off using hard drive encryption, then losing the key, and then reinstalling his OS. Filling a hard drive with zeros takes about as much time as properly securing it with encryption, and encryption is, as far as I know, not liable to fail as a data security measure under the watchful eye of a magnetic probe.
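The two points above, a login password reused directly as the encryption key (the quoted testimony) versus encrypting and then losing the key, as an added illustration that is not part of the original post. It models a volume in Python with a toy HMAC-SHA256 stream cipher (assumed here for demonstration, not a real disk-encryption primitive); the chat text, password and salt are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values; not the real chat logs or password from the case.
CHAT_LOG = b"constructed sample: pages of chat text that should never be recoverable"
LOGIN_PASSWORD = b"constructed-login-password"
SALT = b"constructed-salt"

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream (apply twice to undo)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(8, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def carve(disk: bytes, needle: bytes) -> bool:
    """Forensic-style carving: does the raw disk image still contain the plaintext?"""
    return needle in disk

# Scheme A, as in the testimony: the login password doubles as the encryption key.
def encrypt_with_password(password: bytes, plaintext: bytes) -> bytes:
    return keystream_xor(hashlib.sha256(password).digest(), plaintext)

def decrypt_with_password(password: bytes, ciphertext: bytes) -> bytes:
    # Once the password is found on disk, it is the entire secret; nothing was "lost".
    return encrypt_with_password(password, ciphertext)

# Scheme B: a random data-encryption key (DEK) lives in a small key slot wrapped by a
# key derived from the password, so "losing the key" means destroying that one slot.
def make_volume(password: bytes, plaintext: bytes) -> dict:
    dek = os.urandom(32)
    kek = hashlib.pbkdf2_hmac("sha256", password, SALT, 100_000)
    return {"key_slot": keystream_xor(kek, dek), "sectors": keystream_xor(dek, plaintext)}

def unlock_volume(volume: dict, password: bytes) -> bytes:
    kek = hashlib.pbkdf2_hmac("sha256", password, SALT, 100_000)
    dek = keystream_xor(kek, volume["key_slot"])
    return keystream_xor(dek, volume["sectors"])

def crypto_erase(volume: dict) -> dict:
    """Overwrite only the key slot; bulk sectors stay on disk but are now unkeyed noise."""
    return {"key_slot": bytes(len(volume["key_slot"])), "sectors": volume["sectors"]}
```

After crypto_erase even the correct password decrypts to noise, whereas in scheme A a password recovered from the disk is sufficient on its own.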
Related Articles and Sites: http://www.wired.com/threatlevel/2011/12/manning-assange-laptop/