Forensics
RE: Data Recovery Oct 30 2006 08:38PM
Hagen, Eric (hagene DenverNewspaperAgency com)
My impression of this article is a non-expert piece aimed at consumer-level users with little knowledge of sophistication in computers. The cases he cites are all simple slack-space or unallocated-space recovery after simple file operations. It has nothing to do with "disk erasing programs". The one researcher who claims to have read data did so after the drive was overwritten with zero-bits.

A program executing a DoD 7-pass wipe (or a Gutman 35-pass if you're paranoid) of the data, bit-for-bit, is likely impossible to recover from, even using the STM methods. As Gutman says in his paper, it is impossible to determine if a sector's data was overwritten before or after the original data and a 7-pass structured overwrite is unlikely to leave significant magnetic or visual traces of the original data. Even if it does, it is unlikely you will be able to determine which of the 8-10 possible data bits you retrieve are actually the real data.

The only interesting comments in this article revolve around the bad sector remapping. The DoD erase standards do not cover this topic, thought a number of discussions have revolved around it and some utilities are available to do random-data multi-pass secure deletion including g-list sectors.

http://www.storagenetworking.org/Discussion/forum_posts.asp?TID=59&PN=1

http://www.morgud.com/reviews/software/MES.asp

http://cmrr.ucsd.edu/Hughes/SecureErase.html

UCSD has some recent research that suggests, while a single-pass zero-bit overwrite may be recoverable with specialized hardware, a multi-pass, randome overwrite with data is not. The researcher producing some of these papers can be found here:

http://cmrr.ucsd.edu/Hughes/subpgset.htm

Interesting information to be found, but mostly in the realm of science-fiction.

Frankly, from my reading, it's probably less secure to use a sledgehammer than to use a good secure deletion program. Now something like a blast furnace, or a a thermite cap..... that would be secure....

Eric

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed]
[mailto:listbounce (at) securityfocus (dot) com [email concealed]]On Behalf Of Russell Aspinwall
Sent: Thursday, October 26, 2006 2:20 AM
To: forensics (at) securityfocus (dot) com [email concealed]
Subject: Data Recovery

In response to data recovery after 57+ formats query

The UK magazine Computer Shopper carried a feature article "Recovery
Position" in its March 2006 issue, which can be found here
http://www.computershopper.co.uk and search for Recovery Position. It
appears that disk erasing programs do not delete the data, if you have
the right tools for recovery; however a hammer does work.

--
Regards

Russell

Email: russell dot aspinwall at flomerics dot co dot uk
Network and Systems Administrator Flomerics Ltd
Telephone: 020-8941-8810 x3116 81 Bridge Road
Facsimile: 020-8941-8730 Hampton Court
Surrey, KT8 9HH
United Kingdom

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

Flomerics Group plc, Registered Office 81 Bridge Road, Hampton Court, Surrey, KT8 9HH. Registered No. 2327348. This e-mail is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Flomerics Group plc or its subsidiaries. If you are not the intended recipient of this e-mail you may not copy, use, forward or disclose its contents to any other person ; please notify our Computer Service Desk on +44 (0)20 8487 3000 and destroy and delete the message and attachments from your system.

For more information on Flomerics visit our web site at www.flomerics.com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus