Forensics
Data Recovery Oct 26 2006 08:20AM
Russell Aspinwall (russell aspinwall flomerics co uk) (2 replies)
Re: Data Recovery Oct 30 2006 08:10PM
Kurt Seifried (bt seifried org)
Re: Data Recovery Oct 30 2006 07:48PM
Simson Garfinkel (simsong acm org) (2 replies)
Re: Data Recovery Oct 31 2006 12:40PM
Mario Cardenas S. (mcardenas criminalistica cl) (2 replies)
Re: Data Recovery Nov 01 2006 04:23PM
Valdis Kletnieks vt edu (1 replies)
RE: Data Recovery Nov 05 2006 03:00PM
Jim Wingate (jwingate backbonesecurity com)
Re: Data Recovery Nov 01 2006 02:51AM
Simson Garfinkel (simsong acm org)
RE: Data Recovery Oct 31 2006 11:21AM
Brewis, Mark (mark brewis eds com) (1 replies)
The pages are opened in a frame: however,
http://www.pcpro.co.uk/shopper/features/85694/recovery-position/page1.ht

ml through page6.html.
You may well have to register to access the full article.

Selective overwriting is difficult - the issues with PGP identified by
Vinnie Liu www.metasploit.com/research/vulns/pgp_slackspace/ are a
perfect example.

There is some very interesting technology out there to look at disks -
there is a paper on Magnetic Force Microscopy (MFM) by A.M. Alexeev and
A.F.Popkov, NT-MDT & State Institute for Physical Problems, Moscow,
which has some great illustrations of what data on a disk actually
'looks' like
http://www.ntmdt.ru/SPM-Techniques/SPM-Methodology/Magnetic_Force_Micros

copy_MFM/text45.html.

Leaving aside the issue of whether data can be recovered, and assuming
for the sake of argument that it can be, the issue with data recovery of
this type is that it is data: binary magnetic information. The data is
only meaningful when interpreted through an application(s) which
understands the construct. There are still big challenges with file
carving from data where the construct is known, as Simson can be the
first to tell you -
http://www.dfrws.org/2006/challenge/submissions/index.html - although
the state of the art is still improving.

Meaningful artefact identification from recovered data would be a
tremendous task, even if a complete, contiguous recovery was possible.
To extract meaning from a fragmentary recovery of a series of binary
transitions 110101 01110111 01101 10 1 10 111 1101101
0110110110110110110 etc could be a Sisyphean task.

Regards,

Mark

This email contains information which may be confidential and may be
privileged. Unless you are the intended addressee (or authorised to
receive for the addressee) you may not use, forward, copy or disclose to
anyone this email or any information contained in this email. If you
have received this email in error, please advise the sender by reply
email immediately and delete this email. Any opinions expressed in this
email are opinions of the author and do not represent a formal statement
or opinion by EDS.

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
On Behalf Of Simson Garfinkel
Sent: 30 October 2006 19:48
To: Russell Aspinwall
Cc: forensics (at) securityfocus (dot) com [email concealed]
Subject: Re: Data Recovery

Please post the full URL of the article.

It is quite possible that disk erasing programs do not delete the data.
But this is almost certainly the result of a bug with the programs in
question. It is quite difficult to selectively overwrite certain files
on a hard drive --- remnants of the files are left in non-obvious
locations (like swap space). However, it is quite easy to overwrite the
entire contents of a hard drive. To date, that has NEVER been a public
demonstration of data recovered after it was overwritten.

On Oct 26, 2006, at 4:20 AM, Russell Aspinwall wrote:

> In response to data recovery after 57+ formats query
>
> The UK magazine Computer Shopper carried a feature article "Recovery
> Position" in its March 2006 issue, which can be found here
> http://www.computershopper.co.uk and search for Recovery Position.
> It appears that disk erasing programs do not delete the data, if you
> have the right tools for recovery; however a hammer does work.
>
> --
> Regards
>
> Russell
>
> Email: russell dot aspinwall at flomerics dot co dot uk Network and
> Systems Administrator Flomerics Ltd
> Telephone: 020-8941-8810 x3116 81 Bridge Road
> Facsimile: 020-8941-8730 Hampton Court
> Surrey, KT8 9HH
> United Kingdom
>
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________
>
> Flomerics Group plc, Registered Office 81 Bridge Road, Hampton Court,
> Surrey, KT8 9HH. Registered No. 2327348. This e-mail is confidential
> and intended solely for the use of the individual to whom it is
> addressed. Any views or opinions presented are solely those of the
> author and do not necessarily represent those of Flomerics Group plc
> or its subsidiaries. If you are not the intended recipient of this
> e-mail you may not copy, use, forward or disclose its contents to any
> other person ; please notify our Computer Service Desk on +44 (0)20
> 8487 3000 and destroy and delete the message and attachments from your

> system.
> For more information on Flomerics visit our web site at
> www.flomerics.com
>

[ reply ]
RE: Data Recovery Nov 01 2006 02:42PM
Steve Hickey (steve22 Comporium net) (3 replies)
RE: Data Recovery Nov 08 2006 01:14PM
Brewis, Mark (mark brewis eds com)
Re: Data Recovery Nov 07 2006 11:01PM
Greg Freemyer (greg freemyer gmail com)
Re: Data Recovery Nov 05 2006 01:15PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)


 

Privacy Statement
Copyright 2010, SecurityFocus