Forensics
RE: Data Recovery Oct 31 2006 02:02PM
Greg Kelley (gkelley vestigeltd com)
Nice article, Kurt, but this issue is not confined to just NTFS
formatted volumes. With Windows, and other operating systems,
propensity to create temp files and use memory paging, I would never
trust a wiping application to remove all evidences of a file by just
wiping the file itself. A complete erase of the disk is the only way to
insure that the data is gone.

Greg Kelley, EnCE
Vestige Digital Investigations
Computer Forensics | Electronic Discovery | Corporate Surety
46 Public Square, Ste 220
Medina, OH 44256
(330)721-1205 x5432
(330)721-1206 Fax
http://www.vestigeltd.com

-----Original Message-----
From: Kurt Seifried [mailto:bt (at) seifried (dot) org [email concealed]]
Sent: Monday, October 30, 2006 3:10 PM
To: Russell Aspinwall; forensics (at) securityfocus (dot) com [email concealed]
Subject: Re: Data Recovery

> In response to data recovery after 57+ formats query
>
> The UK magazine Computer Shopper carried a feature article "Recovery
> Position" in its March 2006 issue, which can be found here
> http://www.computershopper.co.uk and search for Recovery Position. It
> appears that disk erasing programs do not delete the data, if you have
the
> right tools for recovery; however a hammer does work.

No surprise there.

http://www.seifried.org/security/advisories/kssa-003.html

Pretty much all the programs fail with NTFS alternate data streams,
files
that are hosted in the NTFS MFT, or simply fail to wipe normal files at
all.

> --
> Regards
>
> Russell

-Kurt

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus