Forensics
Re: Data Recovery Nov 05 2006 02:24AM
Robert Ball (kc8urm gmail com)
It seems the MFM has depreciated, and there are better methods for
taking the magnetism off of platters. One that I found was Scanning
Electron Microscopy with Polarization Analysis. Here is a website
describing the differences.
http://physics.nist.gov/Divisions/Div841/Gp3/Projects/MagNano/mfm_proj.h
tml
I also found a hitachi article stating that this technology could
still detect magnetic changes as close at 10nm. A lot of the
information that I found seemed to be newer on SEMPA, so MFM might be
depreciated.

I was having trouble finding information about SEMPA, this is the best
definition I could find:

The high spatial resolution imaging of magnetic microstructure has
important ramifications for both fundamental studies of magnetism and
the technology surrounding the magnetic recording industry. One
technique for imaging surface magnetic microstructure on the
10-nm-length scale is scanning electron microscopy with polarization
analysis (SEMPA). This technique employs a scanning electron
microscope (SEM) electron optical column to form a medium energy
(10?50 keV), small probe (<50 nm) of high current (>1 nA) on a
ferromagnetic specimen. Secondary electrons excited in the ferromagnet
by the high spatial resolution probe retain their spin-polarization
orientation as they leave the sample surface. The spin polarization
of the emitted secondary electrons can be related directly to the
local magnetization orientation. A surface magnetization map is
generated when the spin polarization of the secondary electrons is
analyzed as the electron beam is rastered point-by-point across the
ferromagnet's surface. In this review article we review the important
instrumental components characterizing the SEMPA system.
Characteristics of the electron probe forming optics, electron
spin-polarization analyzers with associated transport optics, and
signal processing electronics will be described. Emphasis on the
fundamental design requirements will be stressed. Data acquisition,
storage, and processing, as it applies specifically to SEMPA, will be
reviewed. Instrumental artifacts specific to SEMPA will be outlined
and techniques for their correction given. Examples of magnetic
images at high spatial resolution will be shown. Review of
Scientific Instruments is copyrighted by The American Institute of
Physics.

Also, I have been emailing my professors this week to see if I could
get in touch with someone about testing some of these methods. Let me
know if you are interested, and I will tell you what I find.

RB

> On 11/1/06, Steve Hickey <steve22 (at) comporium (dot) net [email concealed]> wrote:
> > Sooo... if Magnetic Force Microscopy is not a realistic method for data
> > recovery, is a single pass of wiping a drive with zero's enough of a
> > sanitizing process or are there other considerations?
> >
> > STEVE
> >
> > -----Original Message-----
> > From: listbounce (at) securityfocus (dot) com [email concealed]
> > [mailto:listbounce (at) securityfocus (dot) com [email concealed]]On Behalf Of Brewis Mark
> > Sent: Tuesday, October 31, 2006 6:22 AM
> > To: forensics (at) securityfocus (dot) com [email concealed]
> > Cc: Russell Aspinwall; Simson Garfinkel
> > Subject: RE: Data Recovery
> >
> >
> > The pages are opened in a frame: however,
> > http://www.pcpro.co.uk/shopper/features/85694/recovery-position/page1.ht

> > ml through page6.html.
> > You may well have to register to access the full article.
> >
> > Selective overwriting is difficult - the issues with PGP identified by
> > Vinnie Liu www.metasploit.com/research/vulns/pgp_slackspace/ are a
> > perfect example.
> >
> > There is some very interesting technology out there to look at disks -
> > there is a paper on Magnetic Force Microscopy (MFM) by A.M. Alexeev and
> > A.F.Popkov, NT-MDT & State Institute for Physical Problems, Moscow,
> > which has some great illustrations of what data on a disk actually
> > 'looks' like
> > http://www.ntmdt.ru/SPM-Techniques/SPM-Methodology/Magnetic_Force_Micros

> > copy_MFM/text45.html.
> >
> > Leaving aside the issue of whether data can be recovered, and assuming
> > for the sake of argument that it can be, the issue with data recovery of
> > this type is that it is data: binary magnetic information. The data is
> > only meaningful when interpreted through an application(s) which
> > understands the construct. There are still big challenges with file
> > carving from data where the construct is known, as Simson can be the
> > first to tell you -
> > http://www.dfrws.org/2006/challenge/submissions/index.html - although
> > the state of the art is still improving.
> >
> > Meaningful artefact identification from recovered data would be a
> > tremendous task, even if a complete, contiguous recovery was possible.
> > To extract meaning from a fragmentary recovery of a series of binary
> > transitions 110101 01110111 01101 10 1 10 111 1101101
> > 0110110110110110110 etc could be a Sisyphean task.
> >
> > Regards,
> >
> > Mark
> >
> > This email contains information which may be confidential and may be
> > privileged. Unless you are the intended addressee (or authorised to
> > receive for the addressee) you may not use, forward, copy or disclose to
> > anyone this email or any information contained in this email. If you
> > have received this email in error, please advise the sender by reply
> > email immediately and delete this email. Any opinions expressed in this
> > email are opinions of the author and do not represent a formal statement
> > or opinion by EDS.
> >
> > -----Original Message-----
> > From: listbounce (at) securityfocus (dot) com [email concealed] [mailto: listbounce (at) securityfocus (dot) com [email concealed]]
> > On Behalf Of Simson Garfinkel
> > Sent: 30 October 2006 19:48
> > To: Russell Aspinwall
> > Cc: forensics (at) securityfocus (dot) com [email concealed]
> > Subject: Re: Data Recovery
> >
> > Please post the full URL of the article.
> >
> > It is quite possible that disk erasing programs do not delete the data.
> > But this is almost certainly the result of a bug with the programs in
> > question. It is quite difficult to selectively overwrite certain files
> > on a hard drive --- remnants of the files are left in non-obvious
> > locations (like swap space). However, it is quite easy to overwrite the
> > entire contents of a hard drive. To date, that has NEVER been a public
> > demonstration of data recovered after it was overwritten.
> >
> >
> > On Oct 26, 2006, at 4:20 AM, Russell Aspinwall wrote:
> >
> > > In response to data recovery after 57+ formats query
> > >
> > > The UK magazine Computer Shopper carried a feature article "Recovery
> > > Position" in its March 2006 issue, which can be found here
> > > http://www.computershopper.co.uk and search for Recovery Position.
> > > It appears that disk erasing programs do not delete the data, if you
> > > have the right tools for recovery; however a hammer does work.
> > >
> > > --
> > > Regards
> > >
> > > Russell
> > >
> > > Email: russell dot aspinwall at flomerics dot co dot uk Network and
> > > Systems Administrator Flomerics Ltd
> > > Telephone: 020-8941-8810 x3116 81 Bridge Road
> > > Facsimile: 020-8941-8730 Hampton Court
> > > Surrey, KT8 9HH
> > > United Kingdom
> > >
> > >
> > > ______________________________________________________________________
> > > This email has been scanned by the MessageLabs Email Security System.
> > > For more information please visit http://www.messagelabs.com/email
> > > ______________________________________________________________________
> > >
> > > Flomerics Group plc, Registered Office 81 Bridge Road, Hampton Court,
> > > Surrey, KT8 9HH. Registered No. 2327348. This e-mail is confidential
> > > and intended solely for the use of the individual to whom it is
> > > addressed. Any views or opinions presented are solely those of the
> > > author and do not necessarily represent those of Flomerics Group plc
> > > or its subsidiaries. If you are not the intended recipient of this
> > > e-mail you may not copy, use, forward or disclose its contents to any
> > > other person ; please notify our Computer Service Desk on +44 (0)20
> > > 8487 3000 and destroy and delete the message and attachments from your
> >
> > > system.
> > > For more information on Flomerics visit our web site at
> > > www.flomerics.com
> > >
> >
> >
> >
> >
>
>
>
> --
> Robert M. Ball Jr. HDA, Security+
> Certified Computer Examiner
> kc8urm (at) gmail (dot) com [email concealed]
> m: 412-805-8856

--
Robert M. Ball Jr. HDA, Security+
Certified Computer Examiner
kc8urm (at) gmail (dot) com [email concealed]
m: 412-805-8856

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus