Forensics
RE: Data Recovery Nov 07 2006 09:16PM
Steve Hickey (steve22 Comporium net)
Eric:

Great link! Everyone that wipes drives prior to resale should visit
http://cmrr.ucsd.edu/Hughes/SecureErase.html to read and understand how
HDDerase.exe could simplify their lives.

Ultimately I'm trying to pin down the idea that if a wiping program properly
writes a single-pass of zeros on every sector, it's sufficiently sanitized
for use by a new owner. Other than exotic techniques which involve opening
the case and using the Hubble telescope or like equipment -- can the
existing drive electronics and mechanisms reveal over-written data?

My understanding is that it does take specialized equipment to perform this
magic, am I correct?

STEVE

-----Original Message-----
From: Hagen Eric [mailto:hagene (at) DenverNewspaperAgency (dot) com]
Sent: Tuesday, November 07, 2006 12:32 PM
To: Steve Hickey; forensics (at) securityfocus (dot) com
Subject: RE: Data Recovery

Wiping a drive with zeros is not sufficient. Use of physical level disk
diagnostic hardware can read the bias from the previous write fairly
successfully. I posted an article last week about researchers who can
get 99% recovery using this method.

The researcher suggested that if it is written with random data and/or
is written more than once, he would likely be unable to recover any of
it using that technique.

I'm sorry I can't find the link today...

Eric

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
On Behalf Of Steve Hickey
Sent: Wednesday, November 01, 2006 7:42 AM
To: forensics (at) securityfocus (dot) com
Subject: RE: Data Recovery
Importance: Low

Sooo... if Magnetic Force Microscopy is not a realistic method for data
recovery, is a single pass of wiping a drive with zeros enough of a
sanitizing process or are there other considerations?

STEVE

-----Original Message-----
From: listbounce (at) securityfocus (dot) com
[mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Brewis Mark
Sent: Tuesday, October 31, 2006 6:22 AM
To: forensics (at) securityfocus (dot) com
Cc: Russell Aspinwall; Simson Garfinkel
Subject: RE: Data Recovery

The pages are opened in a frame: however,
http://www.pcpro.co.uk/shopper/features/85694/recovery-position/page1.html
through page6.html.
You may well have to register to access the full article.

Selective overwriting is difficult - the issues with PGP identified by
Vinnie Liu www.metasploit.com/research/vulns/pgp_slackspace/ are a
perfect example.

There is some very interesting technology out there to look at disks -
there is a paper on Magnetic Force Microscopy (MFM) by A.M. Alexeev and
A.F.Popkov, NT-MDT & State Institute for Physical Problems, Moscow,
which has some great illustrations of what data on a disk actually
'looks' like
http://www.ntmdt.ru/SPM-Techniques/SPM-Methodology/Magnetic_Force_Microscopy_MFM/text45.html.

Leaving aside the issue of whether data can be recovered, and assuming
for the sake of argument that it can be, the issue with data recovery of
this type is that it is data: binary magnetic information. The data is
only meaningful when interpreted through an application(s) which
understands the construct. There are still big challenges with file
carving from data where the construct is known, as Simson can be the
first to tell you -
http://www.dfrws.org/2006/challenge/submissions/index.html - although
the state of the art is still improving.

Meaningful artefact identification from recovered data would be a
tremendous task, even if a complete, contiguous recovery was possible.
To extract meaning from a fragmentary recovery of a series of binary
transitions 110101 01110111 01101 10 1 10 111 1101101
0110110110110110110 etc could be a Sisyphean task.

Regards,

Mark

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
On Behalf Of Simson Garfinkel
Sent: 30 October 2006 19:48
To: Russell Aspinwall
Cc: forensics (at) securityfocus (dot) com
Subject: Re: Data Recovery

Please post the full URL of the article.

It is quite possible that disk erasing programs do not delete the data.
But this is almost certainly the result of a bug with the programs in
question. It is quite difficult to selectively overwrite certain files
on a hard drive --- remnants of the files are left in non-obvious
locations (like swap space). However, it is quite easy to overwrite the
entire contents of a hard drive. To date, there has NEVER been a public
demonstration of data recovered after it was overwritten.

On Oct 26, 2006, at 4:20 AM, Russell Aspinwall wrote:

> In response to data recovery after 57+ formats query
>
> The UK magazine Computer Shopper carried a feature article "Recovery
> Position" in its March 2006 issue, which can be found here
> http://www.computershopper.co.uk and search for Recovery Position.
> It appears that disk erasing programs do not delete the data, if you
> have the right tools for recovery; however a hammer does work.
>
> --
> Regards
>
> Russell
>
> Email: russell dot aspinwall at flomerics dot co dot uk
> Telephone: 020-8941-8810 x3116
> Facsimile: 020-8941-8730
>
> Network and Systems Administrator
> Flomerics Ltd
> 81 Bridge Road
> Hampton Court
> Surrey, KT8 9HH
> United Kingdom
>
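
The thread's premise, "a single pass of zeros on every sector", can be checked by reading the drive or its image back after the wipe. The following is an added example, not part of the original messages; the function names and the 512-byte sector size are assumptions, and the sample image is constructed.

```python
import io

SECTOR = 512  # assumed logical sector size; many newer drives use 4096


def nonzero_sector_ranges(stream, sector_size=SECTOR, chunk_sectors=2048):
    """Scan a raw image or block device opened in binary (buffered) mode.

    Returns (total_sectors, ranges); ranges lists inclusive (first, last)
    sector numbers that still hold non-zero bytes after the wipe.
    A read-back like this only sees sectors the drive exposes to the host.
    """
    zero = bytes(sector_size)
    ranges, index = [], 0
    while True:
        chunk = stream.read(sector_size * chunk_sectors)
        if not chunk:
            break
        if chunk.count(0) == len(chunk):           # fast path: chunk all zero
            index += -(-len(chunk) // sector_size)  # round up a short tail
            continue
        for off in range(0, len(chunk), sector_size):
            sector = chunk[off:off + sector_size]
            # A short final sector is compared against zeros of equal length.
            if sector != zero[:len(sector)]:
                if ranges and ranges[-1][1] == index - 1:
                    ranges[-1] = (ranges[-1][0], index)  # extend current run
                else:
                    ranges.append((index, index))        # start a new run
            index += 1
    return index, ranges


def wipe_report(stream, **kwargs):
    """Summarise a read-back: sector count, dirty sectors, pass/fail."""
    total, ranges = nonzero_sector_ranges(stream, **kwargs)
    dirty = sum(last - first + 1 for first, last in ranges)
    return {"sectors": total, "dirty": dirty, "ranges": ranges, "clean": dirty == 0}


def build_sample_image():
    """Constructed sample: 64 sectors, residue left in sectors 10-11 and 40."""
    img = bytearray(64 * SECTOR)
    img[10 * SECTOR:12 * SECTOR] = b"\xaa" * (2 * SECTOR)
    img[40 * SECTOR + 100] = 0x41  # a single surviving byte fails the sector
    return bytes(img)


if __name__ == "__main__":
    print(wipe_report(io.BytesIO(build_sample_image())))
```

For a real check, pass a file object opened with `open(path, "rb")` on the image or block device instead of the constructed `BytesIO` sample.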
