Forensics
Re: Data Recovery Nov 11 2006 04:07PM
Butterworth, Jim (jim butterworth guidancesoftware com)
I've watched this topic ebb and flow for quite some time and I've often wondered if anyone has ever taken a test drive, placed a "sensitive" file on it, either a string of ASCII or a whole file, overwritten the drive, and tasked another person to find it using currently available open source or commercially available methods.

I am unaware of anything available, that is easily accessible, that would make magnetic signature anomaly analysis of a hard drive a useful and reliable tool in proving anything other than the presence of data on a drive. Even if you were able to find something buried so far down on the disk, how would you possibly prove that the presence is attributable to your subject?

The magnetic microscopes often cited in these arguments are probably very capable of reading the variance of magnetic field in a single sector. Having never seen one, this is pure speculation, admittedly. Now introduce fragmentation, file slack, unallocated space, and all the other ways a file becomes non-contiguous, on a 400Gb drive, and you've got a challenge of epic proportions on your hands.

After that test, try it again after using a magnetic degausser.

Jim

Jim Butterworth, EnCE, GCIA

Manager, Professional Services, Southwest

*** Sent while Mobile ***

-----Original Message-----
From: listbounce (at) securityfocus (dot) com <listbounce (at) securityfocus (dot) com>
To: forensics (at) securityfocus (dot) com <forensics (at) securityfocus (dot) com>
Sent: Tue Nov 07 13:16:18 2006
Subject: RE: Data Recovery

Eric:

Great link! Everyone that wipes drives prior to resale should visit http://cmrr.ucsd.edu/Hughes/SecureErase.html to read and understand how HDDerase.exe could simplify their lives.

Ultimately I'm trying to pin down the idea that if a wiping program properly writes a single-pass of zeros on every sector, it's sufficiently sanitized for use by a new owner. Other than exotic techniques which involve opening the case and using the Hubble telescope or like equipment -- can the existing drive electronics and mechanisms reveal over-written data?

My understanding is that it does take specialized equipment to perform this magic, am I correct?

STEVE

-----Original Message-----
From: Hagen Eric [mailto:hagene (at) DenverNewspaperAgency (dot) com]
Sent: Tuesday, November 07, 2006 12:32 PM
To: Steve Hickey; forensics (at) securityfocus (dot) com
Subject: RE: Data Recovery

Wiping a drive with zeros is not sufficient. Use of physical level disk diagnostic hardware can read the bias from the previous write fairly successfully. I posted an article last week about researchers who can get 99% recovery using this method.

The researcher suggested that if it is written with random data and/or is written more than once, he would likely be unable to recover any of it using that technique.

I'm sorry I can't find the link today...

Eric

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Steve Hickey
Sent: Wednesday, November 01, 2006 7:42 AM
To: forensics (at) securityfocus (dot) com
Subject: RE: Data Recovery
Importance: Low

Sooo... if Magnetic Force Microscopy is not a realistic method for data recovery, is a single pass of wiping a drive with zeros enough of a sanitizing process or are there other considerations?

STEVE

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Brewis Mark
Sent: Tuesday, October 31, 2006 6:22 AM
To: forensics (at) securityfocus (dot) com
Cc: Russell Aspinwall; Simson Garfinkel
Subject: RE: Data Recovery

The pages are opened in a frame: however, http://www.pcpro.co.uk/shopper/features/85694/recovery-position/page1.html through page6.html.

You may well have to register to access the full article.

Selective overwriting is difficult - the issues with PGP identified by Vinnie Liu www.metasploit.com/research/vulns/pgp_slackspace/ are a perfect example.

There is some very interesting technology out there to look at disks - there is a paper on Magnetic Force Microscopy (MFM) by A.M. Alexeev and A.F.Popkov, NT-MDT & State Institute for Physical Problems, Moscow, which has some great illustrations of what data on a disk actually 'looks' like http://www.ntmdt.ru/SPM-Techniques/SPM-Methodology/Magnetic_Force_Microscopy_MFM/text45.html.

Leaving aside the issue of whether data can be recovered, and assuming for the sake of argument that it can be, the issue with data recovery of this type is that it is data: binary magnetic information. The data is only meaningful when interpreted through an application(s) which understands the construct. There are still big challenges with file carving from data where the construct is known, as Simson can be the first to tell you - http://www.dfrws.org/2006/challenge/submissions/index.html - although the state of the art is still improving.

Meaningful artefact identification from recovered data would be a tremendous task, even if a complete, contiguous recovery was possible. To extract meaning from a fragmentary recovery of a series of binary transitions 110101 01110111 01101 10 1 10 111 1101101 0110110110110110110 etc could be a Sisyphean task.

Regards,

Mark


-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Simson Garfinkel
Sent: 30 October 2006 19:48
To: Russell Aspinwall
Cc: forensics (at) securityfocus (dot) com
Subject: Re: Data Recovery

Please post the full URL of the article.

It is quite possible that disk erasing programs do not delete the data. But this is almost certainly the result of a bug with the programs in question. It is quite difficult to selectively overwrite certain files on a hard drive --- remnants of the files are left in non-obvious locations (like swap space). However, it is quite easy to overwrite the entire contents of a hard drive. To date, there has NEVER been a public demonstration of data recovered after it was overwritten.

On Oct 26, 2006, at 4:20 AM, Russell Aspinwall wrote:

> In response to data recovery after 57+ formats query
>
> The UK magazine Computer Shopper carried a feature article "Recovery
> Position" in its March 2006 issue, which can be found here
> http://www.computershopper.co.uk and search for Recovery Position.
> It appears that disk erasing programs do not delete the data, if you
> have the right tools for recovery; however a hammer does work.
>
> --
> Regards
>
> Russell
>
> Email: russell dot aspinwall at flomerics dot co dot uk Network and
> Systems Administrator Flomerics Ltd
> Telephone: 020-8941-8810 x3116 81 Bridge Road
> Facsimile: 020-8941-8730 Hampton Court
> Surrey, KT8 9HH
> United Kingdom


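Added example, not part of the thread: the test Jim Butterworth proposes (plant a known string, overwrite, then have someone look for it), run against a file-backed image instead of a real drive. It checks only what the normal read path returns, which is the "existing drive electronics" question Steve asks, and says nothing about residual magnetic signal; the marker, offsets, image size and the stop_at_sector parameter (modelling a wipe tool that stops early) are constructed for illustration.

```python
import os
import tempfile
SECTOR = 512
CHUNK = 64 * SECTOR
MARKER = b"SENSITIVE-TEST-STRING"  # constructed marker standing in for the "sensitive" file
PLANTED = (1636, CHUNK - 10, 2047 * SECTOR + 100)  # constructed byte offsets

def build_image(path, sectors=2048):
    """Random-filled test image; MARKER planted mid-sector, across a sector/read boundary, and in the last sector."""
    with open(path, "wb") as f:
        f.write(os.urandom(sectors * SECTOR))
        for off in PLANTED:
            f.seek(off)
            f.write(MARKER)

def zero_fill(path, stop_at_sector=None):
    """Single pass of zeros; stop_at_sector models a buggy tool that quits early."""
    size = os.path.getsize(path)
    end = size if stop_at_sector is None else min(size, stop_at_sector * SECTOR)
    with open(path, "r+b") as f:
        for pos in range(0, end, CHUNK):
            f.write(bytes(min(CHUNK, end - pos)))
        f.flush()
        os.fsync(f.fileno())  # push the zeros past the OS cache before verifying

def verify(path, marker=MARKER):
    """Read everything back; return (non-zero sector numbers, marker byte offsets)."""
    dirty, hits, tail, base = [], [], b"", 0
    keep = len(marker) - 1  # overlap so a marker split across two reads is still found
    with open(path, "rb") as f:
        while buf := f.read(CHUNK):
            dirty += [(base + i) // SECTOR for i in range(0, len(buf), SECTOR) if any(buf[i:i + SECTOR])]
            window, start = tail + buf, 0
            while (j := window.find(marker, start)) != -1:
                hits.append(base - len(tail) + j)
                start = j + 1
            tail = window[-keep:] if keep else b""
            base += len(buf)
    return dirty, hits

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "test.img")
        build_image(img)
        before = verify(img)
        zero_fill(img, stop_at_sector=2040)  # wipe that misses the last 8 sectors
        partial = verify(img)
        zero_fill(img)                       # complete single pass
        return before, partial, verify(img)
```

run_demo() returns the verification result before wiping, after the early-stopping wipe, and after the complete pass; a sanitization check should pass only when both lists are empty.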