
Security Forums


Recovery from disk after single overwrite

ENixon

Posted: Wed Mar 26, 2008 6:57 am    Post subject: Recovery from disk after single overwrite

Hi,
I have a user who used a disk overwrite tool to write zeros all over a 2-year-old Western Digital 120GB SATA hard disk when he should not have.
My manager wants me to recover some of the files that were on the disk and I think I am allowed to spend up to $2000.00 to do it.
I have already used a hex editor and it just shows zeros on every sector I have looked at. The user said he just used the quick single overwrite option.
Can anyone point me to someone who can recover the files or tell me of any tools that might help me, such as a different controller or better firmware or anything?
HELP
White Scorpion

Posted: Wed Mar 26, 2008 1:15 pm

If you are willing to spend some cash on it, then bring it to a specialist and don't play with it yourself.
I'm sure a good specialist can recover your data without any problems ;)
ENixon

Posted: Mon Mar 31, 2008 4:00 am    Post subject: Recovery from disk after single overwrite - IMPOSSIBLE

Thanks everyone who replied here and elsewhere.
I have concluded the data cannot be recovered off the disk. The best advice was the NIST Special Publication 800-88 which said “…for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged. Studies have shown that most of today’s media can be effectively cleared and purged by one overwrite using current available sanitization technologies.”
The urban myth of data recovery was also debunked at: http://www.nber.org/sys-admin/overwritten-data-gutmann.html

I think most people who said it was possible to recover data assumed my user had used a file delete utility; however, what was used was a utility to overwrite every single sector of the disk with zeros.

Fortunately our user (1) has found paper copies of most of the documents and he has recovered a few that he emailed to others. He is now keeping those files on the server where we have a good backup system. The user (2) who ran the overwrite utility has been reminded about double checking that all backups have been made before preparing a computer for transfer. Valuable lessons have been learnt.
Eric
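
Added example, not part of the original thread or of any poster's message: instead of spot-checking sectors in a hex editor, a raw image of the disk can be scanned in full to confirm that every sector reads as zeros and to list any surviving extents. The 512-byte sector size, the function names and the image path are assumptions, and the sample image is constructed.

```python
import io

SECTOR = 512  # assumed logical sector size of the imaged disk


def nonzero_extents(stream, sector_size=SECTOR, chunk_sectors=2048):
    """Scan a raw image; return ([[first, last], ...], total_sectors) where
    each pair is a run of consecutive sectors holding any non-zero byte."""
    extents, index = [], 0
    zero = bytes(sector_size)
    while True:
        chunk = stream.read(sector_size * chunk_sectors)
        if not chunk:
            break
        if chunk.count(0) == len(chunk):
            # Fast path: whole chunk is zeros (a short tail counts as a sector).
            index += -(-len(chunk) // sector_size)
            continue
        for off in range(0, len(chunk), sector_size):
            sector = chunk[off:off + sector_size]
            if sector != zero[:len(sector)]:
                if extents and extents[-1][1] == index - 1:
                    extents[-1][1] = index      # extend the current run
                else:
                    extents.append([index, index])
            index += 1
    return extents, index


def scan_image(path, sector_size=SECTOR):
    """Scan an image file (hypothetical path) opened read-only."""
    with open(path, "rb") as fh:
        return nonzero_extents(fh, sector_size)


def build_sample():
    """Constructed 16-sector image: zero-filled except sectors 5-6 and 12."""
    img = bytearray(SECTOR * 16)
    img[5 * SECTOR + 10:5 * SECTOR + 14] = b"%PDF"
    img[6 * SECTOR] = 0x41
    img[12 * SECTOR + 511] = 0xFF
    return bytes(img)


if __name__ == "__main__":
    extents, total = nonzero_extents(io.BytesIO(build_sample()), chunk_sectors=4)
    print(f"{total} sectors scanned, {len(extents)} non-zero extent(s)")
    for first, last in extents:
        print(f"  sectors {first}-{last} (byte offset {first * SECTOR})")
```

An empty extent list over the whole image means the drive returns nothing but zeros through its normal interface, so a software carving tool has no input to work on; any extents that are listed are the only regions worth examining.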
The_Real_Gandalf

Posted: Fri May 30, 2008 9:40 am

Even though I am too late on this one... the article fails to mention that there is also hardware magnetic retrieval, which is not done via S/W but via special H/W means which track the "trail" of the magnetic recording and they just retrieve it.

Overwriting once is not by any means enough to be considered as "sanitization" of the HDD. The only thing is that this drive should be sent to a specialist with appropriate H/W to do it. Software won't do the job here, unless there are fragments left unharmed and then someone can re-compile the data with a hex editor tool.

Gandalf
Ipsec Espah

Posted: Mon Jul 07, 2008 2:23 am

The_Real_Gandalf wrote:
Even though I am too late on this one... the article fails to mention that there is also hardware magnetic retrieval, which is not done via S/W but via special H/W means which track the "trail" of the magnetic recording and they just retrieve it.

Overwriting once is not by any means enough to be considered as "sanitization" of the HDD. The only thing is that this drive should be sent to a specialist with appropriate H/W to do it. Software won't do the job here, unless there are fragments left unharmed and then someone can re-compile the data with a hex editor tool.

Gandalf

Actually, according to a SANS GCFA instructor, once data is overwritten once, it's gone. He said the same thing ENixon said. The reason why the government still requires multiple overwrites is just to make sure that if someone somewhere discovers a similar data recovery method. In fact, Peter Gutmann wrote a follow-up on his "Secure Deletion of Data from Magnetic and Solid-State Memory" paper, which hints at it. In the Epilogue it states:

Quote:

In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.

Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. Conversely, with modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero.

Another point that a number of readers seem to have missed is that this paper doesn't present a data-recovery solution but a data-deletion solution. In other words it points out in its problem statement that there is a potential risk, and then the body of the paper explores the means of mitigating that risk.
ashu.wifi

Posted: Thu Aug 28, 2008 10:57 am

Hi

You must use PhotoRec; it's open source, free and very effective, though not easy to use for beginners. I am giving you a link where you will find a video tutorial about using it and also a link to download it. I formatted my USB stick to test this and it recovered the data even after formatting; isn't that great?

http://www.irongeek.com/i.php?page=videos/data-carving-with-photorec-to-retrieve-deleted-files-from-formatted-drives-for-forensics-and-disaster-recovery

I hope this is informative for you :)
The_Real_Gandalf

Posted: Thu Sep 18, 2008 12:23 pm

Most software shredders-erasers use a math pattern-motive to overwrite binary code on stored information (they do not change binary randomly). If someone has the motive algorithm of the software (the numeric pattern used to write over binary) then he will be able to use a kind of "reverse engineering" and replace all overwritten data to their previous state.

So it is not impossible, but it is hard to do it... In addition to this, I do not think that $2000 is enough to accomplish this.

Gandalf

All times are GMT + 2 Hours