Recovery from disk after single overwrite

Networking/Security Forums -> Computer Forensics and Incident Response

Author: ENixon    Posted: Wed Mar 26, 2008 6:57 am    Post subject: Recovery from disk after single overwrite
    ----
Hi,
I have a user who used a disk overwrite tool to write zeros all over a 2-year-old Western Digital 120GB SATA hard disk when he should not have.
My manager wants me to recover some of the files that were on the disk, and I think I am allowed to spend up to $2000.00 to do it.
I have already used a hex editor and it just shows zeros on every sector I have looked at. The user said he just used the quick single overwrite option.
Can anyone point me to someone who can recover the files or tell me of any tools that might help me, such as a different controller or better firmware or anything?
HELP
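
A practitioner in this position would want to replace a few hex-editor spot checks with an exhaustive scan of the whole image before concluding anything. The following is an added example, not code from the original thread: it reads a raw (dd-style) image or block device sector by sector, counts all-zero sectors, and reports the offset of the first non-zero sector. The 512-byte logical sector size and the image path are assumptions; working from an image rather than the original disk is standard practice so the evidence is not altered.

```python
"""Exhaustively check whether a raw disk image is all zeros.

Added example: replaces hex-editor spot checks with a full scan that
counts zero-filled sectors and reports the first non-zero offset.
Assumes 512-byte logical sectors and a raw (dd-style) image file.
"""
import io
import sys
from collections import namedtuple

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors

ScanResult = namedtuple("ScanResult", "total_sectors zero_sectors first_nonzero_offset")


def scan_zero_sectors(stream, sector_size=SECTOR_SIZE, chunk_sectors=4096):
    """Scan a binary stream and return a ScanResult.

    first_nonzero_offset is the byte offset of the first sector that
    contains anything other than 0x00, or None if the whole stream is zero.
    Reads in chunks so it works on images far larger than RAM.
    """
    total = zero = 0
    first_nonzero = None
    chunk_size = sector_size * chunk_sectors
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        # The last sector of an odd-sized image may be short; still count it.
        n_sectors = (len(chunk) + sector_size - 1) // sector_size
        if chunk.count(0) == len(chunk):
            # Fast path: the whole chunk is zero, no per-sector loop needed.
            total += n_sectors
            zero += n_sectors
            continue
        for i in range(n_sectors):
            sector = chunk[i * sector_size:(i + 1) * sector_size]
            if sector.count(0) == len(sector):
                zero += 1
            elif first_nonzero is None:
                first_nonzero = (total + i) * sector_size
        total += n_sectors
    return ScanResult(total, zero, first_nonzero)


def scan_zero_bytes(data, sector_size=SECTOR_SIZE):
    """Convenience wrapper for in-memory data (used by the demo below)."""
    return scan_zero_sectors(io.BytesIO(data), sector_size)


def scan_zero_file(path, sector_size=SECTOR_SIZE):
    """Scan a raw image file (or block device node) on disk."""
    with open(path, "rb") as f:
        return scan_zero_sectors(f, sector_size)


def report(result):
    """Human-readable summary of a ScanResult."""
    if result.first_nonzero_offset is None:
        return f"all {result.total_sectors} sectors are zero"
    return (f"{result.zero_sectors}/{result.total_sectors} sectors zero; "
            f"first non-zero sector at byte offset {result.first_nonzero_offset} "
            f"(LBA {result.first_nonzero_offset // SECTOR_SIZE})")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_zero.py /path/to/disk.img
        print(report(scan_zero_file(sys.argv[1])))
    else:
        # Constructed demo images: one fully zeroed, one with a stray byte.
        clean = bytes(SECTOR_SIZE * 1000)
        dirty = bytearray(clean)
        dirty[SECTOR_SIZE * 37 + 5] = 0x41
        print("clean image:", report(scan_zero_bytes(clean)))
        print("dirty image:", report(scan_zero_bytes(bytes(dirty))))
```

If the scan reports every sector as zero, the recovery question has been answered at the logical level: there is nothing left for software carving tools to find, and the only remaining options are the backup copies and the kind of specialist service discussed in the rest of the thread. If it reports any non-zero sectors, those LBAs are where to point a carving tool.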

Author: White Scorpion (Location: The Netherlands)    Posted: Wed Mar 26, 2008 1:15 pm    Post subject:
    ----
If you are willing to spend some cash on it, then bring it to a specialist and don't play with it yourself.
I'm sure a good specialist can recover your data without any problems.

Author: ENixon    Posted: Mon Mar 31, 2008 4:00 am    Post subject: Recovery from disk after single overwrite - IMPOSSIBLE
    ----
Thanks everyone who replied here and elsewhere.
I have concluded the data can not be recovered off the disk. The best advice was the NIST Special Publication 800-88 which said “…for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged. Studies have shown that most of today’s media can be effectively cleared and purged by one overwrite using current available sanitization technologies.”
The urban myth of data recovery was also debunked at : http://www.nber.org/sys-admin/overwritten-data-gutmann.html

I think most people who said it was possible to recover data assumed my user had used a file delete utility, however what was used was a utility to overwrite every single sector of the disk with zeros.

Fortunately our user (1) has found paper copies of most of the documents and he has recovered a few that he emailed to others. He is now keeping those files on the server where we have a good backup system. The user (2) who ran the overwrite utility has been reminded about double checking that all backups have been made before preparing a computer for transfer. Valuable lessons have been learnt.
Eric

Author: The_Real_Gandalf (Location: Athens, Greece)    Posted: Fri May 30, 2008 9:40 am    Post subject:
    ----
Even though I am too late on this one... the article fails to mention that there is also hardware magnetic retrieval, which is not done via software but via special hardware that tracks the "trail" of the magnetic recording and just retrieves it.

Overwriting once is not by any means enough to be considered "sanitization" of the HDD. The only thing is that this drive should be sent to a specialist with the appropriate hardware to do it. Software won't do the job here, unless there are fragments left unharmed, and then someone can re-compile the data with a hex editor tool.

Gandalf

Author: Ipsec Espah    Posted: Mon Jul 07, 2008 2:23 am    Post subject:
    ----
The_Real_Gandalf wrote:
Even though I am too late on this one... the article fails to mention that there is also hardware magnetic retrieval, which is not done via software but via special hardware that tracks the "trail" of the magnetic recording and just retrieves it.

Overwriting once is not by any means enough to be considered "sanitization" of the HDD. The only thing is that this drive should be sent to a specialist with the appropriate hardware to do it. Software won't do the job here, unless there are fragments left unharmed, and then someone can re-compile the data with a hex editor tool.

Gandalf

Actually, according to a SANS GCFA instructor, once data is overwritten once, it's gone. He said the same thing ENixon said. The reason the government still requires multiple overwrites is just a precaution in case someone somewhere discovers a similar data recovery method. In fact, Peter Gutmann wrote a follow-up to his Secure Deletion of Data from Magnetic and Solid-State Memory paper which hints at it. In the Epilogue it states:

Quote:

In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.

Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. Conversely, with modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero.

Another point that a number of readers seem to have missed is that this paper doesn't present a data-recovery solution but a data-deletion solution. In other words it points out in its problem statement that there is a potential risk, and then the body of the paper explores the means of mitigating that risk.

Author: ashu.wifi (Location: Heaven)    Posted: Thu Aug 28, 2008 10:57 am    Post subject:
    ----
Hi

You must use PhotoRec. It is open source, free and very effective, though not easy to use for beginners. I am giving you a link where you will find a video tutorial about using it and also a link to download it. I formatted my USB stick to test this and it recovered the data even after formatting; isn't that great?

http://www.irongeek.com/i.php?page=videos/data-carving-with-photorec-to-retrieve-deleted-files-from-formatted-drives-for-forensics-and-disaster-recovery

I hope this is informative for you.
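
PhotoRec is a file carver: it ignores the filesystem and scans raw sectors for known file headers and footers, which is why it recovers files from a formatted stick (a quick format only wipes the metadata, the data sectors are untouched) but has nothing to work with on a disk whose every sector has been overwritten with zeros. The following added example, written for this page and not PhotoRec's own code, makes that difference concrete on a constructed toy volume: it lays out a fake JPEG and a fake PDF behind a tiny directory table, then carves the intact volume, a quick-formatted copy and a zero-overwritten copy. The directory format, the sample files and the rule that headers are only checked at sector boundaries are simplifications chosen for the demo.

```python
"""Signature-based file carving on a raw image, in the spirit of PhotoRec.

Added example (not PhotoRec's code). Builds a constructed toy volume,
then shows why carving recovers files after a quick format (only the
directory sectors were wiped) but finds nothing after every sector has
been overwritten with zeros. Headers are only checked at sector
boundaries, a simplification for the demo.
"""

SECTOR_SIZE = 512
DIR_SECTORS = 4  # toy directory table occupies the first 4 sectors

# (header, footer) byte signatures for two common file types
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),  # JPEG SOI marker ... EOI marker
    "pdf": (b"%PDF-", b"%%EOF"),            # PDF header ... end-of-file marker
}

# Constructed sample files (not real documents, just valid-looking signatures)
SAMPLE_FILES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"pixel data" + b"\xff\xd9"),
    ("report.pdf", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n%%EOF"),
]


def build_volume(files, sector_size=SECTOR_SIZE, dir_sectors=DIR_SECTORS):
    """Lay files out sector-aligned behind a tiny text directory table."""
    entries = []
    data = bytearray()
    for name, payload in files:
        start_sector = dir_sectors + len(data) // sector_size
        entries.append(f"{name}:{start_sector}:{len(payload)}".encode())
        data += payload
        data += bytes((-len(payload)) % sector_size)  # pad to the sector boundary
    directory = b"\n".join(entries).ljust(dir_sectors * sector_size, b"\x00")
    return bytes(directory + data)


def quick_format(volume, sector_size=SECTOR_SIZE, dir_sectors=DIR_SECTORS):
    """Simulate a quick format: zero the directory, leave file data in place."""
    return bytes(dir_sectors * sector_size) + volume[dir_sectors * sector_size:]


def full_overwrite(volume):
    """Simulate a single-pass zero overwrite of every sector."""
    return bytes(len(volume))


def carve(image, sector_size=SECTOR_SIZE, signatures=SIGNATURES):
    """Return [(kind, offset, data)] for every header found at a sector start
    that has a matching footer somewhere after it."""
    found = []
    for off in range(0, len(image), sector_size):
        for kind, (head, tail) in signatures.items():
            if not image.startswith(head, off):
                continue
            end = image.find(tail, off + len(head))
            if end == -1:
                continue  # header without footer: truncated or overwritten
            found.append((kind, off, image[off:end + len(tail)]))
    return found


def carved_kinds(image):
    """Just the file types found, in image order."""
    return [kind for kind, _, _ in carve(image)]


if __name__ == "__main__":
    vol = build_volume(SAMPLE_FILES)
    cases = [("intact", vol), ("quick format", quick_format(vol)), ("zero overwrite", full_overwrite(vol))]
    for label, img in cases:
        hits = carve(img)
        print(f"{label:15s}: {len(hits)} file(s) carved", [(k, o) for k, o, _ in hits])
```

Real carvers use far richer signatures and sanity checks than a header/footer pair, but the failure mode is the same: a carver can only reassemble bytes that are still on the platter, so it recovers from deleted or quick-formatted media and returns nothing from a drive that reads back as all zeros.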

Author: The_Real_Gandalf (Location: Athens, Greece)    Posted: Thu Sep 18, 2008 12:23 pm    Post subject:
    ----
Most software shredders/erasers use a mathematical pattern (motif) to overwrite the binary code of stored information (they do not change the binary randomly). If someone has the pattern algorithm of the software (the numeric pattern used to write over the binary), then he will be able to use a kind of "reverse engineering" and restore all overwritten data to its previous state.

So it is not impossible, but it is hard to do. In addition to this, I do not think that $2000 is enough to accomplish this.

Gandalf
