computer forensics question

Technomage technomage-hawke at cox.net
Sun Oct 9 04:24:12 MST 2005 

On Sunday 09 October 2005 01:38, Devin Rankin wrote:
> I don't know.
>
> I was a computer forensic guy for the Phoenix Police Department.  I can
> tell you that no local or state agency has any equipment to read a drive
> once it has been erased and over written, even once.

well, this "tends to confirm" my logical argument on this point. however.....

>
> There have long been rumors that equipment existed to read the data on a
> drive that had been over written by detecting a residual magnetic charge of
> the original data.  But with something being over written 3 or more times,
> I really don' know how you would sort out what was original and what was
> the 3rd  or 4th pass of random characters.

well, I am working with a person in Topeka kansas on a project or 2 that 
requires some forensice know-how (and man, it is a learning experience).. 
from what he informs me of, it is getting easier (with software) to recover 
lost data (even that which has been over written a number of times). I am 
still skeptical of this, however, he does make some very persuasive arguments 
to bolster his case (including, but not limited to: the 2nd law of 
thermodynamics).

>
> Maybe this was possible on the older, lower density drives, but with todays
> drives, and how tight the tolerances are getting between data tracks, I
> think its getting less and less likely.

oh yeah. most of the older drives also used far lower quality "stuff" for the 
magnetic material (relative to today's high tolerance materials). erasing 
those and keeping the data erased  However, one has to realize that most 
modern equipment is still subject to the laws governing entropy. the 
read/write head will not read/write in exactly the same place each time (its 
called "mechanical drift in aging"). couple this with the smaller head size, 
strength of fields produced, etc, it might be possible to read data that was 
supposedly erased (I have my doubts on this, but again, my friend in kansas 
makes some extremely persuasive and logical arguments).  This my question 
still stands: is it possible to so thuroughly erase data on an HD platter 
such that it becomes "virtually impossible" to determine what the data was?

>
> I trained with all kinds of government agent, from military to IRS, and
> none of then had ever actually seen any equipment that would really be able
> to read erased data.  If the equipment exists that can do it, its very
> rare, or very secret or both.

may have been 15 years ago... can it exist now, and if so, would it be 
publically available (or in use by civilian authorities)?

>
> Devin

More information about the PLUG-discuss mailing list