computer forensics question

Joseph Sinclair plug-discuss at stcaz.net
Sun Oct 9 18:49:04 MST 2005


I can assure you that it is indeed possible to recover data from a supposedly "securely overwritten" file.  There is no packaged software or machine to do this automatically, you have to hire knowledgeable, skilled, experts to examine the drive with the tools of a micro-physicist, but it can be done, and the FBI, among others, regularly contracts the small number of private forensics firms that employ the requisite expertise to examine equipment seized in important investigations.  It's incredibly expensive to do this, however, so it's not a major concern unless the data is REALLY important.
DoD has a specific overwrite protocol that, if used, does ensure that data is not available via software, but if the reader has the know-how to open up the drive and recover latent magnetic domains from the platters, then even the DoD protocol is inadequate.

If you want to be really sure, there are two means available:
1) Burn/melt the drive, make sure it reaches a temperature of over 575 Kelvins for at least 15 minutes (tossing it in a kiln-certified melt-vessel then firing it with your next ceramic mug works quite well).  This is what is required for really sensitive military information.
2) Use a commercial bulk demagnetizer on the drive, these are widely available, and 3 or more complete cycles will generally wipe out data to an extent that even best forensics experts cannot retrieve it.  Many large corporate IT departments currently use this approach, since it's relatively cheap, quick, and very effective.
The downside of these approaches is that the drive is completely useless after the procedure is complete; it can never again be used for data storage.

If you want a software tool to at least make it really hard to get at the data, then Darik's Boot and Nuke (DBAN) is a good utility to look at.  DBAN is available at (http://dban.sourceforge.net/).

==Joseph++

Technomage wrote:
> On Sunday 09 October 2005 01:38, Devin Rankin wrote:
> 
>>I don't know.
>>
>>I was a computer forensic guy for the Phoenix Police Department.  I can
>>tell you that no local or state agency has any equipment to read a drive
>>once it has been erased and over written, even once.
> 
> 
> well, this "tends to confirm" my logical argument on this point. however.....
> 
> 
>>There have long been rumors that equipment existed to read the data on a
>>drive that had been over written by detecting a residual magnetic charge of
>>the original data.  But with something being over written 3 or more times,
>>I really don't know how you would sort out what was original and what was
>>the 3rd or 4th pass of random characters.
> 
> 
> well, I am working with a person in Topeka, Kansas on a project or 2 that 
> requires some forensic know-how (and man, it is a learning experience).. 
> from what he informs me of, it is getting easier (with software) to recover 
> lost data (even that which has been over written a number of times). I am 
> still skeptical of this, however, he does make some very persuasive arguments 
> to bolster his case (including, but not limited to: the 2nd law of 
> thermodynamics).
> 
> 
>>Maybe this was possible on the older, lower density drives, but with todays
>>drives, and how tight the tolerances are getting between data tracks, I
>>think its getting less and less likely.
> 
> 
> oh yeah. most of the older drives also used far lower quality "stuff" for the 
> magnetic material (relative to today's high tolerance materials). erasing 
> those and keeping the data erased. However, one has to realize that most 
> modern equipment is still subject to the laws governing entropy. the 
> read/write head will not read/write in exactly the same place each time (it's 
> called "mechanical drift in aging"). couple this with the smaller head size, 
> strength of fields produced, etc, it might be possible to read data that was 
> supposedly erased (I have my doubts on this, but again, my friend in Kansas 
> makes some extremely persuasive and logical arguments).  Thus my question 
> still stands: is it possible to so thoroughly erase data on an HD platter 
> such that it becomes "virtually impossible" to determine what the data was?
> 
> 
>>I trained with all kinds of government agents, from military to IRS, and
>>none of them had ever actually seen any equipment that would really be able
>>to read erased data.  If the equipment exists that can do it, it's very
>>rare, or very secret or both.
> 
> 
> may have been 15 years ago... can it exist now, and if so, would it be 
> publicly available (or in use by civilian authorities)?
> 
> 
>>Devin
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
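Joseph's reply above describes the DoD-style software overwrite (a fixed pattern, its complement, a random pass, then read-back verification) as the most a software tool can do, with DBAN as the whole-device implementation. The following is an added example for this thread, not code from DBAN or from any of the posters: a small Python script that applies that three-pass sequence to a single file, fsyncs after each pass, verifies the fixed-pattern passes by reading them back, and then truncates and unlinks the file. The file name, the "SAMPLE RECORD" contents and the sizes are constructed for the demonstration.

```python
"""Multi-pass file overwrite in the style of the DoD 5220.22-M clearing
sequence (0x00 pass, 0xFF pass, random pass, read-back verification).

Added example for this thread, not code from DBAN or the original posters.
It only overwrites the blocks the filesystem currently maps to the file:
journaling or copy-on-write filesystems and wear-levelled flash can keep
older copies elsewhere, which is why whole-device tools like DBAN exist.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 16

# Pass sequence: a fixed byte (verified by reading it back) or None for
# cryptographically random data.
DOD_3PASS = (b"\x00", b"\xff", None)


def _write_pass(fd, size, pattern):
    """Write `size` bytes of `pattern` (or random data) from offset 0 and
    force them to the device with fsync."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if pattern is None else pattern * n
        done = 0
        while done < n:
            done += os.write(fd, buf[done:])
        remaining -= n
    os.fsync(fd)


def _verify_pass(fd, size, pattern):
    """Read the file back and confirm every byte equals `pattern`."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        buf = b""
        while len(buf) < n:
            chunk = os.read(fd, n - len(buf))
            if not chunk:  # short file: something truncated it under us
                return False
            buf += chunk
        if buf != pattern * n:
            return False
        remaining -= n
    return True


def overwrite_file(path, passes=DOD_3PASS, unlink=True):
    """Overwrite `path` in place with each pass in `passes`, verifying the
    fixed-pattern passes, then (optionally) truncate and unlink it.
    Returns a small report dict."""
    size = os.path.getsize(path)
    verified = 0
    fd = os.open(path, os.O_RDWR)
    try:
        for pattern in passes:
            _write_pass(fd, size, pattern)
            if pattern is not None:
                if not _verify_pass(fd, size, pattern):
                    raise IOError("verification failed for pass %r" % pattern)
                verified += 1
    finally:
        os.close(fd)
    if unlink:
        # Truncate first so the directory entry no longer records the old
        # length, then remove the name.
        with open(path, "r+b") as f:
            f.truncate(0)
        os.remove(path)
    return {"bytes": size, "passes": len(passes),
            "verified_passes": verified, "unlinked": unlink}


def demo():
    """Constructed sample: a throw-away file of fake records is wiped twice,
    once with unlink=False so the result can be inspected, then fully."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "records.txt")
    record = b"SAMPLE RECORD 0001 (constructed, not real data)\n"
    with open(path, "wb") as f:
        f.write(record * 4000)
    first = overwrite_file(path, unlink=False)
    with open(path, "rb") as f:
        leftover = f.read()
    wiped_in_place = (b"SAMPLE RECORD" not in leftover
                      and len(leftover) == len(record) * 4000)
    second = overwrite_file(path)
    gone = not os.path.exists(path)
    os.rmdir(tmpdir)
    return {"first": first, "wiped_in_place": wiped_in_place,
            "second": second, "gone": gone}


if __name__ == "__main__":
    print(demo())
```

Run it as a script and it wipes a constructed file in a temporary directory and prints the two reports. The verification step is the part worth keeping in any real tool: an overwrite that was buffered, short-written, or silently failed looks identical to a successful one until you read the pattern back. As the docstring notes, this reaches only the blocks the file currently occupies; old copies left by a journal, copy-on-write snapshots or flash wear-levelling are exactly why the thread's answer for anything sensitive is whole-device wiping, degaussing or physical destruction.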

