Can overwritten data be recovered ?

Discussion in 'privacy general' started by eyes-open, Jan 28, 2007.

Thread Status:
Not open for further replies.
  1. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Thanks to another thread I was encouraged to re-visit this. I'd long been under the impression that there was a level of data recovery that was possible with an electron microscope.

    As long as you can accommodate the phrase 'successfully overwritten', it appears that not even an electron microscope can realistically be used to retrieve data that has been overwritten as little as one time only.

    Source of quote below

     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    In a report of theirs going back to '05 they say there is a high degree of variability between individual drives and unfortunately this variability makes it dramatically harder to perform drive independent data recovery.
    Have a look at Peter Gutmann.
     
  3. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    That is actually incorrect :) Data that is properly Overwritten (DoD 5220.22-M (3 Passes)) Will return a Value of 000000 Confirming the complete destruction of All Data, thus preventing it from ever being recovered (Like it wasn't there in the first place) :)
     
  4. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    hi DVD+ :)

    I may have mis-read, but I don't think the illustration refers so much to DOD standard overwriting, as much as it does to incidental/natural overwriting of data through day to day use.

    I don't think it matters so much in this context tho'. The general aim of the quote was to illustrate that electron microscopy isn't a simple process of scanning the disc, or etching away a top layer to reveal the truth underneath, say by using some amazing algorithm that can detect whether a 1 or a 0 was always a 1 or a 0.

    It's true also that technology has moved on since that quote was produced, with both drives and imaging technology improving. The scale of the forensic challenge though, appears to be just as massive and the balance of the conclusions remains the same.

    I don't think you'll find an outright statement, that a sufficiently dedicated and resourced lab, could never recover any data from an overwritten drive. However, you have to balance that against the investment needed to attempt recovery of what is perhaps best termed 'meaningful data'. As far as I know all reports say that there are no known instances of commercial success and given what's known about the technology at the moment - then I'd think that any attempt by an agency application would have to be a targeted and amazingly time consuming resource. For more info, check out this link which opens a .pdf document. It is the forerunner to the paper that Meriadoc references in his post. Recovering Unrecoverable Data, PDF Document (see esp. page 20 & 21) to see a more modern interpretation of the scale of the problem. This includes taking on board what it calls the spin-stand MRM which can dramatically reduce the initial imaging time. The report, while understandably retaining some wriggle room, still on balance reduces this overall category of data recovery to the realms of the exotic or theoretical. These reports don't talk about degrees of success depending on the amount of overwriting that has taken place.

    So how convincing is this ?

    Let's say a harmless fellow called Harry lives in a small town/village. He used his computer to order a discreet subscription of fetish monthly with a credit card. He then puts the computer up for sale and the local village geek makes an offer he can't resist. Only now there's a problem..... Harry really doesn't want to risk the geek investigating the drive and discovering details about the subscription. He remembers deleting the order confirmation etc ...... but isn't sure if the geek could still recover enough data to expose his fetish to the rest of the village. While this is worrisome to Harry, he really needs the money from the sale.

    If you were advising Harry that you could help by overwriting his hard-drive - how many passes would you say were necessary to achieve peace of mind ?

    Would that change if you knew the village geek was the son of Harry's arch enemy. A computer forensic genius, with his very own magnetic force microscope ?

    To be honest, I'd probably wimp out, overwrite using the short DOD method of 3 passes, condemn meself for the coward I am - and sleep the better for it .......
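
The overwrite-and-confirm step the posts above talk about, as an added example that is not part of the original thread: it overwrites a constructed image file pass by pass and checks each pass by reading the data back. The three patterns (zeros, ones, random) are the commonly cited "short" three-pass scheme and are an assumption here, as are all function names and the sample marker.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # write granularity in bytes


def make_image(path, size, marker):
    """Build a constructed 'drive image' with one recognisable record in it."""
    with open(path, "wb") as f:
        f.write(os.urandom(size))
        f.seek(size // 2)
        f.write(marker)


def overwrite_pass(path, pattern):
    """Overwrite the file in place. pattern is a byte value, or None for random.
    Returns the SHA-256 of exactly what was written, for later verification."""
    size = os.path.getsize(path)
    digest = hashlib.sha256()
    with open(path, "r+b") as f:
        for offset in range(0, size, BLOCK):
            n = min(BLOCK, size - offset)
            data = os.urandom(n) if pattern is None else bytes([pattern]) * n
            f.write(data)
            digest.update(data)
        f.flush()
        os.fsync(f.fileno())  # push the pass to the device before the next one
    return digest.hexdigest()


def wipe_and_verify(path, marker, passes=(0x00, 0xFF, None)):
    """Run each pass, read the file back, and report per pass:
    (read-back matches what was written, marker still present)."""
    results = []
    for pattern in passes:
        expected = overwrite_pass(path, pattern)
        with open(path, "rb") as f:
            content = f.read()
        verified = hashlib.sha256(content).hexdigest() == expected
        results.append((verified, marker in content))
    return results


def demo():
    marker = b"ORDER-CONFIRMATION-CONSTRUCTED-SAMPLE"  # constructed sample data
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "drive.img")
        make_image(path, 64 * 1024 + 123, marker)
        with open(path, "rb") as f:
            present_before = marker in f.read()
        return present_before, wipe_and_verify(path, marker)
```

This checks only what software can read back through the normal interface, and the read-back may be served from the operating system's cache. Overwriting a file in place is also not guaranteed to hit the same physical blocks on copy-on-write filesystems or flash storage with wear levelling, so a whole-device wipe is the case this models.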
     
  5. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    If I were Harry I'd have installed Evidence Remover :D
     