Thanks for the link to that forum.
You may also be interested in something else that everyone seems to have
taken as gospel:
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
I would take Mr Barila's word on it but I would rather see him prove it and
have others say yes it has been done, and here is the evidence, and here is
a paper, and here are my peers (i.e. people much smarter than me) agreeing
after rigorously scrutinising.
In fact I'd love it if anyone did that. I'm all for pushing back the
boundaries of knowledge.
I see that Mr Barila does not actually say that he has performed such a
recovery. Just that it is possible on a single bit. Or that he believes it
to be possible.
His reasoning appears to be logical and correct. But is it possible?
>>Then you can subtract that ideal value and see what the second generation
>>previous values were. It does require specialized equipment, but it's not
>>TLA-named governmental entity kind of equipment, just "highly motivated
>>party" kind of equipment. I'm told there are commercial entities in Russia
>>that do this, though I have no first-hand knowledge of that.
To recover in this way, try and calculate the probabilities of getting
enough bits 'right' when doing electron tunneling microscope (or whatever
high-end equipment your Russians might be using) just to recover a single
1024kb file. Now do it for a 100Gb drive. How many bits are on that drive?
Sure, there may be a 'high' probability of getting one bit right but
millions of them?
Ansgar mentioned newer drives too, for a reason. Because they are more
accurate at the whole 1 and 0 thing and at writing in exactly the same
'spot'. Not to mention bigger. As for SS drives, I don't know what the
thinking is.
Thanks
> >-----Original Message-----
> >From: Matt [mailto:matt-martin (at) tx.rr (dot) com [email concealed]]
> >Sent: Wednesday, October 08, 2008 6:51 PM
> >To: Murda Mcloud
> >Subject: Re: Hard Drive Forensics Question
> >
> >Murda Mcloud wrote:
> >
> >Hello all,
> >
> >I've been lurking here for the last 6 months or so and this thread
> >caught my eye.
> >
> >I'd agree about most of the comments in this thread with the exception
> >of a few regarding data recovery after a file has been 'zeroed'
> >and whether there is any benefit to using random data during the
> >overwrite.
> >
> >The below thread/link was responded to by a senior engineer from a well
> >known disk manufacturer, and according to him - data can be recovered
> >after being over-written with new data (several generations back).
> >
> >Given Mr. Barila has decades of experience and plays an active role in
> >the design and development of mass storage devices along with the
> >supporting firmware, I'll take his word for it...
> >
> >http://www.osronline.com/showThread.cfm?link=92173
> >
> >Regards,
> >
> >m
> >
> >(P.S. - First, I was the OP in the above thread, and second, do keep in
> >mind that the responder (Mr. Barila) has access to a lot of lab equipment
> >that very few people do... )
> >
> >>>> Which is more likely to appear on a normal hard drive that has not
> >>>> been tampered with or set up: Entire blocks of 0s, or random malformed
> >>>> data?
> >>>>
> >>
> >> In the case of the OP, I get the feeling that if someone examined the drive
> >> they could easily draw the conclusion that the drive had been 'tampered'
> >> with either way. Whether there were 0s or randoms on it.
> >> It still doesn't matter which method you use. No-one is going to get any
> >> data from it but I just wanted to see why you said random data were better.
> >> I don't agree that your reason makes it 'better'.
> >> As Ansgar pointed out, finding a credible report on data recovery from a
> >> zeroed (if that is a verb) drive is impossible.
> >> You can always take the challenge if you believe otherwise:
> >>
> >> http://16systems.com/zero/index.html
> >>
> >>
> >> And I still don't understand why you said:
> >>
> >>
> >>>> Delete it so as to be able to write over it again. Multiple write-overs
> >>>> ensure that no data may be recovered.
> >>
> >> My lack of understanding may be because I'm not seeing what benefit you are
> >> trying to gain from the 'deleting'. I thought that you could overwrite
> >> something without the need for first deleting it but perhaps you know
> >> something that I don't.
> >>
> >>>> -----Original Message-----
> >>>> From: Razi Shaban [mailto:razishaban (at) gmail (dot) com [email concealed]]
> >>>> Sent: Monday, October 06, 2008 11:25 PM
> >>>> To: Murda Mcloud
> >>>> Cc: security-basics (at) securityfocus (dot) com [email concealed]
> >>>> Subject: Re: Hard Drive Forensics Question
> >>>>
> >>>> On Mon, Oct 6, 2008 at 7:00 AM, Murda Mcloud <murdamcloud (at) bigpond (dot) com [email concealed]>
> >>>>
> >>>> I won't reply to the first part, as I feel that it doesn't really need
> >>>> much more elaboration.
> >>>>
> >>>>
> >>>>>>>> And why do you feel that random is better?
> >>>>>>>>
> >>>>>>> If it is actual files that are copied, they may be recovered.
> >>>>>>> Depending on the nature of those files, opinions could be made either
> >>>>>>> way. If it's random data, nothing can be retrieved and they are left
> >>>>>>> with nothing to work with. If they are accusing him of wrong-doing
> >>>>>>> that he is innocent of, he should leave them with as little as
> >>>>>>> possible to work with, in my opinion.
> >>>>>>>
> >>>>> Maybe I should have asked, "Why do you feel that random is better than
> >>>>> something else eg 0's?"
> >>>>>
> >>>>> I don't think it matters whether it's random or not-overwrite something and
> >>>>> it's overwritten. Which means it's unrecoverable. Some apps will overwrite
> >>>>> with random numbers. Eg DBAN
> >>>>> If someone sees a pattern in the hard drive after I do
> >>>>> dd if=/dev/zero of=/dev/hdax
> >>>>> because it's not random they would be right. It's not random. However, can
> >>>>> they see any files I had on there before? No.
> >>>>>
> >>>>>
> >>>> Which is more likely to appear on a normal hard drive that has not
> >>>> been tampered with or set up: Entire blocks of 0s, or random malformed
> >>>> data?
> >>>>
> >>>> --
> >>>> Razi
> >>>>
> >>
> >>
> >>
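The calculation the message above asks readers to try, written out as an added example (not part of the original post). It assumes bit reads are independent, reads "1024kb" as 1024 KiB and "100Gb" as 100 decimal gigabytes, and uses per-bit accuracies that are made-up inputs, since the thread gives none.

```python
import math

# Sizes from the message, under assumed readings of its units.
FILE_BITS = 1024 * 1024 * 8     # "1024kb" read as 1024 KiB
DRIVE_BITS = 100 * 10**9 * 8    # "100Gb" read as 100 decimal gigabytes

def log10_all_correct(n_bits, p_bit):
    """log10 of P(all n_bits are read back correctly), bits independent."""
    if not 0.0 < p_bit <= 1.0:
        raise ValueError("p_bit must be in (0, 1]")
    return n_bits * math.log10(p_bit)

def expected_wrong_bits(n_bits, p_bit):
    """Mean number of wrongly recovered bits."""
    return n_bits * (1.0 - p_bit)

def required_bit_error_rate(n_bits, target):
    """Largest per-bit error rate that still gets every bit right
    with probability `target`."""
    return -math.expm1(math.log(target) / n_bits)

def log10_at_most_k_wrong(n_bits, p_bit, k):
    """log10 of P(at most k wrong bits): 'enough bits right'.
    Poisson approximation to the binomial, summed in log space so the
    astronomically small terms do not underflow to zero."""
    lam = n_bits * (1.0 - p_bit)
    if lam == 0.0:
        return 0.0                      # perfect reads: probability 1
    terms = [-lam + i * math.log(lam) - math.lgamma(i + 1)
             for i in range(k + 1)]
    top = max(terms)
    total = top + math.log(sum(math.exp(t - top) for t in terms))
    return total / math.log(10)

if __name__ == "__main__":
    for p in (0.9, 0.99, 0.999999):     # assumed per-bit accuracies
        print(f"p_bit={p}: file all-correct 1e{log10_all_correct(FILE_BITS, p):.0f}, "
              f"<=1000 wrong 1e{log10_at_most_k_wrong(FILE_BITS, p, 1000):.0f}, "
              f"expected wrong bits {expected_wrong_bits(FILE_BITS, p):.0f}")
    for name, n in (("file", FILE_BITS), ("drive", DRIVE_BITS)):
        print(f"{name}: {n} bits, per-bit error rate for a 50% clean recovery: "
              f"{required_bit_error_rate(n, 0.5):.2e}")
```

Results are reported as base-10 logarithms because the probabilities themselves are far below what a float can represent.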