  Re: Oh what joy!  
From: Jim Henderson
Date: 27 Jun 2008 15:48:31
Message: <4865440f@news.povray.org>
On Fri, 27 Jun 2008 20:00:50 +0100, Orchid XP v8 wrote:

> Jim Henderson wrote:
> 
>> Send it here:  http://www.ontrack.com
> 
> I see lots of talk of *broken* hard drives, but not much about
> deliberately erased media.

They've got the equipment for that.  I used to talk with them 
occasionally, and they did do forensic analysis for law enforcement back 
then.  Don't know if they still do.

>> Or maybe here:  http://salvagedata.com
> 
> Ditto.
> 
>> Or use something like this: http://freshmeat.net/projects/mobiusft/
> 
> I can't even find any documentation explaining what this *is*...

It's a forensic data toolkit.  Used for investigating criminal activity 
that's been stored on hard drives and then wiped/erased/whatever.  
Oftentimes, you don't recover a file, but you recover data on individual 
blocks (think like chkdsk).

> 
>> Or maybe http://freshmeat.net/projects/fccubootcd/
>> 
>> (The latter is reportedly used by the Belgian Federal Computer Crime
>> Unit)
> 
> Seems to contain a bunch of tools for undeleting files, and recovering
> deleted partition tables. The main "data acquisition" tool is listed as
> being "dd". On the drives in question, all this will give you is a giant
> image file full of zeros - useless for analysis purposes.
> 
>> Forensic data recovery is a booming business at the moment (got a
>> friend who does it, in fact).  Just wiping a drive is absolutely not
>> sufficient
> 
> The DSS appears to disagree:
> 
> https://www.dss.mil/GW/ShowBinary/DSS/isp/odaa/documents/clear_n_san_matrix_06282007_rev_11122007.pdf
> 
> The NIST concludes
> 
> http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
> 
> that "for ATA disks of 15 GB or more", clearing prevents a "laboratory
> attack".
> 
>> - people have been convicted using evidence recovered from a drive
>> without using "a microscope" (and BTW, how would that help?  The data
>> is encoded in a magnetic field, a microscope won't see that).
> 
> I didn't mean a light microscope - I was actually thinking of a Magnetic
> Force Microscope...

Well, all I know is that I know people who actually *do* this kind of 
work on a regular basis.

Doing a DoD style wipe is generally sufficient, but as others pointed 
out, the point from a data security standpoint is to make the cost of 
recovery more than the value of the data when recovered.  In *most* 
cases, a wipe is sufficient, but it really depends on how valuable the 
data is to your competition.

Jim

