 |
|
|
|
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On Thu, 26 Jun 2008 16:45:38 +0100, Invisible wrote:
> Uh... like, WTF?
>
> I mean, sure, if you take the drive apart and crawl over it with a
> microscope, you can recover data. But who the **** is going to bother?
> It's not like you could recover any particularly valuable data.
There are some very good forensic tools available to the general public
that make it possible to recover a fair amount of data from a wiped drive.
Jim
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On Thu, 26 Jun 2008 17:02:14 +0100, Invisible wrote:
> Right. Well I'll tell you what, you show me an actual technique that
> allows you to recover data from a harddrive after every individual block
> has been written with zeros, without the use of a microscope. ;-)
Send it here: http://www.ontrack.com
Or maybe here: http://salvagedata.com
Or use something like this: http://freshmeat.net/projects/mobiusft/
Or maybe http://freshmeat.net/projects/fccubootcd/
(The latter is reportedly used by the Belgian Federal Computer Crime Unit)
Forensic data recovery is a booming business at the moment (got a friend
who does it, in fact). Just wiping a drive is absolutely not sufficient
- people have been convicted using evidence recovered from a drive
without using "a microscope" (and BTW, how would that help? The data is
encoded in a magnetic field, a microscope won't see that).
Jim
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Invisible wrote:
> Damn it Phil, it's too early on a Friday!! >_<
Phillip, do you realise that you were directly responsible for me
spending my entire afternoon looking up the Wikipedia entries for
Erasure, Depeche Mode, Shamen, Orbital, The Chemical Brothers, Beth
Orton, William Orbit, house, acid house, trance, rave, and two dozen
other articles?!
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Jim Henderson wrote:
> Send it here: http://www.ontrack.com
I see lots of talk of *boken* hard drives, but not much about
deliberately erased media.
> Or maybe here: http://salvagedata.com
Ditto.
> Or use something like this: http://freshmeat.net/projects/mobiusft/
I can't even find any documentation explaining what this *is*...
> Or maybe http://freshmeat.net/projects/fccubootcd/
>
> (The latter is reportedly used by the Belgian Federal Computer Crime Unit)
Seems to contain a bunch of tools for undeleting files, and recovering
deleted partition tables. The main "data aquisition" tool is listed as
being "dd". On the drives in question, all this will give you is a giant
image file full of zeros - useless for analysis perposes.
> Forensic data recovery is a booming business at the moment (got a friend
> who does it, in fact). Just wiping a drive is absolutely not sufficient
The DSS appears to disagree:
https://www.dss.mil/GW/ShowBinary/DSS/isp/odaa/documents/clear_n_san_matrix_06282007_rev_11122007.pdf
The NIST concludes
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
that "for ATA disks of 15 GB or more", clearing prevents a "laboratory
attack".
> - people have been convicted using evidence recovered from a drive
> without using "a microscope" (and BTW, how would that help? The data is
> encoded in a magnetic field, a microscope won't see that).
I didn't mean a light microscope - I was actually thinking of a Magnetic
Force Microscope...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Jim Henderson wrote:
> There are some very good forensic tools available to the general public
> that make it possible to recover a fair amount of data from a wiped drive.
*sigh*
Clearly I am going to have to undertake some scientific experiments...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On Fri, 27 Jun 2008 20:00:50 +0100, Orchid XP v8 wrote:
> Jim Henderson wrote:
>
>> Send it here: http://www.ontrack.com
>
> I see lots of talk of *boken* hard drives, but not much about
> deliberately erased media.
They've got the equipment for that. I used to talk with them
occasionally, and they did do forensic analysis for law enforcement back
then. Don't know if they still do.
>> Or maybe here: http://salvagedata.com
>
> Ditto.
>
>> Or use something like this: http://freshmeat.net/projects/mobiusft/
>
> I can't even find any documentation explaining what this *is*...
It's a forensic data toolkit. Used for investigating criminal activity
that's been stored on hard drives and then wiped/erased/whatever. Often
times, you don't recover a file, but you recover data on individual
blocks (think like chkdsk).
>
>> Or maybe http://freshmeat.net/projects/fccubootcd/
>>
>> (The latter is reportedly used by the Belgian Federal Computer Crime
>> Unit)
>
> Seems to contain a bunch of tools for undeleting files, and recovering
> deleted partition tables. The main "data aquisition" tool is listed as
> being "dd". On the drives in question, all this will give you is a giant
> image file full of zeros - useless for analysis perposes.
>
>> Forensic data recovery is a booming business at the moment (got a
>> friend who does it, in fact). Just wiping a drive is absolutely not
>> sufficient
>
> The DSS appears to disagree:
>
> https://www.dss.mil/GW/ShowBinary/DSS/isp/odaa/documents/
clear_n_san_matrix_06282007_rev_11122007.pdf
>
> The NIST concludes
>
> http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
>
> that "for ATA disks of 15 GB or more", clearing prevents a "laboratory
> attack".
>
>> - people have been convicted using evidence recovered from a drive
>> without using "a microscope" (and BTW, how would that help? The data
>> is encoded in a magnetic field, a microscope won't see that).
>
> I didn't mean a light microscope - I was actually thinking of a Magnetic
> Force Microscope...
Well, all I know is that I know people who actually *do* this kind of
work on a regular basis.
Doing a DoD style wipe is generally sufficient, but as others pointed
out, the point from a data security standpoint is to make the cost of
recovery more than the value of the data when recovered. In *most*
cases, a wipe is sufficient, but it really depends on how valuable the
data is to your competition.
Jim
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On Fri, 27 Jun 2008 20:01:39 +0100, Orchid XP v8 wrote:
> Jim Henderson wrote:
>
>> There are some very good forensic tools available to the general public
>> that make it possible to recover a fair amount of data from a wiped
>> drive.
>
> *sigh*
>
> Clearly I am going to have to undertake some scientific experiments...
First rule in data security: Never assume any data is unrecoverable.
Second rule in data security: Never assume nobody is watching.
Jim
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Invisible wrote:
> holding file data will still be intact. (Formatting with, say, ext2
> takes a tiny fraction of the time that FAT or NTFS formatting takes,
D'oh? Hardly. I've never had an NTFS format take more than a half a
minute or so, and formatting a 750G drive with ext3 on the same machine
takes 10 or 15 minutes.
All NTFS has to write is about 5 blocks of file data and the free space
bitmap (which isn't stored as a bitmap anyway). I'd be surprised if it
writes more than a hundred K regardless of the size of the disk. NTFS
doesn't preallocate i-nodes, nor are the i-nodes spread all over the
disk, so it's generally way, way faster. In other words, an NTFS format
formats two or three superblocks, one boot record, two copies of the
first sixteen "i-nodes", and writes out an empty root directory, an
almost-empty free space map, and an almost-empty ACL table. I wouldn't
be surprised if FAT32 on a big drive took more writing than NTFS to format.
Ext2/3 stores i-nodes all over the disk, preformatting them. This takes
time when you have a couple gig of i-nodes to fill out.
(The difference between ext3 and ext2 is a few seconds of creating the
journal, so that's not the problem.)
> I am unsure as to whether #4 and #5 are different in any way. Both seem
> to take the same amount of time...
On my drives, at least one of the maxtor "format back to factory-fresh"
only wrote the first sector on each track or something. It finished way
too fast to be writing the whole drive. Unless the drive had a command
built in that wiped the entire track in one rotation or something,
rather than actually having to transfer the data from memory to the
drive for the whole thing.
--
Darren New / San Diego, CA, USA (PST)
Helpful housekeeping hints:
Check your feather pillows for holes
before putting them in the washing machine.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
scott wrote:
> Oh, I thought that "format" really went over every byte of the partition
> and wrote to it? IIRC there is a "quick format" option, which I assumed
> just did the headers and stuff to make it look like it was formatted.
Format *used* to write to the whole drive, way back in DOS 3/4 days or
so. Now quick-format writes only the file system (first few tracks,
basically) assuming all sectors are good, and non-quick format writes
the first few tracks after *reading* all the sectors to make sure
they're good.
--
Darren New / San Diego, CA, USA (PST)
Helpful housekeeping hints:
Check your feather pillows for holes
before putting them in the washing machine.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
"Darren New" <dne### [at] san rrcom> wrote in message
news:48654c14@news.povray.org...
>
> On my drives, at least one of the maxtor "format back to factory-fresh"
> only wrote the first sector on each track or something. It finished way
> too fast to be writing the whole drive. Unless the drive had a command
> built in that wiped the entire track in one rotation or something,
> rather than actually having to transfer the data from memory to the
> drive for the whole thing.
>
One the subject of format, what does Low-level format actually do? I
remember years ago disks had to be low level formatted by the user. Now a
low level format will render a drive useless (or so documentation says)
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
|
|
