Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Hard Drive Forensics Question

From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Thu, 9 Oct 2008 13:22:45 +1000
Hi Matt,
Thanks for the link to that forum.
You may also be interested in something else that everyone seems to have
taken as gospel:

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html


I would take Mr Barila's word on it but I would rather see him prove it and
have others say yes it has been done, and here is the evidence, and here is
a paper, and here are my peers(ie people much smarter than me) agreeing
after rigorously scrutinising.
In fact I'd love it if anyone did that. I'm all for pushing back the
boundaries of knowledge.

I see that Mr Barila does not actually say that he has performed such a
recovery. Just that it is possible on a single bit. Or that he believes it
to be possible.
His reasoning appears to be logical and correct. But is it possible?


Then you can subtract that ideal value and see what the second generation
previous values were. It does require specialized equipment, but it's not
TLA-named governmental entity kind of equipment, just "highly motivated
party" kind of equipment. I'm told there are commercial entities in Russia
that do this, though I have no first-hand knowledge of that.


To recover in this way, try and calculate the probabilities of getting
enough bits 'right' when doing electron tunneling microscope(or whatever
high end equipment your Russians might be using) just to recover a single
1024kb file. Now do it for a 100Gb drive. How many bits are on that drive? 
Sure, there may be a 'high' probability of getting one bit right but
millions of them?

Ansgar mentioned newer drives too, for a reason. Because they are more
accurate at the whole 1 and 0 thing and at writing in exactly the same
'spot'. Not to mention bigger. As for SS drives, I don't know what the
thinking is.





Thanks



-----Original Message-----
From: Matt [mailto:matt-martin () tx rr com]
Sent: Wednesday, October 08, 2008 6:51 PM
To: Murda Mcloud
Subject: Re: Hard Drive Forensics Question

Murda Mcloud wrote:

Hello all,

I've been lurking here for the last 6 months or so and this thread
caught my eye.

I'd agree about most of the comments in this thread with the exception
of a few regarding data recovery after a file has been 'zeroed'
and whether there is any benefit to using random data during the
overwrite.

The below thread/link was responded to by a senior engineer from a well
known
disk manufacturer, and according to him - data can be recovered after
being
over-written with new data (several generations back).

Given Mr. Barila has decades of experience and plays an active role in
the design
and development of mass storage devices along with the supporting
firmware,
I'll take his word for it...

http://www.osronline.com/showThread.cfm?link=92173

Regards,

m

(P.S. - First, I was the OP in the above thread, and second, do keep in
mind
that the responder (Mr. Barila) has access to a lot of lab equipment
that very
few people do... )


Which is more likely to appear on a normal hard drive that has not
been tampered with or set up: Entire blocks of 0s, or random

malformed

data?



In the case of the OP, I get the feeling that if someone examined the

drive

they could easily draw the conclusion that the drive had been

'tampered'

with either way. Whether there were 0s or randoms on it.
It still doesn't matter which method you use. No-one is going to get

any

data from it but I just wanted to see why you said random data were

better.

I don't agree that your reason makes it 'better'.
As Ansgar pointed out, finding a credible report on data recovery from

a

zeroed(if that is a verb) drive is impossible.
You can always take the challenge if you believe otherwise:

http://16systems.com/zero/index.html


And I still don't understand why you said:



Delete it so as to be able to write over it again. Multiple write-

overs



ensure that no data may be recovered.

My lack of understanding may be because I'm not seeing what benefit you

are

trying to gain from the 'deleting'. I thought that you could overwrite
something without the need for first deleting it but perhaps you know
something that I don't.











-----Original Message-----
From: Razi Shaban [mailto:razishaban () gmail com]
Sent: Monday, October 06, 2008 11:25 PM
To: Murda Mcloud
Cc: security-basics () securityfocus com
Subject: Re: Hard Drive Forensics Question

On Mon, Oct 6, 2008 at 7:00 AM, Murda Mcloud

<murdamcloud () bigpond com>


I won't reply to the first part, as I feel that it doesn't really

need

much more elaboration.



And why do you feel that random is better?


If it is actual files that are copied, they may be recovered.
Depending on the nature of those files, opinions could be made

either

way. If it's random data, nothing can be retrieved and they are

left

with nothing to work with. If they are accusing him of wrong-doing
that he is innocent of, he should leave them with as little as
possible to work with, in my opinion.


Maybe I should have asked, "Why do you feel that random is better

than

something else eg 0's?"

I don't think it matters whether it's random or not-overwrite

something



and


it's overwritten. Which means it's unrecoverable. Some apps will


overwrite


with random numbers. Eg DBAN
If someone sees a pattern in the hard drive after I do
dd if=/dev/zero of=/dev/hdax
because it's not random they would be right. It's not random.

However,



can


they see any files I had on there before? No.



Which is more likely to appear on a normal hard drive that has not
been tampered with or set up: Entire blocks of 0s, or random

malformed

data?

--
Razi
Previous By Date Next
Previous By Thread Next

Current thread: