Security Basics mailing list archives
RE: Hard Drive Forensics Question
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Thu, 9 Oct 2008 13:22:45 +1000
Hi Matt,

Thanks for the link to that forum. You may also be interested in something else that everyone seems to have taken as gospel: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

I would take Mr Barila's word on it but I would rather see him prove it and have others say yes it has been done, and here is the evidence, and here is a paper, and here are my peers (i.e. people much smarter than me) agreeing after rigorously scrutinising. In fact I'd love it if anyone did that. I'm all for pushing back the boundaries of knowledge.

I see that Mr Barila does not actually say that he has performed such a recovery. Just that it is possible on a single bit. Or that he believes it to be possible. His reasoning appears to be logical and correct. But is it possible?

> Then you can subtract that ideal value and see what the second generation previous values were. It does require specialized equipment, but it's not TLA-named governmental entity kind of equipment, just "highly motivated party" kind of equipment. I'm told there are commercial entities in Russia that do this, though I have no first-hand knowledge of that.

To recover in this way, try and calculate the probabilities of getting enough bits 'right' when doing electron tunneling microscopy (or whatever high end equipment your Russians might be using) just to recover a single 1024kb file. Now do it for a 100Gb drive. How many bits are on that drive? Sure, there may be a 'high' probability of getting one bit right, but millions of them?

Ansgar mentioned newer drives too, for a reason. Because they are more accurate at the whole 1 and 0 thing and at writing in exactly the same 'spot'. Not to mention bigger.

As for SS drives, I don't know what the thinking is.

Thanks
-----Original Message-----
From: Matt [mailto:matt-martin () tx rr com]
Sent: Wednesday, October 08, 2008 6:51 PM
To: Murda Mcloud
Subject: Re: Hard Drive Forensics Question

Hello all,

I've been lurking here for the last 6 months or so and this thread caught my eye. I'd agree about most of the comments in this thread with the exception of a few regarding data recovery after a file has been 'zeroed' and whether there is any benefit to using random data during the overwrite.

The below thread/link was responded to by a senior engineer from a well known disk manufacturer, and according to him, data can be recovered after being over-written with new data (several generations back). Given Mr. Barila has decades of experience and plays an active role in the design and development of mass storage devices along with the supporting firmware, I'll take his word for it...

http://www.osronline.com/showThread.cfm?link=92173

Regards,
m

(P.S. - First, I was the OP in the above thread, and second, do keep in mind that the responder (Mr. Barila) has access to a lot of lab equipment that very few people do...)

Murda Mcloud wrote:

> > Which is more likely to appear on a normal hard drive that has not been tampered with or set up: Entire blocks of 0s, or random malformed data?
>
> In the case of the OP, I get the feeling that if someone examined the drive they could easily draw the conclusion that the drive had been 'tampered' with either way. Whether there were 0s or randoms on it.
>
> It still doesn't matter which method you use. No-one is going to get any data from it, but I just wanted to see why you said random data were better. I don't agree that your reason makes it 'better'.
>
> As Ansgar pointed out, finding a credible report on data recovery from a zeroed (if that is a verb) drive is impossible. You can always take the challenge if you believe otherwise: http://16systems.com/zero/index.html
>
> And I still don't understand why you said:
>
> > Delete it so as to be able to write over it again. Multiple write-overs ensure that no data may be recovered.
>
> My lack of understanding may be because I'm not seeing what benefit you are trying to gain from the 'deleting'. I thought that you could overwrite something without the need for first deleting it, but perhaps you know something that I don't.
>
> -----Original Message-----
> From: Razi Shaban [mailto:razishaban () gmail com]
> Sent: Monday, October 06, 2008 11:25 PM
> To: Murda Mcloud
> Cc: security-basics () securityfocus com
> Subject: Re: Hard Drive Forensics Question
>
> On Mon, Oct 6, 2008 at 7:00 AM, Murda Mcloud <murdamcloud () bigpond com> wrote:
>
> > I won't reply to the first part, as I feel that it doesn't really need much more elaboration.
> >
> > And why do you feel that random is better?
>
> If it is actual files that are copied, they may be recovered. Depending on the nature of those files, opinions could be made either way. If it's random data, nothing can be retrieved and they are left with nothing to work with. If they are accusing him of wrong-doing that he is innocent of, he should leave them with as little as possible to work with, in my opinion.
>
> > Maybe I should have asked, "Why do you feel that random is better than something else, e.g. 0's?"
> >
> > I don't think it matters whether it's random or not - overwrite something and it's overwritten. Which means it's unrecoverable. Some apps will overwrite with random numbers. E.g. DBAN.
> >
> > If someone sees a pattern in the hard drive after I do dd if=/dev/zero of=/dev/hdax because it's not random they would be right. It's not random. However, can they see any files I had on there before? No.
>
> Which is more likely to appear on a normal hard drive that has not been tampered with or set up: Entire blocks of 0s, or random malformed data?
>
> --
> Razi
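The dd overwrite argued about in the thread (zeros via /dev/zero, random via /dev/urandom, DBAN-style multiple passes), rehearsed as an added example that is not code from any message above. It runs against a file-backed image rather than a real /dev/hdaX, so it can be tried safely; the marker string "SECRET-PAYROLL-2008", the 1024 KiB image size and the temp-file path are constructed for the example. It assumes a POSIX sh with dd, grep, od, sort, tr, wc, yes and mktemp, and a readable /dev/urandom. It checks two separate things the thread keeps running together: whether the original bytes can still be found by reading the device (they cannot, with either method), and whether the result visibly looks wiped (all zeros) or looks like random data, which is Razi's "pattern" point.

```sh
#!/bin/sh
# Added example (not from the thread): overwrite a file-backed image instead of
# a real device, then check what survives and what the result looks like.
# Assumptions: POSIX sh with dd, grep, od, sort, tr, wc, yes, mktemp;
# /dev/urandom present. Marker, image size and path are made up for the demo.
set -eu

IMG="${IMG:-$(mktemp)}"         # stand-in for /dev/hdaX; never point this at a real disk
MARKER="SECRET-PAYROLL-2008"    # constructed "sensitive" content
SIZE_KB=1024                    # 1024 KiB, the file size mentioned in the thread

# Fill the image with the marker repeated, like a document sitting on disk.
make_image() {
    yes "$MARKER" | head -c $((SIZE_KB * 1024)) > "$IMG"
}

# Lines of the image that still contain the marker; 0 means it is not findable
# by reading the device, which is all a software-only examiner can do.
marker_count() {
    grep -c "$MARKER" "$IMG" || true    # grep exits 1 on zero matches; keep the count
}

# The two overwrite styles the thread argues about.
wipe_zero() {
    dd if=/dev/zero    of="$IMG" bs=1024 count="$SIZE_KB" conv=notrunc 2>/dev/null
}
wipe_random() {
    dd if=/dev/urandom of="$IMG" bs=1024 count="$SIZE_KB" conv=notrunc 2>/dev/null
}
# DBAN-style schedule: N random passes followed by a final zero pass.
wipe_multi() {
    passes=$1; i=0
    while [ "$i" -lt "$passes" ]; do wipe_random; i=$((i + 1)); done
    wipe_zero
}

# Bytes that are not 0x00; 0 means the image is entirely zeros.
nonzero_bytes() {
    tr -d '\000' < "$IMG" | wc -c | tr -d ' '
}

# Distinct byte values in the first 64 KiB: 1 for zeros, ~256 for random data,
# a dozen or two for plain text. This is the "pattern" an examiner would notice.
distinct_byte_values() {
    dd if="$IMG" bs=1024 count=64 2>/dev/null \
        | od -An -v -tu1 | tr -s ' \n' '\n' | grep -v '^$' | sort -un | wc -l | tr -d ' '
}

# Demo run: before, after zeros, after random.
make_image
printf 'before wipe:  marker lines=%s distinct=%s\n' "$(marker_count)" "$(distinct_byte_values)"
wipe_zero
printf 'after zeros:  marker lines=%s nonzero=%s distinct=%s\n' \
    "$(marker_count)" "$(nonzero_bytes)" "$(distinct_byte_values)"
make_image
wipe_random
printf 'after random: marker lines=%s nonzero=%s distinct=%s\n' \
    "$(marker_count)" "$(nonzero_bytes)" "$(distinct_byte_values)"
rm -f "$IMG"
```

Both wipes drive the marker count to zero; only the zero wipe leaves an image whose byte histogram collapses to a single value, which is what distinguishes "obviously wiped" from "looks like noise" without telling an examiner anything about the prior contents. Two practitioner caveats the example cannot show: it exercises only what the device returns through normal reads, not what a lab could get from the media itself, which is exactly the question the thread is arguing about; and on an SSD a dd over the block device does not reach cells the controller has remapped or reserved, so a whole-device sanitise there uses the drive's own secure-erase command rather than dd.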