|
This isn't a question, it's an article about the recoverability of overwritten data.
I'm writing this because there are still some people who believe that overwritten data on a hard drive can be recovered. It can't. At least, it can't by any method available to civilians. If the government has a way to do it, they're keeping it a secret. But I'd bet my house they don't.
You may have heard stories about people having overwritten data recovered. They are incorrect. Back around 1990 or so, a guy named Peter Gutmann wrote a paper about how overwritten data on RLL and MFM drives (which were pretty much obsolete by 1990) could, in theory, be recovered. Though no one has ever successfully managed to recover data using Gutmann's method, he did manage to patent and sell his own method of proprietary data erasure which was guaranteed to erase data so securely that even his recovery method couldn't recover it. A nice bit of marketing there, but the Gutmann method of erasure is in reality no better than a simple single-pass overwrite.
When "overwritten" data is recovered, it wasn't actually overwritten in the first place. However, that may be contrary to what would seem common sense.
For example, let's say I have a three-page Word document that I've saved. I open it, clear everything out of it that I had typed in before, type six pages of entirely new data, and then save it. The original file is overwritten, right? It would seem so, but I have seen cases in which the newer save goes to a different part of the drive and the original file, though I can't access it normally, is untouched and is recoverable with a data recovery sig search process.
Then there is a case of repartitioning and reformatting a drive, and re-installing Windows and applications on it. User files may be recoverable because they haven't necessarily been overwritten.
For example, say you load Windows and all your favorite apps, and that takes up exactly 8 GB on the drive. That means that the first 8 GB of the drive contains data. When you save some new files, it starts using that 9th GB. (It's not really that cut-and-dried because of fragmentation and other phenomena, but in general that's how it works.)
Next, you add 500 MB worth of personal documents, PST (email) file and database files to the drive that already has 8 GB on it, so now you have 8.5 GB of data on the drive. Then you repartition, reformat, reinstall Windows and your apps, and now the drive appears to have only 8 GB on it again. The chances are that at least some of the personal stuff you put on the drive is recoverable, because it was written out past that 8 GB which was overwritten. I'm not saying that all of that data will be recoverable, but there's a fairly good chance that at least some of it will.
FAQs:
But what about residual magnetization, or reading the edges of the data tracks?
See Gutmann's method above.
If a single pass overwrite erases data so it can't ever be recovered, then why does the Department of Defense specify a triple-pass overwrite for their erasure standard?
Because when you're dealing with top secret information that could compromise national security if it gets out, it's worth spending the extra time to overwrite the drive three times just in case someone figures out how to recover data from a single-pass overwrite, no matter how sure hard drive engineers are that a single-pass is good enough.
|
Login
Register
FAQ
Search
© 2010 Future US, Inc. All rights reserved.