Quantcast

Maximum PC

It is currently Fri Oct 24, 2014 7:40 am

All times are UTC - 8 hours




Post new topic Reply to topic  [ 5 posts ] 
Author Message
 Post subject: Overwritten data: recoverable? Not if actually overwritten.
PostPosted: Mon Aug 25, 2008 3:45 pm 
Coppermine
Coppermine

Joined: Fri May 13, 2005 3:11 am
Posts: 536
This isn't a question, it's an article about the recoverability of overwritten data.

I'm writing this because there are still some people who believe that overwritten data on a hard drive can be recovered. It can't. At least, it can't by any method available to civilians. If the government has a way to do it, they're keeping it a secret. But I'd bet my house they don't.

You may have heard stories about people having overwritten data recovered. They are incorrect. Back around 1990 or so, a guy named Peter Gutmann wrote a paper about how overwritten data on RLL and MFM drives (which were pretty much obsolete by 1990) could, in theory, be recovered. Though no one has ever successfully managed to recover data using Gutmann's method, he did manage to patent and sell his own method of proprietary data erasure which was guaranteed to erase data so securely that even his recovery method couldn't recover it. A nice bit of marketing there, but the Gutmann method of erasure is in reality no better than a simple single-pass overwrite.

When "overwritten" data is recovered, it wasn't actually overwritten in the first place. However, that may be contrary to what would seem common sense.

For example, let's say I have a three-page Word document that I've saved. I open it, clear everything out of it that I had typed in before, type six pages of entirely new data, and then save it. The original file is overwritten, right? It would seem so, but I have seen cases in which the newer save goes to a different part of the drive and the original file, though I can't access it normally, is untouched and is recoverable with a data recovery sig search process.

Then there is a case of repartitioning and reformatting a drive, and re-installing Windows and applications on it. User files may be recoverable because they haven't necessarily been overwritten.

For example, say you load Windows and all your favorite apps, and that takes up exactly 8 GB on the drive. That means that the first 8 GB of the drive contains data. When you save some new files, it starts using that 9th GB. (It's not really that cut-and-dried because of fragmentation and other phenomena, but in general that's how it works.)

Next, you add 500 MB worth of personal documents, PST (email) file and database files to the drive that already has 8 GB on it, so now you have 8.5 GB of data on the drive. Then you repartition, reformat, reinstall Windows and your apps, and now the drive appears to have only 8 GB on it again. The chances are that at least some of the personal stuff you put on the drive is recoverable, because it was written out past that 8 GB which was overwritten. I'm not saying that all of that data will be recoverable, but there's a fairly good chance that at least some of it will.

FAQs:

But what about residual magnetization, or reading the edges of the data tracks?

See Gutmann's method above.

If a single pass overwrite erases data so it can't ever be recovered, then why does the Department of Defense specify a triple-pass overwrite for their erasure standard?

Because when you're dealing with top secret information that could compromise national security if it gets out, it's worth spending the extra time to overwrite the drive three times just in case someone figures out how to recover data from a single-pass overwrite, no matter how sure hard drive engineers are that a single-pass is good enough.


Top
  Profile  
 
 Post subject:
PostPosted: Fri Aug 29, 2008 8:03 am 
Klamath
Klamath
User avatar

Joined: Mon Mar 31, 2008 5:58 am
Posts: 255
cool post


Top
  Profile  
 
 Post subject:
PostPosted: Fri Aug 29, 2008 8:29 am 
Coppermine
Coppermine

Joined: Fri May 13, 2005 3:11 am
Posts: 536
pcwizmtl wrote:
cool post


Thanks!! :D

I gathered this info through working at the biggest data recovery company, and found articles online to back up what I've learned through working here.


Top
  Profile  
 
 Post subject:
PostPosted: Fri Aug 29, 2008 10:21 am 
Team Member Top 500
Team Member Top 500

Joined: Wed May 30, 2007 11:15 am
Posts: 1431
webgrunt wrote:
pcwizmtl wrote:
cool post


Thanks!! :D

I gathered this info through working at the biggest data recovery company, and found articles online to back up what I've learned through working here.


I'd heard the gutman method was based on some paper, but i never knew anything more about it, interesting read.

EDIT:

Since you worked at a data recovery co. can you tell us if there actually is a real reason why it costs so much, or is it simply a we know how and you dont type of thing.


Top
  Profile  
 
 Post subject:
PostPosted: Fri Aug 29, 2008 11:48 am 
Coppermine
Coppermine

Joined: Fri May 13, 2005 3:11 am
Posts: 536
bathtbgin wrote:
webgrunt wrote:
pcwizmtl wrote:
cool post


Thanks!! :D

I gathered this info through working at the biggest data recovery company, and found articles online to back up what I've learned through working here.


I'd heard the gutman method was based on some paper, but i never knew anything more about it, interesting read.

EDIT:

Since you worked at a data recovery co. can you tell us if there actually is a real reason why it costs so much, or is it simply a we know how and you dont type of thing.


Good question! The answer depends on the amount of work we have to do to get the data. Some cases the profit margin is very slim because a lot of hours are spent in the clean room, getting parts for defective drives, etc. I suspect some jobs are actually done at a loss, because it's better to get something for the amount of work invested than have it turn to a bag job because the customer can't meet the price.

However, in some cases, the recovery is fairly simple, and for those the bulk of the price is for the R&D and expertise.

TCIWF (The company I work for) has developed good data recovery software that, while not exactly cheap, is much cheaper than the service option, so people with hard drives that are physically OK but have file structure or other data damage can recover their data more economically.


Top
  Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC - 8 hours


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group

© 2014 Future US, Inc. All rights reserved.