±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 1 Overall: 34825
New Yesterday: 11 Visitors: 161

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Is all the "several passes" an Guttman theory a kind of hoax

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page Previous  1, 2, 3  Next 
  

Re: Is all the "several passes" an Guttman theory a kind of

Post Posted: Sun Dec 02, 2007 7:41 pm

Would be very interesting! Surely some one could make their fortune from recovering files from such a situation? Wink

If you open a pyhsical drive in a hex-editor and you see 00 from the very first byte until the last what remains to be recovered?  

Jonathan
Senior Member
 
 
  

Re: Is all the "several passes" an Guttman theory a kind of

Post Posted: Sun Dec 02, 2007 11:34 pm

- Jonathan
Would be very interesting! Surely some one could make their fortune from recovering files from such a situation? Wink

If you open a pyhsical drive in a hex-editor and you see 00 from the very first byte until the last what remains to be recovered?



Here's the thing (and Gutmann touches on this in his paper): Data stored on hard drives is not stored on discrete microscopic switches that are either "Off" or "On" (0 or 1). Rather, data is stored on magnetic particles. These particles have magnetic fields. As the read/write heads come close to a particle, they start reading the field from the side, continues reading as the head passes directly over the particle and as the head pulls away from said particle. An oscilloscope would show a signal output much like how a heartbeat appears on an EKG, viz. _/\- This is illustrated nicely by presentations available here.

If the alignment of the heads has any play or could be adjusted, then it should be possible to read "underwritten" data.  

AWTLPI
Senior Member
 
 
  

Re: Is all the "several passes" an Guttman theory a kind of

Post Posted: Mon Dec 03, 2007 5:34 am

If the alignment of the heads has any play or could be adjusted, then it should be possible to read "underwritten" data.


That's absolutely right - but as far as I know there is no way to do that with software (without looking directly on the surface of the drive) - and that's the point in that discussion....  

chris2792
Member
 
 
  

Re: Is all the "several passes" an Guttman theory a kind of

Post Posted: Mon Dec 03, 2007 11:02 am

Additionally, I want to stress the fact that Mr. Gutmann's theory does not in any point claim that ACTUAL values recovery is possible, on the contrary, it affirms how the oscilloscope and MFM techniques could be used to generate a semi-probabilistic map.

Let's analyze these two sentences (at the end of chapter two) of Mr. Gutmann's article:

When all the above factors are combined it turns out that each track contains an image of everything ever written to it, but that the contribution from each "layer" gets progressively smaller the further back it was made.

This is theoretically correct, but it bypasses the real problem, i.e. the actual precision of the "guessing work" involved in re-creating the data, the time needed for the process and provides NO evidence of a single case where an actual file was recovered.
In other words, it seems like this technique can say that a 0 wasn't always a 0, but cannot determine, if not on a probabilistic basis whether the last value before the current 0 was a 1, as it could well have been the second last value recorded in there.

Intelligence organisations have a lot of expertise in recovering these palimpsestuous images.

This one is totally and utterly apodictical, though I guess it should have won the 1996 award for "the best use of the world palimpsestuous in a public text", Rolling Eyes but I want to believe in it, the point is whether this phantomatic abilities have "leaked" outside Intelligence Agencies.


As Mr.Gutmann himself states in the "Epilogue", added to the original paper:
www.usenix.org/publica...index.html
and that can be found in the link azrael provided (thanks! Cool ):
www.cs.auckland.ac.nz/...e_del.html

Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. Conversely, with modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero.

(emphasis added by me)

So it seems like Mr. Guttmann debunked himself his theory, deeming it as a thing of the past. Wink

jaclaz  

Last edited by jaclaz on Sat Jan 31, 2009 6:15 pm; edited 1 time in total

jaclaz
Senior Member
 
 
  

Re: Is all the "several passes" an Guttman theory a kind of hoax

Post Posted: Mon Dec 03, 2007 11:46 am

I remember a case I was involved 1997/1998 where the discussion about the extent to which it may be possible to recover deleted data arose.

Dependent on the number of layers of permeable iron (such as, gamma iron oxide or barrium ferrite) laid on the platter to bed-down a magnetisable platform, the layer depth was significant. Some hdds may have 2, 3 or 4 layers etc. As far as I recall for the stability of physical data to remain was also influenced by expensive high-end hdd vis-a-vis cheap low-end hdd.

Would this still be relevant to today?  

trewmte
Senior Member
 
 
  

Re: Is all the "several passes" an Guttman theory a kind of hoax

Post Posted: Mon Dec 03, 2007 12:20 pm

- trewmte
I remember a case I was involved 1997/1998 where the discussion about the extent to which it may be possible to recover deleted data arose.

Dependent on the number of layers of permeable iron (such as, gamma iron oxide or barrium ferrite) laid on the platter to bed-down a magnetisable platform, the layer depth was significant. Some hdds may have 2, 3 or 4 layers etc. As far as I recall for the stability of physical data to remain was also influenced by expensive high-end hdd vis-a-vis cheap low-end hdd.

Would this still be relevant to today?


Don't take this the wrong way Smile , but, to put it bluntly, was it relevant at the time?

I mean, did you try (and succeeded or failed) to perform this kind of recover or were you just discussing about it's feasibility? Shocked

jaclaz  

jaclaz
Senior Member
 
 
  

Re: Is all the "several passes" an Guttman theory a kind of hoax

Post Posted: Mon Dec 03, 2007 1:03 pm

No offence is taken by your reply jaclas.

Yes it was relevant at the time. The detail of this matter is in confidence so I can't go deeply into it as it involved a well-known brand-name.

The issue of permeable iron layers is recorded in various computer books. Some reference to layering can be seen here:

www.aps.org/publicatio...fronts.cfm

I noted from one of the link articles you referred the article indicated that over-writing programs were not being recommended by some. There may be many reasons for that, apart from the programs do not work or they do not fully do what they claim to. It could be some of the research that brought those comments about may have looked at the matter I was referring.

For the purposes of your thread I was just contributing to it by discussing whether the matter is relevant today regarding why some programs are suggested to not completely wipe the drive.  

trewmte
Senior Member
 
 

Page 2 of 3
Go to page Previous  1, 2, 3  Next