Always Possible to Recover Data From Hard Drive?


Re: Always Possible to Recover Data From Hard Drive?

Post Posted: Wed Sep 19, 2018 1:53 am

- mwatmn
Maybe with Secure Erase I could wipe a bunch of drives in it and not have to worry about bandwidth.


I am not sure I understand what you mean, but the whole point of Secure Erase is that the command is internal to the device, hence normally faster than transferring 00's via the normal disk drive interface.

If you already use Parted Magic, it has internal Secure Erase provisions:
partedmagic.com/secure-erase/

About verification, probably it is a good idea to checksum the drive, and compare the MD5 or SHA1 with the theoretical one:

www.edenprime.com/tool...ulator.htm

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Always Possible to Recover Data From Hard Drive?

Post Posted: Wed Sep 19, 2018 4:40 pm

Sorry, some people ramble when they talk, I do when I type. I guess I was thinking out loud a little. Let's say I have a NetApp shelf that holds 24 drives, I can hook that to my wiping appliance and wipe them that way. The more drives the slower it goes though due to bandwidth constraints. If I did that and issued a Secure Erase command to each drive that wouldn't be an issue since it's one command going out. Hopefully I get some time to try it out.

Yes, I love the Secure Erase in Parted Magic, makes it work really easily.

I actually downloaded that zero hash calculator years ago when I was figuring out how to verify a drive properly. Pretty sure I found it through this forum. I didn't understand how it worked. I always got an error when I put anything into the first field. I did think about trying a hash vs running hexdump to verify a drive. I think the speeds were similar, I don't remember. I think that's what this program is supposed to do. Unless I'm missing something. It looks like checksum is much faster than a hash but not reliable.

Sorry, got off topic a bit, back to data recovery. Is there a possibility of data recovery from an SSD that has been either overwritten with software or secure erased? There was a white paper I can't find now about an erased SSD that when directly connected to the memory chips you could recover data still, something like that. I realize this is probably not a yes or no easy answer, but if you could point me in a direction I'll check it out.

One last question about spinning drives about recovery. If you were to get a drive that you know is completely filled with zeroes, what is that next step? Is there a next step? Is there anything possible with reallocated sectors? I've had drives pass verification with thousands of reallocated sectors and often wondered if there was data to be recovered on them.

Are reallocated sectors and the G list essentially the same thing?

Sorry I rambled again, I thank you guys for your time.  

mwatmn
Newbie
 
 
  

Re: Always Possible to Recover Data From Hard Drive?

Post Posted: Thu Sep 20, 2018 3:28 am

- mwatmn

I actually downloaded that zero hash calculator years ago when I was figuring out how to verify a drive properly. Pretty sure I found it through this forum. I didn't understand how it worked. I always got an error when I put anything into the first field. I did think about trying a hash vs running hexdump to verify a drive. I think the speeds were similar, I don't remember. I think that's what this program is supposed to do. Unless I'm missing something. It looks like checksum is much faster than a hash but not reliable.

I don't understand.

The zero hash calculator (and yes a hash is much more reliable than a checksum) works by inputting either the EXACT number of bytes or the EXACT number of sectors (and the sector size).

For hard disk verification it makes more sense to use the second field, the one for sectors, which is usually a known and easier to type (shorter) number, and the program multiplies that by the sector size.

- mwatmn


Sorry, got off topic a bit, back to data recovery. Is there a possibility of data recovery from an SSD that has been either overwritten with software or secure erased? There was a white paper I can't find now about an erased SSD that when directly connected to the memory chips you could recover data still, something like that. I realize this is probably not a yes or no easy answer, but if you could point me in a direction I'll check it out.

You are probably thinking of this paper:
www.usenix.org/event/f...rs/Wei.pdf


- mwatmn

One last question about spinning drives about recovery. If you were to get a drive that you know is completely filled with zeroes, what is that next step? Is there a next step? Is there anything possible with reallocated sectors? I've had drives pass verification with thousands of reallocated sectors and often wondered if there was data to be recovered on them.

Are reallocated sectors and the G list essentially the same thing?

No next step.

Basically yes, they are the same thing.

I believe it depends greatly, but Secure Erase should also clear reallocated sectors:
superuser.com/question...d-in-linux

jaclaz

jaclaz
Senior Member
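
The hash comparison discussed in the posts above (hash the wiped drive and compare it with the theoretical hash of the same number of zero bytes, computed from the exact sector count and sector size), as an added example that is not part of the original thread or of the calculator it mentions. The function names, the 1 MiB chunk size and the in-memory sample images are assumptions made for illustration; `native_sectors` is the drive's native maximum sector count, which the caller must supply.

```python
import hashlib
import io

CHUNK = 1 << 20  # read size: 1 MiB


def zero_hash(sectors, sector_size=512, algo="sha1"):
    """Hash of exactly sectors*sector_size zero bytes (the 'theoretical' hash)."""
    h = hashlib.new(algo)
    remaining = sectors * sector_size
    zeros = bytes(CHUNK)
    while remaining > 0:
        n = min(remaining, CHUNK)
        h.update(zeros[:n])
        remaining -= n
    return h.hexdigest()


def verify_zeroed(stream, native_sectors, sector_size=512, algo="sha1"):
    """Read stream to EOF and compare it with an all-zero device of
    native_sectors sectors. Also reports the first non-zero byte offset."""
    h = hashlib.new(algo)
    total, first_nonzero = 0, None
    while True:
        buf = stream.read(CHUNK)
        if not buf:
            break
        h.update(buf)
        if first_nonzero is None:
            stripped = buf.lstrip(b"\x00")
            if stripped:  # something other than zeros in this chunk
                first_nonzero = total + len(buf) - len(stripped)
        total += len(buf)
    return {
        "bytes_read": total,
        # False when fewer sectors were readable than the drive's native
        # maximum, e.g. because an HPA/DCO hides the tail of the disk.
        "length_ok": total == native_sectors * sector_size,
        "hash_ok": h.hexdigest() == zero_hash(native_sectors, sector_size, algo),
        "first_nonzero_offset": first_nonzero,
    }


if __name__ == "__main__":
    # Constructed sample: a 4096-sector "drive" held in memory with one stray byte.
    # For a real disk, pass open("/dev/sdX", "rb") (placeholder device name).
    image = bytearray(4096 * 512)
    image[1_500_000] = 0x41
    print(verify_zeroed(io.BytesIO(bytes(image)), native_sectors=4096))
    print(verify_zeroed(io.BytesIO(bytes(4000 * 512)), native_sectors=4096))
```

A drive that reads as all zeros but is shorter than its native size fails both `length_ok` and `hash_ok`, which is the case where a hidden area was never covered by the wipe or the verification.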
 
 
  

Re: Always Possible to Recover Data From Hard Drive?

Post Posted: Thu Sep 20, 2018 5:56 am

Thanks jaclaz,

Yes I did figure out the second field, I'm already doing that by comparing real max sectors and the result from hexdump.

Yes it was the Wei paper, so is it a reality that data can be recovered that way?

I will try and do some experimenting at work today regarding Secure Erase and the reallocated sectors.  

mwatmn
Newbie
 
 
  

Re: Always Possible to Recover Data From Hard Drive?

Post Posted: Thu Sep 20, 2018 10:51 am

- mwatmn

Yes it was the Wei paper, so is it a reality that data can be recovered that way?


Hard to say, your mileage may greatly vary.

IMHO the paper is now a bit dated, and more or less revolves around the single idea that a number of SSD manufacturers - at the time and on some models - did not implement (or did not implement correctly) the ATA Secure Erase command:

"We tested ATA commands for sanitizing an entire SSD, software techniques to do the same, and software techniques for sanitizing individual files. We find that while most implementations of the ATA commands are correct, others contain serious bugs that can, in some cases, result in all the data remaining intact on the drive."

and later they did not test the (if provided) manufacturers' tools to erase:


"In addition to the standard commands, several drive manufacturers also provide special utilities that issue non-standard erasure commands. We did not test these commands, but we expect that results would be similar to those for the ATA commands: most would work correctly but some may be buggy."



As a personal side note, the 3.2.3 paragraph about degaussing and eddy currents made at the time (and still makes today) my "common sense" tingle, hence I recommend the SH-1 degausser in cases where the non-recoverability of data is needed:

reboot.pro/topic/13601...ntry123099

The overall scope of the paper was I believe (and it had success in that) to raise the attention on the issue, but from that to actually recover actual data (not a "fingerprint") there still remains a loong way.

In any case, after 2010/2011, manufacturers (hopefully) started providing effective methods, example:
www.micron.com/~/media..._erase.pdf
and even the specifications changed/evolved (at the time of the Wei article ACS-2 were still in development and now we are at ACS-4, with ACS-5 in development), the node about this (or that) manufacturer actually implementing (and implementing properly) the command however remains.

BTW there is another version (most probably an earlier implementation) of what essentially is the same article:
cseweb.ucsd.edu/~swans...3-Safe.pdf

Cross-reading and comparing the two articles may prove of interest.

jaclaz

jaclaz
Senior Member
 
 
  

Re: Always Possible to Recover Data From Hard Drive?

Post Posted: Sat Sep 22, 2018 4:30 pm

Lots of good answers here, I just wanted to throw in my few cents.

The old bug-a-boo about multiple pass wipes and magnetic force microscopes had some minimal basis in reality back in the days when hard drives were measured in "megabytes". It's completely unrealistic today at any price.

That said there are still a few potential, albeit unlikely, concerns.

A vanilla wipe, such as dd with zeroes, may not account for DCO (Device Configuration Overlay) or HPA (Host Protected Area).

Similarly Bad Blocks on the drive may not be wiped. Of course this assumes the bad blocks can be resurrected and have useful content.

There are a few tracks outside of normal ATA access that contain the manufacturer's control and geometry structures for the drive. Custom manufacturer commands are required to get to them and they generally have very small unused areas that could hold a little bit of data if someone went to the trouble.

Finally, degaussing is not viable if you expect to reuse the drive. Degaussing will wipe the geometry structures and the drive will become useless. It's easier just to physically destroy it if that's the objective.

watcher
Member
 
 
  

Re: Always Possible to Recover Data From Hard Drive?

Post Posted: Sat Sep 22, 2018 9:56 pm

Sorry I got busy and forgot to respond on here. Thanks for watching watcher!

Awesome reply, it made me think of the original question I had before I started rambling. I verify that the drive is zeroed out and I check for HPA/DCOs, so I think I'm covered. I do remember reading about hiding data on a drive in a manufacturer-accessible-only area once. I do like to be thorough but it wouldn't be practical for me to check every drive that way, I'm sure it's not easy.

So with that, we end up selling a drive that has no HPA or DCO and is filled with zeroes. Am I safe to say that there is no way to recover data from this drive? Unless like watcher said, there are bad blocks and those bad blocks are recoverable and they hold useful information. And since he worded it that way I don't think I'm too concerned about letting drives go that have a lot of reallocated sectors.

To the forensic professionals, what do you do if you have a drive that is zeroed out with no hidden areas?  

mwatmn
Newbie
 
 
