Always Possible to Recover Data From Hard Drive?

(@mwatmn)
Posts: 6
Active Member
Topic starter
 

I work for an ITAD company that deals with a lot of hard drives and I'm in charge of wiping, and verifying the wipe, before we resell them. I have a small background in forensics; I took a few semesters of classes but had to stop when I started a family and ran out of time for school. But that background serves me well with this job. We write a single pass of zeros to the drive front to back and read the drive to make sure it is zeroed out. We'll limit this to spinning drives; SSDs are another animal lol.

So my question comes from something my boss has started telling clients. He has said that no matter what you do to a drive (shred it, wipe it once, 7-pass), someone can always recover data. Yes, this would be someone with deep pockets and unlimited time and resources, but he says data can always be recovered. Is there any truth to this? I don't picture someone grabbing a piece of a platter out of a shred bin and being able to do anything with it to get data.

I guess I don't know where to go for facts, or if there are facts. I asked an analyst from a pretty high level crime lab once what he could do with a drive that was zeroed out and he said beyond a high level government agency being able to recover something he was 99.999% sure that nothing would be recoverable.

Any insight from you guys would be awesome, I'm not afraid to read if you want to send me to any white papers or something. Some clients will only crush their drives and some insist on a 7-pass overwrite. Bottom line is that I'd like to be able to tell the client that this is how we wipe your data, and have some proof to back up the recoverability of that data.

 
Posted : 18/09/2018 1:17 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

I have looked into it and a 7+ pass wipe was for over 10 years ago when hard drives used interleave because their heads were unable to move fast enough to read more than 1/7 or above of the data for each turn.

A so-called "Gutmann wipe" is not needed. Also, some hard drives feature a built-in fast wipe feature that was spec'ed by the US military because wiping drives is so insanely slow through software like DBAN. There was also some research put into that old "read with a quantum detector" or whatever it was called, and it was shown to be not practical.

One wipe is generally sufficient. Scenarios where it would be possible to recover data from a drive would be from when someone forgot to wipe the whole drive, i.e. only a partition was wiped or the drive size was set to a smaller size.

Recovering data from a shredded drive is not possible.

Your boss should stick to management and not to technical details.

 
Posted : 18/09/2018 7:16 am
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

One thing that I do after wiping a drive is look at the drive in a hex viewer to make sure it is all 0's. This takes a few minutes at most. I have used an imager that also had a function to wipe drives. There have been a couple of times when I have looked in the hex viewer and seen there was still data on the drive even after the software claimed to have wiped the drive.

Also, when using a physical drive wiper, I have checked the drive after a wipe in a hex viewer. I have never seen where the drive wiper missed wiping data, but I always check nonetheless.

If you mention to your client that you check the drive in a hex viewer to confirm the wipe, that will help instill confidence with your client that you are being thorough.

 
Posted : 18/09/2018 12:29 pm
hectic_forensics
(@hectic_forensics)
Posts: 40
Eminent Member
 

> One thing that I do after wiping a drive is look at the drive in a hex viewer to make sure it is all 0's.

You check every sector by eye?

Why not just run a simple checksum over it? We've used a tool before which will just go through each drive sector and count up the zeros to verify. If the final output is 0, you know your drive is clean. If it has a value greater than zero, you've got data!

As ever, you should always be validating your tools and methods though, but if you're telling people you are 'checking the hex' to make sure it is zeroed, there are probably better ways than skimming through it by eye!

 
Posted : 18/09/2018 12:42 pm
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

No.

You have to ask yourself - what is data? If it's just 1s and 0s, then you're not recovering squat, you're just reading 1s and 0s from a drive. If it's a usable file, then you're approaching 0%.

I think your boss just wants to sell more expensive services. And why not? Capitalism for the win.

 
Posted : 18/09/2018 6:02 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Answer to the asked question
No.

Answer (not asked for)
To wipe a drive (single 00 pass, which is enough) you should use the internal SecureErase provided by the ATA standard (the result will be the same as writing all zeroes, but it will be faster)
https://www.lifewire.com/what-is-secure-erase-2626004
https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

jaclaz

 
Posted : 18/09/2018 7:27 pm
(@mwatmn)
Posts: 6
Active Member
Topic starter
 

Thanks for the responses guys. Yes, I believe one pass is good enough. We are only required by NAID to verify 10% of the drive to pass it, which I think is ridiculous. Luckily the owner was somehow convinced to verify 100% of every drive; I'm sure this is only because it sounds good. We do use DBAN, or just DD; most everything is done in Parted Magic. After the wipe I run Hexdump to read the drive front to back; if one bit isn't a zero it fails. I check for HPA/DCOs and compare the Real Max Sectors to what is read by Hexdump. I think I'm pretty thorough.

I kind of already knew the answer was no, that's why I'm here, just looking for stuff that I can show him so he believes it. I have to do some extra convincing sometimes. Plus I didn't think it was a good idea to tell a client that basically no matter what we do, your data is still there. Not a good pitch.

Secure Erase is something I haven't looked into too deeply outside of SSDs. I use it to wipe them; whether or not this leaves data in the chips themselves is a debate I've seen. They are zeroed out but I've read that it could be just the controller saying it's zero because it's supposed to be or something like that. That's another debate I have to have and figure out.

I've used it on some spinning drives a few times just to see how long it took. I don't remember the results. We have machines that we can hook up 10 drives to and that's how we wipe and verify in bulk. If I get some time maybe I'll load 2 machines up with the same drives and do a time test. I'm always up for faster results. Right now DBAN single pass with no verify is probably the fastest.

The lifewire article was a good read, I'll definitely do some more research on it. We are moving towards an enterprise software that we use for onsite jobs. I've been grilling their engineer for months now so I can understand what it's doing, so far it seems pretty solid. Maybe with Secure Erase I could wipe a bunch of drives in it and not have to worry about bandwidth.

 
Posted : 18/09/2018 10:49 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Maybe with Secure Erase I could wipe a bunch of drives in it and not have to worry about bandwidth.

I am not sure I understand what you mean, but the whole point of Secure Erase is that the command is internal to the device, hence normally faster than transferring 00's via the normal disk drive interface.

If you already use Parted Magic, it has internal Secure Erase provisions
https://partedmagic.com/secure-erase/

About verification, probably it is a good idea to checksum the drive, and compare the MD5 or SHA1 with the theoretical one

http://www.edenprime.com/tools/epAllZeroHashCalculator.htm

jaclaz

 
Posted : 19/09/2018 7:53 am
(@mwatmn)
Posts: 6
Active Member
Topic starter
 

Sorry, some people ramble when they talk, I do when I type. I guess I was thinking out loud a little. Let's say I have a NetApp shelf that holds 24 drives, I can hook that to my wiping appliance and wipe them that way. The more drives the slower it goes though due to bandwidth constraints. If I did that and issued a Secure Erase command to each drive that wouldn't be an issue since it's one command going out. Hopefully I get some time to try it out.

Yes, I love the Secure Erase in Parted Magic, makes it work really easily.

I actually downloaded that zero hash calculator years ago when I was figuring out how to verify a drive properly. Pretty sure I found it through this forum. I didn't understand how it worked. I always got an error when I put anything into the first field. I did think about trying a hash vs running hexdump to verify a drive. I think the speeds were similar, I don't remember. I think that's what this program is supposed to do. Unless I'm missing something. It looks like checksum is much faster than a hash but not reliable.

Sorry, got off topic a bit, back to data recovery. Is there a possibility of data recovery from an SSD that has been either overwritten with software or secure erased? There was a white paper I can't find now about an erased SSD that when directly connected to the memory chips you could recover data still, something like that. I realize this is probably not a yes or no easy answer, but if you could point me in a direction I'll check it out.

One last question about spinning drives about recovery. If you were to get a drive that you know is completely filled with zeroes, what is that next step? Is there a next step? Is there anything possible with reallocated sectors? I've had drives pass verification with thousands of reallocated sectors and often wondered if there was data to be recovered on them.

Are reallocated sectors and G list essentially the same thing?

Sorry I rambled again, I thank you guys for your time.

 
Posted : 19/09/2018 10:40 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> I actually downloaded that zero hash calculator years ago when I was figuring out how to verify a drive properly. Pretty sure I found it through this forum. I didn't understand how it worked. I always got an error when I put anything into the first field. I did think about trying a hash vs running hexdump to verify a drive. I think the speeds were similar, I don't remember. I think that's what this program is supposed to do. Unless I'm missing something. It looks like checksum is much faster than a hash but not reliable.

I don't understand.

The zero hash calculator (and yes a hash is much more reliable than a checksum) works by inputting either the EXACT number of bytes or the EXACT number of sectors (and the sector size).

For hard disk verification it makes more sense to use the second field, the one for sectors, which is usually a known and easier to type (shorter) number, and the program multiplies that by the sector size.

> Sorry, got off topic a bit, back to data recovery. Is there a possibility of data recovery from an SSD that has been either overwritten with software or secure erased? There was a white paper I can't find now about an erased SSD that when directly connected to the memory chips you could recover data still, something like that. I realize this is probably not a yes or no easy answer, but if you could point me in a direction I'll check it out.

You are probably thinking of this paper
https://www.usenix.org/event/fast11/tech/full_papers/Wei.pdf

> One last question about spinning drives about recovery. If you were to get a drive that you know is completely filled with zeroes, what is that next step? Is there a next step? Is there anything possible with reallocated sectors? I've had drives pass verification with thousands of reallocated sectors and often wondered if there was data to be recovered on them.
>
> Are reallocated sectors and G list essentially the same thing?

No next step.

Basically yes, they are the same thing.

I believe it depends greatly, but Secure Erase should also clear reallocated sectors
https://superuser.com/questions/1160878/how-do-you-securely-erase-remapped-bad-sectors-on-hdd-in-linux

jaclaz

 
Posted : 20/09/2018 9:28 am
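
The verification discussed in the posts above (read the drive front to back, compare its hash with the theoretical all-zero hash for the exact sector count, and check the size against the drive's real maximum), as an added example that is not from any poster or tool in this thread. The function names, the 4096-sector size and the sample images are constructed for illustration; on a real system `path` would be the block device and `expected_sectors` the drive's native maximum sector count.

```python
import hashlib, os, tempfile

CHUNK = 1 << 20  # read 1 MiB at a time

def zero_hash(sectors, sector_size=512, algo="sha1"):
    """Theoretical digest of sectors * sector_size zero bytes."""
    h, remaining, zeros = hashlib.new(algo), sectors * sector_size, bytes(CHUNK)
    while remaining > 0:
        n = min(remaining, CHUNK)
        h.update(zeros[:n])
        remaining -= n
    return h.hexdigest()

def verify_wipe(path, expected_sectors, sector_size=512, algo="sha1"):
    """Read path front to back. expected_sectors is the drive's native
    maximum, so a short read exposes an area hidden by an HPA/DCO."""
    h, offset, first_nonzero = hashlib.new(algo), 0, None
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
            if first_nonzero is None and chunk.count(0) != len(chunk):
                first_nonzero = offset + len(chunk) - len(chunk.lstrip(b"\x00"))
            offset += len(chunk)
    size_ok = offset == expected_sectors * sector_size
    hash_ok = h.hexdigest() == zero_hash(expected_sectors, sector_size, algo)
    return {"bytes_read": offset, "size_ok": size_ok, "hash_ok": hash_ok,
            "first_nonzero": first_nonzero, "passed": size_ok and hash_ok}

def demo():
    """Constructed sample images standing in for /dev/sdX (not real drives)."""
    sectors, results = 4096, {}  # a 2 MiB "drive"
    samples = {
        "clean": bytes(sectors * 512),
        "residue": bytes(1_500_000) + b"\x41" + bytes(sectors * 512 - 1_500_001),
        "clipped": bytes((sectors - 8) * 512),  # 8 sectors not visible to the reader
    }
    for name, data in samples.items():
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(data)
        try:
            results[name] = verify_wipe(tmp.name, sectors)
        finally:
            os.unlink(tmp.name)
    return results

if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The hash comparison alone gives the pass/fail verdict; the byte offset of the first non-zero byte and the size check say why a drive failed.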