Remote wipe of Mac Airbook

9 Posts
5 Users
0 Likes
1,165 Views
(@mscotgrove)
Posts: 938
Prominent Member
Topic starter
 

I think I can answer my own question, but am not sure.

When a Mac Airbook is remotely wiped (after possible theft etc.), are files wiped or deleted?

The airbook is all SSD so I presume it has some kind of trim process that will erase any deleted sectors.

The laptop will have been turned on for several hours since the event.

My question is, 'Is there any point trying to see if old files still exist?'

This is a general user inquiry, and not an investigation so ignore any data that might be in wear leveling locations etc. I think the answer is that all the data has gone, and will not return. Am I correct?

 
Posted : 28/02/2013 9:18 pm
 lars
(@lars)
Posts: 31
Eminent Member
 

After this happened to the writer Mat Honan, he documented how professional data recovery got him most of his data back - http://www.wired.com/gadgetlab/2012/08/how-drivesavers-got-my-data-back/

Cheers,
Lars

 
Posted : 01/03/2013 1:25 am
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

If I read between the lines in that article, it looks like he was able to stop the wipe before it was done. If he had booted the computer or allowed it to keep running, the wipe would have continued. His data still existed because of the interrupted wipe process.

So, it looks like it does attempt to wipe it, but if you interrupt the process and remove the drive, you may still get data.

Why he took it to Apple to re-install the OS before sending it to data recovery, I do not understand…

 
Posted : 01/03/2013 1:41 am
(@zekituredi)
Posts: 16
Active Member
 

I have a feeling I read somewhere that trim is not enabled on all models of the MacBook Air, only the newest models.

Anyway, is it not best to always check, just in case?

 
Posted : 01/03/2013 2:53 am
(@mscotgrove)
Posts: 938
Prominent Member
Topic starter
 

Bulldawg - on an Airbook, I think the 'disk drive' is soldered in.

 
Posted : 01/03/2013 4:32 am
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

You're thinking of recent MacBook Pro Retina models. Those have the SSD soldered on the board. Even the most recent MacBook Air models have a removable SSD module which can be seen here
http://www.ifixit.com/Guide/Installing+MacBook+Air+11-Inch+Mid+2012+Solid-State+Drive/12351/1

They use proprietary connectors and adapters are difficult or impossible to find, so it's best to use alternative methods to image them rather than cracking the case open, but the drive can be removed.

 
Posted : 01/03/2013 5:43 am
(@trewmte)
Posts: 1877
Noble Member
 

Michael,
Not sure if this helps; and you may have already been down this path.

Do you know if the locate my device found the device and that the "remote wipe" command actually reached the mac airbook?

I am thinking along the lines

(a) 'what if' the mac airbook gives an outward appearance of being wiped

or, alternatively,

(b) I know for a fact that remote wipe was used but a copy / back up may remain in the environment

- Enterprise
- iCloud

I know (a) vaguely seeks to address your original question and (b) doesn't deal with your original question, but sometimes these questions, I find, have a habit of providing clues or answers that hadn't yet been considered.

 
Posted : 01/03/2013 6:58 am
(@mscotgrove)
Posts: 938
Prominent Member
Topic starter
 

An update.

I did examine the customer laptop and found data. The following link is a brief report

http://www.cnwrecovery.com/html/remote_wipe.html

What I found is very similar to the report (press release) that was posted earlier. The big difference is that I have no clean rooms to help make Linux disk images. If you had to buy a licence for carving software, you might still have $1600 in your pocket.

The big similarity is that both drives (250GB) had the same 64GB erased, and the rest was OK.

It looks as if the remote wiping is not very secure and should not be relied on. Does anyone else have experience to confirm my results?

 
Posted : 14/03/2013 9:05 pm
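
An added example, not written by any poster in this thread: one way to check how much of a raw image a wipe actually covered is to map which regions are blank fill and which still hold data. It assumes erased areas read back as uniform 0x00 or 0xFF (the thread does not say what the erased 64GB looked like); the function names and the sample bytes are constructed for illustration.

```python
import io

CHUNK = 1024 * 1024  # 1 MiB granularity (assumption; adjust to the image size)

def is_blank(buf):
    """True if the chunk is one repeated fill byte, 0x00 or 0xFF."""
    return bool(buf) and buf[0] in (0x00, 0xFF) and buf.count(buf[0]) == len(buf)

def map_extents(stream, chunk=CHUNK):
    """Return [(start, end, 'blank' | 'data'), ...] covering a raw image stream."""
    extents = []
    offset = 0
    while True:
        buf = stream.read(chunk)
        if not buf:
            break
        kind = "blank" if is_blank(buf) else "data"
        end = offset + len(buf)
        if extents and extents[-1][2] == kind:
            # Same kind as the previous chunk: extend that extent.
            extents[-1] = (extents[-1][0], end, kind)
        else:
            extents.append((offset, end, kind))
        offset = end
    return extents

def summarise(extents):
    """Total bytes per kind, to compare wiped size against image size."""
    totals = {"blank": 0, "data": 0}
    for start, end, kind in extents:
        totals[kind] += end - start
    return totals

def sample_image():
    """Constructed sample: blank start, data, a blank gap, then more data."""
    c = 4096
    return io.BytesIO(b"\x00" * (16 * c) + b"JFIF" * (c // 4) * 3
                      + b"\xff" * c + b"user file" * 1000)

if __name__ == "__main__":
    # For a real case, pass open("image.dd", "rb") (a copy, not the live disk).
    extents = map_extents(sample_image(), chunk=4096)
    for start, end, kind in extents:
        print(f"{start:>10} - {end:>10}  {kind}")
    print(summarise(extents))
```

A large leading blank extent followed by data extents is the pattern described in the update above; blank chunks inside the data area can simply be unused space, so carving is still needed to confirm what is recoverable.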
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

Thanks for the update. That is very interesting. It's probable that the first 64GB contained mostly the operating system and pre-installed programs, so this process left most of the user's files exposed.

 
Posted : 14/03/2013 9:14 pm