Always Possible to Recover Data From Hard Drive?  

Page 1 / 2
mwatmn
(@mwatmn)
New Member

I work for an ITAD company that deals with a lot of hard drives and I'm in charge of wiping, and verifying the wipe, before we resell them. I have a small background in Forensics, I took a few semesters of classes but had to stop when I started a family and ran out of time for school. But that background serves me well with this job. We write a single pass of zeros to the drive front to back and read the drive to make sure it is zeroed out. We'll limit this to spinning drives, SSDs are another animal lol.

So my question comes from something my boss has started telling clients. He has said that no matter what you do to a drive, shred it, wipe it once, 7-pass, someone can always recover data. Yes this would be deep pockets and unlimited time and resources someone, but he says data can always be recovered, is there any truth to this? I don't picture someone grabbing a piece of a platter out of a shred bin and being able to do anything with it to get data.

I guess I don't know where to go for facts, or if there are facts. I asked an analyst from a pretty high level crime lab once what he could do with a drive that was zeroed out and he said beyond a high level government agency being able to recover something he was 99.999% sure that nothing would be recoverable.

Any insight from you guys would be awesome, I'm not afraid to read if you want to send me to any white papers or something. Some clients will only crush their drives and some insist on a 7-pass overwrite. Bottom line is that I'd like to be able to tell the client that this is how we wipe your data, and have some proof to back up the recoverability of that data.

Posted : 18/09/2018 2:17 am
MDCR
(@mdcr)
Active Member

I have looked into it and a 7+ pass wipe was for over 10 years ago when hard drives used interleave because their heads were unable to move fast enough to read more than 1/7 or above of the data for each turn.

A so-called "Gutmann wipe" is not needed. Also some hard drives feature a built-in fast wipe feature that was spec'ed by the US military because wiping drives is so insanely slow through software like DBAN. There was also some research put into that old "read with a quantum detector" or whatever it was called, and it was shown to be not practical.

One wipe is generally sufficient. Scenarios where it would be possible to recover data from a drive would be from when someone forgot to wipe the whole drive, i.e. only a partition was wiped or the drive size was set to a smaller size.

Recovering data from a shredded drive is not possible.

Your boss should stick to management and not to technical details.

Posted : 18/09/2018 8:16 am
kastajamah
(@kastajamah)
Member

One thing that I do after wiping a drive is look at the drive in a hex viewer to make sure it is all 0's. This takes a few minutes at most. I have used an imager that also had a function to wipe drives. There have been a couple of times when I have looked in the hex viewer and seen there was still data on the drive even after the software claimed to have wiped the drive.

Also, when using a physical drive wiper, I have checked the drive after a wipe in a hex viewer. I have never seen where the drive wiper missed wiping data, but I always check nonetheless.

If you mention to your client that you check the drive in a hex viewer to confirm the wipe, that will help instill confidence with your client that you are being thorough.

Posted : 18/09/2018 1:29 pm
hectic_forensics
(@hectic_forensics)
Junior Member

> One thing that I do after wiping a drive is look at the drive in a hex viewer to make sure it is all 0's.

You check every sector by eye?

Why not just run a simple checksum over it? We've used a tool before which will just go through each drive sector and count up the zeros to verify. If the final output is 0, you know your drive is clean. If it has a value greater than zero, you've got data!

As ever, you should always be validating your tools and methods though, but if you're telling people you are 'checking the hex' to make sure it is zeroed, there are probably better ways than skimming through it by eye!

Posted : 18/09/2018 1:42 pm
pbobby
(@pbobby)
Active Member

No.

You have to ask yourself - what is data? If it's just 1s and 0s, then you're not recovering squat, you're just reading 1s and 0s from a drive. If it's a usable file, then you're approaching 0%.

I think your boss just wants to sell more expensive services. And why not? Capitalism for the win.

Posted : 18/09/2018 7:02 pm
jaclaz
(@jaclaz)
Community Legend

Answer to the asked question
No.

Answer (not asked for)
To wipe a drive (single 00 pass, which is enough) you should use the internal SecureErase provided by the ATA standard (the result will be the same as writing all zeroes, but it will be faster)
https://www.lifewire.com/what-is-secure-erase-2626004
https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

jaclaz

Posted : 18/09/2018 8:27 pm
mwatmn
(@mwatmn)
New Member

Thanks for the responses guys. Yes, I believe one pass is good enough. We are only required by NAID to verify 10% of the drive to pass it, which I think is ridiculous. Luckily the owner was somehow convinced to verify 100% of every drive, I'm sure this is only because it sounds good. We do use DBAN, or just DD, most everything is done in Parted Magic. After the wipe I run Hexdump to read the drive front to back, if one bit isn't a zero it fails. I check for HPA/DCO's and compare the Real Max Sectors to what is read by Hexdump. I think I'm pretty thorough.

I kind of already knew the answer was no, that's why I'm here, just looking for stuff that I can show him so he believes it. I have to do some extra convincing sometimes. Plus I didn't think it was a good idea to tell a client that basically no matter what we do, your data is still there. Not a good pitch.

Secure Erase is something I haven't looked into too deeply outside of SSDs. I use it to wipe them, whether or not this leaves data in the chips themselves is a debate I've seen. They are zeroed out but I've read that it could be just the controller saying it's zero because it's supposed to be or something like that. That's another debate I have to have and figure out.

I've used it on some spinning drives a few times just to see how long it took. I don't remember the results. We have machines that we can hook up 10 drives to and that's how we wipe and verify in bulk. If I get some time maybe I'll load 2 machines up with the same drives and do a time test. I'm always up for faster results. Right now DBAN single pass with no verify is probably the fastest.

The lifewire article was a good read, I'll definitely do some more research on it. We are moving towards an enterprise software that we use for onsite jobs. I've been grilling their engineer for months now so I can understand what it's doing, so far it seems pretty solid. Maybe with Secure Erase I could wipe a bunch of drives in it and not have to worry about bandwidth.

Posted : 18/09/2018 11:49 pm
jaclaz
(@jaclaz)
Community Legend

> Maybe with Secure Erase I could wipe a bunch of drives in it and not have to worry about bandwidth.

I am not sure I understand what you mean, but the whole point of Secure Erase is that the command is internal to the device, hence normally faster than transferring 00's via the normal disk drive interface.

If you already use Parted Magic, it has internal Secure Erase provisions
https://partedmagic.com/secure-erase/

About verification, probably it is a good idea to checksum the drive, and compare the MD5 or SHA1 with the theoretical one

http://www.edenprime.com/tools/epAllZeroHashCalculator.htm

jaclaz

Posted : 19/09/2018 8:53 am
mwatmn
(@mwatmn)
New Member

Sorry, some people ramble when they talk, I do when I type. I guess I was thinking out loud a little. Let's say I have a NetApp shelf that holds 24 drives, I can hook that to my wiping appliance and wipe them that way. The more drives the slower it goes though due to bandwidth constraints. If I did that and issued a Secure Erase command to each drive that wouldn't be an issue since it's one command going out. Hopefully I get some time to try it out.

Yes, I love the Secure Erase in Parted Magic, makes it work really easily.

I actually downloaded that zero hash calculator years ago when I was figuring out how to verify a drive properly. Pretty sure I found it through this forum. I didn't understand how it worked. I always got an error when I put anything into the first field. I did think about trying a hash vs running hexdump to verify a drive. I think the speeds were similar, I don't remember. I think that's what this program is supposed to do. Unless I'm missing something. It looks like checksum is much faster than a hash but not reliable.

Sorry, got off topic a bit, back to data recovery. Is there a possibility of data recovery from an SSD that has been either overwritten with software or secure erased? There was a white paper I can't find now about an erased SSD that when directly connected to the memory chips you could recover data still, something like that. I realize this is probably not a yes or no easy answer, but if you could point me in a direction I'll check it out.

One last question about spinning drives about recovery. If you were to get a drive that you know is completely filled with zeroes, what is that next step? Is there a next step? Is there anything possible with reallocated sectors? I've had drives pass verification with thousands of reallocated sectors and often wondered if there was data to be recovered on them.

Are reallocated sectors and G list essentially the same thing?

Sorry I rambled again, I thank you guys for your time.

Posted : 19/09/2018 11:40 pm
jaclaz
(@jaclaz)
Community Legend

> I actually downloaded that zero hash calculator years ago when I was figuring out how to verify a drive properly. Pretty sure I found it through this forum. I didn't understand how it worked. I always got an error when I put anything into the first field. I did think about trying a hash vs running hexdump to verify a drive. I think the speeds were similar, I don't remember. I think that's what this program is supposed to do. Unless I'm missing something. It looks like checksum is much faster than a hash but not reliable.

I don't understand.

The zero hash calculator (and yes a hash is much more reliable than a checksum) works by inputting either the EXACT number of bytes or the EXACT number of sectors (and the sector size).

For hard disk verification it makes more sense to use the second field, the one for sectors, which is usually a known and easier to type (shorter) number, and the program multiplies that for sector size.

> Sorry, got off topic a bit, back to data recovery. Is there a possibility of data recovery from an SSD that has been either overwritten with software or secure erased? There was a white paper I can't find now about an erased SSD that when directly connected to the memory chips you could recover data still, something like that. I realize this is probably not a yes or no easy answer, but if you could point me in a direction I'll check it out.

You are probably thinking of this paper
https://www.usenix.org/event/fast11/tech/full_papers/Wei.pdf

> One last question about spinning drives about recovery. If you were to get a drive that you know is completely filled with zeroes, what is that next step? Is there a next step? Is there anything possible with reallocated sectors? I've had drives pass verification with thousands of reallocated sectors and often wondered if there was data to be recovered on them.
>
> Are reallocated sectors and G list essentially the same thing?

No next step.

Basically yes, they are the same thing.

I believe it depends greatly, but Secure Erase should also clear reallocated sectors
https://superuser.com/questions/1160878/how-do-you-securely-erase-remapped-bad-sectors-on-hdd-in-linux

jaclaz

Posted : 20/09/2018 10:28 am
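
The verification discussed in the posts above (hectic_forensics' scan for anything that is not zero, and jaclaz's comparison of the drive hash with the theoretical hash for the EXACT sector count) can be combined in one read pass. This is an added example, not part of the original thread; the names `expected_zero_hash` and `verify_wipe` are hypothetical and the drive images are constructed in memory.

```python
import hashlib
import io

CHUNK = 1024 * 1024  # read size in bytes

def expected_zero_hash(sectors, sector_size=512, algo="sha1"):
    """Hash of exactly sectors * sector_size zero bytes (the 'theoretical' value)."""
    h = hashlib.new(algo)
    remaining = sectors * sector_size
    zeros = bytes(CHUNK)
    while remaining > 0:
        n = min(remaining, CHUNK)
        h.update(zeros[:n])
        remaining -= n
    return h.hexdigest()

def verify_wipe(stream, sectors, sector_size=512, algo="sha1"):
    """Read stream to EOF and compare it with an all-zero drive of `sectors` sectors."""
    h = hashlib.new(algo)
    total = 0
    first_bad = None
    while True:
        buf = stream.read(CHUNK)
        if not buf:
            break
        h.update(buf)
        if first_bad is None:
            rest = buf.lstrip(b"\x00")
            if rest:  # this chunk holds something other than 0x00
                first_bad = (total + len(buf) - len(rest)) // sector_size
        total += len(buf)
    # A short read (e.g. a clipped drive size) fails both the size and the hash check.
    size_ok = total == sectors * sector_size
    hash_ok = h.hexdigest() == expected_zero_hash(sectors, sector_size, algo)
    return {
        "bytes_read": total,
        "size_ok": size_ok,
        "hash_ok": hash_ok,
        "first_nonzero_sector": first_bad,
        "passed": size_ok and hash_ok and first_bad is None,
    }

if __name__ == "__main__":
    SECTORS = 4096  # constructed: stand-in for the drive's real max sector count
    wiped = bytes(SECTORS * 512)
    missed = bytearray(wiped)
    missed[3000 * 512 + 7] = 0x41          # one leftover byte in sector 3000
    clipped = bytes((SECTORS // 2) * 512)  # only half the sectors were readable
    for name, image in (("wiped", wiped), ("missed", bytes(missed)), ("clipped", clipped)):
        print(name, verify_wipe(io.BytesIO(image), SECTORS))
```

For a real drive, pass the block device opened in binary read mode as `stream` and the real max sector count as `sectors`, so a drive that reads back shorter than its native size fails even when every byte read is zero.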
mwatmn
(@mwatmn)
New Member

Thanks jaclaz,

Yes I did figure out the second field, I'm already doing that by comparing real max sectors and the result from hexdump.

Yes it was the Wei paper, so is it a reality that data can be recovered that way?

I will try and do some experimenting at work today regarding Secure Erase and the reallocated sectors.

Posted : 20/09/2018 12:56 pm
jaclaz
(@jaclaz)
Community Legend

> Yes it was the Wei paper, so is it a reality that data can be recovered that way?

Hard to say, your mileage may greatly vary.

IMHO the paper is now a bit dated, and more or less revolves around the single idea that a number of SSD manufacturers - at the time and on some models - did not implement (or did not implement correctly) the ATA Secure Erase command

> We tested ATA commands for sanitizing an entire SSD, software techniques to do the same, and software techniques for sanitizing individual files. We find that while most implementations of the ATA commands are correct, others contain serious bugs that can, in some cases, result in all the data remaining intact on the drive.

and later they did not test the (if provided) manufacturers' tools to erase

> In addition to the standard commands, several drive manufacturers also provide special utilities that issue non-standard erasure commands. We did not test these commands, but we expect that results would be similar to those for the ATA commands - most would work correctly but some may be buggy.

As a personal side note, the 3.2.3 paragraph about degaussing and eddy currents made at the time (and still makes today) my "common sense" tingle, hence I recommend the SH-1 degausser in cases where the non-recoverability of data is needed

http://reboot.pro/topic/13601-software-to-wipe-a-systemdrive-from-windows/page-7#entry123099

The overall scope of the paper was I believe (and it had success in that) to raise the attention on the issue, but from that to actually recover actual data (not a "fingerprint") there still remains a loong way.

In any case, after 2010/2011, manufacturers (hopefully) started providing effective methods, example
https://www.micron.com/~/media/documents/products/technical-marketing-brief/brief_ssd_secure_erase.pdf
and even the specifications changed/evolved (at the time of the Wei article ACS-2 were still in development and now we are at ACS-4, with ACS-5 in development), the node about this (or that) manufacturer actually implementing (and implementing properly) the command however remains.

BTW there is another version (most probably an earlier implementation) of what essentially is the same article
https://cseweb.ucsd.edu/~swanson/papers/TR-cs2011-0963-Safe.pdf

Cross-reading and comparing the two articles may prove of interest.

jaclaz

Posted : 20/09/2018 5:51 pm
watcher
(@watcher)
Active Member

Lots of good answers here, I just wanted to throw in my few cents.

The old bug-a-boo about multiple pass wipes and magnetic force microscopes had some minimal basis in reality back in the days when hard drives were measured in "megabytes". It's completely unrealistic today at any price.

That said there are still a few potential, albeit unlikely, concerns.

A vanilla wipe, such as dd with zeroes, may not account for DCO (Device Configuration Overlay) or HPA (Host Protected Area).

Similarly Bad Blocks on the drive may not be wiped. Of course this assumes the bad blocks can be resurrected and have useful content.

There are a few tracks outside of normal ATA access that contain the manufacturer's control and geometry structures for the drive. Custom manufacturer commands are required to get to them and they generally have very small unused areas that could hold a little bit of data if someone went to the trouble.

Finally, degaussing is not viable if you expect to reuse the drive. Degaussing will wipe the geometry structures and the drive will become useless. It's easier just to physically destroy it if that's the objective.

Posted : 22/09/2018 11:30 pm
mwatmn
(@mwatmn)
New Member

Sorry I got busy and forgot to respond on here. Thanks for watching watcher!

Awesome reply, it made me think of the original question I had before I started rambling. I verify that the drive is zeroed out and I check for HPA/DCO's, so I think I'm covered. I do remember reading about hiding data in a manufacturer-accessible-only area of a drive once. I do like to be thorough but it wouldn't be practical for me to check every drive that way, I'm sure it's not easy.

So with that, we end up selling a drive that has no HPA or DCO and is filled with zeroes. Am I safe to say that there is no way to recover data from this drive? Unless like watcher said, there are bad blocks and those bad blocks are recoverable and they hold useful information. And since he worded it that way I don't think I'm too concerned about letting drives go that have a lot of reallocated sectors.

To the forensic professionals, what do you do if you have a drive that is zeroed out with no hidden areas?

Posted : 23/09/2018 4:56 am
MDCR
(@mdcr)
Active Member

Statistically, those mapped out bad parts would most likely contain program files or nothing - and not user data. User data is a relatively small part of the drive, and larger formats such as movies require a constant stream of data to be readable.

For example in MPEG you have an initial frame, progressive, progressive, bidirectional, progressive (and on). Without the initial frame, all you get is unintelligible junk that cannot be read by any software.

The drive just slowly shrinks in size as faults are detected. The parts that are mapped out as bad are not readable by normal data recovery software either, you have to do some pretty deep dives with specialist tools to be able to get it - and even then assuming the part is readable and doesn't produce random crap.

And most people do not hide data in the HPA/DCO parts so I wouldn't worry about it.

Posted : 23/09/2018 6:17 am