Hello everybody,
I've been asked to verify if data from several different storage devices has been properly deleted. That is… my client wants to know if I can recover something after the wiping he's done. My question is… how could there be anything recoverable? Isn't wiping supposed to overwrite the whole disk, and hence, nothing will be suitable for recovery? I've tried with EnCase, and as expected only 0s were written. Does anyone know any other tool more powerful than EnCase for file recovery (especially after wiping)?
Thanks a lot
You may want to try R-Studio's recovery software. I've found that it recovers more than EnCase or FTK.
Hello everybody,
I've been asked to verify if data from several different storage devices has been properly deleted. That is… my client wants to know if I can recover something after the wiping he's done. My question is… how could there be anything recoverable? Isn't wiping supposed to overwrite the whole disk, and hence, nothing will be suitable for recovery? I've tried with EnCase, and as expected only 0s were written. Does anyone know any other tool more powerful than EnCase for file recovery (especially after wiping)?
Thanks a lot
No practical experience here, just some reading. But, after wiping, you may need to send it off to a recovery company. They will have extra sensitive equipment that can read the magnetic state (polarity, I think) of each "bit" on the disk. Then through some analysis, take an educated guess at what the bit used to be before it was wiped with a 0.
If it was only wiped once, I'd say your odds were good. More than that…well…no.
Most organizations with that capability will charge you BOTH, the arm AND the leg to do it….
If this is just a verification thing and not some mission critical data recovery then I'd just say forget it.
I think most experts would recommend you use physical destruction to ensure the data is gone. Grind it to dust, chipper shredder, incinerate, or a stress relieving, therapeutic, group activity that involves sledge hammers and safety goggles.
Skip
PS. About a tool…any "software" tool you use will be restricted by the fact it has to run on the same hardware. No matter what software tool you use you would only be capable of reading the 0's.
Hello everybody,
I've been asked to verify if data from several different storage devices has been properly deleted. That is… my client wants to know if I can recover something after the wiping he's done.
Thanks a lot
iruiper,
If the drive has been wiped securely it is unlikely that anyone will get the data back. I normally do a DOD wipe and then a final wipe using HEX00; then, by running a checksum against the drive, if the result is 0000 0000 0000 0000 then the drive is wiped correctly.
Alan
Thank you all. Your ideas have been very useful, especially that one of calculating the hash… it's quite a rapid method to discover if the whole disk is full of 0's.
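An added example, not part of any post in this thread: a direct scan that does the same job as the checksum/hash check discussed above, but also reports which sectors still hold non-zero bytes. The 512-byte sector size, the function names and the sample image are assumptions made for the illustration.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size


def scan_for_nonzero(path, sector=SECTOR, sectors_per_read=2048):
    """Scan a raw image or block device opened read-only.

    Returns (total_bytes, runs) where runs is a list of (first_lba, last_lba)
    ranges of sectors that contain at least one non-zero byte.
    An empty list means every readable byte is 0x00.
    """
    zero = bytes(sector)
    runs, lba, total = [], 0, 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(sector * sectors_per_read)
            if not buf:
                break
            total += len(buf)
            if buf.count(0) == len(buf):          # fast path: chunk is all zero
                lba += -(-len(buf) // sector)     # ceil division
                continue
            for off in range(0, len(buf), sector):
                block = buf[off:off + sector]
                if block != zero[:len(block)]:
                    if runs and runs[-1][1] == lba - 1:
                        runs[-1] = (runs[-1][0], lba)   # extend current run
                    else:
                        runs.append((lba, lba))
                lba += 1
    return total, runs


def build_sample_image(sectors=64, dirty=(10, 11, 40)):
    """Constructed test image: zero-filled, with one leftover byte in a few sectors."""
    img = bytearray(sectors * SECTOR)
    for lba in dirty:
        img[lba * SECTOR + 7] = 0x41
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(img)
    return path


if __name__ == "__main__":
    sample = build_sample_image()
    size, residue = scan_for_nonzero(sample)
    print(f"{size} bytes read, non-zero sector ranges: {residue}")
    os.remove(sample)
```

Run it against an acquired image or the raw device node behind a write blocker. It only covers sectors the drive exposes to the host, so areas hidden by HPA/DCO or remapped by the firmware are outside what this (or any hash of the readable device) can confirm.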
I attended the SANS SEC508 course in Las Vegas this month and the instructor himself said that a SINGLE PASS wipe is all it takes to make data unrecoverable. Nobody has ever recovered anything after doing this. The only reason why the DoD and other agencies mandate multiple wipes is to protect data in the event technology develops in the future that can recover data after a multi-pass wipe.
See I did learn something out there!
I attended the SANS SEC508 course in Las Vegas this month and the instructor himself said that a SINGLE PASS wipe is all it takes to make data unrecoverable.
See I did learn something out there!
I agree, there are theoretical ways of getting data back but these have never been proven in the public domain. I use DOD when wiping client PCs as an extra precaution.
Alan
I tend to disagree. A paper written in 1996 makes a solid argument that data can be recovered after single wipes. Check it out at the Cornell site.
Here is an excerpt
The recovery of at least one or two layers of overwritten data isn't too hard to perform by reading the signal from the analog head electronics with a high-quality digital sampling oscilloscope, downloading the sampled waveform to a PC, and analysing it in software to recover the previously recorded signal. What the software does is generate an "ideal" read signal and subtract it from what was actually read, leaving as the difference the remnant of the previous signal. Since the analog circuitry in a commercial hard drive is nowhere near the quality of the circuitry in the oscilloscope used to sample the signal, the ability exists to recover a lot of extra information which isn't exploited by the hard drive electronics
The last sentence is the biggy for me "Since the analog circuitry in a commercial hard drive is nowhere near the quality of the circuitry in the oscilloscope used to sample the signal, the ability exists to recover a lot of extra information which isn't exploited by the hard drive electronics"
This suggests that if you are using a standard hard drive with standard r/w heads then yes, one wipe is fine.
In the paper they discuss the methods used, if they were doing it in 1996 I feel safe in saying they can still do it now.
Skip
I attended the SANS SEC508 course in Las Vegas this month and the instructor himself said that a SINGLE PASS wipe is all it takes to make data unrecoverable. Nobody has ever recovered anything after doing this. The only reason why the DoD and other agencies mandate multiple wipes is to protect data in the event technology develops in the future that can recover data after a multi-pass wipe.
See I did learn something out there!
My background is EE and I can tell you that if it is an older drive, say around 1995 or earlier, and you did a single pass wipe of the drive, I can painstakingly recover a very large percentage of the data on the drive by using nothing more than an oscilloscope.
For modern hard drives however, I believe that it is incredibly difficult.
Modern drives are of a much higher density so it's likely they are more difficult to recover from. The reality is that for most commercial companies a DOD wipe is sufficient. But if people are really paranoid about their data then it should not be stored on the disk in the first place.
Alan