
Is all the "several passes" and Gutmann theory a kind of hoax?

(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

Would be very interesting! Surely someone could make their fortune from recovering files from such a situation? ;)

If you open a physical drive in a hex-editor and you see 00 from the very first byte until the last, what remains to be recovered?


   
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

Would be very interesting! Surely someone could make their fortune from recovering files from such a situation? ;)

If you open a physical drive in a hex-editor and you see 00 from the very first byte until the last, what remains to be recovered?

Here's the thing (and Gutmann touches on this in his paper): data stored on hard drives is not stored on discrete microscopic switches that are either "Off" or "On" (0 or 1). Rather, data is stored on magnetic particles. These particles have magnetic fields. As the read/write heads come close to a particle, they start reading the field from the side, and continue reading as the head passes directly over the particle and as the head pulls away from said particle. An oscilloscope would show a signal output much like how a heartbeat appears on an EKG, viz. _/\- This is illustrated nicely by presentations available here.

If the alignment of the heads has any play or could be adjusted, then it should be possible to read "underwritten" data.


   
(@chris2792)
Eminent Member
Joined: 18 years ago
Posts: 33
 

If the alignment of the heads has any play or could be adjusted, then it should be possible to read "underwritten" data.

That's absolutely right - but as far as I know there is no way to do that with software (without looking directly on the surface of the drive) - and that's the point in that discussion….


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
Topic starter  

Additionally, I want to stress the fact that Mr. Gutmann's theory does not in any point claim that ACTUAL values recovery is possible, on the contrary, it affirms how the oscilloscope and MFM techniques could be used to generate a semi-probabilistic map.

Let's analyze these two sentences (at the end of chapter two) of Mr. Gutmann's article:

When all the above factors are combined it turns out that each track contains an image of everything ever written to it, but that the contribution from each "layer" gets progressively smaller the further back it was made.

This is theoretically correct, but it bypasses the real problem, i.e. the actual precision of the "guessing work" involved in re-creating the data, the time needed for the process and provides NO evidence of a single case where an actual file was recovered.
In other words, it seems like this technique can say that a 0 wasn't always a 0, but cannot determine, if not on a probabilistic basis whether the last value before the current 0 was a 1, as it could well have been the second last value recorded in there.

Intelligence organisations have a lot of expertise in recovering these palimpsestuous images.

This one is totally and utterly apodictical, though I guess it should have won the 1996 award for "the best use of the word palimpsestuous in a public text" :roll:, but I want to believe in it; the point is whether these phantomatic abilities have "leaked" outside Intelligence Agencies.

As Mr. Gutmann himself states in the "Epilogue", added to the original paper
http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/index.html
and that can be found in the link azrael provided (thanks! 8) )
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. Conversely, with modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero.

(emphasis added by me)

So it seems like Mr. Gutmann debunked his theory himself, deeming it a thing of the past. ;)

jaclaz


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

I remember a case I was involved in, in 1997/1998, where the discussion about the extent to which it may be possible to recover deleted data arose.

Dependent on the number of layers of permeable iron (such as gamma iron oxide or barium ferrite) laid on the platter to bed-down a magnetisable platform, the layer depth was significant. Some hdds may have 2, 3 or 4 layers etc. As far as I recall, the stability of the physical data remaining was also influenced by expensive high-end hdd vis-a-vis cheap low-end hdd.

Would this still be relevant to today?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
Topic starter  

I remember a case I was involved in, in 1997/1998, where the discussion about the extent to which it may be possible to recover deleted data arose.

Dependent on the number of layers of permeable iron (such as gamma iron oxide or barium ferrite) laid on the platter to bed-down a magnetisable platform, the layer depth was significant. Some hdds may have 2, 3 or 4 layers etc. As far as I recall, the stability of the physical data remaining was also influenced by expensive high-end hdd vis-a-vis cheap low-end hdd.

Would this still be relevant to today?

Don't take this the wrong way :) , but, to put it bluntly, was it relevant at the time?

I mean, did you try (and succeed or fail) to perform this kind of recovery, or were you just discussing its feasibility? 😯

jaclaz


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

No offence is taken by your reply, jaclaz.

Yes it was relevant at the time. The detail of this matter is in confidence so I can't go deeply into it as it involved a well-known brand-name.

The issue of permeable iron layers is recorded in various computer books. Some reference to layering can be seen here:

http://www.aps.org/publications/apsnews/200103/forefronts.cfm

I noted that one of the linked articles you referred to indicated that over-writing programs were not being recommended by some. There may be many reasons for that, apart from the programs not working or not fully doing what they claim to. It could be that some of the research that brought those comments about may have looked at the matter I was referring to.

For the purposes of your thread I was just contributing to it by discussing whether the matter is relevant today regarding why some programs are suggested to not completely wipe the drive.


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

This is a post I made to a newsgroup in 2001 re a project I had been working on (off and on) from 1994 to about 1998.

The project was shelved due to budgetary constraints but we (I) did recover data from a 650MB drive (big in those days). With more modern drives where servos mean that there is no slack in the system as they are self tracking and the areal density is such that magnetic domains are packed so tightly I think that these techniques really don't stand up. And with even more latterly perpendicular recording it's all a little bit of pie in the sky.

If I were to securely delete some of my own personal data - one pass with zeroes would have me sleeping soundly.

Oh - and absolutely no way can any of this be done with a purely software approach - you need to take the platters out of the drive (or spin them in situ but use your own read write head).

Sorry have not got time for a more in depth answer :(

Cheers

(please excuse formatting)

Essentially the system worked like this:

Individual platters were removed from a drive and mounted on a spindle. The
spindle (sitting on air bearings) was spun at a constant rate (not
necessarily the original speed) and this accurately maintained using
feedback via a phased locked loop. Read heads from a non-specific drive were
lowered into 'contact' with the platter via armatures allowing the head to
be moved across the surface of the disk as would the original head. The
output from the read head was fed into the front end of a disk controller
board, this effectively amplified and shaped the output. This was then
decoded.

OK that's the basic theory of this technique. Here come the problems:

1. You have to work out the data rate of the domains passing under the head.
This varies as the head moves across the platter as the data is zoned i.e.
you can fit more sectors onto the longer outer track than you can on the
shorter inner tracks.

2. The magnetic domains do not relate directly to a one or a zero. By this I
mean a magnetic north is not a one and a south a zero. The encoding method
complicates this by a) interlacing clock data between each bit and b) using
a flux reversal to indicate a 1 and a lack of a flux reversal to indicate a
0.

3. The encoding scheme used for the data, is it MFM (not likely nowadays) or
RLL, if RLL what variant.

4. To get certified good data out you need to use the correct CRC/ECC
algorithm however modern chipsets are very flexible and let you a) supply
your own polynomial for the CRC/ECC and specify what to preload the
registers with. For floppies this is obviously standardised (preload =
FFFF's and 16 bit polynomial = X^16+X^12+X^5+1 - I think, it's been a long
time) otherwise you would not be able to share floppies between computers.
For a hard disk this does not apply as the media is part of the drive. Also
over what 'data' is the CRC generated is it just the data, the data and the
data mark bytes or part of the data mark. Finally there are two CRC/ECCs for
any sector, one for the address mark and address and one for the data mark
and data, and how big is the CRC - normally 16 bits for the address mark but
it used to be 56 bits or more for the data.

5. Due to the tolerances of the platter centre hole and minute sizes of
individual tracks, you have a problem with centering, i.e. if the point of
rotation of the mounted platter isn't exactly the same as the original then
if the head is kept still and the platter rotated under it the head will
cross a number of tracks for each rotation. In practice we saw about 5
tracks passing under the head but this was for 1GB drives - density has
increased since then. The solution was to oscillate the heads and 'track
follow' but to do this you need to know where the tracks are, which
obviously means that you need to be able to read the address mark. A bit
chicken and egg but it could be done.

So, yes you can read the side of the track. If an older drive has gone
slightly out of alignment it is possible to read down the side of the track
to see what was there before. As the CRC/ECC is written with the data then a
good read can be verified. The process is to read a sector as it is now and
then try to read the side of the known sector to see if you can get data
that is different. Of course once you have got it you need to make sense of
it - you almost certainly won't recover a complete drive in this way.

Of course this technique is even more useful where a user has attempted to
trash a drive physically rather than overwriting the data.

Modern drives, however, use servo tracks/platters so they always know where
they are and therefore 'track drift' is less likely to occur - Gone are the
days of stepper motors where a 'defective' drive could be made to read by
standing on its side and letting gravity help.

Also the latest encoding techniques use Partial Read Maximum Likelihood
(PRML) technology that effectively works by determining 'how likely is this
magnetic anomaly going to be a 1'.

The upshot of this bit of my history is that all of the above problems still
stand when it comes to looking at the data using Microscopy. $10K may get
you some of the hardware but then you need a monster development budget.

Sorry this is a bit rambling (and maybe well out of date) but I hope it's
food for thought.

Paul
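
Points 2 and 4 of the post above, worked through as an added example in Python (not part of the original post or of the project it describes): a sector field is protected with the CRC the post quotes for floppies (preload FFFF, polynomial X^16+X^12+X^5+1), MFM-encoded into flux cells, decoded again, and checked. The MFM clock rule used here (a clock reversal only between two 0 data bits) is the standard one and is an assumption, since the post does not spell it out; the payload is constructed, and the sync marks real controllers use are left out.

```python
POLY = 0x1021      # x^16 + x^12 + x^5 + 1, as quoted in the post
PRELOAD = 0xFFFF   # register preload quoted in the post


def crc16(data, crc=PRELOAD):
    """Bitwise CRC-16, MSB first, no reflection, no final XOR."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def mfm_encode(data):
    """Return flux cells (1 = flux reversal). Two cells per data bit:
    a clock cell followed by the data cell."""
    cells, prev = [], 0
    for byte in data:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            clock = 1 if (prev == 0 and bit == 0) else 0  # assumed MFM rule
            cells += [clock, bit]
            prev = bit
    return cells


def mfm_decode(cells):
    """Drop the clock cells (even positions) and repack the data cells."""
    bits = cells[1::2]
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def sector_ok(field):
    """A field followed by its own CRC leaves the register at zero."""
    return crc16(field) == 0


def demo():
    payload = b"constructed sector payload"   # constructed sample data
    field = payload + crc16(payload).to_bytes(2, "big")
    cells = mfm_encode(field)
    clean = mfm_decode(cells)
    cells[41] ^= 1                            # misread one data cell
    damaged = mfm_decode(cells)
    return sector_ok(clean), sector_ok(damaged)
```

The single misread cell is what a marginal off-track read looks like to the decoder: the bytes still come out, and only the CRC shows that they are not a verified sector.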


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
Topic starter  

Another indirect proof that the Myth is a Myth:
http://16systems.com/zero/index.html

Q. What is this?

A. A challenge to confirm whether or not a professional, established data recovery firm can recover data from a hard drive that has been overwritten with zeros once. We used the 32 year-old Unix dd command using /dev/zero as input to overwrite the drive. Three data recovery companies were contacted. All three are listed on this page. Two companies declined to review the drive immediately upon hearing the phrase 'dd', the third declined to review the drive after we spoke to second level phone support and they asked if the dd command had actually completed (good question). Here is their response… paraphrased from a phone conversation:

"According to our Unix team, there is less than a zero percent chance of data recovery after that dd command. The drive itself has been overwritten in a very fundamental manner. However, if for legal reasons you need to demonstrate that an effort is being made to recover some or all of the data, go ahead and send it in and we'll certainly make an effort, but again, from what you've told us, our engineers are certain that we cannot recover data from the drive. We'll email you a quote."

Q. Why are you doing this?

A. Because many people believe that in order to permanently delete data from a modern hard drive that multiple overwrites with random data, mechanical grinding, degaussing and incinerating must be used. They tell others this. Like chaos, it perpetuates itself until everyone believes it. Lots of good, usable hard drives are ruined in the process.

:)

jaclaz
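
The question raised in the challenge quoted above, whether the dd command had actually completed, can be answered by reading the whole drive back. The following is an added example in Python (not from the original post or from the 16systems page) that reports the first non-zero byte, if any; the function names and the two image files are constructed for the demonstration.

```python
import os

CHUNK = 1 << 20  # 1 MiB reads


def device_size(path):
    """Size in bytes; seeking to the end also works for block devices."""
    with open(path, "rb") as dev:
        return dev.seek(0, os.SEEK_END)


def first_nonzero_offset(path, chunk=CHUNK):
    """Return (offset, scanned): offset of the first non-zero byte, or None."""
    scanned = 0
    with open(path, "rb") as dev:
        while True:
            block = dev.read(chunk)
            if not block:
                return None, scanned
            zero_run = len(block) - len(block.lstrip(b"\x00"))
            if zero_run != len(block):
                return scanned + zero_run, scanned + zero_run
            scanned += len(block)


def verify_zero_wipe(path):
    """'OK' only if every byte up to the reported size read back as 0x00."""
    size = device_size(path)
    offset, scanned = first_nonzero_offset(path)
    if offset is not None:
        return "FAIL: non-zero byte at offset %d of %d" % (offset, size)
    if scanned != size:
        return "FAIL: read stopped at %d of %d bytes" % (scanned, size)
    return "OK: %d bytes, all zero" % size


def demo(tmpdir):
    """Constructed images: a finished wipe and one interrupted at 2.5 MiB."""
    done = os.path.join(tmpdir, "done.img")
    partial = os.path.join(tmpdir, "partial.img")
    with open(done, "wb") as f:
        f.write(bytes(3 * CHUNK))
    with open(partial, "wb") as f:
        f.write(bytes(2 * CHUNK + CHUNK // 2) + b"\xe5" * (CHUNK // 2))
    return verify_zero_wipe(done), verify_zero_wipe(partial)
```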


   