Someone I know went through the SANS GCFA training and said that the instructor said some things that were surprising. If you don't think these are myths, or you have some more myths let's hear them.
Myth: You need to overwrite data multiple times to prevent laboratory attacks using specialized microscopes.
Fact: You can't recover overwritten data using a microscope on modern hard drives. The reason why the government still wipes data multiple times is just in case someone has or will have once again found a way to recover overwritten data. If data is overwritten even one time, it is unrecoverable.
Myth: If you collect evidence, it must have a chain of custody and failure to do so will prevent the evidence from being admitted in a US court.
Fact: Civilians don't have to maintain a chain of custody. Failing to do so does give the defense the opportunity to discredit you for not following best practices, however. So while not legally required to maintain a chain of custody, it is a good idea.
Myth: Modifying evidence such as shutting down a computer, rebooting, or even if you start to overwrite evidence during imaging means the evidence is inadmissible in a US court.
Fact: As long as you document your mistakes and can explain what happened, the evidence can still be used in court.
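The two chain-of-custody points in the post (keep a custody record, and document any mistake rather than hide it) are easier to reason about with a concrete record in hand. The following is an added example, not code from the thread or from SANS: a minimal hash-backed custody log in which every hand-off re-hashes the image, so a later reader can show the image was unchanged at each step, and a free-text note documents anything that went wrong. The record layout, the handler names and the stand-in image bytes are all constructed for the example.

```python
"""Added example: a hash-backed chain-of-custody log for a disk image.
Not from the thread; the record shape, handler names and the sample image
bytes are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole image; the value every custody entry carries."""
    return hashlib.sha256(data).hexdigest()


def record(log: list, action: str, handler: str, image: bytes,
           note: str = "", when: Optional[datetime] = None) -> dict:
    """Append one custody entry. Re-hashing the image at every hand-off is what
    lets a later reader prove it was unchanged at that step; 'note' is where a
    mistake (a reboot, an interrupted acquisition) gets documented, not hidden."""
    entry = {
        "when": (when or datetime.now(timezone.utc)).isoformat(),
        "action": action,
        "handler": handler,
        "sha256": sha256_hex(image),
        "note": note,
    }
    log.append(entry)
    return entry


def verify(log: list, image: bytes) -> list:
    """Return (index, action) for every entry whose recorded hash no longer
    matches the image as it is now; an empty list means the chain is intact."""
    current = sha256_hex(image)
    return [(i, e["action"]) for i, e in enumerate(log) if e["sha256"] != current]


def to_json(log: list) -> str:
    """Serialise the log so it can be stored beside the image and printed for court."""
    return json.dumps(log, indent=2)


if __name__ == "__main__":
    image = b"constructed stand-in for a raw disk image\n" * 8  # constructed sample
    log = []
    record(log, "acquired", "analyst-a", image, note="imaged behind a write blocker")
    record(log, "transferred", "analyst-b", image,
           note="workstation was rebooted before imaging; documented here, image hash unchanged")
    print(to_json(log))
    print("mismatches:", verify(log, image))
```

The point of `verify` is that the log is only as good as the hashes in it: if the image is touched after acquisition, every earlier entry stops matching, which is exactly the discrepancy a defense expert would look for.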
It's refreshing to see someone else stating this, as I tend to fight a bit of a losing battle whenever it comes up in conversation myself. I wouldn't have used their reason for why the government does multi-pass wipes, though. I would have said it was a nice blanket statement that covers their under-trained staff wiping drives that may harken back to the early 90s and before. Those older units actually had a chance of recovering misregistered data or suchlike, something newer drives are just too dense to allow. Ancient MFM-encoded stuff might have also allowed overwritten data recovery, even though Prof Gomez's attempts didn't seem too successful in my opinion, and he seems to be the leading expert.
Well, these guys http://www.ontrackdatarecovery.com/data-disasters-2007/?news=120407 (point no. 7) imply they can recover overwritten data!
An absolute myth, I am convinced.
Duncan
If clusters containing evidence are marked as bad by the HDD controller, they would not be wiped. Swap the controller and you'll potentially have access to data previously thought wiped….
If you used an evidence elimination style program, will it wipe the bad clusters marked as bad by the OS? I doubt it. They could contain evidence previously thought wiped….
When dealing with IIOC, one has to err on the side of caution and ensure no data can remain, hence destruction of the drive.
I guess in real terms, the questions are, could it be possible? Yes. Is it likely? No. Would I be willing to take the chance? No.
Just a note, having worked a little with this myself. Hard drive platters often have a small amount of space between the tracks that magnetic data can bleed over to. Overwriting the data only once does not guarantee that the area between the tracks gets wiped as well. So, if the hard drive is disassembled and the head is recalibrated a little from where it was, it is possible to sometimes see data that was on the drive before. Because magnetism isn't always that precise, most of the time the data is jumbled and unreadable. To say that the data is unrecoverable would not necessarily be correct, however. You just have to have a lot of patience and the right tools. This is the reason some government agencies sand down the platters of the hard drives before disposing of them.
Another note. Data recovery by this means is extremely expensive, time consuming, and requires experts. Most people won't even bother pursuing it.
Well, these guys http://www.ontrackdatarecovery.com/data-disasters-2007/?news=120407 (point no. 7) imply they can recover overwritten data!
Point number 7 says that the photographer claimed they overwrote the data. This is hardly conclusive that the data itself was actually overwritten, rather than just deleted and then other data written to the media.
Anecdotal marketing speak at best, I'd say.
I covered misregistration in my first post, and I've not seen any evidence whatsoever that it can produce meaningful amounts of data (or indeed any at all) on anything approaching modern data densities. Sure, run it on some decade-old tech if you need to, but anything made later than that is just too finely engineered for it to be a useful technique.
It's all well and good to say that it sounds reasonable, but there just isn't any evidence out there to show people have recovered overwritten data to any useful degree.
You just have to have a lot of patience and the right tools.
Could you be more specific?
Ta.
I agree that most, if any, data recovered by misregistration would be gibberish. On the other hand, to say the data is too dense, I would agree with you if you simply used the heads in most hard drives. Then again, if data is so dense, how do they make it denser every year? It's not all just compression techniques. It's also a matter of how much more sensitive and precise the heads can be made and how small we can make each 1 and 0. We know that data has been written to bacteria and recovered from that bacteria. Nano-level technologies have shown that data can be handled at levels not even imaginable before.
As for the example, I know the Air Force has research labs that remove platters from hard drives and mount them on a new spindle, then more sensitive magnetic heads can be used to look at the magnetic signatures on the platters. It takes a bit to calibrate the new heads to interpret what's between a track and what's a 1 or a 0, but it's possible. This process isn't feasible for most labs, because the technology is too expensive and way too time consuming.
Now, I agree that most or all data will probably be lost if a disk is wiped or overwritten. I just disagree with the absolute statement that no data can be recovered. I prefer the term of not feasible over not possible.
I based my misregistration statements on a whitepaper I found that talks about the precision of the spin stand tester that was used to get the data. I compared this with current data densities and the two are incompatible. Spin stand testers may have improved their accuracy, but I could find no evidence to support that so could only go with what was proven.
The whitepaper was by Prof Gomez, and outlined his superior results in using a SST over a mag. force microscope. I think it was dated around 2001, but as I said I couldn't find anything more current.
I agree that you can't say "no data can be covered", but I've always tried to say that "no useful data can be recovered". I'm sorry if I didn't write that here in my opening statement.
Having said that, I've not seen any evidence whatsoever that accurate data of even just a few bytes has been recovered from an overwrite.
I still believe misregistration is not particularly useful on modern equipment, and look forward to reading that I'm wrong should evidence be forthcoming.
Could you provide some evidence of what the Air Force is able to do with their equipment? I run into something like that said a lot, but there is never anything done to back it up. I'm hoping you can shed some light on this field for us all.
At the end of the day I've been waiting for any proof beyond theory that it can be done for the last 6 or 7 years, and all I ever hear is "well, a friend of a work colleague says the NSA can do it" and that's about as close as I get. Believe me - I WANT to be convinced otherwise. After all, it's pretty much the holy grail of data recovery for computer forensics.
In theory, it is correct that overwritten data is, for all practical purposes by usual methods, unrecoverable. I will tell you though that not all "Disc Wiping" utilities can be relied upon to completely overwrite your target drive.
As an experiment, I ran a free version of Kill Disk in single pass zero fill mode over a Dell 40GB that contained a completely intact version of XP, as well as several hundred .jpg files.
I was shocked to find that I was able to extract and recover about 80% of those "overwritten" .jpg's. As always, test, and confirm, and document everything…
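The Kill Disk experiment above, and the earlier point about clusters the OS has marked bad never being touched by a file-system-level eraser, both come down to the same check: after a wipe, read the whole device back and confirm what is actually there. The following is an added example, not code from the thread or from any wiping product: it builds a small constructed image containing a fake JPEG, runs a stand-in single-pass zero fill over it (with an optional list of sectors the "wiper" skips, to model an untouched bad cluster or a tool that stopped early), and then verifies the result two ways, by listing every sector that still holds a non-zero byte and by carving for JPEG start-of-image markers, the same signature a recovery tool would look for. The sector size, the sample image and the stand-in wiper are assumptions of the example; `verify_wipe_file` applies the same checks, read-only and in chunks, to a real image file or device.

```python
"""Added example: verifying that a single-pass zero fill covered every sector
and that no JPEG signatures survive. Not from the thread; the sample image,
the stand-in wiper and the skipped sector are all constructed."""
from typing import Dict, Iterable, List

SECTOR = 512                 # assumed sector size for the example
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker that file carvers search for


def build_sample_image(sectors: int = 64) -> bytes:
    """Constructed 32 KiB image: a fake JPEG in sector 10 and some text in sector 40."""
    img = bytearray(sectors * SECTOR)
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF" + b"\x11" * 200
    img[10 * SECTOR:10 * SECTOR + len(jpeg)] = jpeg
    text = b"notes.txt: constructed sample text\n"
    img[40 * SECTOR:40 * SECTOR + len(text)] = text
    return bytes(img)


def zero_fill(img: bytes, skipped: Iterable[int] = ()) -> bytes:
    """Stand-in for a single-pass zero-fill wiper. 'skipped' models sectors the
    tool never writes (a cluster the OS marked bad, or a tool that stopped early)."""
    skipped = set(skipped)
    out = bytearray(img)
    for s in range(len(img) // SECTOR):
        if s not in skipped:
            out[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
    return bytes(out)


def nonzero_sectors(img: bytes) -> List[int]:
    """Sector numbers that still contain any non-zero byte (last partial sector included)."""
    count = (len(img) + SECTOR - 1) // SECTOR
    return [s for s in range(count) if any(img[s * SECTOR:(s + 1) * SECTOR])]


def carve_jpeg_offsets(img: bytes) -> List[int]:
    """Byte offsets of every JPEG SOI marker, the check a carver makes before recovery."""
    found, pos = [], img.find(JPEG_SOI)
    while pos != -1:
        found.append(pos)
        pos = img.find(JPEG_SOI, pos + 1)
    return found


def verify_wipe(img: bytes) -> Dict[str, list]:
    """Both checks over an in-memory image; the wipe is confirmed only if both lists are empty."""
    return {"nonzero_sectors": nonzero_sectors(img), "jpeg_offsets": carve_jpeg_offsets(img)}


def verify_wipe_file(path: str, chunk_sectors: int = 2048) -> Dict[str, list]:
    """Same checks over a real image file or device, read in chunks so a large
    drive need not fit in memory. Opens read-only; never writes to the target."""
    report: Dict[str, list] = {"nonzero_sectors": [], "jpeg_offsets": []}
    base, tail = 0, b""          # 'tail' carries the last 2 bytes so a marker split across chunks is still found
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_sectors * SECTOR)
            if not chunk:
                break
            report["nonzero_sectors"] += [base // SECTOR + s for s in nonzero_sectors(chunk)]
            window = tail + chunk
            report["jpeg_offsets"] += [base - len(tail) + o for o in carve_jpeg_offsets(window)]
            tail = chunk[-(len(JPEG_SOI) - 1):]
            base += len(chunk)
    return report


if __name__ == "__main__":
    original = build_sample_image()
    print("before wipe:          ", verify_wipe(original))
    print("after full zero fill: ", verify_wipe(zero_fill(original)))
    print("wiper skipped sector 10:", verify_wipe(zero_fill(original, skipped=[10])))
```

The last line of the demo is the case the thread is warning about: a tool that reports success but never wrote one sector leaves the JPEG fully carvable. A sector list that is empty is the only result that supports a claim of "overwritten"; the carve pass is there because a non-empty sector list tells you something survived, while the signature hits tell you whether it is anything a recovery tool would reassemble.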