
Myths in computer forensics

29 Posts
12 Users
0 Reactions
2,423 Views
NeGrusti
(@negrusti)
Active Member
Joined: 19 years ago
Posts: 18
 

On modern drives even a simple head swap is often not easy (as data recovery labs know) because the physical parameters of the particular head assembly units are not the same even within the same production batch. Drives compensate for that in the production cycle by forming adaptive parameter tables unique to that particular unit's head-surface-preamp system. Without faithful reproduction (physical or virtual) of this system, reading the data is impossible. No scanning microscope system can mimic this.


   
(@jansen)
Active Member
Joined: 17 years ago
Posts: 5
 

@ NeGrusti

So, if an "analyzing mechanism" knew the amount of play in a hard drive's head, would it be possible to read the data?

If I understand you right, the adaptive parameter table is unique to each hard drive, and not unique to each production cycle? This information is then stored in each individual hard drive.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Chatting with my brother yesterday, he runs an IT repair centre. He says he is seeing some laptops with solid-state drives as opposed to conventional HDDs. I asked him, as solid-state has number-of-write limitations expressed in the manufacturer's spec, whether he has had any repairs specifically dealing with write failure. He said not yet, but he thinks it will be inevitable, given the manufacturer's spec and generally computing high write rates, and that he expects to see life of SSD about 2 years between upgrades.

A quick Google search seems to tell me that newer SSDs have a write cycle time that, under normal usage, could easily be measured in decades. With wear-levelling you basically have to fill the entire SSD the number of times that you have write-cycles.
This site (http://www.storagesearch.com/ssdmyths-endurance.html) talks about it, and they say this towards the end:

"I found some data from Mtron (one of the few SSD oems who do quote endurance in a way that non specialists can understand). In the data sheet for their 32G product - which incidentally has 5 million cycles write endurance - they quote the write endurance for the disk as 'greater than 85 years assuming 100G / day erase/write cycles' - which involves overwriting the disk 3 times a day."

I won't pretend to have any real experience with SSDs, and the proof will really only rear its head in a few years when we see how they actually go. But info on the web seems to show they are now a very capable replacement for HDDs.

Gromit, I suppose what he is saying is, in his view, based upon how systems fail and what systems are brought in for repair, he is predicting the future. I must admit I thought 2 years wasn't long at all, because it implied the manufacturers hadn't thought about it. However, 2 years in computer component evolution isn't long, I suppose, when we learn that something we bought a year ago is now out of date because of built-in obsolescence.


   
(@vic20)
Active Member
Joined: 17 years ago
Posts: 7
 

I based my misregistration statements on a whitepaper I found that talks about the precision of the spin stand tester that was used to get the data. I compared this with current data densities and the two are incompatible. Spin stand testers may have improved their accuracy, but I could find no evidence to support that so could only go with what was proven.
The whitepaper was by Prof Gomez, and outlined his superior results in using a SST over a mag. force microscope. I think it was dated around 2001, but as I said I couldn't find anything more current.
I agree that you can't say "no data can be recovered", but I've always tried to say that "no useful data can be recovered". I'm sorry if I didn't write that here in my opening statement.
Having said that, I've not seen any evidence whatsoever that accurate data of even just a few bytes has been recovered from an overwrite.
I still believe misregistration is not particularly useful on modern equipment, and look forward to reading that I'm wrong should evidence be forthcoming.
Could you provide some evidence of what the Air Force is able to do with their equipment? I run into something like that said a lot, but there is never anything done to back it up. I'm hoping you can shed some light on this field for us all.
At the end of the day I've been waiting for any proof beyond theory that it can be done for the last 6 or 7 years, and all I ever hear is "well, a friend of a work colleague says the NSA can do it" and that's about as close as I get. Believe me - I WANT to be convinced otherwise. After all, it's pretty much the holy grail of data recovery for computer forensics.

I did not mean it to sound like I was disrespecting your statement. I participated in the US Air Force's ACE Cyberengineering Bootcamp in 2005. As part of the program, we were exposed to technologies that a lot of people used the terms "impossible" and "undoable" that were being done. My project was tracking and collecting cellular phone data on CDMA and GSM (a lot of people say it isn't possible because of the frequency hopping, but we were doing it all-the-same).

In any case, they talked about the research being done on data recovery and specifically mentioned reading between the tracks of data. This program I participated in took place at the research laboratory in Rome, New York. I guess my honest confession is I took their word for it, since I didn't actually get to see the equipment they set up to do the project.

All that being said, I guess I have a tendency to react to definite statements that cannot be 100% conclusively proven to be true. Adding conditions like the "no useful data" brings it closer to being true and makes the statement more acceptable. Once again, I didn't mean any disrespect. We are all professionals here and every opinion counts.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

My project was tracking and collecting cellular phone data on GSM…..frequency hopping, but we were doing it all-the-same).

Were you looking at 1020 or 1208 or both?


   
(@vic20)
Active Member
Joined: 17 years ago
Posts: 7
 

My project was tracking and collecting cellular phone data on GSM…..frequency hopping, but we were doing it all-the-same).

Were you looking at 1020 or 1208 or both?

I'm not actually sure. I handled most of the hardware side of things. I was installing equipment racks, computers, and antennas into a Hum-V. The software side of things was handled by someone else. Highly mobile system, though… and a 50 inch LCD TV for the display console. Not bad. In any case, I can't answer your question on that one. You'd have to ask the software guys, although I'm sure they couldn't answer you anyway, due to security clearance concerns.


   
(@steve2096)
Eminent Member
Joined: 17 years ago
Posts: 33
 

All that being said, I guess I have a tendency to react to definite statements that cannot be 100% conclusively proven to be true. Adding conditions like the "no useful data" brings it closer to being true and makes the statement more acceptable. Once again, I didn't mean any disrespect. We are all professionals here and every opinion counts.

I didn't take any offence from your statements, and would find it hard to get upset at anyone who has C= in their blood, as your avatar seems to imply anyway. :)
My research, however, seems to indicate that the reliability of any bit you get back of overwritten data is unlikely to be greater than about 60%. Considering just guessing the state of a bit puts you at 50%, this is no great shakes. I eagerly await evidence that proves otherwise, but there just doesn't seem to be any out there.
At those reliability levels, it might as well be called impossible. And once again I would like to reiterate that this hasn't been done on any hard drives made in the last decade or more, and densities have increased a phenomenal amount. I think it was also performed on MFM-encoded drives, which are supposed to be more susceptible to this sort of thing (but I've honestly no idea why).


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

My project was tracking and collecting cellular phone data on GSM…..frequency hopping, but we were doing it all-the-same).

Were you looking at 1020 or 1208 or both?

I'm not actually sure. I handled most of the hardware side of things. I was installing equipment racks, computers, and antennas into a Hum-V. The software side of things was handled by someone else. Highly mobile system, though… and a 50 inch LCD TV for the display console. Not bad. In any case, I can't answer your question on that one. You'd have to ask the software guys, although I'm sure they couldn't answer you anyway, due to security clearance concerns.

Hi Vic20, no worries, nothing I asked or you answered was security clearance related, as it's all public domain info. Also, 1020 and 1208 relate to the methods (hardware and software) and set of info (data) you aim to obtain to be able to look at the data you mentioned using the equipment installed in Hum V. It's not a software question per se.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Hey mates, you might have missed this thread:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2065

Mr. Guttmann himself says data cannot be recovered on modern hard disks, and as said in the thread his work was mostly theoretical also in 1996.

jaclaz


   
Page 3 / 3