
NSA's attack guidelines for recovering digital evidence

(@audio)

Is anyone familiar with the NSA's attack guidelines for recovering digital evidence? I've just got an "Advanced Digital Forensics" CBT from Career Academy, and in it they mention the three different classes of attacks for recovering digital evidence.

Class 1: The typical methods of recovering evidence.

Class 2: Uses special signal processing and amplifiers to recover previously overwritten data. It's similar to how the French protected their art during WWII by painting over it and then after the war they removed the new layer of paint, revealing the original painting. I had never heard of this technique for recovering digital evidence before…

Class 3: Can get by any software countermeasures such as overwriting data by using a Magnetic Force Microscope. I wasn't aware that an MFM could recover data from multiple overwrites…

Does anyone have any more info on this, or know where I can find more info? I tried Google, but it wasn't of any help.


   
hogfly
(@hogfly)
 

Yes, many layers of data can be recovered. This *used* to be called shadow data. Try this as an experiment. Take a piece of paper and a pen. Draw a circle - about 3 inches in diameter. Pick up your pen, then draw another circle on top of the other one. Unless you are some scientific freak of nature that can draw multiple perfect circles on top of each other, you'll have some idea of what happens when a hard drive is written to. Each pass is slightly off from the previous one. Now add some magnetic force to this and you should be able to determine what the last write was (a 1 or 0). I've really oversimplified and understated this, but this was just to give you an example.

Read Gutmann's paper and this one: http://www.forensics-intl.com/art15.html


   
(@audio)

That answers a lot, thanks hogfly!


   