I have to presume that your reference to Spare sectors concerns the sectors used by the hard disk manufacturer to compensate for what is in effect 'bad clusters'.
Neddy I am not being nit picky here but a lot of people in our business seem to sprout snippets they have picked up from the internet as fact. These are then repeated by others and the story gets more confused.
Spare sectors and bad clusters arte totally different things.
A spare sector as you allude to is a sector that physically exists on a hard disk but is not initially intended to be used, it is intended to be used to when a poor quality sector is remapped.
After a drive is first manufactured the disk is scanned for defects and any defects found are recorded in the PList – the primary List of defective sectors. The sectors found in the list are swapped out invisibly by the hard disk drive when a read request is made and one of the spare sectors is used in its place. This is totally invisible to the operating system. You should not find any user data in sectors remapped in the PList because it is created before the drive is shipped.
When the drive is in use data is written to individual sectors and along with each 512 (usually) bytes of data an Error Correcting Code (ECC) is written. An ECC at one level is similar to an MD5 in that it is calculated on the data as it is written and can be used when the data is read back to confirm that no changes have occurred. The ECC goes further though in that it can be used to correct for small errors, for instance the old 56bit ECC used on RLL drives could (if memory serves) correct a run of up to 11 bits of corrupt data in 512 bytes or two smaller runs. Modern ECC’s are longer and more complex than this. An error that is correctable by the ECC is known as a soft error. If the corruption damage is greater than can be corrected it is known as a hard error.
Soft errors are almost designed into the system and they would not be notified to the host computer – why should they be, they have been corrected and the data is known to be OK.
If a sector is read back and a hard error occurs, or multiple reads are required before a soft error is corrected then the sector is designated as no longer reliable and the data that can be read is copied to a spare sector and the sector is added to the G List or Grown defect list. It is these sectors that can contain old user data.
As mentioned in my previous post these sectors can be wiped using the ATA enhanced security erase function.
All of the above is done internal to the hard drive.
Bad clusters are a concept that is only relevant at the operating system level and is only slightly related to spare sectors. A cluster is marked as bad when the OS decides that one or more of the sectors within the cluster can’t be relied upon. The OS will only know that a sector is bad when the disk drive has run out of bad sectors to allocate (there are only so many per track). Therefore when a computer starts to see bad sectors it is an indication that the drive has probably been failing for some time.
If I am correct, error correction within a modern hard drive results in sectors that may still contain data and are not addressable by the host, spare sectors are then used to make up for this loss.
Yes you are correct – they may. As described above the data from the sector that is going bad is copied to the spare sector and then the two sectors are logically swapped.
I happily admit that I am not a data recovery expert but I do think that a single-pass wipe over a disk is sufficient for now anyway!
This is still incorrect – a zone on a particular hard disk may be a few hundred or more tracks of data, the zone does not become invisible. ALL a zone is in reality is an area of a disk that is further or closer to the centre than another area – I would go so far as to say that a zone is totally irrelevant in relation to forensics.
I happily admit that I am not a data recovery expert but I do think that a single-pass wipe over a disk is sufficient for now anyway!
I think for most purposes a single write is enough and for my personal data – data that no one is going to put any real effort into recovering – would be safely erased by a single overwrite.
@neddy
If you re-read my previous post, you will see that there is a handy feature of ATA and SATA disks that allows to
completely erases all possible user data areas by overwriting, including the so-called g-lists that contain data in reallocated disk sectors (sectors that the drive no longer uses because they have hard errors in them).
jaclaz
Its possible to hide text in the PCB firmware, does that mean we need to rewrite the firmware three times as well?
Its possible to hide text in the PCB firmware, does that mean we need to rewrite the firmware three times as well?
The whole point of this thread is that ONE SINGLE PASS will make anything irrecoverable. 😯
About hiding text in firmware, yes, if you have hidden it there, you should wipe it with ONE SINGLE PASS - ANY subsequent rewrite is NOT needed, though I doubt that it is a handy place to store and retrieve anything.
jaclaz
I think for most purposes a single write is enough and for my personal data – data that no one is going to put any real effort into recovering – would be safely erased by a single overwrite.
So what you're saying is that if someone is going to put some real effort into recovering data that a single-pass wipe is not sufficient. Is that correct?
The amount of misinformation on this thread is amazing
Where did hiding data in firmware come into it.
The whole point of this thread is not that one pass will make anything irrecoverable. The point is that 35 passes are overkill and one pass is enough for MOST purposes. While I think that it is beyond the capabilities of most if not all data recovery labs to recover data that has been over written once by a string of zeroes, I cannot rule out that SOME data may be recoverable.
Do I think that the security services can completely recover a drive that has been overwritten once - No. Do I think that the *may* be able to get the odd sector or a few snippets of text - possibly.
Do I think they could recover snippets of text that have been overwritten by random data. Unlikely but I stand to be corrected (although I doubt anyone who truly knows would be in a position to post on an open forum).
Do I think that the *may* be able to get the odd sector or a few snippets of text - possibly.
Given that there is no evidence as far as I can tell that anyone has successfully recovered any useful data whatsoever from an overwritten data area on a disk, why do you think this is possible?
Where did hiding data in firmware come into it.
That would probably have been my input! Sorry oops
Thank you for your considered response Paul and I take all your points onboard.
I was concerned however that a discussion on 'Single-pass wipe sufficient?' that did not refer to firmware and disk controllers would give people the impression that it was a simple matter.
We both know that it is not a simple matter.
While I think that it is beyond the capabilities of most if not all data recovery labs to recover data that has been over written once by a string of zeroes, I cannot rule out that SOME data may be recoverable.
To summarize
A single pass overwriting a disk with zeroes is sufficient to prevent recovery of data within the bounds of reasonable cost and effort. In normal forensic cases, the cost and expense of going beyond that is highly unlikely, nor would the small amount of potential data to be recovered be worth the cost burden.
Does that about do it? )
To summarize
A single pass overwriting a disk with zeroes is sufficient to prevent recovery of data within the bounds of reasonable cost and effort. In normal forensic cases, the cost and expense of going beyond that is highly unlikely, nor would the small amount of potential data to be recovered be worth the cost burden.
Does that about do it? )
Yes. )
You may add "time" to the equation.
Usually data recovery is not a "Cold case" episode on TV, you need the data in a reasonable time, not months or years.
And again, whatever fragments you can maybe recover with specialized hardware such a MFM is NOT "data" but "probabilities of data".
jaclaz