Single-pass wipe sufficient?

PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

And again, whatever fragments you can maybe recover with specialized hardware such as MFM is NOT "data" but "probabilities of data".

jaclaz

Not necessarily - As I mentioned above the data is encoded with an ECC. If you recover a complete sector and associated ECC then you can verify that the data is good.

This was the step we took when we developed our system.

Short version

We took the platters out of a drive and mounted them on an air bearing spindle mounted on a great big lump of granite. As we could not get the platter perfectly central on our spindle (the hole in the platter was slightly bigger than the spindle) when the platter spun and the heads remained stationary the heads passed over a number of tracks on each revolution (normally about 5).

What we had to do was 1st read the index from each sector (the CHS number), work out which tracks we were crossing and then oscillate the heads at the frequency of rotation and an amplitude that was equivalent to half the number of tracks crossed so that we could "track follow". This of course needed to be synchronised with the rotation of the platter so that at the peak of our oscillation we were at the outermost or innermost track.

We then read the data under the heads. In order to read the index and the data we needed to utilise the ECC to make sure what we were decoding was 'good' data (both the index mark and the data have their own ECC - the polynomial of which needed to be reverse engineered). Of course all of this needed to be done in real time.

The upshot was that when we got a sector of data we knew it was a good sector. To determine whether it was a current sector or an old sector we would image the drive before processing on the spin stand and then compare the recovered sector with what the drive was returning before we took it apart.

For the record I had an engineer build the system for me but I wrote the software to drive it and the software to decode the data.

The process was a lot more complex than it sounds as we had masses of data for each track including all of the embedded clock pulse, sector marks (the index), data marks, synchronisation bytes, ECCs and inter sector gaps - we would usually need to 'step' the heads about 10-20 increments for each track.


   
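The ECC gate and baseline comparison described in the post above, as an added example that is not part of the original thread or the poster's software. CRC-16/CCITT stands in for the drive's real ECC (whose polynomial the post says had to be reverse engineered), and the record layout, function names and sample reads are constructed for illustration.

```python
import struct

SECTOR = 512

def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT (poly 0x1021); a stand-in for the drive's real ECC."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def encode(chs, payload: bytes) -> bytes:
    """Hypothetical on-disk layout: ID field + check, data field + check."""
    ident = struct.pack(">HBB", *chs)
    return (ident + struct.pack(">H", crc16_ccitt(ident))
            + payload + struct.pack(">H", crc16_ccitt(payload)))

def decode(raw: bytes):
    """Return (chs, payload) only if both fields verify, else None."""
    if len(raw) != 4 + 2 + SECTOR + 2:
        return None
    ident, id_crc = raw[:4], struct.unpack(">H", raw[4:6])[0]
    payload, data_crc = raw[6:6 + SECTOR], struct.unpack(">H", raw[-2:])[0]
    if crc16_ccitt(ident) != id_crc or crc16_ccitt(payload) != data_crc:
        return None
    return struct.unpack(">HBB", ident), payload

def classify(raw_reads, baseline):
    """Label each verified read against the image taken before teardown."""
    result = {"current": [], "old": [], "rejected": 0}
    for raw in raw_reads:
        decoded = decode(raw)
        if decoded is None:
            result["rejected"] += 1   # failed a check: not trustworthy data
            continue
        chs, payload = decoded
        label = "current" if baseline.get(chs) == payload else "old"
        result[label].append(chs)
    return result

# Constructed sample data: one baseline image and four head-step reads.
NEW, OLD = b"N" * SECTOR, b"O" * SECTOR
BASELINE = {(10, 0, 1): NEW, (10, 0, 2): NEW}
noisy = bytearray(encode((10, 0, 2), OLD)); noisy[100] ^= 0x04   # bit error in data
bad_id = bytearray(encode((10, 0, 1), OLD)); bad_id[1] ^= 0x01   # bit error in index
READS = [encode((10, 0, 1), NEW), encode((10, 0, 1), OLD), bytes(noisy), bytes(bad_id)]

if __name__ == "__main__":
    print(classify(READS, BASELINE))
```

A read that passes both checks but differs from the baseline is a verified older sector, yet nothing in it says how many writes ago it dates from.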
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

Given that there is no evidence as far as I can tell that anyone has successfully recovered any useful data whatsoever from an overwritten data area on a disk, why do you think this is possible?

Because a) I have done it on older drives - see post above and b) although modern drives are much more complex the techniques available are correspondingly so.

So the upshot is that based on probably more experience in this field than anyone else on this board (not bragging just setting the scene) I don't KNOW that it can still be done and I THINK that only small fragments of data would be recovered but I am willing to be corrected by someone who has more current knowledge.

What I do know is that data recovery companies are not doing this and therefore Joe criminal is pretty unlikely to be doing so - unless the potential gains are massive AND can't be achieved some other way. Or put it another way, is someone going to go through a skip pick up all the hard disk drives and run them all through the expensive recovery mill on the off chance that the few sectors recovered will contain some of my confidential data.

On the other hand in a previous life I used to deal with Top Secret info in various guises and if I needed to destroy a drive with that on it I would not trust a single pass because the consequences if I was wrong (and the drive got into the wrong hands) were pretty major.

Weigh up the consequences of data recovery against the cost of ensuring it can't be recovered.


   
(@steve2096)
Eminent Member
Joined: 17 years ago
Posts: 33
 

Given that there is no evidence as far as I can tell that anyone has successfully recovered any useful data whatsoever from an overwritten data area on a disk, why do you think this is possible?

Because a) I have done it on older drives - see post above and b) although modern drives are much more complex the techniques available are correspondingly so.

Am I reading it wrong? What you wrote sounds like you are getting misregistered data, NOT overwritten data.

To summarize

A single pass overwriting a disk with zeroes is sufficient to prevent recovery of data within the bounds of reasonable cost and effort. In normal forensic cases, the cost and expense of going beyond that is highly unlikely, nor would the small amount of potential data to be recovered be worth the cost burden.

Does that about do it? )

I'm still not sold. The only data recovered I've heard about is when it is misregistered, or "wandered off the track", on really old hardware. This is not overwritten data.


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

Am I reading it wrong? What you wrote sounds like you are getting misregistered data, NOT overwritten data.

Does it matter - the gist of the thread is recovering data from a drive that has been overwritten.


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

Gromit

Just a bit more on the above. The point of the above post was that we did recover data from drives by reading the side of a track at a time when people were saying it couldn't be done. Although modern drives use embedded servo and therefore the head positioning is much more accurate it is still possible, if unlikely, that due to tolerances within the system or even more esoteric issues such as domain migration that you can recover data from the side of a track.

If you can read a full sector's worth of data then the ECC will allow you to verify that the sector recovered is a good one. What you don't know is whether this data was overwritten at the previous write or 10 before that.

In the case where you are looking at what you are calling overwritten data (note that the above still falls into this category) to try and determine what magnetic domain was beneath the current domain then I believe that the likelihood of recovery is much less - but I do not have first hand experience of this as I do in the previous scenario. I say much less because of modern advances such as PRML and vertical recording.

The likelihood of recovery would depend not just on how many times something has been overwritten but also on what was there before the data you are after, this could be described as how many times the data has been underwritten ). The 35 times theory has been debunked but in truth no one really knows, or rather no one who knows anything.

I do believe that you would never recover a complete drive this way but rather recover a few sectors here and there and a few more fragments of maybe textual data but with no corresponding ECC/CRC to hang your hat on.

Hence my stance that for personal data I would be happy for a single overwrite. As I said above though I am happy to be proven wrong.

Note that some of the above is based on my first hand experience and is proven fact, and some of the above is my opinion based on previous experience and possibly an above average knowledge of modern disk drives.


   
(@steve2096)
Eminent Member
Joined: 17 years ago
Posts: 33
 

Gromit

Just a bit more on the above. The point of the above post was that we did recover data from drives by reading the side of a track at a time when people were saying it couldn't be done. Although modern drives use embedded servo and therefore the head positioning is much more accurate it is still possible, if unlikely, that due to tolerances within the system or even more esoteric issues such as domain migration that you can recover data from the side of a track.

I would be interested in reading about it should you try this on modern drives. After all, I don't recall the last time I saw a drive from the MFM-encoding days in my job.
Given that misregistration seems fairly random in nature, and I defer to your experience here, what is the likelihood that any given sector that was recovered and ECC checked okay is related to any other? I mean, that sector could contain misregistered data from numerous writes ago, not just the last one. Obviously I'm ignoring fragmentation here.

In the case where you are looking at what you are calling overwritten data (note that the above still falls into this category)…

Perhaps my idea of overwritten data is too literal. I do not include misregistration as overwritten.

…to try and determine what magnetic domain was beneath the current domain then I believe that the likelihood of recovery is much less - but I do not have first hand experience of this as I do in the previous scenario. I say much less because of modern advances such as PRML and vertical recording.

Actually getting at the previous domain information, as far as I know from reading material by Prof Gomez at the Uni of Maryland, requires a STEM which produces images that must be processed. That's a lot of images for any reasonable amount of data, considering each image covers only a very small physical area of the disk surface. Apart from processing this information, you also have the fact that the underlying data could be from the write before last, or the one before that etc. There are a lot of variables which reduce the accuracy hugely.
This has also never been performed on modern drives.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Actually getting at the previous domain information, as far as I know from reading material by Prof Gomez at the Uni of Maryland, requires a STEM which produces images that must be processed. That's a lot of images for any reasonable amount of data, considering each image covers only a very small physical area of the disk surface. Apart from processing this information, you also have the fact that the underlying data could be from the write before last, or the one before that etc. There are a lot of variables which reduce the accuracy hugely.
This has also never been performed on modern drives.

Yes, the point I was trying to make is that sandy771's experience, as well as the original "Gutmann paper" is about a technology that has become obsolete and is not used anymore.
With modern drives, as stated by Prof. Gutmann himself, the chances of finding something are very, very low, and once you have found that something, all you get is probabilities about what was written there before (last time before single pass).

A normal, SMALLish, common size is 80 Gbytes, that makes (I won't start being picky about Gb and GiB, i.e. x1000 or x1024 factors), i.e. something like
80x1,000x1,000x1,024= 81,920,000,000 bytes, i.e. roughly
81,920,000,000/512=160,000,000

How long does it take to analyze a single sector? (including all the other related data involved, i.e. finding the "items" sandy771 listed)

The process was a lot more complex than it sounds as we had masses of data for each track including all of the embedded clock pulse, sector marks (the index), data marks, synchronisation bytes, ECCs and inter sector gaps - we would usually need to 'step' the heads about 10-20 increments for each track.

Let's try the math.

If 1 second/sector
160,000,000 seconds/60=2,666,666.67 minutes
2,666,666.67 minutes/60= 44,444.44 hours
44,444.44 hours/24=1,851.85 days
1,851.85/30=61.73 months

To have the recovered data or evidence in a reasonable time, say one month, the apparatus would need to have a throughput of slightly more than 60 sectors per second.
60*60*60*24*30=155,520,000

The apparatus could analyze, at the most, 12 hard disks per year, working 24/7 with no downtimes.

Now, assuming that the apparatus and technology does exist, which is not given for modern hard disks, but possible, it surely would be
1. expensive
2. needing highly specialized personnel to use it
which limits the total amount of such machines to a handful, say 100 in all the world, of which maybe, and at the most, just one in the hands of the Government Agency, Police department or Business Competitor that may be interested in the particular data your single hard disk held before the single pass wipe.

Now what would you estimate the chances that your hard disk is "eligible" to be one of this year's twelve "elected" ones? 😯

And since "important" data is likely to be held on "recent" hardware, it is very probable that it was on a much larger hard disk, a 250, 320, 500 or even 1,000 Gb one.

With the proposed 60 sectors/second, one single Terabyte drive would have the machine busy for more than one year, making the probabilities lower from
<whatever you think fit>12
to
<whatever you think fit>1

jaclaz


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

and once you have found that something, all you get is probabilities about what was written there before (last time before single pass).

I am too busy at the moment to deal with this fully but I will address the above one last time.

YOU DO NOT get a probability - by using the ECC you get a real verifiable sector of data back. The kit we designed was for data recovery purposes and customers did not want something that might have resembled their accounts data - they wanted assurances.

In relation to speed we were spending a day on a drive back then - modern drives are bigger but then modern computers are much faster.

One other quick point. If you are reading data from down the side of the track you tend to get the complete track back - if the heads were misaligned then they would generally be misaligned for a complete write. So as data is written in clusters you normally get one or more clusters of good data back - using the techniques we used.


   
(@computerforensics911)
Active Member
Joined: 18 years ago
Posts: 16
 

A three letter agency wrote a For Official Use Only Memo. The Memo stated that 1 Pass is fine.


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

A bit more time now as I am carving some data from some large files )

I don't recall the last time I saw a drive from the MFM-encoding days in my job.

This technology post-dated MFM drives by a good while - we were looking at SCSI and IDE drives. The data was written using RLL; we stopped playing just as PRML was making an appearance.

what is the likelihood that any given sector that was recovered and ECC checked okay is related to any other? I mean, that sector could contain misregistered data from numerous write ago, not just the last one. Obviously I'm ignoring fragmentation here

Very good - as stated in the above post when a head is slightly misaligned it stays so. So you tend to get adjacent sectors of data.

Perhaps my idea of overwritten data is too literal. I do not include misregistration as overwritten.

The data is overwritten in that the drive has attempted to write a new sector of data over an older one - it is just over written badly.

That's a lot of images for any reasonable amount of data, considering each image covers only a very small physical area of the disk surface

Agreed, that's why at the time we were also playing with transputers for our decoding algorithms. The task is massively parallel and ideal for dumping to multiple idle computers. The bottleneck is reading the data, once read then the processing is as quick as the resources you give to it.

is about a technology that has become obsolete and is not used anymore

The techniques *may* still bear fruit on a modern drive - magnetic domains are known to migrate, this is one of the problems overcome by vertical recording. You may not get a whole host of data back but for National security it *may* be that for a given drive it is worth having a go. If you seriously want to get data back then you are not going to limit yourself to just one technique.

Let's try the math.

A bit pointless given what I said above about parallelism

If 1 second/sector

We were processing about a hundred sectors a second even back then (on one CPU)

needing highly specialized personnel to use it

It needed specialised people to design it - once designed it needed a competent engineer to take the platters out and put them on the spindle - you then went to lunch and came back to see how many sectors of data had been extracted. The program once running looked after itself, as most do.

I have never operated a STEM but my guess is that the STEM operation may be reasonably complex but not necessarily as difficult as you make out. Processing the data (the larger part of the task) is still going to be a case of point a program at it - by the very nature of the task it cannot require much human intervention because at human speeds it is way too big.


   