Low level format recovery

[Juddog]

I remember the past few years hearing about "even if all of the data is zero'd out, the data can still be recovered".

So the question is this - if someone decided to low-level format their hard drive using the manufacturer software, so literally every single byte of data shows as 00, is it still possible for someone to recover the data?

 

[Rebel44]

It is possible but very expensive.

 

[Juddog]

Originally posted by: Rebel44
It is possible but very expensive.

How expensive are we talking?

 

[bsobel]

Originally posted by: Juddog

Originally posted by: Rebel44
It is possible but very expensive.

How expensive are we talking?

Goverment labs expensive (e.g. your not doing this at home, you need a whiteroom and specialized equipment)

 

[BlueAcolyte]

This is why most programs will write 0's and 1's multiple times and then randomly write 0's and 1's the final run.

 

[Juddog]

Originally posted by: bsobel

Originally posted by: Juddog

Originally posted by: Rebel44
It is possible but very expensive.

How expensive are we talking?

Goverment labs expensive (e.g. your not doing this at home, you need a whiteroom and specialized equipment)

Are we talking under $10k or over $10k?

 

[pallejr]

Originally posted by: bsobel

Goverment labs expensive (e.g. your not doing this at home, you need a whiteroom and specialized equipment)

Do you have some kind of proff that the government can restore a harddrive that has been overwritten just once? Because normal recovery companies cannot do it.

 

[bsobel]

Originally posted by: pallejr

Originally posted by: bsobel

Goverment labs expensive (e.g. your not doing this at home, you need a whiteroom and specialized equipment)

Do you have some kind of proff that the government can restore a harddrive that has been overwritten just once? Because normal recovery companies cannot do it.

Look up Magnetic Force Microscopy. Here is a Aukland Universtiy paper on recovery methds http://www.cs.auckland.ac.nz/~...1/pubs/secure_del.html

There is a reason the DOD overwrite standards are so stringent

 

[pallejr]

I know of that already. And surely there exists ways to recover magnetic data that has been overwritten. But in the real world today, with modern harddrives, the data density and precision makes it a no go.

One reason why the government might a bit paranoid, is because you never know what the future holds. Some day it might be possible. Or that they know of something that the rest of us don't.

 

[QuixoticOne]

Keep in mind that the data isn't necessarily perfectly aligned on the track either. So maybe if the head is offset a little bit during the overwrite you might get an effect like this:

ORIGINAL
ORIGINAL
ORIGINAL

ORIGINAL
OVERWRITE
OVERWRITE
OVERWRITE

with a little strip of the original data still left intact off to the side a little bit.

Also as magnetization gets left alone for a longer time it is possible in an analogous way to 'soak in' wider / deeper physically into the media. So if you had something that was secret that had sat there for a year, and just last week you overwrite it, there will probably still be depth and width and bulk related traces of the original data in the physical magnetic statistics of the media.

Also keep in mind drives don't GIVE you physical access to the media anymore, not at least without very low level test/control software. Typically the drive decides how to map the physical surface into logical blocks.

So what happens if you write a full track of VERYSECRETSTUFF................VERYSECRETSTUFF......
and then you bump the drive and it gets a scratch / glitch in one of the blocks of that track? Typically then the drive will automatically relocate via remapping the 'bad sectors' to a new spare spot on the disc saved for this purpose. So now realize that the bit error that caused it to go bad might only be as little as one bit, or maybe even an intermittent problem. But the entire BLOCK (or multiple blocks) have been remapped. So now you CAN'T overwrite the VERYSECRETSTUFF......VERYSECRETSTUFF.... blocks because the drive doesn't even give them a logical block address anymore, it is just off limits in the "bad sector" list. But if someone with the right low level recovery software / hardware comes along and asks to read the bad sectors, chances are they'll be able to read back that data no problem.

Most data recovery software / hardware companies will generally milk you for whatever they can get, so almost anything costs over/near $10k, even the software tools. The hardware stuff can be up into the quarter million or more range. But people do buy / use this stuff. Heck there are even tools to take semiconductor IC chips apart atomic layer by atomic layer to reverse engineer the chip and the process technology. If they can do that, they can do a lot worse to a disc drive.

Also technology changes. What was state of the art 25 years ago, a 20MB MFM drive now would be just childs play to totally recover, it'd be less than 1/10,000 as precisely structured as the modern equipment commonly is. So what is a little difficult to do today, give it 5-10 years, and ......

 

[Juddog]

Originally posted by: QuixoticOne
Keep in mind that the data isn't necessarily perfectly aligned on the track either. So maybe if the head is offset a little bit during the overwrite you might get an effect like this:

ORIGINAL
ORIGINAL
ORIGINAL

ORIGINAL
OVERWRITE
OVERWRITE
OVERWRITE

with a little strip of the original data still left intact off to the side a little bit.

Also as magnetization gets left alone for a longer time it is possible in an analogous way to 'soak in' wider / deeper physically into the media. So if you had something that was secret that had sat there for a year, and just last week you overwrite it, there will probably still be depth and width and bulk related traces of the original data in the physical magnetic statistics of the media.

Also keep in mind drives don't GIVE you physical access to the media anymore, not at least without very low level test/control software. Typically the drive decides how to map the physical surface into logical blocks.

So what happens if you write a full track of VERYSECRETSTUFF................VERYSECRETSTUFF......
and then you bump the drive and it gets a scratch / glitch in one of the blocks of that track? Typically then the drive will automatically relocate via remapping the 'bad sectors' to a new spare spot on the disc saved for this purpose. So now realize that the bit error that caused it to go bad might only be as little as one bit, or maybe even an intermittent problem. But the entire BLOCK (or multiple blocks) have been remapped. So now you CAN'T overwrite the VERYSECRETSTUFF......VERYSECRETSTUFF.... blocks because the drive doesn't even give them a logical block address anymore, it is just off limits in the "bad sector" list. But if someone with the right low level recovery software / hardware comes along and asks to read the bad sectors, chances are they'll be able to read back that data no problem.

Most data recovery software / hardware companies will generally milk you for whatever they can get, so almost anything costs over/near $10k, even the software tools. The hardware stuff can be up into the quarter million or more range. But people do buy / use this stuff. Heck there are even tools to take semiconductor IC chips apart atomic layer by atomic layer to reverse engineer the chip and the process technology. If they can do that, they can do a lot worse to a disc drive.

Also technology changes. What was state of the art 25 years ago, a 20MB MFM drive now would be just childs play to totally recover, it'd be less than 1/10,000 as precisely structured as the modern equipment commonly is. So what is a little difficult to do today, give it 5-10 years, and ......

In this case it was a very new 80 GB small form (1.8") hard drive that was completely overwritten with 00's, apparently with the manufacturer low level format utility. Mounting the drive with another OS shows that even the initial boot sector, MBR etc. was overwritten completely. The drive was also fully encrypted before it was overwritten using the manufacturer low level format utility. So I'm guessing based upon the reactions here that it's a lost cause.

Quarter of a million... yeesh!

 

[Modelworks]

Originally posted by: pallejr

Originally posted by: bsobel

Goverment labs expensive (e.g. your not doing this at home, you need a whiteroom and specialized equipment)

Do you have some kind of proff that the government can restore a harddrive that has been overwritten just once? Because normal recovery companies cannot do it.

A hard drive can be recovered even if it has been erased multiple times. The process is very difficult and it literally cost in the millions of dollars range. The platters are removed and placed in an electron scanning microscope . The sectors are read at the atomic level and the data fed into a program that tries to figure out what combination would be most likely to produce readable data..


It is not something the average person needs to worry about.

You only need to erase a sector ONE time with a 0. All these programs that write each sector 10 times are only wasting time, power, and putting more wear on the drive.
If a hard drive reads a sector back as anything but what was last written, it would be useless as a storage device. That is why you only need erase it one time.

The thing to watch out for is the format commands.
Format does not erase the data on the drive.
Be especially cautious with flash drives you pass around friends. Even if you format the drive those files are still there. It takes about 2 minutes to recover them. Best thing to do with flash drives is either 0 them out with a program or overwrite the old data with new data.

 

[pallejr]

Originally posted by: Modelworks

A hard drive can be recovered even if it has been erased multiple times. The process is very difficult and it literally cost in the millions of dollars range. The platters are removed and placed in an electron scanning microscope . The sectors are read at the atomic level and the data fed into a program that tries to figure out what combination would be most likely to produce readable data..

Like I asked earlier in the thread. Can you tell me of anyone in the real world that has done that with a modern harddrive?

 

[Smilin]

Originally posted by: pallejr

Originally posted by: Modelworks

A hard drive can be recovered even if it has been erased multiple times. The process is very difficult and it literally cost in the millions of dollars range. The platters are removed and placed in an electron scanning microscope . The sectors are read at the atomic level and the data fed into a program that tries to figure out what combination would be most likely to produce readable data..

Like I asked earlier in the thread. Can you tell me of anyone in the real world that has done that with a modern harddrive?

See first reply.

 

[pallejr]

Originally posted by: Smilin
See first reply.

I see it. Where is the proof? People is these forums like very much to say all this, but they can never referer to a source. The recovery companies themselves say they cannot do it. So who can?

http://blogs.computerworld.com/node/5687 for example

 

[Smilin]

Originally posted by: pallejr

Originally posted by: Smilin
See first reply.

I see it. Where is the proof? People is these forums like very much to say all this, but they can never referer to a source. The recovery companies themselves say they cannot do it. So who can?

http://blogs.computerworld.com/node/5687 for example

"Where is the proof?"

Christ you are annoying.

See Section 4.2.2 and Go do your own research next time...
http://www.actionfront.com/whi...covery%20Ver14Alrs.pdf

 

[compman25]

Originally posted by: Juddog

Originally posted by: bsobel

Originally posted by: Juddog

Originally posted by: Rebel44
It is possible but very expensive.

How expensive are we talking?

Goverment labs expensive (e.g. your not doing this at home, you need a whiteroom and specialized equipment)

Are we talking under $10k or over $10k?

Send Tim an email at tlider@adv-data.com and check their website. See if he can get the info back.

 

[pallejr]

Originally posted by: Smilin

Christ you are annoying.

See Section 4.2.2 and Go do your own research next time...
http://www.actionfront.com/whi...covery%20Ver14Alrs.pdf

Try and read what you link to yourself.

"4.2.4 Exotic Recovery

It is *theoretically* possible to read some overwritten data.

I have found no evidence of commercially viable recoveries being perfomed with them... Furthermore, I have seen no public demonstrations of any of these methods that show the recovery of files or even user data."

And research what the recovery companies says about the subject. Is it pratically possible with modern harddrives? The answer they give is "no".

 

[Juddog]

Originally posted by: compman25

Originally posted by: Juddog

Originally posted by: bsobel

Originally posted by: Juddog

Originally posted by: Rebel44
It is possible but very expensive.

How expensive are we talking?

Goverment labs expensive (e.g. your not doing this at home, you need a whiteroom and specialized equipment)

Are we talking under $10k or over $10k?

Send Tim an email at tlider@adv-data.com and check their website. See if he can get the info back.

I called them up and they've never even heard of Magnetic force microscopy (MFM). He just kept saying send in the drive and they'll take a look, and also mentioned that he hasn't personally seen a drive that was overwritten using a zero-fill technique, although he was very general in stating that they've recovered from all sorts of things.

 

[Smilin]

Originally posted by: pallejr

Originally posted by: Smilin

Christ you are annoying.

See Section 4.2.2 and Go do your own research next time...
http://www.actionfront.com/whi...covery%20Ver14Alrs.pdf

Try and read what you link to yourself.

"4.2.4 Exotic Recovery

It is *theoretically* possible to read some overwritten data.

I have found no evidence of commercially viable recoveries being perfomed with them... Furthermore, I have seen no public demonstrations of any of these methods that show the recovery of files or even user data."

And research what the recovery companies says about the subject. Is it pratically possible with modern harddrives? The answer they give is "no".

You asked if this is an urban legend or not. No it is not. You can read data that has been overwritten. It's not theoretical, it's been done.

Want me to draw you a picture? Oh wait that's right...there's a picture in that document I sent you! It shows an actual MFM scan of an overwriten nibble that is still readable.

So did you come to find an answer or have a pissing contest? The answer has been given several times.

 

[Juddog]

Originally posted by: Smilin

Originally posted by: pallejr

Originally posted by: Smilin

Christ you are annoying.

See Section 4.2.2 and Go do your own research next time...
http://www.actionfront.com/whi...covery%20Ver14Alrs.pdf

Try and read what you link to yourself.

"4.2.4 Exotic Recovery

It is *theoretically* possible to read some overwritten data.

I have found no evidence of commercially viable recoveries being perfomed with them... Furthermore, I have seen no public demonstrations of any of these methods that show the recovery of files or even user data."

And research what the recovery companies says about the subject. Is it pratically possible with modern harddrives? The answer they give is "no".

You asked if this is an urban legend or not. No it is not. You can read data that has been overwritten. It's not theoretical, it's been done.

Want me to draw you a picture? Oh wait that's right...there's a picture in that document I sent you! It shows an actual MFM scan of an overwriten nibble that is still readable.

So did you come to find an answer or have a pissing contest? The answer has been given several times.

Hey Smilin, it was actually me who asked about the urban legend. I would like to thank everyone in this thread for their input, however, as it has helped what I was doing a great deal.

 

[pallejr]

Originally posted by: Smilin

You asked if this is an urban legend or not. No it is not. You can read data that has been overwritten. It's not theoretical, it's been done.

You are right, the OP asked if this was urban legend. It is. It is true that researches have been able to recover a bit here and there on old harddrives. I'm puzzled, what will you do with those few random bits? Read your own paper again, and the link I provided. The data density and precision of modern harddrives make it even harder, next to impossible, to restore any bits, let alone an entire drive.

 

[VirtualLarry]

For this, we need nanobots!

 

[LS8]

Degausser...

We had one when I did corporate IT security.

 

[blackangst1]

The problem here is how much magnetic data can actually be "saved" on the tracks? I havent seen anything that states even a guess. Another methed of wiping a drive that hasnt been mentioned is slack space. Its been touched on, but its important. Most good drive wipes have the option of slack space overwrite.

Based on everything *I* have read, including white hat papers, a modern drive 3 passsed with slack space will leave a drive NSA cant recover. For the VERY paranoid, simply encrypt the drive, then one pass it with 0's. Unrecoverable by anyone.