Login    Forum    Search    FAQ

Board index » Upgrading and Repairing Forum » Desktop PC Hardware




Post new topic Reply to topic  [ 16 posts ] 
Author Message
 Post subject: extreme erasure & preservation
 Post Posted: Sat Dec 22, 2007 3:45 pm 
Offline

Joined: Sat Jun 30, 2007 10:36 am
Posts: 208
To erase a hard drive and be certain, do this: Open it up; and grind every platter, both sides, with a grinder head on an electric drill, edge to edge, until there's no surface there. No part of the surface should be reflective anymore. Better yet, keep grinding until you grind through to the other side (however, depending on what a substrate is made of, grinding through may be impracticable and burning may be dangerous or unfeasible -- and don't have your hand holding the other side).

To erase a floppy and be certain: Burn it. (You can keep the case, slider, cleaning pad, etc.) I don't recommend breathing the stuff.

To erase RAM and be certain: Pulverize it into powder. To come pretty close: Heat it to 140 Celsius, well above the boiling point of water, for some hours. If the result is to destroy the RAM, that's the way the cookie crumbles. I don't know if burning releases toxins into the air you breathe. Don't breathe.

To preserve what's on RAM even without electricity: Do nothing; data might stay for hours or days. To retain for weeks, try cooling to 60 below 0 Celsius (60 degrees below the freezing point of water). Preservation is likelier the longer data, unchanged, was previously powered by electricity.

I guess that puts an end to a notion that RAM erases itself in 15 seconds after power-off, although probably most of its content is too weak to be in your way when you power on again. But that might explain an occasional boot failure: a bit in RAM might still be in the way.

What's supposed to be in RAM, including never-saved content, may be on your hard drive anyway, like in a swap file. Example: encryption passwords.

Other nooks of memory exist, like in the processor's onboard cache. Long ago, the Apple LaserWriter or LaserWriter Plus was reported to have ZRAM, for long-term storage. And, for the paranoid, one might consider that a BIOS can be flashed and therefore written to with something unofficial, with some planning.

Overwriting doesn't completely hide what's underneath. Hardware techniques of data recovery can sometimes recover one or two layers deep, and maybe more, especially if the deep content was there a long time.

Erasure software can't do all this.

If you're afraid of involuntarily being forced to take a Nobel Prize after developing the Unified Theory of Everything which is on your computer, this should protect you from such an embarrassment. You could hope that your enemy won't spend the money to recover what you erased without fire. Or you could buy a new computer every day.

These are my thoughts after reading Secure Deletion of Data from Magnetic and Solid-State Memory, by Peter Gutmann, Univ. of Auckland, http://www.cs.auckland.ac.nz/~pgut001/p ... e_del.html , as accessed Oct. 13, 2007, but largely based on a 1996 publication, and I have no idea what newer technologies mean for this context. My only critique of his paper (my expertise here is limited): He suggests the 35-pass erasure method isn't necessary because a subset of passes are enough for any given hard drive; but that supposes you'll know which technology describes the hard drive you're dealing with, so I'd say that if you don't know then all 35 are needed.

Software that makes a valiant attempt is freeware DBAN (Darik's Boot and Nuke). Scott suggested it and I've used floppy-based version 1.0.6 several times and now 1.0.7; it's slow (40GiB HDD in 28hr on 1 machine with 1.0.6 & 80GB HDD in 35hr+ on another with 1.0.7) but seems to get the job done, and once it starts it runs unattended till done (beware that it may not recognize ctrl-alt-del depending on when invoked). If you run it in a machine with more than one hard drive, it wipes all of them, giving you no choice. Version 1.0.7 (see http://dban.sourceforge.net/ or http://www.dban.org/ ) adds the ability to boot from CD, DVD, or USB flash, and may let you choose a partition to wipe. It includes the 35-pass option. The first home page also lists complementary products by other producers.

(This applies to any OS and to laptops, desktops, and, I assume, most servers below big iron (mainframes), thus posted in this forum.)

--
Nick


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Sat Dec 22, 2007 5:09 pm 
Offline
Site Admin

Joined: Sun Feb 04, 2007 11:44 am
Posts: 5880
There are many more simple ways to destroy a hard disk than what you describe. For example, most modern drives use glass platters, which you can shatter with a single hammer blow. There are even machines that will destroy a hard drive without producing any cosmetic damage http://www.veritysystems.com/productdetails.asp?id=157 (note that device costs $5K US). However my preferred low-cost yet utterly simple and reliable method is to use a $30 BernzOmatic trigger start blowtorch http://tinyurl.com/ysrvhl with MAPP gas (which burns at 3,650 deg. F in air) to hit the nickel coated platters for a few seconds to raise the temperature well above the Curie point: http://jchemed.chem.wisc.edu/JCESoft/CC ... /CD2R1.HTM

Note that you don't have to actually melt the platters, only heat them up to a thousand degrees or so. This wipes the magnetic information on the drive, insuring that the data cannot possibly ever be read. Of course the intense heat also damages the lubricant coating, melts the flex cables, the heads, and warps the platters, but that only helps the cause. <g>

You can even do this in somewhat of a stealth manner by opening up the drive and heating the platters directly, which I've done on drives that need to be returned under warranty. If cosmetics aren't important, than you can just literally burn a hole through the top cover with the torch, heating the platters underneath in the process.

Note that there is no data remanance in SRAM or DRAM, which loses information mere milliseconds after removing power. No need to destroy it, please send it to me instead of destroying it, as I can use all the RAM I can get. <g>

Be advised that the Gutmann article you reference is full of flaws and misinformation. For example, one pass is sufficient to erase the data such that it is irrecoverable, despite what that article says. I classify that article as an urban legend, not to be confused with reality: http://www.nber.org/sys-admin/overwritt ... ttman.html

I consider myself to be an expert on data recovery, and yet when I use DBAN on my own drives I only use the *Quick Erase* function, which overwrites the entire drive in a single pass. Not only does it do a complete job that way, it only takes a few minutes to an hour or so. I defy anybody, anywhere, anyhow to recover even a single file from a drive that has been completely overwritten even with only one pass. It seems that is possible only in the world of urban legends, spy novels, or Gutmann articles. <g> Scott.


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Fri Jan 18, 2008 1:20 am 
Offline

Joined: Wed Jan 16, 2008 2:35 am
Posts: 53
Location: Los Angeles, CA
Nick,

The problem with many Internet articles, such as the Gutmann paper you read, is that their high degree of technical vocabulary mixed with the Internet's capability to continually archive truly out-of-date information, leads the average reader into many false conclusions. Furthermore, the incessant perpetuation of those ideas by others who've never even understood what they were reading, or didn't even read in the first place, keeps the whole thing rolling along; especially when there's money to be made off of it! Fear of something vague has often fueled campaigns, both politically and for commercial profit.

One greatly misunderstood remedy, frequently touted on the Internet as a cure-all for boot-up problems, is the undocumented "/mbr" switch of the DOS command, FDISK. But unless you know both exactly what that will do, under the particular version of DOS you're using and why doing so might be the correct solution, you could actually make matters worse! Yet, those who can no longer boot their computer, often go into 'panic mode' and rather than THINK through a rational course of action, impatiently try any suggestion they happen to find on the Net or passed along by "well-meaning" friends.

Although I'd agree with most of what Scott has said above, I wouldn't come down so hard on the Gutmann article as much as I would fault those who continue to perpetuate a misunderstanding of his material; especailly those promoting "wipe" software or services that exceed even DoD standards! Those who start reading (and rarely finish, let alone understand) Gutmann's paper without ever reading his later 'Epilogue,' would probably be better off having never heard of the paper and other's misguided summaries of it. Daniel Feenberg, who wrote the NBER report Scott listed above ( http://www.nber.org/sys-admin/overwritt ... ttman.html ), contacted me after he'd found my web page ( http://mirror.href.com/thestarman/asm/mbr/WIPE.html ) mentioning Gutmann and 'wiping drives' in general. Quite some time earlier, I'd exchanged e-mails with Prof. Gutmann himself in which he noted his dismay over what he referred to as those who applied his work like a "voodoo incantation" rather than correctly using his technical analysis. By the way, the conclusion one should reach after a proper understanding of his early work plus research into the modern advances in hard disk technology is that a single verifiable "wipe" is quite sufficient for the majority of users and even DoD (7 passes) might be considered overkill for sensitive data on recent hard disks. Three passes (of either 00h or FFh then the other, followed by your favorite 'wipe byte' like F6h) should suffice in my opinion for even paranoid users.


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Fri Jan 18, 2008 2:45 am 
Offline
Site Admin

Joined: Sun Feb 04, 2007 11:44 am
Posts: 5880
Epilogue shmepilogue. He was just covering. Bottom line: Wipe it once, the data is gone: PERIOD - end of story.

As a test, I'll wipe a drive once with a quick wipe (single pass), and I defy *anybody* to recover so much as a single file. I'd even offer a million dollar reward (if I had it). <g> Scott.

Bottom line: it simply *can't* be done, and come on people, stop being so gullible (and paranoid)... <g>


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Sun Jan 20, 2008 3:18 pm 
Offline

Joined: Sat Jun 30, 2007 10:36 am
Posts: 208
Quick and incomplete answer:

I accept Scott's position on DBAN erasure for all but the most serious of situations since he knows more than I do in this general area. For the most serious, the extra hours of erasure, during which you can walk away till done, is not much cost. Much of my other advice, severe as it is, only applies to serious cases, and the labor and other considerations it entails (recall that my advice included this: "Don't breathe.") will discourage most people from undertaking it unless their concerns are serious enough.

Among people accepting Peter Gutmann's premises, many will need to do the 35 passes because they likely will not know enough about their system to know which lesser number will suffice. His Epilogue does not address, or effectively reject, this point, nor that 35 is relatively easy to execute. Also relevant is that inability to recover a file (discussed above) does not preclude recovering a bit, thus serious erasure would need to be bit-level, not file-level, and DBAN's 35 provides that. I'm not equipped to take up Scott's challenge, but, for some people, whether I could recover content is not the measure, whether anyone could is. Scott might win but consider that the DoD standard for 7 was probably not 7 because 6 would reveal content, but as insurance. I've run the 35 on hard drives I've acquired used, because I don't want other people's content in my systems and doing the 35, for me, is annoying but not a killer, and I'm open to updates on the science.

I have read a variety of materials, including some at The Starman's site before Daniel's post above, and am planning to read more before coming to more up-to-date conclusions, which, if sufficiently distinct or appropriate as self-corrective, I plan to post; but I'm not in a rush, as I don't think a rush is warranted, because enough information is on the Web for people to make good enough decisions.

One of Peter Gutmann's central points, that consecutive passes recording the same bit value result in an intensity in the magnetic medium different from that when consecutive passes record alternating bit values has been in security literature I read in the 1980s and published by McGraw-Hill for professionals. He didn't invent the point in 1996. Perhaps McGraw-Hill's author, whose name I don't have (and I don't know wasn't Peter), also got it wrong, but I don't know. If I have time, I will try to find out if the point is essentially true nowadays, including as relevant to transition recording often used in hard drives (recording not 0s and 1s as such but transitions between them of change and no-change). On first impression, to me, it seems plausible. Therefore, I think the principle of underwrite recovery is within reach and has been, budgets permitting.

I accept that advances in drive technology have tightened the difficulties of recovery. Whether detection technology hasn't more or less kept up is a separate question. Perhaps also detection of underwrites is so enormously expensive as to be impracticable even for most governmental nuclear-bomb-defense purposes. Or it may be less costly but still too expensive even for a thief of credit card numbers.

Daniel, your advice about reading old articles and being overimpressed by the complexity of language is misplaced. In my post starting this topic I qualified my Draconian advice of 2007 thus: "but largely based on a 1996 publication, and I have no idea what newer technologies mean for this context." I read his Epilogue before your post and did not feel that it warranted updating this thread. If you feel my comments were based on my misunderstanding his language, please point to any example of my error, if there is one. To dispute my advice is not to say that I misunderstood Peter's language insofar as relevant.

I read his article because a recent version of DBAN gave me a clue that it may still be authority. That it is challenged does not turn it into dust. As I read the challenges, it is partly wrong in terms of subsequent developments or lack thereof, but it is not entirely wrong, and I'm not sure it was wrong at the time of its authorship or publication, even if it is today.

Daniel Feenberg's article for NBER essentially admits that some such data recovery is possible, but perhaps not consistently and at considerable expense, and argues that it isn't likely necessary to go to that extent. Those qualifiers are not always relevant. To say that no one has proof of the CIA, NSA, et al. ever recovering data this way proves little. Most national governments would hardly tell us. Surmising who would care about a given drive and guessing what resources they have and are willing to apply leads to a policy discussion, not a science discussion, and the policy is up to the drive's owner. As to whether Peter Gutmann drew supportable inferences from references, that referent authors had other intentions didn't always seem relevant to the supportability of the references. In that urban legend should be disregarded (the Internet being a new urb), I'm not sure any of the papers involved here are urban legend. In that points and inferences may be selected, especially given new developments in technology, these papers all may be offering valuable content.

Choose your grounds of attack. A critic making money from a product that reflects their critique is not always critical. Were it so, Windows and MacOS should be shunned, and so should Linux, with which consultants and CPU makers are making money. You'd be hard-pressed to identify a money-making product that isn't a response to a criticism of something. How are your abacus skills? We often correctly shun the claims of the financially interested in favor of independent expertise, but in some cases many supposedly independent experts turn out not to be independent, so that other ways of judging intellectual quality become necessary, and we use them. Be careful with attacking impurity of motivation, because, when both sides depend on trust, I wonder whether someone wants to attack the essential points of the possibility of recovery not because the science is bad (if bad) but because they want data to remain so some can be recovered (you may know of an analogous Federal effort to inject escrow-key (in)security nationally for both institutions and individuals, an effort that was rightly defeated in the 1990s). I don't think this is a field where attacking motivations makes much sense, and I suggest selecting attacks. Critique the science.

While we're focusing on hard drives, the discussions and Peter Gutmann's paper touched on floppies and RAM. I've relied on wiping floppies with magnets, enough to force reformatting, and reusing; arguably that's inconsistent unless demagnetizing is powerful enough beyond forcing reformatting. On RAM, we have Peter's paper, Scott's response, and the fact that RAM technology and system board technology have evolved; but there seems less interest in attacking Peter's points there, perhaps because RAM contents that survive are likelier to be recent and overwritable, so less problematic than with drives; I have lots of old RAM I don't intend to destroy. I also raised the possibility of a user or prior owner storing something the manufacturer never intended in BIOS, not just CMOS. I haven't seen that rebutted. I also assume that partial recovery from optical media is possible even if shredded, so that prevention would require grinding, burning, or some such. I have two flash thumbs I haven't been able to erase in Win or Linux or with magnets or a small electromagnet.

Most people, in my observation, do not do just anything they hear about. Even the most frustrated of computer haters I've met don't do just anything. How they come to trust an information source may be a mystery to others, but almost everyone is selective. As an example, perhaps you'd like to collect all the good information on the /MBR switch and publish it. You may then find that you omit something someone else considers good information, or include as good what others deem bad, an issue especially common when a feature is undocumented, and then you'll see the trust issue.

A recent law enforcement news story included a computer crime law enforcer hinting, but not explicitly saying, that they could recover erased data. A careful listening told me that they were using unerased (and possibly undeleted if not overwritten) portions of Windows to determine what had been erased or had been the (or a) former state of a drive's contents, and not necessarily that they could determine what the bit value had been at a certain spot on a hard drive platter after one or more deletions or overwrites. Law enforcers sometimes exaggerate, and people debate whether that practice is wise, but you can see why many people would legitimately believe such a recovery capability exists. Discouraging people from reading the Internet is damaging and regressive; clay tablets weren't much better. Stick to sound critiques.

--
Nick


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Sun Jan 20, 2008 10:04 pm 
Offline
Site Admin

Joined: Sun Feb 04, 2007 11:59 am
Posts: 429
Quick and incomplete?

I didn't even read it because it was so long.

Just take a hammer to the stuff and you'll be fine.

Nick, are you on the FBI's most wanted list? If so, you might need to worry about what's on your hard/floppy drives, if not, relax.

Mike.


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Tue Jan 22, 2008 6:57 pm 
Offline

Joined: Sat Jun 30, 2007 10:36 am
Posts: 208
Yeah, I have difficulty being concise in response to mashed-in charges and claims that are erroneous but would look reasonable to others at first glance. A response limited to something like "Wrong. Right. Wrong. Wrong." probably doesn't inform very well or help dialogue. Didn't mean to tax your patience, Mike. Thanx.

--
Nick


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Wed Jan 23, 2008 1:27 am 
Offline

Joined: Wed Jan 16, 2008 2:35 am
Posts: 53
Location: Los Angeles, CA
Scott,

If you handed me fairly recent hard disk to search after you truly wiped it; well, ... I wouldn't even bother trying! However, if I got to choose the disk drive myself, I'd ask someone who could manufacture an old MFM drive (the kind they had when they were only, say 10 MB in size) to share in my winnings from you! :wink: We wouldn't even need a magnifying glass let alone an ST electron microscope, because the head assemblies from that era (just like the old floppy drives) often left enough data on either side of the center of a track that with some manipulation (hardware and/or interface code) it could be possible to 'pick up' data that was never really completely overwritten. Later on, as hard disk technology advanced way past that of floppy drives, using much "tighter" tracks and better physical/electronic specs for head assemblies, it became impossible to simply 'tweak things' to pick up data that old drives were too 'sloppy' in overwriting.

But... and here's where I'll transition into writing to Nick too:


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Wed Jan 23, 2008 3:53 am 
Offline

Joined: Wed Jan 16, 2008 2:35 am
Posts: 53
Location: Los Angeles, CA
Nick,

First, there was much in my reply above that certainly wasn't intended to imply you specifically have a problem with old material on the Net. I was writing for a much broader audience here as well, which is why I also mentioned the "/mbr" switch. Likewise, I'm sure not everything you recently wrote, was only in reply to my words.

However, you do seem to have missed the main point of what I'd written: That much of Gutmann's analyses regarding hard disks (I'm not commenting on anything else at this time), dealt with drive technology that has been old for quite some time! Do you still use an RLL or MFM drive? Especially one in which each sector on the drive has exactly the same angular width; just as a simple floppy diskette does!? Of course not! And more importantly, the microscopic sized magnetic domains which represent binary bits are now far removed from the actual data they're used to encode; key word being encoded there. They no longer use the simple encoding patterns described by Gutmann, but very complex ECC algorithms (think along the lines of encryption software) in which seeing the magnetic remnants -- even if you had every different level of those bits digitized for analysis -- isn't going to help one bit if you don't know exactly how each portion was encoded. I think too many people who've used some disk editor software or were told something like 'and here are the actual hex bytes or binary bits of data on your disk,' get the impression that's really bit-by-bit how the data is still stored on it too, so think it couldn't be very difficult to make sense of any strings of bytes we could see on the platters. Of course, that's not true at all.

I'm dead tired... already won't get much sleep... will have to finish this some other time! Do you have any comments on the Sobey paper (which I recommend everyone at least try to understand just to see how complex modern hard disks really are)?


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Wed Jan 23, 2008 6:22 pm 
Offline
Site Admin

Joined: Sun Feb 04, 2007 11:44 am
Posts: 5880
In 1997 I received an email from Charles Coe, who was then the Lab Chief for the Air Force Office of Special Investigations (OSI) Forensic Media Analysis Lab. This lab was *the* benchmark in the Federal Law Enforcement community with regards to computer crime investigations, and became the official DOD Computer Forensics Lab (DCFL) http://www.dc3.mil/dcfl/dcfl.htm in 1998: http://www.fas.org/irp/news/1998/06/n19 ... 80954.html

The primary function of the DCFL is to recover, preserve, and present data off any type of magnetic media sent in for analysis. At the time, they were apparently using my "Guide to Data Recovery" book to help train new recruits, and they wanted to know if I had any copies left, as the book was out of print: viewtopic.php?p=1279#1279

In the ensuing correspondence Charles told me that if I was ever in the DC area, he'd be happy to give me a tour of the lab! While many invitations like this are rarely taken advantage of, in this case I *immediately* accepted the offer as I had a seminar scheduled in the area in just a few weeks time.

On the day of the visit, I finished teaching class, hurried up to my room to clean up a bit, then I got the call that there were two uniformed OSI Special Agents in the hotel lobby to meet me. As I sat in the back of the military issue Ford Taurus they were driving, they handed me a blind fold, and said "This is for your protection." (just kidding) <g>

The lab tour was fascinating to say the least, they had an enormous inventory of different types of PCs, disk controllers, and especially drives. In fact they had one or more examples of just about every hard drive ever sold, as they often need to cannibalize duplicate make/model drives for parts to facilitate a recovery.

I even got to meet one of the agents who worked on creating the floppy disk splicing technique that helped solve a famous murder case: http://www.csoonline.com/article/219226 ... f-evidence

He showed me the equipment they used as well as pieces of a disk they were splicing together at the time. It was there that I first learned about using Magnetic Developer, which I immediately started using in classes to show actual magnetic tracks on a disk: http://www.sprague-magnetics.com/library/sprgmag.pdf

There's a picture of a disk that I sprayed with developer in the 18th ed. of Upgrading and Repairing PCs (Fig. 8.12 on p. 656), where you can literally see the tracks and sectors exposed on the disk:

Image

During the course of the tour, there was one kind of funny incident. As we strolled up to one of the stations where an agent was working, I saw that he was examining disk sectors in raw hex mode using the Norton Diskedit tool: http://mirror.href.com/thestarman/DOS/bd98/SD1.htm

By glancing at his screen I could tell he was looking at the MBR (Master Boot Record, at Cyl 0, Head 0, Sector 1) of a drive, and that the code on the screen was *not* normal MBR code, but was in fact the first part of the infamous "Ripper" virus!

So I said: "Interesting, I see that this system is infected with the Ripper virus", whereupon they all looked at me kinda funny. The agent working on the system said "That's correct, but how did you know that?" I said "By reading this code", and pointed to the MBR code on the screen. They told me that they were astounded that I knew not only that it was a virus, but exactly which one, just by reading the code! I think one of them even said "we are not worthy" (ala Wayne's World), or something to that effect. <g>

Honestly though, the feat was more luck than skill. I had encountered Ripper on several client systems around that time, and had added it to my virus collection for study (I save a copy of every virus I encounter in the field). In fact the Ripper virus was one that I regularly trotted out in my seminars as an example, so much so that I literally knew the code by plain sight. But of course I wasn't about to tell them that, better to remain a legend instead. <g>

For the curious out there, an MBR infected with the Ripper virus looks like this:

Image

Those of you familiar with MBRs will note the standard signature bytes (55 AA) at 1FE, as well as the first partition table entry located at 1BE through 1CD, which will vary depending on the size, type and location of the partition. The code from 000 through 177 is the first part of the Ripper virus.

On a hard disk infected with Ripper, Cyl 0, Hd 0, Sec 1 (MBR) contains the main virus code. The virus continues in sector 0,0,8 and saves a copy of the original MBR in 0,0,9. I would initially recognize an MBR infection by running the MEM command, and noticing the Base system memory reduced by 2K. Once a system was infected, the stealth properties could prevent any virus detection program from seeing or reporting it. The only way to actually see (and eliminate) it was to cold start the system from a clean floppy or bootable CD.

I liked to demonstrate Ripper in my classes because it was one of the nastiest MBR viruses of all time. It was not only a "stealth" virus that was undetectable (while running), but it was especially malicious as it would slowly corrupt the files and volumes on the system: http://www.f-secure.com/v-descs/ripper.shtml

Ok, now I'm off on a tangent here. What's the point of all this?

My point is this: I *know* that with all of their skill and equipment, even the DCFL can't recover data from a hard disk that has been *overwritten*. Even if it has been overwritten just once, regardless of whether it is an older or newer HDD. Oh, and if the media in question has been burned (as in a fire or with a blowtorch), then they can't recover anything from that either.

And if *they* can't do it, nobody can... Remanence shmemanence <g> Scott.


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Thu Jan 24, 2008 1:31 am 
Offline

Joined: Sat Sep 22, 2007 9:33 pm
Posts: 52
Location: Brisbane, Australia
LOL

Thats my boy!!!

There are many reasons I trust Scott over many others and this is just another example.

I take it this thread is done now <g> ?

Regards,
Rod


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Thu Jan 24, 2008 6:26 pm 
Offline

Joined: Sat Jun 30, 2007 10:36 am
Posts: 208
Chuck Sobey's white paper, referenced above, supports underwrite recovery despite one wipe, provided you use some other equipment to do the recovery, i.e., provided someone cracks open the drive and goes to town with the platters. His paper discusses recovery from track shoulders (he says "in between tracks", p. 20) resulting from two writes not being exactly coincident. This method, using magnetic force microscopy, is far too costly for most customers and most criminal investigations and is slow, taking about a minute to image roughly 8 transitions (akin to a little short of a byte), multiplied by the drive's size, before multi-step analysis.

Citation: Recovering Unrecoverable Data: The Need for Drive-Independent Data Recovery, by Charles H. Sobey (Plano, Tex.: ChannelScience (ChannelScience White Paper (commissioned by ActionFront Data Recovery Labs)), April 14, 2004), http://www.actionfront.com/whitepaper/D ... 14Alrs.pdf as accessed Dec. 29, 2007.

His discussion is mostly limited to commercially viable recoveries, where the commercial limitations are the low price of replacement drives, institutional reliance on backups and mirrors, and competition in the industry against firms that consider recovery to be restoration from backups and against wildly variable recovery rates because abilities depend on stockpiling same-model drives for parts replacement and other techniques. He contrasts commercially viable recovery to high-value recoveries (p. 18). He refers more than once to recovery of home hard drives for, e.g., family photo collections. I interpret that as talking about recovery fees of no more than a few hundred dollars per drive.

Recovering from a shoulder is different from what I and Peter Gutmann had earlier envisioned: recovering an underwrite in the same locus. Chuck's paper doesn't discuss that.

Daniel, you're right that I wrote for several readers. I did acknowledge that Peter wrote about "drive technology that has been old for quite some time" (your words) when I wrote twice that "I have no idea what newer technologies mean for this context." I also acknowledged that recording is often not in the form of 0s and 1s when I wrote of "recording . . . transitions between them of change and no-change". I'm not sure the validity of his points depend on angular width being equal for all tracks, so I'm not sure that's relevant; I would think you could recover from a variety of loci and then determine how those loci fit into various schema of sides, tracks, and sectors (allowing for varying numbers of sectors per track, including a constant) and then how those sectors relate to possible files to establish the informational sequence the bits represent.

I have old hard drives. I recycle used stuff. I don't know what recording methods they use, although I probably could look them up. The drive in my Win95a tower likely dates from the 1990s. I have at least 1 retired Macintosh SE with a 20MiB drive, solar-system-sized in its day, restorable to service should I need it. Your point about old drives recording and erasing sloppily would seem applicable to new drives. Old drives were susceptible to gravitational effects on read-write arms of vertical vs. horizontal drive mounting that could risk data loss; perhaps new ones are hardly but I don't know. But the more general point would seem as true today as decades ago, just within a tighter tolerance. Head placement can never be assured precise in the sense a physics theoretician might envision; it has to be within a tolerance defined in engineering. Thus, a head may be sent to a given distance plus or minus a tolerance in order to write, then come back to read or write, and because of tolerance not return to the exact same place but to the place plus or minus a tolerance. So I'm unclear why a R/W system designed for recovery couldn't work to a tighter-than-production tolerance in order to read track edges and thus recover what was erased except at the edges. If today's newest production drives already use the tightest tolerances technologically possible, then we may have to wait for tolerances to improve to make a recovery device tighter than today's production standards, but history says waiting will be fruitful (the size of a bit "may be millions of atoms" (p. 24), suggesting there's room for future tolerance improvements); and I'd be skeptical that manufacturing processes for making ten thousand or a million new hard drives will use tolerances quite as tight as can be applied to a manufacturing run of ten or one for recovery equipment.

I also doubt that differences between RLL, ECC, and so on are all that critical. Any system used on a drive has to be understood outside the drive; and I doubt that every board is sending a unique password to the drive for use in decoding drive contents (assuming no drive-level encryption of files) (the password being key to encryptors creating unique ciphertexts from identical plaintexts with identical cipher types). I've moved a drive from one system board to another, not even the same brand, and dependence on unique passwords should have made the OS unbootable and files unreadable unless I could move the password, and the only way I could've done that is if the password was stored in the drive, which means recovery operators would have access to it as well (if passwords are in boards but are board-brand-independent, they likely are industry standards also available to recovery specialists). Magnetic media will still store data in discrete loci as norths and souths, that being what magnetism is about, even if norths and souths no longer correlate with bit values; I think how what's stored would be translated from raw readouts through recording methods in use into bytes would only require having expertise already available. If a recoverer doesn't know which recording method is in use, probably testing each mothod in turn will eventually reveal an intelligible result, thus pointing to the method to be used for the rest of the drive being analyzed. This is somewhat like not knowing which cipher was used for a message; each has telltale signs, and testing often reveals intelligible content, from which the cipher can be determined. True, people may think hex editors show what's on a platter's surface when it doesn't; ditto for binary translations of hex; but that has little to do with recovery success or failure. If norths and souths (and, more germanely, past norths and souths) can be recovered from known loci, that information can probably be translated into bits toward building what hex editors would show, thence into files or former files or parts thereof. That it'll be expensive is beside the point.

Thanx.

--
Nick


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Thu Jan 24, 2008 7:46 pm 
Offline
Site Admin

Joined: Sun Feb 04, 2007 11:44 am
Posts: 5880
Bottom line: in the *real* world (i.e. planet Earth, in the Sol system, part of the Milky Way Galaxy...), even in the most advanced government "spook" shops (i.e. DCFL) with practically (if not totally) unlimited funding, it isn't happening. One overwrite is not only "sufficient", it is an absolute guarantee.

Only data (sectors) that are *not* overwritten can be recovered, period. While there are those who pontificate about other possibilities (FUD = job security <g>), not one real world example (i.e. recovery of even one complete overwritten sector out of billions on a single drive) has been demonstrated. What makes recovery possible is that as a rule people don't insure that the data they are trying to "erase" is actually overwritten at all, not even once.

If a drive is no longer capable of overwriting (i.e. one that has data on it, but which now no longer works due to head, actuator, or logic board failure), and you want to insure that some spook shop can't remove the platters and read them in an otherwise identical (but fully functional) drive, then all you have to do is *burn* the platters (as in with a blowtorch), then it's "case closed."

And what's this about recovering a "bit"? I mean all you have to do is guess what it is and you'd be right 50% of the time. <g> Means nothing in the real world though... Scott.


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Fri Jan 25, 2008 12:38 am 
Offline
Site Admin

Joined: Sun Feb 04, 2007 11:59 am
Posts: 429
Scott,

You know nothing! Even if you've overwritten the drive 3,700 times, I can still read it. My old man is a television repairman, he's got this ultimate set of tools. I can fix it. <g>

Mike.


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Sat Jan 26, 2008 11:06 am 
Offline

Joined: Sat Jun 30, 2007 10:36 am
Posts: 208
Bit recovery was referred to in distinguishing from file or sector recovery, because different methods might apply to recovery. Sectors may have error-correction data left and files might have structures left, and both can be content clues unavailable with bit recovery alone unless enough bits are recovered. And guessing bit values becomes quickly less useful the more bits you try to guess: guessing one byte without error correction is likely right less than half of one percent of the time.

Best wishes.

--
Nick


Top 
 Profile  
Reply with quote  
 Post subject:
 Post Posted: Sat Jan 26, 2008 3:44 pm 
Offline
Site Admin

Joined: Sun Feb 04, 2007 11:59 am
Posts: 429
Words... words... more words... I'm tired of words... I hope they stop.


Top 
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
 
Post new topic Reply to topic  [ 16 posts ] 

Board index » Upgrading and Repairing Forum » Desktop PC Hardware


Who is online

Users browsing this forum: No registered users and 2 guests

 
 

 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to: