nvmd i think i found my answer,, can delete if you want
Don't use the HDD............not ever...............nohow............noway............nowhen...........
Now, you need a backup.............
Please explain the situation for your question............or just use some C4
I can tell you how to recover stuff, but it might take a bit of effort.......I can also tell you how to destroy it.............
"encase"................. well you are entitled to your sense of humour I suppose?
It all depends how well it was wiped in the first instance?...................... (but you won't turn a sow's (pig's) ear into a silk purse ;))
And very much on how much they are prepared to pay to get ya :D
I'm really curious and somewhat shocked after I did a little search about this topic. I knew it was somehow possible to retrieve some deleted files, but I didn't know you can bring them back completely even after you formatted your hard drive.
Do you need additional software to "permanently, as in wipe from the world forever" delete files from your computer, or can you do it by hand?
Quote: Originally Posted by Unimatrix 2
I find a six pound sledge hammer the best.
:D
Cheers:
Quote: Originally Posted by DjM
Or, you can try out DBAN.
http://dban.sourceforge.net
((note: not complaining, just informing you))
FYI, it is considered bad form to start a thread, then edit the original information out of the original topic; much better to reply with your "nevermind, I found a solution" to the thread. In fact, part of being a member of a forum kind of suggests one would post their findings if they had any, so others in the future who may have related problems can learn from your experience.
Just so you know. :)
Hi zen~
I can't remember the original question, but it was something like "can overwritten data be recovered?"
The answer is "yes, but not easily"
It depends on whether it really was overwritten with something else. If it was, then normal software won't do it............. otherwise your computer wouldn't work?
Encase is an evidence collection tool........... not a data recovery one :D
There are lots of considerations. The bottom line, though, is that data overwritten is pretty much unrecoverable by ANY means, episodes of "NCIS" notwithstanding.
The trick is to actually overwrite it. There are some very good tools out there (e.g. DBAN, Eraser) that will do this. As far as I know, only the Host Protected Area on a disk is beyond such overwriting. A normal format, even a low-level one, might not do the job.
There have been rumors of more exotic methods of data recovery post-overwriting (they involve imaging the platters with scanning microscopes and/or analyzing the raw signal output from the read heads), but actual attempts to do this by researchers have usually only succeeded under some pretty strict assumptions, such as already knowing the data to be recovered, knowing the overwrite pattern and only one overwrite pass.
Whenever I want to start fresh on a drive or take it out of commission permanently, I always start with DBAN.
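The distinction drawn in the posts above, between clearing the file table and actually overwriting the data, can be checked on a disk image. The following Python sketch is an added example, not code from any poster or from DBAN or Eraser; the image layout, the marker string and the function names are constructed for illustration.

```python
import os
import tempfile

SECTOR = 512
MARKER = b"CONSTRUCTED-SECRET-RECORD"  # constructed sample data, not from the thread

def find_marker(path, marker, chunk=1 << 20):
    """Return byte offsets at which `marker` can still be read from the image."""
    hits, base, tail = [], 0, b""
    with open(path, "rb") as f:
        while block := f.read(chunk):
            buf = tail + block
            start = 0
            while (i := buf.find(marker, start)) != -1:
                hits.append(base - len(tail) + i)
                start = i + 1
            # keep an overlap so a marker split across two chunks is still found
            tail = buf[-(len(marker) - 1):] if len(marker) > 1 else b""
            base += len(block)
    return hits

def quick_format(path):
    """Stand-in for a quick format: clear only sector 0 (the toy file table)."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * SECTOR)

def overwrite(path, passes=1, chunk=1 << 20):
    """Overwrite every byte of the image with pseudo-random data, in place."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            left = size
            while left:
                n = min(chunk, left)
                f.write(os.urandom(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the medium before the next

def demo():
    """Return (offsets found after quick format, offsets found after overwrite)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        with open(img, "wb") as f:
            f.write(b"TABLE".ljust(SECTOR, b"\x00"))   # sector 0: toy file table
            f.write(b"\x00" * (9 * SECTOR))             # sectors 1-9: empty
            f.write(MARKER.ljust(SECTOR, b"\x00"))      # sector 10: the "file"
        quick_format(img)
        after_format = find_marker(img, MARKER)
        overwrite(img)
        return after_format, find_marker(img, MARKER)

if __name__ == "__main__":
    print(demo())
```

The scan sees only what the operating system can read back, so reallocated bad sectors and the Host Protected Area discussed in this thread are outside its view.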
Well, over written data can be recovered with special hardware. Most easily if you know what it was over written with. For example say a 0 on a hard drive all the particles are aligned - and a 1 is |. If you over write all data on a drive with a single pass of just 0s, most of the particles will be -, however just a few will be | still where the 1s were. Get sensitive enough equipment and you can detect that.
Quote: Originally Posted by Aardpsymon
Theoretically, it's possible. But again, when researchers have actually tried to do it, the signal is buried in the noise--more sensitivity doesn't help.
Usually, what's done is to attach the raw analog signal output from the read heads to a spectrum analyzer or oscilloscope (or similar test equipment). If you do that, you can see the old data if there's only been one overwrite pass. Of course, you have to read the same area 100 times to get the noise low enough to see the signal, the old data has to be a repeating pattern, and again, you have to know the overwrite pattern (always use a pseudo-random overwrite pattern!). And after more than one overwrite pass, the signal disappears, no matter what crutches you may have for finding it.
Here's a great example:
http://www.tomcoughlin.com/Techpaper...,%20042502.pdf
This is one of those things that's often been rumored, but never demonstrated in practice. Everyone who has tried to find someone who can actually recover data in this way has come up disappointed, and most conclude it's an urban legend.
The government, out of an abundance of caution, recommends overwriting with multiple passes. If that makes you more comfortable, do that.
The odd few times I've chucked out hardware with critical data I do just go for the hammer option. For normal use I don't bother either way. I mean, if someone has hacked in my computer enough to run an undelete program my deleted files are probably the least of my worries.
Quote: Originally Posted by Aardpsymon
Very true. And for the most part, even if overwritten data can be recovered, it's not likely that anyone will face that sort of thing. There are probably other, less expensive ways to get the data in the first place.
To answer the initial question: no, software methods cannot recover overwritten data (meaning data that's been physically overwritten or wiped on a hard drive), unless there's a copy of it somewhere else.
Yes, over written data can be recovered even after it's been deleted, formatted and written back over again. There is software out there that can reconstruct a file by what bits are recovered of the hard drive, that is if there is enough of them. The other way data is recovered is by removing the plates and then read with some other high dollar machine. The Government has software that will format the drive and write to it like 7 times, first with all 1s and then with all 0s. That way the disk has been completely written over.
Hmmmm,
One thing to remember is that Peter Gutmann's thesis was written some 10 years ago. Modern drives are different............higher density, more accurate and so on.
Suffice it to say that there is no software solution to recovering overwritten data. This seems fairly obvious or how would your system determine which was the current data image?
You do need hardware to "read" the media and specialised software to interpret the results and attempt a reconstruction.
There are two basic methodologies:
1. Magnetic Remanence
This works on the principle that different patterns of 0 and 1 will result in slightly different magnetic values. The problem is that the more a drive has been used and the more it is overwritten, the more subtle these differences will become, and the harder to detect.
The situation is further complicated by not knowing the overwriting sequence or which "layer" you are interested in.
2. Track Overlay
This is based on the principle that the heads don't write to exactly the same place on each "pass" so some residual data remains at the edges. Once again the greater the number of overwriting passes, the more difficult it is to recover anything useful.
Where people make mistakes is in not properly overwriting the drive and trying to preserve the installed operating system and applications. They also forget that the HDD has cache memory and that there is a page/swap file;)
Removing the platters is pretty much a one off thing. Not only is the machine highly expensive but the exposure from removing them rapidly ruins them. Once they are removed it's read once then bin because they will never be read again.
Absolutely!
You need a "clean room", the right equipment and people who know how to use it.
It is also a very laborious and time consuming process............which translates as very expensive :)
Quote: Originally Posted by nihil
All true. It's also true that, though Gutmann described theoretical methods of recovering overwritten data, to date no one has actually demonstrated the practical ability to do so. There are no data recovery companies that do this (though there'd be big money in it for any that did), and researchers attempting it have had to use some pretty major crutches to recover data overwritten by even one pass.
People who have tried to find someone who can actually recover overwritten data have invariably come up empty-handed, and most have concluded that it's an urban legend.
Quote:
There are two basic methodologies:
1. Magnetic Remanence
This works on the principle that different patterns of 0 and 1 will result in slightly different magnetic values. The problem is that the more a drive has been used and the more it is overwritten, the more subtle these differences will become, and the harder to detect.
The situation is further complicated by not knowing the overwriting sequence or which "layer" you are interested in.

"Subtle" is a good word for it. The biggest problem with this methodology is that the signal is never clean -- there's random electrical noise both in all the written data (the write heads have noise in their signal when originally laying down data) and in the read pick-up heads.
After only one overwrite pass, the signal from old data is reduced 50-60 dB. That's a very large loss. To detect such faint, in-the-noise signals, you have to re-read the same disk area again and again -- perhaps 100 times (anyone who's ever overwritten a large modern disk multiple times knows how long that could take). You also have to know the overwrite pattern and the original data you're looking for.
After two overwrite passes, there simply isn't any signal that can be discerned out of the noise.
Quote:
2. Track Overlay
This is based on the principle that the heads don't write to exactly the same place on each "pass" so some residual data remains at the edges. Once again the greater the number of overwriting passes, the more difficult it is to recover anything useful.

It's also been noted that actual investigations find most of the track-edge signal is actually switching noise from the write heads (from the overwritten and overwriting data), not the data you're looking for.
Anything's possible -- maybe there's some secret technology out there that can recover such data. But my experience in microelectronics fabrication and test methods leads me to believe it's probably not feasible, given the research that has been published so far.
Quote:
Where people make mistakes is in not properly overwriting the drive and trying to preserve the installed operating system and applications. They also forget that the HDD has cache memory and that there is a page/swap file;)

VERY, VERY true. The single biggest problem with overwriting data is missing copies of it. Those copies could be in the page file, in temporary files (both current and deleted), in the filesystem journal file if that's the kind of filesystem you're using, etc.
It's also important to note that overwriting programs, DBAN included, can't overwrite bad sectors that have been re-allocated. If your drive is showing bad sector errors, it's probably a good idea to trash it anyway and get a new one.
Quote: Originally Posted by Ghost_25inf
This simply isn't true. As Nihil noted, if it were true, disks would produce errors all the time, as they'd not be able to tell what data is current and which is old.
The normal hard drive reading process requires about 19 dB signal-to-noise ratio. A single overwrite pass reduces the signal from the old data by more than 50 dB -- up to perhaps 1000 times weaker than the drive electronics can process. Software recovery of overwritten data is just not possible.
Quote:
The other way data is recovered is by removing the plates and then read with some other high dollar machine. The Government has software that will format the drive and write to it like 7 times, first with all 1s and then with all 0s. That way the disk has been completely written over.

You want to know what software the government uses to clear hard drives?
Among others: DBAN.
I think we might have a little confusion creeping in here between:
1. Recovering the underlying data from an overwritten drive.
2. Recovering data.
People I have spoken to from data recovery outfits will gleefully have a go at #2, but #1 is beyond them.
To recover the data they first see if they can repair the drive. If not they try to read the platters with special heads and equipment, and if that doesn't work they will try scanning electron microscopy (if you will pay for it :eek:)
Obviously, this is a completely different situation, as you are only interested in the top layer, or "current" data.
The only thing that software tools are really useful for is recovering data from corrupted drives.
:)
EDIT: this is an interesting link on the subject
http://www.nber.org/sys-admin/overwr...a-guttman.html
Quote: Originally Posted by nihil
I agree, it's important to keep definitions in mind when talking about this topic.
Deleted data and other stray data on hard drives is recovered all the time -- this is one of the ways computer security professionals do their jobs. Software recovery tools (including forensic tools like Encase) are designed to do this.
As long as the platter surface is largely undamaged, data recovery outfits can remove the platters in a clean-room setting and mount them with new read heads and electronics. Very involved, but if your data is priceless, it can be done.
Overwritten data, by contrast, is data in an area of the hard drive that has been physically rewritten with new data. The magnetic domains on the disk surface have been remagnetized by the hard drive write heads and now store new data. For all intents and purposes, the old data is pretty much gone (barring some highly secret methods that aren't in the public domain).
That NBER paper is very good. It looks like he hasn't updated it in a couple of years, but I suspect his conclusions are still right (otherwise, there wouldn't still be a debate about it!).
Quote: Originally Posted by kythe
Well, that is why there is a FAT table; this directs the computer where to see the data. So when people do quick formats all that is deleted is the FAT table; the data is still there but the directory isn't. Until the data is completely written over it can still be seen. I'm not an expert at hard drives but I do remember what I was taught back in my college days.
I also understand it that even after a full format the magnetic charge only formats to all zeros and if the magnetic charge isn't at full charge there would still be evidence of the ones, making it somewhat readable. True, this may be very old information and hard drives have changed but I thought it was worth noting.
Quote: Originally Posted by Ghost_25inf
I think Nihil had it right: we crossed definitions of "deleted" with "overwriting". A quick format, indeed, leaves the data itself intact and it can be recovered. My apologies for jumping all over you about it.
Ghost~ I am afraid that you have misunderstood me. When I said that
Quote:
they'd not be able to tell what data is current and which is old.

I meant in terms of chronological order or "layers" on the platters. Not which data was "live" and which had been flagged as deleted :) Obviously, if the new data doesn't overwrite the old with a much stronger magnetic image the machine will have serious problems reading it.
Formatting is a different issue. It is true that a quick format will leave all the file contents on the drive. These could then be extracted with a data recovery program.
AFAIK, the "full format" is only available in Windows Vista, and will fill the drive with 0s. This would be virtually impossible to recover if the drive has been in use for some time as they would be overlaid over several previous "layers"
In other versions of Windows I believe that the only difference is that the regular format will also check the drive for bad sectors.
Incidentally, Encase is not a data recovery tool, it is an evidence gathering one. If you overwrite the drive thoroughly with even one pass, it is totally useless ;)
In terms of being physically able to read the disk it IS very possible to read data that has been over written. The trouble is translating it back into data. Reading edges of tracks or particles that were "missed" in the overwrites is definitely possible. However, unless you started with a brand new drive in perfect condition, wrote some data to it then wrote over it with nothing but 0s the problem of extracting the actual data becomes completely impractical.
Yes, I believe that is what kythe told us. The proof of concept experiments were in a very controlled and artificial environment?
In the real World life is rather different. I am sure many can recall the incident a while back where the Alaska Department of Revenue "lost" the records pertaining to a $38 billion fund?
Their system was having problems due to corrupt data in the storage array and the perceived solution was to reformat and reload the data.
It would seem that this process included writing 0s to the drives, which makes sense, as that would remove the danger of an application subsequently reading the corrupt data and giving an error?
Unfortunately, the technician also formatted the backup drives as well :eek:
The data was irrecoverable, and the ADR had to spend some $250,000 in getting it re-entered manually.
This raises some additional questions IMO:
1. How would you reconstruct an overwritten striped RAID array?
2. How would you reconstruct overwritten compressed data?
3. How would you reconstruct overwritten encrypted data?
4. How would you determine and reconstruct different file types?......... for example, Alaska were using scanned PDF image files :confused:
Just a few thoughts...................:)
It's like that other CSI computer fallacy. You know, where they take the low quality CCTV tape, run it through an enhancement algorithm and read the numberplate on a car 3 miles away.