-
May 8th, 2006, 08:55 PM
#11
Junior Member
Originally posted here by gore
That's not fool proof.
You are correct, according to this :
http://en.wikipedia.org/wiki/Gutmann_method
However, I've read that formatting a drive isn't foolproof either.
-
May 8th, 2006, 09:06 PM
#12
NIST states that seven passes is sufficient to prevent recovery of residual data.
Note that while it is rare, I have seen cases where even this has not been enough.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
May 8th, 2006, 09:35 PM
#13
And I've seen a bullet go through a HD and Data recovered from it.
-
May 8th, 2006, 09:43 PM
#14
Try BC Wipe. It'll do Guttman wipes (35x) but it takes forever. It has one nice feature: you can encrypt your swap file. I wouldn't swear by the effectiveness of wiping software though.
The only sure way to foil a forensic recovery is...clean living.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
May 8th, 2006, 09:45 PM
#15
Well, our data center, as part of their removable media destruction policy, melt down the HD platters. As long as our procedure is followed, there is zero chance of recovery.
Note that this is done on HDs that held data at a specific classification level. No one is melting down HDs that came in from kiosks, etc.
--Th13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
May 8th, 2006, 09:52 PM
#16
Member
Okay...all this 'wiping' and 'erasing' is making me a little nervous.
Mainly I just wanted to know if my friend could find his old deleted emails without paying some computer guy a small fortune. If this isn't something he can easily do without the wipe and erase method, please tell me because I already told him it couldn't be done at all. Sounds like from you guys I'm definitely wrong about that. Dalek sent me this link to an interesting spot where you can find the dat files, but you can't read any deleted emails from what I could find on my own computer. So still kind of confused on exactly what this computer guy thinks he might be able to find.
I do find the wiping and erasing threads interesting...I looked at eraser and it sounds like you can erase only some parts you want without erasing the whole hard drive. Now THAT sounded interesting! Is the same true with the 'wiping' program? Or would that entail wiping the entire hard drive?
-
May 8th, 2006, 09:56 PM
#17
Oh it most certainly can be done and as thehorse13 mentioned, it is trivial. Not to indicate that I am simple , but I thought I'd go ahead and explain the basic file deletion process.
When someone retrieves a precious file that we may have inadvertently deleted, we are probably going to be impressed or at least thankful. Regardless, Windows file deletion/recovery is not magic, so that doesn't make them 'uber'. Since we are already aware that we can restore files that are placed in the Recycle Bin, this is Post-Recycle Bin.
I believe the first thing we need to know is that after we delete a file and it is placed into the Recycle Bin, if we then empty the Bin or delete the individual file(s) while it is in the Recycle Bin, the Windows OS (95 thru XP) does not have a feature to recover the file. It's probably safe to assume that they have already given us ample opportunities and warnings to prevent non-deliberate file deletion.
In this particular case, to recover the file(s) third party software will be required. There are many out there so I'm not going to specifically list any. However, as a caution I would use one that can be employed from a CD vice downloading one. The reason will be more apparent soon, but obviously we don't want to overwrite a file you are attempting to recover. The exception being if the recovery program was already installed on the hard disk before you deleted the file(s).
Since files can be recovered obviously they are not really deleted. What does happen to them is this. The logical path (the reference) to the file and the file name is changed and the original path and filename is tucked away into another file. With the reference to that particular disk space removed, the operating system may now assign another file or data to that space. Thus the overwriting of the original data may commence. The extent the file is overwritten will determine what file fragments can be recovered. Even with fragments you may (Law Enforcement can) reconstruct the file.
So where is the original reference and file name? There are hidden In the Recycled Directory. To locate the specific folder ("INFO" or "INFO2" for XP), obtain a Command Prompt and change directories to the RECYCLED Directory.
Start > All Programs > Accessories > Command Prompt
or
Start > Run > type in "cmd.exe" and hit enter.
At the Command Prompt, type in CD \RECYCLED and then press enter. It should look like:
C:\RECYCLED>
To make the file visible type in: ATTRIB -H INF* and press enter. Then type in: DIR and press enter. The file "INFO" or "INFO2" should now be visible. That's where they are stored! Within that same directory you will also notice any files names that are currently listed in the Recycle Bin but have not been "emptied" or "deleted". Before you exit, to restore the original attributes to the file type: ATTRIB +H INF* and press enter.
That's as far as we can go since the info in that file is only the original path and filename. This is where the third party software takes over. It will restore the path and filename to the specific location of the file data on the hard drive.
cheers
Connection refused, try again later.
-
May 8th, 2006, 09:59 PM
#18
I use Hotmail and always via a webbrowser, so the emails never make it to my harddrive except a temporary internet files. You're going to have a lot of data to sort out recovering those. If he was running his Hotmail thru a client like Outlook Express it'd be a bit easier.
My guess is the computer guy is going to find out which pocket your friend keeps his wallet in...
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
May 17th, 2006, 02:37 PM
#19
Member
Hey Relyt,
I triedn those dos commands you gave me, got to the recycled dir then typed in the attrib -h inf* command and got nothing. Am I doing something wrong or is there nothing recoverable on my harddrive?
-
May 17th, 2006, 02:41 PM
#20
Originally posted here by gore
There is a chance he's right. When you log into hotmail it puts a cookie on your computer. I have apps here that allow me to find images I've viewed online months ago and if he has data recovery tools, he'd be able to find them long after they have been deleted.
This is how Hackers sometimes get caught.They delete the files they took, but unless you overwrite that part of your HD like 50 times, someone can still dig it up long after it's been deleted.
However, if the attacker gets into a descent server, it should have raid hard drives and backup images............right? *trying to think logically*
there's always a way in...
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|