Recovering overwritten data - can software alone do it? - Page 3
Page 3 of 3 FirstFirst 123
Results 21 to 26 of 26

Thread: Recovering overwritten data - can software alone do it?

  1. #21
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    Quote Originally Posted by kythe
    This simply isn't true. As Nihil noted, if it were true, disks would produce errors all the time, as they'd not be able to tell what data is current and which is old.

    Among others: DBAN.
    Well that is why there is a fat table this directs the computer where to see the data. So when people do quick formats all that is deleted is the fat table the data is still there but the directory isnt, until the data is completely written over it can still be seen. Im not an expert at hard drives but I do remember what I was taught back in my college days.

    I also understand it that even after a full format the magnetic charge only formats to all zeros and if the magnetic charge isnt at full charge there would still be evedence of the ones, making it somewhat readable. True this may be very old information and hard drives have changed but I thought it was worth noting.
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  2. #22
    Member
    Join Date
    May 2005
    Posts
    30
    Quote Originally Posted by Ghost_25inf
    Well that is why there is a fat table this directs the computer where to see the data. So when people do quick formats all that is deleted is the fat table the data is still there but the directory isnt, until the data is completely written over it can still be seen. Im not an expert at hard drives but I do remember what I was taught back in my college days.

    I also understand it that even after a full format the magnetic charge only formats to all zeros and if the magnetic charge isnt at full charge there would still be evedence of the ones, making it somewhat readable. True this may be very old information and hard drives have changed but I thought it was worth noting.
    I think Nihil had it right: we crossed definitions of "deleted" with "overwriting". A quick format, indeed, leaves the data itself intact and it can be recovered. My apologies for jumping all over you about it.

  3. #23
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Ghost~ I am afraid that you have misunderstood me. When I said that

    they'd not be able to tell what data is current and which is old.
    I meant in terms of chronological order or "layers" on the platters. Not which data was "live" and which had been flagged as deleted Obviously, if the new data doesn't overwrite the old with a much stronger magnetic image the machine will have serious problems reading it.

    Formatting is a different issue. It is true that a quick format will leave all the file contents on the drive. These could then be extracted with a data recovery program.

    AFAIK, the "full format" is only available in Windows Vista, and will fill the drive with 0s. This would be virtually impossible to recover if the drive has been in use for some time as they would be overlaid over several previous "layers"

    In other versions of Windows I believe that the only difference is that the regular format will also check the drive for bad sectors.

    Incidentally, Encase is not a data recovery tool, it is an evidence gathering one. If you overwrite the drive thoroughly with even one pass, it is totally useless


    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #24
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    in terms of being physically able to read the disk it IS very possible to read data that has been over written. The trouble is translating it back into data. Reading edges of tracks or particles that were "missed" in the overwrites is definitely possible. However, unless you started with a brand new drive in perfect condition, wrote some data to it then wrote over it with nothing but 0s the problem of extracting the actual data becomes completely impractical.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  5. #25
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Yes, I believe that is what kythe told us. The proof of concept experiments were in a very controlled and artificial environment?

    In the real World life is rather different. I am sure many can recall the incident a while back where the Alaska Department of Revenue "lost" the records pertaining to a $38 billion fund?

    Their system was having problems due to corrupt data in the storage array and the perceived solution was to reformat and reload the data.

    It would seem that this process included writing 0s to the drives, which makes sense, as that would remove the danger of an application subsequently reading the corrupt data and giving an error?

    Unfortunately, the technician also formatted the backup drives as well

    The data was irrecoverable, and the ADR had to spend some $250,000 in getting it re-entered manually.

    This raises some additional questions IMO:

    1. How would you reconstruct an overwritten striped RAID array?
    2. How would you reconstruct overwritten compressed data?
    3. How would you reconstruct overwritten encrypted data?
    4. How would you determine and reconstruct different file types?......... for example, Alaska were using scanned PDF image files

    Just a few thoughts...................
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #26
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    Its like that other CSI computer fallacy. You know, where they take the low quaility CCTV tape, run it through an enhancement algorithm and read the numberplate on a car 3 miles away.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

Similar Threads

  1. Practical Guide to Alternative Data Streams in NTFS
    By Irongeek in forum The Security Tutorials Forum
    Replies: 13
    Last Post: January 3rd, 2005, 06:35 PM
  2. Should I be worried....?
    By jerichoholic in forum Spyware / Adware
    Replies: 12
    Last Post: November 30th, 2004, 10:14 AM
  3. Spyware/Maleware User Agreements
    By moxnix in forum Spyware / Adware
    Replies: 7
    Last Post: July 8th, 2004, 01:42 PM
  4. Guide to computer cables
    By preep in forum Other Tutorials Forum
    Replies: 9
    Last Post: June 8th, 2002, 04:01 PM
  5. The Worlds Longest Thread!
    By Noble Hamlet in forum AntiOnline's General Chit Chat
    Replies: 1100
    Last Post: March 17th, 2002, 08:38 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides