Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 26

Thread: Recovering overwritten data - can software alone do it?

  1. #11
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    the odd few times I've chucked out hardware with critical data I do just go for the hammer option. For normal use I don't bother either way. I mean, if someone has hacked in my computer enough to run an undelete program my deleted files are probably the least of my worries.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  2. #12
    Quote Originally Posted by Aardpsymon
    the odd few times I've chucked out hardware with critical data I do just go for the hammer option. For normal use I don't bother either way. I mean, if someone has hacked in my computer enough to run an undelete program my deleted files are probably the least of my worries.
    Very true. And for the most part, even if overwritten data can be recovered, it's not likely that anyone will face that sort of thing. There are probably other, less expensive ways to get the data in the first place.

    To answer the initial question: no, software methods cannot recover overwritten data (meaning data that's been physically overwritten or wiped on a hard drive), unless there's a copy of it somewhere else.

  3. #13
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    Yes over written data can be recovered even after its been deleted, formatted and written back over again. There is software out there that can reconstruct a file by what bits are recovered of the hard drive that is if there is enough of them. The other way data is recovered is by removing the plates and then read with some other high dollar machine. The Goverment has software that will format the drive and write to it like 7 times first with all 1s and the with all 0s. that way the disk has been completely written over.
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  4. #14
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmm,

    One thing to remember is that Peter Gutmann's thesis was written some 10 years ago. Modern drives are different............higher density, more accurate and so on.

    Suffice it to say that there is no software solution to recovering overwritten data. This seems fairly obvious or how would your system determine which was the current data image?

    You do need hardware to "read" the media and specialised software to interpret the results and attempt a reconstruction.

    There are two basic methodologies:

    1. Magnetic Remnance

    This works on the principle that different patterns of 0 and 1 will result in slightly different magnetic values. The problem is that the more a drive has been used and the more it is overwritten, the more subtle these differences will become, and that harder to detect.

    The situation is further complicated by not knowing the overwriting sequence or which "layer" you are interested in.

    2. Track Overlay

    This is based on the principle that the heads don't write to exactly the same place on each "pass" so some residual data remains at the edges. Once again the greater the number of overwriting passes, the more difficult it is to recover anything useful.

    Where people make mistakes is in not properly overwriting the drive and trying to preserve the installed operating system and applications. They also forget that the HDD has cache memory and that there is a page/swap file

  5. #15
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    Removing the platters is pretty much a one off thing. Not only is the machine highly expensive but the exposure from removing them rapidly ruins them. Once they are removed its read once then bin because they will never be read again.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  6. #16
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Absolutely!

    You need a "clean room", the right equipment and people who know how to use it.

    It is also a very laborious and time consuming process............which translates as very expensive

  7. #17
    Quote Originally Posted by nihil
    Hmmmm,

    One thing to remember is that Peter Gutmann's thesis was written some 10 years ago. Modern drives are different............higher density, more accurate and so on.
    All true. It's also true that, though Gutmann described theoretical methods of recovering overwritten data, to date no one has actually demonstrated the practical ability to do so. There are no data recovery companies that do this (though there'd be big money in it for any that did), and researchers attempting it have had to use some pretty major crutches to recover data overwritten by even one pass.

    People who have tried to find someone who can actually recover overwritten data have invariably come up empty-handed, and most have concluded that it's an urban legend.

    There are two basic methodologies:

    1. Magnetic Remnance

    This works on the principle that different patterns of 0 and 1 will result in slightly different magnetic values. The problem is that the more a drive has been used and the more it is overwritten, the more subtle these differences will become, and that harder to detect.

    The situation is further complicated by not knowing the overwriting sequence or which "layer" you are interested in.
    "Subtle" is a good word for it. The biggest problem with this methodology is that the signal is never clean -- there's random electrical noise both in all the written data (the write heads have noise in their signal when originally laying down data) and in the read pick-up heads.

    After only one overwrite pass, the signal from old data is reduced 50-60 dB. That's a very large loss. To detect such faint, in-the-noise signals, you have to re-read the same disk area again and again -- perhaps 100 times (anyone who's ever overwritten a large modern disk multiple times knowns how long that could take). You also have to know the overwrite pattern and the original data you're looking for.

    After two overwrite passes, there simply isn't any signal that can be discerned out of the noise.

    2. Track Overlay

    This is based on the principle that the heads don't write to exactly the same place on each "pass" so some residual data remains at the edges. Once again the greater the number of overwriting passes, the more difficult it is to recover anything useful.
    It's also been noted that actual investigations find most of the track-edge signal is actually switching noise from the write heads (from the overwritten and overwriting data), not the data you're looking for.

    Anything's possible -- maybe there's some secret technology out there that can recover such data. But my experience in microelectronics fabrication and test methods leads me to believe it's probably not feasible, given the research that has been published so far.

    Where people make mistakes is in not properly overwriting the drive and trying to preserve the installed operating system and applications. They also forget that the HDD has cache memory and that there is a page/swap file
    VERY, VERY true. The single biggest problem with overwriting data is missing copies of it. Those copies could be in the page file, in temporary files (both current and deleted), in the filesystem journal file if that's the kind of filesystem you're using, etc.

    It's also important to note that overwriting programs, DBAN included, can't overwrite bad sectors that have been re-allocated. If your drive is showing bad sector errors, it's probably a good idea to trash it anyway and get a new one.

  8. #18
    Quote Originally Posted by Ghost_25inf
    Yes over written data can be recovered even after its been deleted, formatted and written back over again. There is software out there that can reconstruct a file by what bits are recovered of the hard drive that is if there is enough of them.
    This simply isn't true. As Nihil noted, if it were true, disks would produce errors all the time, as they'd not be able to tell what data is current and which is old.

    The normal hard drive reading process requires about 19 dB signal-to-noise ratio. A single overwrite pass reduces the signal from the old data by more than 50 dB -- up to perhaps 1000 times weaker than the drive electronics can process. Software recovery of overwritten data is just not possible.

    The other way data is recovered is by removing the plates and then read with some other high dollar machine. The Goverment has software that will format the drive and write to it like 7 times first with all 1s and the with all 0s. that way the disk has been completely written over.
    You want to know what software the government uses to clear hard drives?

    Among others: DBAN.
    Last edited by kythe; April 19th, 2007 at 05:47 PM.

  9. #19
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I think we might have a little confusion creeping in here between:

    1. Recovering the underlying data from an overwritten drive.
    2. Recovering data.

    People I have spoken to from data recovery outfits will gleefully have a go at #2, but #1 is beyond them.

    To recover the data they first see if they can repair the drive. If not they try to read the platters with special heads and equipment, and if that doesn't work they will try scanning electron microscopy (if you will pay for it )

    Obviously, this is a completely different situation, as you are only interested in the top layer, or "current" data.

    The only thing that software tools are really useful for is recovering data from corrupted drives.


    EDIT: this is an interesting link on the subject

    http://www.nber.org/sys-admin/overwr...a-guttman.html
    Last edited by nihil; April 19th, 2007 at 08:24 PM.

  10. #20
    Quote Originally Posted by nihil
    I think we might have a little confusion creeping in here between:

    1. Recovering the underlying data from an overwritten drive.
    2. Recovering data.

    People I have spoken to from data recovery outfits will gleefully have a go at #2, but #1 is beyond them.

    To recover the data they first see if they can repair the drive. If not they try to read the platters with special heads and equipment, and if that doesn't work they will try scanning electron microscopy (if you will pay for it )

    Obviously, this is a completely different situation, as you are only interested in the top layer, or "current" data.

    The only thing that software tools are really useful for is recovering data from corrupted drives.


    EDIT: this is an interesting link on the subject

    http://www.nber.org/sys-admin/overwr...a-guttman.html
    I agree, it's important to keep definitions in mind when talking about this topic.

    Deleted data and other stray data on hard drives is recovered all the time -- this is one of the ways computer security professionals do their jobs. Software recovery tools (including forensic tools like Encase) are designed to do this.

    As long as the platter surface is largely undamaged, data recovery outfits can remove the platters in a clean-room setting and mount them with new read heads and electronics. Very involved, but if your data is priceless, it can be done.

    overwritten data, by contrast, is data in an area of the hard drive that has been physically rewritten with new data. The magnetic domains on the disk surface have been remagnetized by the hard drive write heads and now store new data. For all intents and purposes, the old data is pretty much gone (barring some highly secret methods that aren't in the public domain).

    That NBER paper is very good. It looks like he hasn't updated it in a couple of years, but I suspect his conclusions are still right (otherwise, there wouldn't still be a debate about it!).

Similar Threads

  1. Practical Guide to Alternative Data Streams in NTFS
    By Irongeek in forum The Security Tutorials Forum
    Replies: 13
    Last Post: January 3rd, 2005, 07:35 PM
  2. Should I be worried....?
    By jerichoholic in forum Spyware / Adware
    Replies: 12
    Last Post: November 30th, 2004, 11:14 AM
  3. Spyware/Maleware User Agreements
    By moxnix in forum Spyware / Adware
    Replies: 7
    Last Post: July 8th, 2004, 01:42 PM
  4. Guide to computer cables
    By preep in forum Other Tutorials Forum
    Replies: 9
    Last Post: June 8th, 2002, 04:01 PM
  5. The Worlds Longest Thread!
    By Noble Hamlet in forum AntiOnline's General Chit Chat
    Replies: 1100
    Last Post: March 17th, 2002, 09:38 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •