Recovering overwritten data - can software alone do it?

[kythe]

Hmmmm,

One thing to remember is that Peter Gutmann's thesis was written some 10 years ago. Modern drives are different............higher density, more accurate and so on.

All true. It's also true that, though Gutmann described theoretical methods of recovering overwritten data, to date no one has actually demonstrated the practical ability to do so. There are no data recovery companies that do this (though there'd be big money in it for any that did), and researchers attempting it have had to use some pretty major crutches to recover data overwritten by even one pass.

People who have tried to find someone who can actually recover overwritten data have invariably come up empty-handed, and most have concluded that it's an urban legend.

There are two basic methodologies:

1. Magnetic Remnance

This works on the principle that different patterns of 0 and 1 will result in slightly different magnetic values. The problem is that the more a drive has been used and the more it is overwritten, the more subtle these differences will become, and that harder to detect.

The situation is further complicated by not knowing the overwriting sequence or which "layer" you are interested in.

"Subtle" is a good word for it. The biggest problem with this methodology is that the signal is never clean -- there's random electrical noise both in all the written data (the write heads have noise in their signal when originally laying down data) and in the read pick-up heads.

After only one overwrite pass, the signal from old data is reduced 50-60 dB. That's a very large loss. To detect such faint, in-the-noise signals, you have to re-read the same disk area again and again -- perhaps 100 times (anyone who's ever overwritten a large modern disk multiple times knowns how long that could take). You also have to know the overwrite pattern and the original data you're looking for.

After two overwrite passes, there simply isn't any signal that can be discerned out of the noise.

2. Track Overlay

This is based on the principle that the heads don't write to exactly the same place on each "pass" so some residual data remains at the edges. Once again the greater the number of overwriting passes, the more difficult it is to recover anything useful.

It's also been noted that actual investigations find most of the track-edge signal is actually switching noise from the write heads (from the overwritten and overwriting data), not the data you're looking for.

Anything's possible -- maybe there's some secret technology out there that can recover such data. But my experience in microelectronics fabrication and test methods leads me to believe it's probably not feasible, given the research that has been published so far.

Where people make mistakes is in not properly overwriting the drive and trying to preserve the installed operating system and applications. They also forget that the HDD has cache memory and that there is a page/swap file

VERY, VERY true. The single biggest problem with overwriting data is missing copies of it. Those copies could be in the page file, in temporary files (both current and deleted), in the filesystem journal file if that's the kind of filesystem you're using, etc.

It's also important to note that overwriting programs, DBAN included, can't overwrite bad sectors that have been re-allocated. If your drive is showing bad sector errors, it's probably a good idea to trash it anyway and get a new one.