-
April 28th, 2004, 02:16 AM
#1
Junior Member
Debate about Data Recovery after Format.
The following transcript was taken from a non-computer related message board. It was suggested that it be transferred word by word to a security forum in order to see who is right.
Who is right, SirHappyShoes or CheeseOnWaffles?
-----------------------------------------------------------------
Randomguy28: ok, if you format your pc, can things still be retrieved using hardware recovery t-o-o-ls?
RandomGuy34: Most definitely not.
RandomGuy53: Seconded. A formatted hard drive is gone gone gone. I forgot to save several homework assignments while reformatting and lost them for good.
Hopefully the data you want isn't that hard to get again.
RandomGuy93: Actually, some/most of the data is still there, because it has not been overwritten. I'm not too familiar with the process, but look for some "Data Recovery" software or a business dealing with the same name. The only way for everything to be gone is by overwriting the entire disk.
Patrick.
RandomGuy11: i think "data recovery" after you've reformatted is really hard. unless you know what yer doin. which means i can't do it.
SirHappyShoes: Formatted hard drives are NOT erased. Almost any data recovery software will be able to see and recover most of the information on the drive, provided that sector hasn't been overwritten by new data.
RandomGuy14: what do you mean, overwriting? how can you overwrite it? damn, are any recovery tools free? i lost an entire report on accident and i dont wanna do it again!!!
RandomGuy53: From RandomGuy93's post it looks as if the software is not free, and may require a seperate business.
By overwriting data I'm pretty sure it would refer to the data sectors of your hard drive, and it would be able to recover the data if it hasn't already been rewritten over by a different program or document.
RandomGuy77: Whenever you remove anything from your harddrive or reformat you are not actually deleting anything, you are giving the compute permission to use the space for new and different information. When you delete an mp3 that mp3 remains there until something new is placed where it was.
Recovering data can be aggravating for a couple of reasons: there is no program that can really make it "easy" for the average user and because unless you are attempting to recover something almost immediately after deletion the computer has likely already decided to use that space for something else or at least part of it leaving an incomplete file.
RandomGuy14: damn
CheeseOnWaffles: Formatting makes you lose everything. No data recovery software can help you get things back after you format. Unless... you use that software to do the formatting. For example, if you just do "format C:" at a command prompt, you're not going to be able to get anything back. The simple solution is, emailing your needed files to yourself, putting them on an FTP server, or burning them onto a CD-R or DVD-R.
RandomGuy5:
Quote:
CheeseOnWaffles wrote:
Formatting makes you lose everything. No data recovery software can help you get things back after you format. [...]
The voice of ignorance, ladies and gentlemen.
The only way to render data unretreivable is to write over it several times (some say a dozen, just to be safe). All formatting does is set the file tables to zero -- it doesn't actually remove the files. Even writing over the data dozens of times doesn't guarantee that the original files are unrecoverable.
There are reasons that groups like the DOD require hard drives to be *destroyed* before being released from their custody, not just to format them and throw them in the trash.
SirHappyShoes:
Quote:
there is no program that can really make it "easy" for the average user
Not true. There's tons of programs that do data recovery. Some are a flat fee and some you pay per MB of data recovered. I've used Restorer2000, which is $50 - it works fine and is simple to use.
Quote:
The only way to render data unretreivable is to write over it several times
Well, there are utilities that stream zeros across your hard drive.
CheeseOnWaffles: Voice of ignorance? I'm speaking to a mainstream computer user. I don't want him to buy some recovery toool, in hopes that their unbelievable marketeting schemes makes him think it will be no problem getting all the files on his computer back. 'Cause what will probably happen is... Some of his directories will probably be in tact but the majority of his files will be corrupted. Without hardcore tools like EnCase, the chance of recovery with popular applications is still a risk that is too high to take for valuable, mission-critical data. If I were speaking to someone willing to put in some real work or willing to run that hard drive as a slave, I'd still say that it's very difficult to recover data.
Anyways (RandomGuy5), even computer security experts can't recover your files dependant on how you've chosen to format your drive. If you use WinXP install to format, it's a High-level format. However, if you know who made your harddrive, you can possibly get a Low-level format application from their website. Low-level formatting makes it pretty much impossible to recover anything. Even if you can't find a Low-level format from your hard disk's manufacturer, you can use software such as "Active@ Killdisk" that will erase data by the U.S. Dept. of Defense's "DoD 5220.22-M" standard of cleaning and sanitizing.
(To)SirHappyShoes: you're right, writing zero's to every sector of the drive will do the trick.... as well as making the drive remap out it's sectors all over again with a Low-level format. However, this wears the
drive down.
SirHappyShoes:
Quote:
Voice of ignorance? I'm speaking to a mainstream computer user.
That still doesn't change the fact that your post was wrong.
Quote:
I don't want him to buy some recovery tool, in hopes that their unbelievable marketeting schemes makes him think it will be no problem getting all the files on his computer back.
Um...I'm guessing you haven't used any data recovery software(?). It really is quite easy to use, and quite successful. Off of a 10GB partition, I've recovered 6GB of data - almost the entire contents of the drive prior to it being formatted.
I'm curious as to why you think a format would corrupt all the files that used to appear on a drive.
CheeseOnWaffles: Experience.
My post was not wrong. It depends how you format, whether or not its even POSSIBLE to recover data. Either way, it's still highly difficult.
SirHappyShoes:
Quote:
My post was not wrong.
Quote:
For example, if you just do "format C:" at a command prompt, you're not going to be able to get anything back.
You were saying something?
Quote:
Either way, it's still highly difficult.
Well, apparently your "experience" is rather limited. Data recovery is both cheap and easy.
CheeseOnWaffles: Nevermind.
SirHappyShoes: I figured as much.
RandomGuy1: also from what Ive heard.. everything that has ever been on your hard drive will always be there unless you destroy the drive.. or there are some programs that supposedly get rid of all of everything
SirHappyShoes: That's basically what I've been saying, but CheeseOnWaffles, for some reason, believes otherwise.
RandomGuy1: well they can basically see anything youve ever had on your computer unless you crush or somehow destroy the platters
SirHappyShoes: Or write zeros to the drive.
-----------------------------------------------------------------
The following transcript was taken from a non-computer related message board. It was suggested that it be transferred word by word to a security forum in order to see who is right.
Who is right, SirHappyShoes or CheeseOnWaffles?
-
April 28th, 2004, 02:46 AM
#2
CheeseOnWaffles sounds like an idiot, excuse my blunt remarks. Formatting does very little, physically to a drive. Hell, on a Windows format, *nothing* is even done to the drive until about 97%, which is just the re-writing of the FAT tables, not the erasure of data. You can overwrite the data with 0's, and the data can *still* be retrieved by extremely extensive forensics measures that look for "data shadows."
Data shadows are produced by the spinning hard disks, the magnetic "blip" made by the read/write head is not perfect, and when overwritten, some of it is usually there, and retrievable by a very determined computer forensics expert. Rarely, is the data complete, but sometimes there is enough to use as evidence in a trial, or to rebuild said file. I will post quotes from a rather recent magazine (or maybe an e-book, i forget which) that goes quite in depth with data destruction and recovery when I can find it.
As an added tid-bit, the Department Of Defense, requires a hard drive to be overwritten, first with the opposite (if a 0, then a 1, or vice versa), then with that opposite, for a 6 cycle data destruction process. The 7th time, all of the space on the disk is overwritten with 0's, and the hard drive can be used within the DoD again, or destroyed physically (i.e. incinerated).
This post is giving me the urge to write a data destruction/recovery tutorial...
AxessTerminated
[EDIT]
BTW, a low level format is impossible outside of the factory. In the factory a serial number, one that doesn't change by format, is written to the disk, along with other useless crap. A "low-level format" provided via BIOS, or other such software, only remaps the sectors on the platters, but still leaves the data in tact, once again, to a determined individual.
[/EDIT]
Geek isn't just a four-letter word; it's a six-figure income.
-
April 28th, 2004, 02:47 AM
#3
Yes you can recover data following a format.
Yes you can recover data that is over written. Although this is not so easy.
Yes there are plenty of applications that will recover deleted data.
Yes there are plenty of "secure file and data erasers" Yes they over wright the data from one times to many depending on the level of security you require. Having said that the British Security and Armed Forces destroy beyond salvage HDD. To prevent data recovery.
Some Recovery applications are very simple to use. Some not so simple.
There are companies and agenceys who specialise in recoveing data and they can use very high tech and laboritory methods that can recover very well over written data.
If you want to see a company who make recovery software go here:
http://www.guidancesoftware.com/
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
April 28th, 2004, 02:53 AM
#4
Junior Member
thank you
Thank you for your replies. But who would you say is right... ?
-
April 28th, 2004, 03:11 AM
#5
Just thought I'd add in that FDISK deleting a partition actually reformatts 0.01% of the drive, which is nothing more than the allocation tables. Read that straight from the Garfinkel's "Remembrance of Data Passed: A Study of Disk Sanitization Practices" which can be found Here!
The BEST way to delete ALL data off of a drive in my opinion, is to find a drive in an old computer (say a 286 or younger) and use the incredibly powerful Earth magnetics inside to completely wipe the drive. This is the best way if you want to be able to use it again. Otherwise, attach 15 m80s to it and watch the silicon fly!
[EDIT] I read your post, and if someone really doesn't want to trust garfinkel at least a little bit, then they are pretty stupid. Also, http://securityfocus.com has a new article up about data destruction, go look at it and link to it if you need to.
-
April 28th, 2004, 03:20 AM
#6
TechTV's "The ScreenSavers" aired a show in February of last year. I quick text clip can be found here:
http://www.techtv.com/screensavers/h...416110,00.html
And to answer your question, SirHappyShoes is correct.
Geek isn't just a four-letter word; it's a six-figure income.
-
April 28th, 2004, 03:26 AM
#7
I still have an old version of Norton diskedit. Nice lil' tool. Too bad they didn't keep in past version 4.
Nuff said. Formatting does very little to the drive.
SirHappyShoes is correct.
Even some of those shredder programs don't get rid of all of the data, it can still be read even after being overwritten, just ask the DOJ.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
April 30th, 2004, 08:06 PM
#8
Junior Member
My analysis:
SirHappyShoes is correct. However, CheeseOnWaffles gets an honorary mention for sounding like he really knows what he is talking about, even though he is completely wrong. He seems to know all of the terms, but has no idea how they really work. Perhaps he is deliberatly lying? Both contestents loose points for dumb names (I hope these are aliases used to protect the not-so-innocent and not actual nicks).
AxessTerminated:
Wouldn't every 2 of these cycles where the bits are all reversed bring the hard drive back to its original state?
1110010101 <--original
0001101010 <--after 1st cycle
1110010101 <--after 2nd cycle
and so on, so that after 6 it would be exactly the same data. Or did you mean that the first cycle would write all '1's, the second would write all '0's and so on?
Either way, you'd think it would be more effective to do six cycles of random bits, wouldn't it?
If you do the same operations to every bit on the drive, it would be easier to determine which ones had started off as '1's as they would be slightly more positive than the ones that had started as '0's. With random bits written in each cycle the forensic analysts would have to determine for each bit the last 6 random modifications before they could tell what the original data was.
Of course I know very little about the subject, and am just going on common sense. If you know why they do it the other way, could you enlighten us?
A voice out of chaos spoke to me, saying \"Laugh and be happy, for it cannot get any worse.\" So I laughed, and was happy, and it got worse.
-
April 30th, 2004, 08:25 PM
#9
"....DoD contractors three government-approved
techniques for sanitizing rigid disk drives:
• Degauss with a Type I or Type II degausser
• Destroy by disintegrating, incinerating, pulverizing,
shredding, or melting
• Overwrite all addressable locations with a random character,
overwrite against with the character’s complement,
and then verify. (However, as the guidelines
state—in all capital letters no less—this method is not
approved for sanitizing media that contains top-secret
information.)
The DoD’s overwriting strategy is curious, both because
it does not recommend writing a changing pattern,
and because the method is specifically not approved for
top-secret information."
I apologize, it is overwritten with random bits first, then written with the opposite character. They released that to the public and won't release the information on how Top Secret information is sanitized, probably not wanting the public to have that in their grubby little paws.
Geek isn't just a four-letter word; it's a six-figure income.
-
April 30th, 2004, 08:25 PM
#10
All 1's, all 0's, all random..........and so on...............I could still find the data, but each cycle makes it more difficult?
Please check out the "forensics" forum, particularly for stuff by "Groovicus"..............he will set you straight
Cheers
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|