|
-
October 17th, 2002, 07:20 PM
#1
Senior Member
formatted hard disk
Actually I am new to this place, and there is something that is bothering for a long time.
After formatting the hard disk, we can still retrieve the data. How is this ting possible. Can anyone help me out, I want to know about it.
-
October 17th, 2002, 07:27 PM
#2
I'm by no means a forensic expert, but this is how I explain this kind of data-recovery to myself. Please, correct me if I'm wrong, but I think it goes something like this:
By formatting your harddisk, you don't remove all data. The only thing you do is remove all data-entries (compare it to removing your housenumber from your house). Your computer can't find the data anymore, and flags that section of your harddrive as 'empty, I can overwrite this stuff', but the actual data still resides on that spot (as long as it isn't overwritten). If you, somehow, restore the 'housenumbering', you'll be able to restore your data.
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
-
October 17th, 2002, 07:29 PM
#3
It depends on the type of formating that was done. Most formats are "quick" formats. They only rewrite the allocation tables and leave the information out on the disk. Because the allocation tables are empty the data area is "considered" empty so new files can be created and the old information is overwitten. There are utilities and formating options that will overwite the data and make it unavailable or at least harder to retrieve. If you want to make the data go away permanently you can get a "wipedisk" utility that will overwrite the data multiple times. This is may be required as there are companies that can retreive data from a wiped disk if the data has not been overwriten sufficiently.
Work... Some days it's just not worth chewing through the restraints... 
-
October 17th, 2002, 07:59 PM
#4
Just to add to what mmelby has said, the nsa considers data only truly unrecoverable after overwriting the data seven times, but it takes a dedicated program to recover data after it has been overwritten twice.
Something that i would like to know though on the same subject, is what type of format dos does, i recently had to format my win 98 computer and did so by going into dos and using format.exe. Is it a quick format or a full one?
-
October 17th, 2002, 08:15 PM
#5
i believe there is also a way to identify what was on it by actually opening the hard drive itself.
but i'm bar far not an expert, either.
i thought this might be an intersting read:
http://www.computer-data-forensics-e...discovery.com/
just like water off a duck\'s back... I AM HERE.
for CMOS help, check out my CMOS tut?
-
October 17th, 2002, 10:03 PM
#6
If you are looking for some tools to unformat or undelete HDD's contents, search the www.webattack.com and www.google.com for something like "unformat" or "recover hard disk".
Cheers
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe."
- Albert Einstein
-
October 17th, 2002, 10:29 PM
#7
Data can be recovered from a hard drive because of residual magnetic fluctuation. While data on a hard drive is digital magnetism is not, it is a field so instead of having pure 1's and 0's you get sharp rises and falls. Moving a 1 to a 0 or vice versa reverses the magnetic field however it leaves a residue.
Most of the recovery programs focus on possibilities of these residues. Recovering them and then trying to rearrange them into logical useable forms. This is especially easy if it is a single wipe since everything is converted to one data type so those data bits with the least residual are that type, those with secondary residual are probably of the other. The more times you rewrite and reverse the bit types the less residual can be detected.
mmelby stated the NSA says 7=clean. When I worked for the DOD 1 rewrite was acceptable for proprietary and confidential, 3 for Secret, and total destruction was required for TS and above.
Quick formats, as stated, only wipe the allocation table referring to the location of data. This makes recovery from a quick format fairly easy. Even deleting files is merely a rewrite of the allocation table freeing up the space but the data isn't really lost until that space is used.
Do not hold me to this but I believe that DOS format is a single full write format. However it was not accepted as a full write by the DOD, a program that ensured full bit by bit writing was required. I do know though that when I contacted one of the recovery companies about recovering data from a re-formated disk the cost was quite eye opening and my client decided the data was not as valuable as they had initially indicated 
Hope this helps.
SodaMoca5
\"We are pressing through the sphincter of assholiness\"
-
October 22nd, 2002, 03:51 PM
#8
Junior Member
hello harbir there are many programms to use in order to restore ur data after formating ur hard disk and i think there is a dos command do the same think i don't know it but you can search for it bye
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
