Security Basics mailing list archives
RE: Interesting One
From: Dora Furlong <sparrowh () deathstar org>
Date: Tue, 29 Oct 2002 22:48:25 -0500 (EST)
Hmm this is an interesting topic.....considering overwrites are dependent upon one frequency signal overwriting the previously written pattern. If the write current is too high it produces fringing fields at edge of the head pole track widths... typically overwrite values kept below -30dB

IE
A pattern of f1 is written at low freq amplitude averages a1
A pattern of F2 now written at higher freq and on same track over old pattern
residual signal at freq f1 is measured with band pass filter or a spec analyzer....
Now we have average amplitude of a2
overwrite ratio calculated as 20log(a2/a1), which reflects the ability of a new data pattern to suppress the old data previously overwritten on the media.

Given today's technology and working the above calculation at 30 overwrites....Noise is left... Also any sideband harmonics that could be picked up by that point are completely destroyed and after the second overwrite the original harmonics disappear from the spectrum.

As for track edge effect it becomes jumbled after 30 overwrites...it is frequency dependent it would be impossible to determine the original frequency written there.

(Trying to keep this relatively math independent.)

-->Dora

On Tue, 29 Oct 2002, Michael Cunningham wrote:
Anyway, to get to the point, the guy that came to see me said that their forensics guys could read data off a hard drive that had been written over up to thirty times. I find this very hard to believe and told him I thought he was mistaken but the guy was adamant that it could be done.

Yes, it can be done.. it would cost about 100k per drive and the ability to access an electron scanning microscope. At 30 times I highly doubt they could recover anything of any value anyway. Using most commercially available products like "Encase", you can recover files that have been deleted, but not overwritten. Once the data is overwritten you are getting into using tools which are not available to the general public as far as I am aware.

Mike

One net to rule them all
One net to find them
One net to bring them all
Using Unix to bind them