Security Basics mailing list archives

RE: Interesting One

From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Wed, 30 Oct 2002 10:29:08 -0000


I believe the DOD level is 7 overwrites before the data is deemed
unrecoverable.  Bear in mind however that the DOD practise is to burn
the hard drive as part of the disposal procedure.  

I used @Stake autopsy and found it very quick and easy to use for
recovery of deleted files.

BackByte is another good tool but not free like Autopsy.  The 30
overwrites and still getting data I don't believe however.  I would
imagine the disk was used again about 30 times but the recovered data
was on a section of disk that had not been reused.  I don't rule out
that it can be done but not by anything on the market.  If you are
really unsure try posting your query to the people at Vogon.
www.vogon.co.uk

They are the best at this stuff bar none.  Read some of their news
stories for just how realistic computer forensics is.


Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499



-----Original Message-----
From: Michael Cunningham [mailto:crayola () optonline net] 
Sent: 29 October 2002 19:43
To: Dave Adams; security-basics () security-focus com
Subject: RE: Interesting One

Anyway, to get to the point, the guy that came to see me said that 
their forensics guys could read data off a hard drive that had been 
written over up to thirty times. I find this very hard to believe and 
told him I thought
he was mistaken but the guy was adamant that it could be done.


Yes, it can be done.. it would cost about 100k per drive and the ability
to access an electron scanning microscope. At 30 times I highly doubt
they could recover anything of any value anyway. Using most commercially
available products like "Encase", you can recover files that have been
deleted, but not overwritten. Once the data is overwritten you are
getting into using tools which are not available to the general public
as far as I am aware.

Mike



**************************************************************************************

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster () sysnet ie

**************************************************************************************

Current thread:

RE: Interesting One, (continued)
- - RE: Interesting One Greg van der Gaast (Oct 30)
  - Re: Interesting One James Taylor (Oct 30)
  - Re: Interesting One ATD (Oct 31)
- RE: Interesting One Dozal, Tim (Oct 29)
  - RE: Interesting One Tom Matthews (Oct 30)
- RE: Interesting One Paul Carroll (Oct 30)
  - Basic Question only Christopher Rea (Oct 31)
  - RE: Interesting One David (Oct 31)
- Re: Interesting One Jack Crone (Oct 30)
- RE: Interesting One Martijn Dunnebier (Oct 30)
- RE: Interesting One Trevor Cushen (Oct 30)
- RE: Interesting One Nero, Nick (Oct 30)
- RE: Interesting One Tim Donahue (Oct 30)
- Re: Interesting One Carlos . (Oct 30)
- RE: Interesting One John Orr (Oct 31)
- Interesting one Trevor Cushen (Oct 31)
- RE: Interesting One Trevor Cushen (Oct 31)