Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Hard Drive Forensics Question

From: Matt <matt-martin () tx rr com>
Date: Wed, 08 Oct 2008 04:01:32 -0500
Murda Mcloud wrote:

Hello all,

I've been lurking here for the last 6 months or so and this thread
caught my eye.

I'd agree about most of the comments in this thread with the exception
of a few regarding data recovery after a file has been 'zeroed'
and whether there is any benefit to using random data during the overwrite.
The below thread/link was responded to by a senior engineer from a well known 
disk manufacturer, and according to him - data can be recovered after being
over-written with new data (several generations back).
Given Mr. Barila has decades of experience and plays an active role in the design 
and development of mass storage devices along with the supporting firmware,
I'll take his word for it...

http://www.osronline.com/showThread.cfm?link=92173

Regards,

m
(P.S. - First, I was the OP in the above thread, and second, do keep in mind that the responder (Mr. Barila) has access to a lot of lab equipment that very 
few people do... )


Which is more likely to appear on a normal hard drive that has not
been tampered with or set up: Entire blocks of 0s, or random malformed
data?
In the case of the OP, I get the feeling that if someone examined the drive 
they could easily draw the conclusion that the drive had been 'tampered'
with either way. Whether there were 0s or randoms on it.
It still doesn't matter which method you use. No-one is going to get any
data from it but I just wanted to see why you said random data were better. 
I don't agree that your reason makes it 'better'.
As Ansgar pointed out, finding a credible report on data recovery from a
zeroed(if that is a verb) drive is impossible.
You can always take the challenge if you believe otherwise:

http://16systems.com/zero/index.html


And I still don't understand why you said:


Delete it so as to be able to write over it again. Multiple write-overs

ensure that no data may be recovered.
My lack of understanding may be because I'm not seeing what benefit you are 
trying to gain from the 'deleting'. I thought that you could overwrite
something without the need for first deleting it but perhaps you know
something that I don't.










-----Original Message-----
From: Razi Shaban [mailto:razishaban () gmail com]
Sent: Monday, October 06, 2008 11:25 PM
To: Murda Mcloud
Cc: security-basics () securityfocus com
Subject: Re: Hard Drive Forensics Question

On Mon, Oct 6, 2008 at 7:00 AM, Murda Mcloud <murdamcloud () bigpond com>

I won't reply to the first part, as I feel that it doesn't really need
much more elaboration.


And why do you feel that random is better?

If it is actual files that are copied, they may be recovered.
Depending on the nature of those files, opinions could be made either 
way. If it's random data, nothing can be retrieved and they are left
with nothing to work with. If they are accusing him of wrong-doing
that he is innocent of, he should leave them with as little as
possible to work with, in my opinion.

Maybe I should have asked, "Why do you feel that random is better than
something else eg 0's?"
I don't think it matters whether it's random or not-overwrite something 
and

it's overwritten. Which means it's unrecoverable. Some apps will

overwrite

with random numbers. Eg DBAN
If someone sees a pattern in the hard drive after I do
dd if=/dev/zero of=/dev/hdax
because it's not random they would be right. It's not random. However,

can

they see any files I had on there before? No.


Which is more likely to appear on a normal hard drive that has not
been tampered with or set up: Entire blocks of 0s, or random malformed
data?

--
Razi
Previous By Date Next
Previous By Thread Next

Current thread: