Security Basics mailing list archives

RE: Digital Evidence Question - What is an effective Windows hard-disk search tool?


From: "Jack Crone" <jcrone () jdca com>
Date: Fri, 27 Jun 2003 20:06:52 -0700

About fifteen years ago I was associated with a highly classified
military program. We had a very real need to know whether overwritten
data could be recovered and I believe we learned all that was known at
the time. We learned that it was theoretically possible to recover
data, but the theory had yet to be put to practical use. However,
should such recovery become practical then, *theoretically*,
overwriting a certain number of times with certain patterns would
thwart the recovery. Hence the DoD standard -- protection against
something which might become possible at some future date. I see no
evidence to indicate that that future date has arrived. My personal
experience is quite old, but consider the following:

1. Recovery of overwritten data has been considered possible for over
20 years, but I am not aware of a single disk ever being recovered by
anyone anywhere. This strongly implies that it still isn't
possible/practical or that the technology is locked up in some top
secret laboratory and not available to mere mortals.

2. One might reasonably assume that improvements in technology will
someday make such recovery possible, but there is a problem. Efforts
started ten years ago might be producing useful output today -- using
the ten-year-old disk. Today's disk with its much higher density would
be orders of magnitude more difficult to recover. The target keeps
moving.

3. Assuming that such a recovery is possible, it would be frighteningly
expensive and time-consuming. The process would probably require access
to some government laboratory and a budget of hundreds of thousands of
dollars per disk.

4. If your data is so valuable that someone would go to these lengths
to recover it (assuming that such a recovery is even possible) then the
only responsible way to delete the data is by physically destroying the
disk. Worrying about how many overwrites are necessary is about as
meaningful as debating how many angels can dance on the head of a pin.

5. If you consider your data to be a bit less valuable, then a
single-pass overwrite is all you need. Just be sure that you have the right
tool to do this and that you know how to use it.

If anyone on the list is aware of an actual, documented recovery I
would really like to know about it. Demonstrations which show how to
retrieve a few bits don't count. Neither do the claims of some data
recovery companies who, when pressed, admit that they didn't really
mean it.

Jack Crone

JD Crone Associates
Computer Forensics



