Security Basics mailing list archives
RE: Digital Evidence Question - What is an effective Windows hard-disk search tool?
From: "Jack Crone" <jcrone () jdca com>
Date: Fri, 27 Jun 2003 20:06:52 -0700
About fifteen years ago I was associated with a highly classified military program. We had a very real need to know whether overwritten data could be recovered and I believe we learned all that was known at the time. We learned that it was theoretically possible to recover data, but the theory had yet to be put to practical use. However, should such recovery become practical then, *theoretically*, overwriting a certain number of times with certain patterns would thwart the recovery. Hence the DoD standard -- protection against something which might become possible at some future date. I see no evidence to indicate that that future date has arrived.

My personal experience is quite old, but consider the following:

1. Recovery of overwritten data has been considered possible for over 20 years, but I am not aware of a single disk ever being recovered by anyone anywhere. This strongly implies that it still isn't possible/practical or that the technology is locked up in some top secret laboratory and not available to mere mortals.

2. One might reasonably assume that improvements in technology will someday make such recovery possible, but there is a problem. Efforts started ten years ago might be producing useful output today -- using the ten year old disk. Today's disk with its much higher density would be orders of magnitude more difficult to recover. The target keeps moving.

3. Assuming that such a recovery is possible, it would be frighteningly expensive and time consuming. The process would probably require access to some government laboratory and a budget of hundreds of thousands of dollars per disk.

4. If your data is so valuable that someone would go to these lengths to recover it (assuming that such a recovery is even possible) then the only responsible way to delete the data is by physically destroying the disk. Worrying about how many overwrites are necessary is about as meaningful as debating how many angels can dance on the head of a pin.

5. If you consider your data to be a bit less valuable, then a single pass overwrite is all you need. Just be sure that you have the right tool to do this and that you know how to use it.

If anyone on the list is aware of an actual, documented recovery I would really like to know about it. Demonstrations which show how to retrieve a few bits don't count. Neither do the claims of some data recovery companies who, when pressed, admit that they didn't really mean it.

Jack Crone
JD Crone Associates
Computer Forensics
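The single-pass overwrite from point 5, with the read-back check that confirms the tool did what was expected, as an added example that is not part of the original message. The function names are hypothetical, and the code assumes `path` is a regular file or block device the caller is permitted to write.

```python
import os

CHUNK = 1024 * 1024  # 1 MiB per write (assumed default, tune for the device)

def target_size(f):
    """Size in bytes; seeking to the end works for files and block devices."""
    size = f.seek(0, os.SEEK_END)
    f.seek(0)
    return size

def single_pass_overwrite(path, chunk=CHUNK):
    """Overwrite every byte of `path` once with zeros; return bytes covered."""
    zeros = bytes(chunk)
    with open(path, "r+b", buffering=0) as f:
        remaining = total = target_size(f)
        while remaining:
            # Unbuffered writes can be partial, so count what was accepted.
            remaining -= f.write(zeros[:min(chunk, remaining)])
        os.fsync(f.fileno())  # force the pass out of the OS cache
    return total

def first_nonzero_offset(path, chunk=CHUNK):
    """Read the target back; return the offset of the first surviving
    non-zero byte, or None if the whole target reads as zeros."""
    offset = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            block = f.read(chunk)
            if not block:
                return None
            if block.count(0) != len(block):
                return offset + len(block) - len(block.lstrip(b"\x00"))
            offset += len(block)

if __name__ == "__main__":
    import tempfile
    # Constructed sample target: a temporary file standing in for a disk.
    fd, sample = tempfile.mkstemp()
    os.write(fd, b"constructed sample data " * 4096)
    os.close(fd)
    print("bytes overwritten:", single_pass_overwrite(sample))
    print("first surviving byte:", first_nonzero_offset(sample))
    os.remove(sample)
```

Run against the raw device to cover the whole disk; overwriting a file in place only reaches the blocks the filesystem maps to that file at that moment.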