Home page logo

basics logo Security Basics mailing list archives

RE: Interesting One
From: Rygg Christian <christian.rygg () edb com>
Date: Thu, 31 Oct 2002 09:27:53 +0100

Any chance of making it less maths independant, for those of us who prefer
that? :)

-----Original Message-----
From: Dora Furlong [mailto:sparrowh () deathstar org]
Sent: Wednesday, October 30, 2002 4:48 AM
To: security-basics () security-focus com
Subject: RE: Interesting One

Hmm this is an interesting topic.....considering overwrites are dependant
upon one frequency signal overwriting the previously written pattern.
If the write current is too high it produces fringing fields at edge of
the head pole track widths... typically overwrite values kept below

IE A pattern of f1 is written at low freq amplitude averages a1
A pattern of F2 now written at higher freq and on same track over old

residual signal at freq f1 is measured with band pass filter or a spec
analyzer.... Now we have average amplitude of a2

overwrite ratio calculated as 20log(a2/a1), which reflects the ability of
a new data patern to supress the old data previously overwritten on the

Given today's technology and working the above calculation at 30
overwrites....Noise is left...

Also any sideband harmonics that could be picked up by that point are
completely destroyed and after the second overwrite the original
harmonics disappear from the spectrum.

As for track edge effect it becomes jumbled after 30 overwrites...it is
frequency dependant it would be impossible to determine the original
frequency written there.

(Trying to keep this relatively math independant.)


On Tue, 29 Oct 2002, Michael Cunningham wrote:

Anyway, to get to the point, the guy that came to see me said that their
forensics guys could read data off a hard drive that had been written
up to thirty times. I find this very hard to believe and told him I
he was mistaken but the guy was adamant that it could be done.

Yes, it can be done.. it would cost about 100k per drive and the ability
access an electron scanning microscope. At 30 times I highly doubt they
could recover anything of any value anyway. Using most commercially
available products like "Encase", you can recover files that have been
deleted, but not overwritten. Once the data is overwritten you are getting
into using tools which are not available to the general public
as far as I am aware.


                        One net to rule them all
                          One net to find them
                        One net to bring them all
                         Using Unix to bind them

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]