Full Disclosure mailing list archives

Re: Disk wiping -- An alternate approach?
From: T Biehn <tbiehn () gmail com>
Date: Tue, 26 Jan 2010 13:32:08 -0500

I should have brought up the increased density problem. Valdis, excellent points.


On Tue, Jan 26, 2010 at 1:26 PM,  <Valdis.Kletnieks () vt edu> wrote:
> On Tue, 26 Jan 2010 11:11:52 EST, T Biehn said:
> > Overwritten files require analysis with a 'big expensive machine.'
>
> Assuming a disk drive made this century, if the block has actually been
> overwritten with any data even *once*, it is basically unrecoverable using any
> available tech.
>
> Proof: In a decade of looking, I haven't found a *single* data-recovery outfit
> that claimed to recover from even a single overwrite.  Blown partition table?
> No problem. Metadata overwritten, data not? We can scavenge the blocks. Disk
> been in a fire? Flood? Run over by truck? Sure. We can go in and scavenge the
> individual intact bits with big expensive machines. Overwritten? <crickets>.
>
> Seriously - a lot of companies can recover data by reading the magnetic fields of
> intact data.  But anybody know of one that claims it can recover actual
> over-writes, as opposed to "damn we erased it" or "damn the first part of the
> disk is toast"?
>
> No?  Nobody knows of one?  I didn't think so.
>
> 20 or 25 years ago, it may still have been feasible to use gear to measure the
> residual magnetism in the sidebands after an over-write.   However, those
> sidebands have shrunk drastically, as they are the single biggest problem when
> trying to drive densities higher.  You can't afford a sideband anymore - if
> you have one, it's overlapping the next bit.
>
> There *may* be some guys inside the spook agencies able to recover overwrites.
> But you don't need to worry about any evidence so recovered ever being used
> against you in a court of law - as then they'd have to admit they could do it.
> Just like in WWII we allowed the German U-boats to sink our convoys rather
> than let them figure out we had broken Enigma, they'll let the prosecution
> fail rather than admit where the data came from.

FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
