Jump to content

  • Log In with Google      Sign In   
  • Create Account


Files can always be recovered no matter what you do...


Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

  • You cannot reply to this topic
34 replies to this topic

#21 dpadam450   Members   -  Reputation: 884

Posted 23 September 2011 - 03:59 PM

How do you know the history of bits though?

---- = blank space

----[FILE 1]----------
(delete file 1)
-------[FILE 2]-------

0000111222222000000 (how much history this memory has)


So they look at see no history for a few, then they see a history of 1 for the very first part of FILE 1, then they hit some bits that have a history of 2. And they just go back in time over bits that have different amounts of history? How much history is there anyway? Say I did that diagram 32 times deleting and adding file1 and file 2 in those same spaces with images of the same exact size. So if you dont know the history since the life of the HD, you cant know which history to grab, because you have no boundaries to know where a specific file had history. Right?

Sponsor:

#22 Antheus   Members   -  Reputation: 2397

Posted 23 September 2011 - 04:02 PM

It may be possible for very well funded governmental institutions or multinational corporations

Money can't buy what isn't there.

In the 90s the "Gibson" was a romantic take on what big companies and money had. But the reality was much more mundane. Sure, the Cray was stylish, the kid who brought O2 to the party was the chick magnet, but at the end of the day, it was just POSIX, same as 30 years ago and today, running ls and chmod.

As mentioned, I don't know of a single published case where an erased drive, even in perfect condition, were recovered, excluding the possibility of MFM (10MB or less drives).


Unfortunately, education should show the latest greatest, not old-wives lore of yesterday. Some 8 years ago I read a publication on scientists who managed to decode wire signal from LED on back of network card using a telescope (peek from across the street, read network traffic). Limited in application due to responses and network rates going higher, but still, a valid experiment. Recently, researchers managed to correlate smart meter readings with TV channel selection based on dark/bright image which cause power consumption fluctuations in TVs. Again of limited use, but an old and proven concept. A slightly different technique but also much more reliable was developed a decade or two ago and in some cases fell under privacy regulation, since meter could deduce individual appliance usage based on current phase changes completely accurately.

Yet there is not a single mention of erased HDD information ever successfully read, not even a single bit.

Ergo, it has never been done.

And as always, if something needs going away - industrial shredder. Cheap, reliable, fast. Will also dispose of witnesses.

The ultimate irony is discussing this in the age of Facebook, Google, Twitter, ad agencies and ISPs tracking every action you take (methods mentioned above can and are used by those to determine what you're doing).

how much history this memory has

It would depend on method. Since you know that head follows a circular path you could extrapolate to which track the sample belongs. You would then use CRC present in same track to correct for missing bits or other errors. But this is about the same as asking what kind of batteries light saber uses. One cannot ponder the details of something that isn't.

#23 Dragonsoulj   Crossbones+   -  Reputation: 2084

Posted 23 September 2011 - 04:15 PM

Use the DoD standard for wiping hard drives just for that the bits that contain the file. Then no one would be able to recover the actual file.

#24 Yann L   Moderators   -  Reputation: 1794

Posted 23 September 2011 - 04:46 PM

Money can't buy what isn't there.

It is extremely unlikely that there is nothing there. In fact, given the analog nature of the storage medium, it is almost guaranteed that residual magnetization is left to a certain degree. Reconstructing the data is extremely difficult and/or uneconomical with current publicly available technology. This does not mean that it is impossible given enough resources and/or time. A wiped disk may be recoverable 20 years from now, but the information it contains can still be highly relevant.

DoD mandates physical destruction or degaussing before disposal of harddrives with sensitive information. Overwriting is specifically not considered sufficient.

As mentioned, I don't know of a single published case where an erased drive, even in perfect condition, were recovered, excluding the possibility of MFM (10MB or less drives).

Such cases would most likely be classified or involve illegal activities (such as high profile industrial espionage). Wait 50 years and some may fall under the FOIA.

#25 cowsarenotevil   Crossbones+   -  Reputation: 2008

Posted 23 September 2011 - 06:48 PM

One thing I want to point out is that "physical destruction," short of burying the disk in a volcano, isn't secure at all: while there are no documented cases of data being recovered after a disk is wiped, there are cases of data being recovered from a disk that's shredded: you can just scan the pieces with an electron microscope, the reconstruct them with a computer (the data tracks follow a predictable curve so it's not at all hard to figure out where even a small piece belongs).

Also, the "just because there haven't been any published cases of data being recovered doesn't mean it's not happening! The government just keeps it secret" argument isn't compelling to me. To me it doesn't sound any different than the notion that the government uses people with psychic powers to solve crimes, but they don't acknowledge it because then people will be likely to hurt the psychics: In both cases, it seems like the government would have more to gain by publishing their ability to gain knowledge (e.g. as a deterrent; you'll stop a lot more people from committing computer crimes by making it clear that you have the technology to catch them than you will by actually trying to hunt them down after the fact) than by keeping it a secret.
-~-The Cow of Darkness-~-

#26 Yann L   Moderators   -  Reputation: 1794

Posted 23 September 2011 - 07:38 PM

Also, the "just because there haven't been any published cases of data being recovered doesn't mean it's not happening! The government just keeps it secret" argument isn't compelling to me.

I never said that. I don't know if anyone does it. I don't know if anyone is going to be able to do it in 20 years on a current day harddisk. But asserting with certainty that it is 'impossible' is dangerous and a bit naive.

Fact is, the physical processes behind magnetic storage are not controllable down to an atomic level in a device like a harddisk. Can you guarantee that your HDD does not leave any trace of the original data when you overwrote it with zeros ? Not the slightest area, even if its only a few molecules wide ? Can you guarantee that it still won't even after years of mechanical wear and tear, reduced servo precision or reduced magnetic writing energy due to slowly failing heads ? Would you bet your life on it ? I certainly wouldn't. That's why there are much stricter procedures for data that is so sensitive that people would go a very long way to get a hold of it and that could have significant consequences if compromised (think nuclear weapons construction data and similar). Comparing this to psychics is a bit ridiculous, to be honest.

Of course all that doesn't apply to a normal user or company. For all common use scenarios, a simple overwrite is perfectly fine.

#27 cowsarenotevil   Crossbones+   -  Reputation: 2008

Posted 23 September 2011 - 07:58 PM

Would you bet your life on it ? I certainly wouldn't.


Would you bet your life on the non-existence of psychics? I certainly wouldn't. I'd bet quite a bit of money on both, though. I also think it's highly unlikely that 50 years from now the government will reveal that they've been recovering wiped data all along and keeping it secret, as you seem to imply (or even that they'll be able to do it in the next 50 years). That said, I agree in that in most cases information on a macroscopic scale is theoretically recoverable.
-~-The Cow of Darkness-~-

#28 Antheus   Members   -  Reputation: 2397

Posted 24 September 2011 - 08:03 AM

there are cases of data being recovered from a disk that's shredded:

[Citation needed]

And they recover valid non-erased data. That is, in some cases of physical damage, possible. But it's a completely different game from reconstructing deleted data.

you can just scan the pieces with an electron microscope, the reconstruct them with a computer (the data tracks follow a predictable curve so it's not at all hard to figure out where even a small piece belongs).

[Citation needed]

Because... things just don't work that way.


It is extremely unlikely that there is nothing there.

Of course it is. In the same way the leaf I stepped on is now deformed.

But can this be used to reconstruct the data? I say no. Not deleted data.

...governments...NSA...DoD...

Again, let's be real here.

Governments and these agencies can't even find perfectly indexed data. They are bureaucrats. They contain politicians, senators, people with connections, friends of family. When work needs to be done, they outsource it to government contractors. To avoid corruption, these contractors need to file a lot of paperwork to prove that their bribes are legit. So they contain a lot of paper pushers. So they again delegate work to Joe's Computer Recovery Shop. Who does the work under lockdown.

Really. There are no secret labs in Pentagon, there is no elevator going down 5 miles in NSA headquarters. That's Hollywood.

There is another reason, a purely engineering one. Managers like to talk. But when dealing with such delicate and one-off work, you cannot risk. You cannot be agile and learn from mistakes, it needs to work for the first time.

So to perform such recovery, there is only a handful of shops in the world that employ people who have been doing nothing but for past 20 years. Not government work, but recovering disk of a CEO who sat on it. Or folded a floppy in half. Or spilled coffee over it. And since those mysterious agencies aren't running such shops in their secret labs under volcano, they are commercial ventures, which might have, before budget cuts, even have some standing orders with governments. But little more.

And the devices, work, etc. they do, has been developed at public universities, is publishes as thesis, there are patent applications, presentations were had on conferences.


Like I said, it's romantic, but things just don't work like that in real world. In real world, such discovery would get stonewalled because the junior researcher wouldn't properly attribute their mentoring professor who would then hold a grudge and discredit the guy and have them kicked off the faculty while destroying their paper out of jealousy.

#29 Yann L   Moderators   -  Reputation: 1794

Posted 24 September 2011 - 11:40 AM

Again, let's be real here.

Good idea. First step would be to get off this "OMG you said gov't, teh CONSPIRACY !!1" trip, shall we ? Governments are obvious candidates for data forensics. If that makes you feel better, replace every instance of "government" in my posts above with "bored student with access to a big lab and too much time on his hands who wants to use university resources to reconstruct his accidentally deleted porn collection".

Second, let's get back to the technical side. So on one hand we have a harddisk. A very low cost mass produced device that is subject to large environmental influences, manufacturing tolerances, considerable wear and tear, mechanical shock, possibly bad power supply, interferences, and much more. A device that is just as precise as it needs to keep data integrity in a more or less acceptable range. Do you operate your harddisk in a temperature, humidity and pressure controlled HF shielded cleanroom ? Does it come certified by the manufacturer that it will write down to molecular precision and that every write will induce exactly the same field strength ? Do you have it recalibrated every month ? No ? Well, your HD is going to spill its magnetic signal all around the intended write track. Magnetization is a stochastic operation. You will never get 100% repeatability unless you are using feedback on almost atomic level or subject the magnetic material to a very high power magnetic field (ie. degaussing). And the latter isn't even 100.00% certain either.

On the other hand we have devices that are capable of measuring this magnetization down to the molecular scale readily available on the market.

So your conclusion from this is that reading the data is categorically impossible. Proof by "because no one has yet published a paper on it". Right...

Oh well. Thankfully the organizations (evil conspiring big corporations and governments for example) with information that could actually impact our lives do not subscribe to your point of view :rolleyes:

#30 cowsarenotevil   Crossbones+   -  Reputation: 2008

Posted 24 September 2011 - 12:00 PM

And they recover valid non-erased data. That is, in some cases of physical damage, possible. But it's a completely different game from reconstructing deleted data.


Yes, that's exactly my point. If you overwrite your data, even once, then physically destroying your disk "just to be more sure" is a waste of time, because it's a lot easier to recover a hard drive that's been physically damaged than to recover one that's been overwritten.

you can just scan the pieces with an electron microscope, the reconstruct them with a computer (the data tracks follow a predictable curve so it's not at all hard to figure out where even a small piece belongs).

[Citation needed]


Here's a random link I found. If you're wondering, I originally heard the story of recovering a shredded (physically) hard drive from a Greg Kesden many years ago. He mentioned specific instances in which this has been done (for demonstration purposes); I can't recall them.
-~-The Cow of Darkness-~-

#31 Antheus   Members   -  Reputation: 2397

Posted 24 September 2011 - 01:00 PM

So your conclusion from this is that reading the data is categorically impossible.


No, my conclusion is that is hasn't been done.

Proof by "because no one has yet published a paper on it". Right...


It has to do with that thing called scientific method. But agreed, when it comes to IT, that is indeed a joke.

Fortunately, some people actually try to move beyond Feng Shui, voodoo and witchcraft and approach this in neutral manner - by publishing stuff. Even then, despite being sound, there is dire lack of evidence of any kind that such method ever successfully recovered erased data. And that is dealing with 30+ year old technology.

More papers (I'll trust that wiki summary is correct). "On the other hand, according to the 2006 NIST Special Publication 800-88 (p. 7): "Studies have shown that most of today’s media can be effectively cleared by one overwrite" and "for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged."[1] An analysis by Wright et al. of recovery techniques, including magnetic force microscopy, also concludes that a single wipe is all that is required for modern drives. They point out that the long time required for multiple wipes "has created a situation where many organisations ignore the issue all together – resulting in data leaks and loss. ""

The NIST report should be taken very seriously and it goes along with my original suggestion. At massive scale, wiping drives may be time consuming. And since companies hosting such data do not want to spend money on tasks like that, industrial shredder is by far most cost effective method. Grind 50 disks together and the data is, for all practical purposes, non-recoverable. Because alternative today is that these drives are, without any data destruction, physical or software, delivered in labeled bags to dump. To recover, one doesn't need effort, just an IDE or SATA connector.


Finally, on publishing. Researchers these days are in dire need of justifying their own existence. They fight tooth and nail for grants in oversaturated fields, they are scrambling to reword their "images in social networks" paper for the 12th time so they meet their quota.

And here is something that has never been done or apparently is done regularly or at least has been done - and nobody writes a single paper? The field could be milked for a lifetime. It's enough to fuel several tenures over. And nothing? Not even a single tiny footnote? Not even for a 30 year old MFM drive? A floppy? A patent?

----
Or maybe we should count each other's badges. I have 18, including knitting. So if anyone has more, then you are right and I'm wrong.

After all, it works for the OP's teacher, should work here as well.

bored student with access to a big lab and too much time on his hands who wants to use university resources to reconstruct his accidentally deleted porn collection


If you are a student, please do this. You have a career made. And the foundation for an incredibly reliable recession-proof business.

#32 Yann L   Moderators   -  Reputation: 1794

Posted 24 September 2011 - 01:26 PM


So your conclusion from this is that reading the data is categorically impossible.


No, my conclusion is that is hasn't been done.

So you know about every possible attempt by every possible individual with access to the required technology anywhere in the world, who may for whatever possible reason not have published a paper on it. Okay. That's quite some impressive knowledge you have there. I personally prefer to be a bit more cautious (even though my own data is nowhere near that sensitive, so a simple overwrite is indeed all I need).

This discussion isn't leading anywhere and incidentally I have an internal research report to read over for monday and I haven't even started. A paper that will never be published. So that means the experimental technology it describes probably doesn't even exist and I can safely throw it away. Phew, the weekend is saved !

Oh well, enough sarcasm. Peace :)

#33 cowsarenotevil   Crossbones+   -  Reputation: 2008

Posted 24 September 2011 - 02:41 PM

So you know about every possible attempt by every possible individual with access to the required technology anywhere in the world, who may for whatever possible reason not have published a paper on it. Okay. That's quite some impressive knowledge you have there. I personally prefer to be a bit more cautious (even though my own data is nowhere near that sensitive, so a simple overwrite is indeed all I need).


Since you're busy I won't hold it against you if you don't reply, but again, I don't see how this argument doesn't apply equally as well to "psychics." So how, exactly, is the comparison "ridiculous"? Surely there are more attempts by individuals to use psychic powers than there are to recover overwritten data, and people who are successful have just as much incentive to keep their abilities secret.

Such cases would most likely be classified or involve illegal activities (such as high profile industrial espionage). Wait 50 years and some may fall under the FOIA.


If I said this about governments secretly using psychics to catch criminals, would you take me seriously? Of course I can't rule out the possibility (either of psychics or data recovery), but it really seems hardly worth considering when there's no evidence at all anywhere.
-~-The Cow of Darkness-~-

#34 Rixter   Members   -  Reputation: 785

Posted 24 September 2011 - 05:54 PM

You can just overclock your hard drive so it spins real fast and all the bits fly off.

#35 HappyCoder   Members   -  Reputation: 2560

Posted 27 September 2011 - 10:31 PM

I would agree that you can erase a file beyond recovery. I would simply have a program write over the data a few times with actual data of the same file type randomly found on the internet. Then set all of the bits to 0. There would be no way of knowing if the recovered data came from the random data pulled from the internet or the original file. Those are my two bits.




Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.



PARTNERS