21533 posts

Uber Geek
+1 received by user: 4386

Trusted
Subscriber

  Reply # 206339 10-Apr-2009 13:23

nate: Interesting competition here, basically a prize if you are able to recover data from the hard-drive they have erased:

A challenge to confirm whether or not a professional data recovery firm or any individual(s) or organization(s) can recover data from a hard drive that has been overwritten with zeros once. We used the 32 year-old Unix dd command using /dev/zero as input to overwrite the drive.


They disallow drive disassembly which I would have thought was a pre-requisite to getting to data that the heads can't touch, so IMO is an invalid competition.

Also there is no incentive to do so - $40 - come on, the recovery places make more than that just finding someone's lost email from a corrupt PST etc.




Richard rich.ms

6328 posts

Uber Geek
+1 received by user: 391

Moderator
Trusted
Lifetime subscriber

  Reply # 206394 10-Apr-2009 21:00

richms: Also there is no incentive to do so - $40 - come on, the recovery places make more than that just finding someone's lost email from a corrupt PST etc.


The part that interested me was this:

According to our Unix team, there is less than a zero percent chance of data recovery after that dd command. The drive itself has been overwritten in a very fundamental manner.


Can any of our elite unix admins here confirm/deny?

1539 posts

Uber Geek
+1 received by user: 39

Trusted

  Reply # 206397 10-Apr-2009 22:13

Running Kill disk 3 - 4 times seems to do the trick for me,


Tho putting the hard drive under some thermite would be a lot faster and a more exciting way of destroying it :D


http://www.youtube.com/watch?v=ai2i2fKsy-k&feature=related

4 posts

Wannabe Geek


  Reply # 208381 21-Apr-2009 15:59

the recovery places make more than that just finding someone's lost email from a corrupt PST etc.



You're not wrong.  I wouldn't be surprised if that was a large portion of their work.  Still, how much would you be prepared to pay to recover lost e-mail?

3290 posts

Uber Geek
+1 received by user: 209

Trusted

  Reply # 208492 22-Apr-2009 09:44

richms: They disallow drive disassembly which I would have thought was a pre-requisite to getting to data that the heads can't touch, so IMO is an invalid competition.

Also there is no incentive to do so - $40 - come on, the recovery places make more than that just finding someone's lost email from a corrupt PST etc.

That is not correct.  From the website: " If the challenger is an established data recovery business located in the United States of America (We would need to see Articles of Incorporation, a current business license and one other form of business identification in order to determine that they are indeed a professional, for-profit, established data recovery business) or a National government law enforcement or intelligence agency (NSA, CIA, FBI), then we will allow these type of organizations to disassemble the drive and to keep the drive for thirty (30) consecutive days."

And the fact that the prize is small is irrelevant.  It's a token.  Don't you think that if the data recovery businesses or government agencies were able to do it, that they would, regardless of the monetary incentive to do so?  It proves that they can do what they say, that is the point.

643 posts

Ultimate Geek


  Reply # 208517 22-Apr-2009 11:52

I'd put my money on dd if=/dev/zero of=/dev/sda working suitably for any disk with a density of 36GB or more.


Density is probably the most important consideration, a 40MB MFM disk has a much greater chance of data recovery than a 750GB SATA. The Gutmann techniques are interesting but written at a time before such high densities, modern (2009) disk firmware is pushed to its limit with error correction and in fact, disk sizes are chosen at the factory by firmware measuring what density can be achieved under an error correction limit. Data recovery is becoming less practical with the increase of density.


Even some of the Police's expensive data surveying software: EnCase Forensic will not cope with a simple dd of a modern disk (or even healthy Linux filesystems for that matter).





Sniffing the glue holding the Internet together

626 posts

Ultimate Geek
+1 received by user: 82

Trusted
Subscriber

  Reply # 208546 22-Apr-2009 13:36

Around a year ago we had a debate in a community, where this guy (who took a forensics class) claimed that a single or even 3 pass wipes isn't nearly enough to destroy all data. According to him, they could recover usable info even from a 5 pass wipe.
I don't remember exactly how he said they recovered the data, but ever since that debate took place, I set out to verify whether data can really be recovered from wiped drives.

Peter Gutmann of University of Auckland (yes, of the '35-pass Gutmann method' fame!), in his paper, claimed that intelligence agencies can indeed read overwritten data from disk drives. According to him, recovery from the so called layers is possible because "when a 1 is written to disk the media records a 1, and when a zero is written the media records a zero. However the actual effect is closer to obtaining a 0.95 when a zero is overwritten with a 1, and a 1.05 when a one is overwritten with a one."

Since the paper had been published, critics have dismissed it saying that the experiments didn't actually recover any sensitive information, but rather, just evidence of previously written bits. Other experts like Charles Sobey have stated that simply scanning a single disc platter using an MFM would take more than a year, resulting in "tens of terabytes of image data" to be processed. Finally, neither private companies nor government agencies have ever claimed to be able to recover or reconstruct overwritten data.

Gutmann has since updated ("Epilogue") his paper to state that on modern drives (since 1996), even a few passes of random data would be enough to securely wipe data, and his 35-pass method was meant to cover all sorts of drive encoding technologies, even dating back to 30 year old MFM-drives.

More recently (Jan 15 2009), a paper by Dr. Craig Wright concludes that even a single wipe makes it impossible to recover data. His calculated probabilities show that chances of recovering even ONE byte of old data from an entire wiped drive is less than 1%. Recovering something like 4 bytes of data would have a 9 in a million chances.

On Jan 26 2009, Gutmann again updated ("Further Epilogue") the paper to comment on the Wright paper. He says that the paper confuses two unrelated techniques discussed by Gutmann, and thus Wright would have never been able to recover any data. He says that the article also confuses between an electron microscope and a MFM, and if they had indeed used an electron microscope then the chances of recovery would always have been negligible.

However, the final word by Mr. Gutmann is that trying to recover overwritten data from any modern drive using an MFM is a "hopeless task."

Personally, I have tested many popular data recovery software (R-studio, GetDataBack, Phoenix, RMF) and some forensic programs (like WinHex forensic) and found that, at least from a software-only point of view, it was impossible to recover even a single-pass wiped data. (Both by dedicated programs like DBAN or the dd if=/dev/urandom command)

There is however this one insane software, EnCase, that can recover (at least traces of) wiped files by digging through metadata, page files, application logs, etc. It would piece together all the information and present it in a way that can be used against you in a court of law, in fact, it is indeed used by Government and Law Enforcement agencies. However, EnCase would be of no use if the entire drive and related media have been wiped clean.

As far as the OP is concerned, the answer to his question, in a nutshell, is a big NO.
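
The single-pass zero overwrite and the software-only check discussed in this thread, as an added example that is not part of any post: it runs against a constructed 1 MiB scratch file rather than a disk, and the function names and marker string are assumptions made for illustration. It only shows what is readable through the normal read path, which is the view recovery software has.

```sh
#!/bin/sh
# Added example: single-pass zero overwrite of a scratch image file, then
# verification. Operates on a constructed file, never on a real device.

MARKER='CONSTRUCTED-MARKER-12345'   # constructed sample data

# make_image FILE: 1 MiB of random bytes with the marker planted at offset 4096.
make_image() {
    head -c 1048576 /dev/urandom > "$1" || return 1
    printf '%s' "$MARKER" | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# marker_present FILE: exit 0 if the marker string can still be found.
marker_present() {
    LC_ALL=C grep -a -q -F "$MARKER" "$1"
}

# wipe_zero FILE: overwrite every byte with zeros, keeping the length
# (the file-sized equivalent of dd if=/dev/zero of=<disk> on a whole drive).
wipe_zero() {
    wz_size=$(wc -c < "$1" | tr -d ' ') || return 1
    head -c "$wz_size" /dev/zero | dd of="$1" conv=notrunc 2>/dev/null || return 1
    sync
}

# nonzero_bytes FILE: print how many bytes are not 0x00 (0 means fully wiped).
nonzero_bytes() {
    LC_ALL=C tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# first_nonzero_offset FILE: print the 1-based offset of the first non-zero
# byte as reported by cmp, or nothing if the file is all zeros.
first_nonzero_offset() {
    LC_ALL=C cmp "$1" /dev/zero 2>/dev/null |
        sed -n 's/.*differ: [a-z]* \([0-9][0-9]*\),.*/\1/p'
}

# Demo: build the image, wipe it, and report what a scan finds afterwards.
img=$(mktemp) || exit 1
make_image "$img"
marker_present "$img" && echo "before wipe: marker found"
wipe_zero "$img"
marker_present "$img" || echo "after wipe: marker not found"
echo "non-zero bytes remaining: $(nonzero_bytes "$img")"
rm -f "$img"
```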

