HDD & Forensic recovery

zero · Apr 8, 2004

A) If drive A is copied to drive B just be normal ide cables and drag drop
so nothing clever - will the forensic left over magnetic signals be lost ?

I am thinking that the clever software that would normally be used in these
cases would
be able to record the exact values read of the disc surface before they are
approximated
to either 1 or 0 and from that be able to work out what was there previously

so . . .

if you drag & drop the exact values are lost and its either 1 or 0 and end
of story ?

in fact maybe a specific PC rig might be needed

any expert opinion welcomed

thanks

S.Heenan · Apr 8, 2004

zero said:
A) If drive A is copied to drive B just be normal ide cables and drag
drop so nothing clever - will the forensic left over magnetic signals
be lost ?

I am thinking that the clever software that would normally be used in
these cases would
be able to record the exact values read of the disc surface before
they are approximated

Here's a start:
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Rod Speed · Apr 8, 2004

A) If drive A is copied to drive B just be normal ide cables and drag drop
so nothing clever - will the forensic left over magnetic signals be lost ?

They wont be on drive B, anyway.

I am thinking that the clever software that would normally be
used in these cases would be able to record the exact values
read of the disc surface before they are approximated to either
1 or 0 and from that be able to work out what was there previously

Fraid not. Nothing 'clever software' can do about what the hardware cant do.

so . . .

if you drag & drop the exact values are lost
and its either 1 or 0 and end of story ?

As far as drive B is concerned, yes.

Drive A is obviously unaffected.

in fact maybe a specific PC rig might be needed

Nope.

Folkert Rienstra · Apr 8, 2004

zero said:
A) If drive A is copied to drive B just be normal ide cables and drag drop
so nothing clever - will the forensic left over magnetic signals be lost ?

I am thinking that the clever software that would normally be used in these
cases would
be able to record the exact values read of the disc surface before they are
approximated
to either 1 or 0 and from that be able to work out what was there previously

so . . .

if you drag & drop the exact values are lost and its either 1 or 0 and end
of story ?

in fact maybe a specific PC rig might be needed

any expert opinion welcomed

Judging to layout and contents of your post I'm afraid an
expert opinion will most likely be completely wasted on you.

zero · Apr 9, 2004

well !!!!!!!!!!!!!!!!!!!!!

sorry einstein but other people seemd to have understood the drift
of my question , sorry it wasnt technical enough for you

maybe its down to you and your actually too stupid to have an opinion
so you just insult me ?

so the price of posting a friendly question and asking for expert opinion
is to be insulted - we'll i think the other readers of my post
will judge you , so i'll leave it to them

to everyone else , thankyou !

zero · Apr 9, 2004

thanks for the response

it confirmed my thoughts on the subject but
nice to have them confirmed

i wonder whether the authorities are winding us up
with their claims of tracing previous data stored on drives
but i'll chase that other link up

Rod Speed · Apr 9, 2004

thanks for the response

it confirmed my thoughts on the subject
but nice to have them confirmed

i wonder whether the authorities are winding us up with
their claims of tracing previous data stored on drives

I havent seen too many claims about
capabilitys there by the authoritys.

Its mostly speculation about what might be possible there.

There certainly havent been any examples of say
child porn being discovered that way being used
as evidence in any court that I have ever noticed.

Its possible that the authoritys are using that sort of
data from hard drives siezed from bin Laden cronys,
and its not surprising that they dont say much about
what they can do if they are actually doing much of that.

I think its more likely it isnt done much.

Arno Wagner · Apr 9, 2004

Previously zero said:
A) If drive A is copied to drive B just be normal ide cables and drag drop
so nothing clever - will the forensic left over magnetic signals be lost ?

I am thinking that the clever software that would normally be used in these
cases would
be able to record the exact values read of the disc surface before they are
approximated
to either 1 or 0 and from that be able to work out what was there previously

so . . .

if you drag & drop the exact values are lost and its either 1 or 0 and end
of story ?

Yes. If you copy data from one drive to the other, you add a new
layer of data to the target drive on top of what was there
before. Any 'older data layers' on the source drive stay there and
are not copied.

Still, while it may be possible to remove data in layers and recover
older data that was in its space before, no commercial data recovery
company offers this service. (The german computer magazin c't
tried to get data recoverd that was overwritten once some time
ago. All data-recovery outfits they contacted said they could
not do this.) It might be impossible to actually do this, e.g.
because the overwritten signal is too close to the noise-level.
It used to be possible with older HDD technology, that did not
use the magnetic coating to its limits. It is likely possible with
floppy disks.

Arno

Mark M · Apr 9, 2004

zero said:
well !!!!!!!!!!!!!!!!!!!!!

sorry einstein but other people seemd to have understood the
drift of my question , sorry it wasnt technical enough for you

maybe its down to you and your actually too stupid to have an
opinion so you just insult me ?

so the price of posting a friendly question and asking for
expert opinion is to be insulted - we'll i think the other
readers of my post will judge you , so i'll leave it to them

to everyone else , thankyou !

I think Folkert is saying he is in a position to offer an expert
opinion but chooses to deny you.

zero · Apr 9, 2004

thanks

again , looking at my noddy example

if drive B was brand new so no old signals etc. - it would only contain
the current values form the data copied over from A

whereas A of course would have those left over magnetic signatures
that could possibly giveaway past data values

Neil Maxwell · Apr 9, 2004

I think Folkert is saying he is in a position to offer an expert
opinion but chooses to deny you.

Yep, you just have to get used to that kind of thing around here.
Ignoring it works well for me.

Neil Maxwell - I don't speak for my employer

Alexander Grigoriev · Apr 9, 2004

I think all those scares about overwritten data recovery are just old wives
tales to support "data erasure" software sales, repeated many times by such
illiterate paranoid folks as Dvorak of PC mag.

It's quite a wonder that the _latest_ written data can be read at all, given
the current (and even not that current) recording density.

As the data is overwritten once with any disk-fill software, like a drive
write test, it becomes pretty much noise added to the latest signal, and as
noise, cannot be reliably separated from the signal to become another
decodable signal.

Arno Wagner · Apr 9, 2004

Previously zero said:
thanks

again , looking at my noddy example

if drive B was brand new so no old signals etc. - it would only contain
the current values form the data copied over from A

whereas A of course would have those left over magnetic signatures
that could possibly giveaway past data values

Correct.

Arno

Rod Speed · Apr 9, 2004

I think all those scares about overwritten data recovery are just
old wives tales to support "data erasure" software sales, repeated
many times by such illiterate paranoid folks as Dvorak of PC mag.

Doesnt explain the DOD standards for wiping and the
obsession with melting drives that are being disposed of.

You can however certainly claim that thats just an ultra safe approach
which should ensure that the data cant be retrieved, and not saying
anything useful about how retrievable it is without that.

It's quite a wonder that the _latest_ written data can be read at
all, given the current (and even not that current) recording density.

As the data is overwritten once with any disk-fill software,
like a drive write test, it becomes pretty much noise added
to the latest signal, and as noise, cannot be reliably separated
from the signal to become another decodable signal.

Corse you could be a shill who knows that the data can be
retrieved and who is deliberately encouraging people to
not fully erase their drives, so the data can be retrieved |-)

Arno Wagner · Apr 9, 2004

Previously Alexander Grigoriev said:
I think all those scares about overwritten data recovery are just old wives
tales to support "data erasure" software sales, repeated many times by such
illiterate paranoid folks as Dvorak of PC mag.

It's quite a wonder that the _latest_ written data can be read at all, given
the current (and even not that current) recording density.

As the data is overwritten once with any disk-fill software, like a drive
write test, it becomes pretty much noise added to the latest signal, and as
noise, cannot be reliably separated from the signal to become another
decodable signal.

For current HDDs, I think you are perfectly correct. For older HDDs
(several years), floppy disks, some tape variants, recovery of
overwritten data may be possible, since they use only part of
the available area (differences in positioning od different writes)
and part of the available "channel" (s/n ratio, Shannon).

However there is a second angle to this: Most people do not know how
to overwrite files/partitions/disks. They can only drag objects to
the "trash" folder and don't understand what this does. In addition
there is the problem of swap files/partitions. Carefully engineered
commercial solution may have some benefit for this type of user.
However these people should not put anything confidential on a
computer in the first place!

Arno

Arno Wagner · Apr 9, 2004

I think Folkert is saying he is in a position to offer an expert
opinion but chooses to deny you.

LOL! This analysis convionces me! :-)

=)

I could now claim that I also add a typo here and there to
keep Folkert happy (...and thinking that I am a complete idiot.).

Arno

Folkert Rienstra · Apr 10, 2004

Alexander Grigoriev said:
I think all those scares about overwritten data recovery are just old wives
tales to support "data erasure" software sales, repeated many times by such
illiterate paranoid folks as Dvorak of PC mag.

It's quite a wonder that the _latest_ written data can be read at all, given
the current (and even not that current) recording density.

Probably just as difficult as with every other generation, com-
pared to the state of development at that particular time.

As the data is overwritten once with any disk-fill software, like a drive
write test,

Which is not any different from normal use.

it becomes pretty much noise added to the latest signal, and as noise, cannot
be reliably separated from the signal to become another decodable signal.

Heenan's link pretty well describes how it's done.
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

But you do need special hard- and software to make it work.

Btw, check your newsclient's settings, it's making a mess.

[wrecked quoting snipped]

Folkert Rienstra · Apr 10, 2004

Arno Wagner said:
LOL! This analysis convionces me! =)

I could now claim that I also add a typo here and there to keep Folkert happy

Yes, but then that would be a lie, now wouldn't it.

(...and thinking that I am a complete idiot.).

You're not? Bummer.

HDD & Forensic recovery

zero

S.Heenan

Rod Speed

Folkert Rienstra

zero

zero

Rod Speed

Arno Wagner

Mark M

zero

Neil Maxwell

Alexander Grigoriev

Arno Wagner

Rod Speed

Arno Wagner

Arno Wagner

Folkert Rienstra

Folkert Rienstra