Thanks for the paper, Zac. This stuff is pretty fascinating - and the
reality of it is that the average Joe has no idea recovery is even
possible. I forwarded the paper to a buddy of mine that does data recovery
for various narc teams and other law enforcement agencies in AR and OK.
Here's his "practical take" on data wiping.
__________
" [snip] It all makes for great debating material, but what it comes down to
in the real world is this: is the data usable and could it stand up in a
court of law? The most I have seen something wiped is about 8 times and still
be able to recover some tidbit of data. Most of the time you end up with
garbled junk which any attorney will argue to be thrown out. And if you do
get it past the evidence introduction, try to explain to a jury from Cherokee
Co. or Northwest AR just exactly how you got that data in a way they can
understand. The fact is there is always probably going to be some type of
"ghost" data because of the imprecise nature of the mechanics of writing
data to magnetized platters. I have software that can recover images and
data from any hard disk it can be hooked up to. Most of the time it's so
badly damaged or incomplete that it's useless for evidence, but it gives us
some place to start looking or ideas on what to look for. So in short, if
you can't prove it's kiddy porn then you're still out of luck. [snip]
___________
On Wednesday 2008 December 17 15:45:42 Jason Kindall wrote:
> Thanks for the paper, Zac. This stuff is pretty fascinating - and the
> reality of it is that the average Joe has no idea recovery is even
> possible.
The paper is pretty explicit that data recovery is impossible from sectors on modern drives that have been overwritten even once, and supports it with both theoretical underpinnings and practical tests.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
Boyd.Stephen.Smith...@gmail.com ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.org/ \_/
I agree that this paper pretty much shoots holes all in data recovery from
drives that have been wiped properly. And like Rix, I think it is good news
to get some clarity on the issue. From a technology standpoint, case
closed.
My point in passing along my buddy's words was to provide the group with
input from someone who does this sort of thing 'on the ground'. He does
recovery for a living for LEOs and deals primarily with in-situ data
recovery and computer investigation as well as post-seizure analysis of
drives. Most of his work is on machines that have simply been overwritten
or had simple file deletions - not full wiping protocols. The message I
take away from it all (and it is a moot point for anyone who doesn't dabble
in the illegal) is that while data may not be recoverable with any degree of
usefulness in a court of law, the law enforcement folks may still get a
sniff of something and decide it is enough to dig deeper. Data may not get
you convicted as evidence, but it could get the investigators interested in
looking for more that they can use.
Jason
On Wed, Dec 17, 2008 at 4:22 PM, Boyd Stephen Smith Jr. <
> On Wednesday 2008 December 17 15:45:42 Jason Kindall wrote:
> > Thanks for the paper, Zac. This stuff is pretty fascinating - and the
> > reality of it is that the average Joe has no idea recovery is even
> > possible.
> The paper is pretty explicit that data recovery is impossible from sectors
> on modern drives that have been overwritten even once, and supports it with
> both theoretical underpinnings and practical tests.
> --
> Boyd Stephen Smith Jr. ,= ,-_-. =.
> Boyd.Stephen.Smith...@gmail.com ((_/)o o(\_))
> ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
> http://iguanasuicide.org/ \_/
On Thursday 2008 December 18 08:39:36 Jason Kindall wrote:
> I agree that this paper pretty much shoots holes all in data recovery from
> drives that have been wiped properly.
If by "wiped properly" you mean having the bytes written over even a single time with a fixed pattern (e.g. all zeros), with standard tools, I agree.
I don't think anyone has ever claimed that data that is not overwritten magically disappears because the OS isn't referencing it. Although I suppose that ("the data is gone") is the impression you are supposed to get from the OS.
Tales from "on the ground" are generally more noisy AND more biased than studies[1] -- "The plural of 'anecdote' is not 'data'." They are more noisy just because the monitoring equipment generally isn't as good. It's usually low-precision, not necessarily low-accuracy, and accumulation of error causes problems. They are more biased because of documented "reinforcement bias": people tend to remember events that match their bias and forget ones that don't. In short, tales from "on the ground" rarely reflect reality as well as studies[1] using an appropriate model.
[1] "study" being defined as: analysis of data from repeated (and independently-repeatable), controlled and monitored experiments.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
Boyd.Stephen.Smith...@gmail.com ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.org/ \_/