Hard Drive Paper


Zac Slade

Dec 17, 2008, 3:58:38 PM
to nwa...@googlegroups.com, fgar-di...@googlegroups.com
Here's the latest research on hard drive overwriting.

--
Zac Slade
krak...@gmail.com
Overwriting Hard Drive Data: The Great Wiping Controversy.pdf

Jason Kindall

Dec 17, 2008, 4:45:42 PM
to nwa...@googlegroups.com
Thanks for the paper, Zac.  This stuff is pretty fascinating - and the reality of it is that the average Joe has no idea recovery is even possible.  I forwarded the paper to a buddy of mine who does data recovery for various narc teams and other law enforcement agencies in AR and OK.  Here's his "practical take" on data wiping.
__________

" [snip] It all makes for great debating material, but what it comes down to in the real world is this: is the data usable and could it stand up in a court of law? The most I have seen something wiped is about 8 times and still be able to recover some tidbit of data. Most of the time you end up with garbled junk which any attorney will argue to be thrown out. And if you do get it past the evidence introduction, try to explain to a jury from Cherokee Co. or Northwest AR just exactly how you got that data in a way they can understand. The fact is there is always probably going to be some type of "ghost" data because of the imprecise nature of the mechanics of writing data to magnetized platters. I have software that can recover images and data from any hard disk it can be hooked up to. Most of the time it's so badly damaged or incomplete that it's useless for evidence, but it gives us some place to start looking or ideas on what to look for.  So in short, if you can't prove it's kiddy porn then you're still out of luck. [snip] "
___________ 

Cheers,

Jason

Boyd Stephen Smith Jr.

Dec 17, 2008, 5:22:22 PM
to nwa...@googlegroups.com
On Wednesday 2008 December 17 15:45:42 Jason Kindall wrote:
> Thanks for the paper, Zac. This stuff is pretty fascinating - and the
> reality of it is that the average Joe has no idea recovery is even
> possible.

The paper is pretty explicit that data recovery is impossible from sectors on
modern drives that have been overwritten even once, and supports it with both
theoretical underpinnings and practical tests.
--
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
Boyd.Steph...@gmail.com           ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-'
http://iguanasuicide.org/                      \_/    

Rix

Dec 17, 2008, 9:24:45 PM
to Northwest Arkansas Linux Users Group
It's such a relief to see hard, empirical, detailed evidence to refute
the mythology that has sprung up since 1996.

Jason Kindall

Dec 18, 2008, 9:39:36 AM
to nwa...@googlegroups.com
I agree that this paper pretty much shoots holes all in data recovery from drives that have been wiped properly.  And like Rix, I think it is good news to get some clarity on the issue.  From a technology standpoint, case closed.

My point in passing along my buddy's words was to provide the group with input from someone who does this sort of thing 'on the ground'.  He does recovery for a living for LEOs and deals primarily with in-situ data recovery and computer investigation as well as post-seizure analysis of drives.  Most of his work is on machines that have simply been overwritten or had simple file deletions - not full wiping protocols.  The message I take away from it all (and it is a moot point for anyone who doesn't dabble in the illegal) is that while data may not be recoverable with any degree of usefulness in a court of law, the law enforcement folks may still get a sniff of something and decide it is enough to dig deeper.  Data may not get you convicted as evidence, but it could get the investigators interested in looking for more that they can use.

Jason

Boyd Stephen Smith Jr.

Dec 18, 2008, 5:23:06 PM
to nwa...@googlegroups.com
On Thursday 2008 December 18 08:39:36 Jason Kindall wrote:
> I agree that this paper pretty much shoots holes all in data recovery from
> drives that have been wiped properly.

If by "wiped properly", you mean having the bytes written over even a single time
with a fixed pattern (e.g. all zeros), with standard tools, I agree.

I don't think anyone has ever claimed that data that is not overwritten
magically disappears because the OS isn't referencing it. Although I suppose
that ("the data is gone") is the impression you are supposed to get from the
OS.

Tales from "on the ground" are generally more noisy AND more biased than
studies[1] -- "The plural of 'anecdote' is not 'data'." It's more noisy
just because the monitoring equipment generally isn't as good. It's usually
low-precision not necessarily low-accuracy and accumulation of error causes
problems. It's more biased because of documented "re-enforcement bias":
people tend to remember events that match their bias and forget ones that
don't. In short, tales from "on the ground" rarely reflect reality as well
as studies[1] using an appropriate model.

[1] "study" being defined as: analysis of data from repeated (and
independently-repeatable), controlled and monitored experiments.
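The single-pass, fixed-pattern overwrite Boyd describes is easy to do with standard tools; what practitioners usually forget is the verification read-back that turns "I ran the wipe" into evidence that every byte was actually replaced. The following is an added example (not from the thread or from the paper it discusses) that overwrites a file in place with a one-byte pattern, flushes and fsyncs it, then reads the whole thing back and reports the first offset that still differs. The file size, chunk size and sample contents are constructed for the demo; the same routine would be pointed at a block device for a whole-drive wipe, which the demo does not do. One caveat the thread does not cover: overwriting a file in place only guarantees the old sectors are rewritten on a filesystem and device that write in place; journaling or copy-on-write filesystems and wear-levelled flash may leave the original copy elsewhere, so a whole-device wipe is the only case where this check maps directly onto the drive's sectors.

```python
import os
import secrets
import tempfile
from typing import Tuple

CHUNK = 1 << 20  # 1 MiB write/verify granularity (constructed choice for the demo)


def overwrite_once(path: str, pattern: bytes = b"\x00") -> int:
    """Overwrite every byte of an existing file in place with a fixed one-byte pattern.

    Returns the number of bytes written. The data is flushed and fsync'd so it has
    reached the device before verification reads it back.
    """
    if len(pattern) != 1:
        raise ValueError("pattern must be exactly one byte")
    size = os.path.getsize(path)
    block = pattern * CHUNK
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)  # last chunk may be short
            fh.write(block[:n])
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())
    return size


def verify_pattern(path: str, pattern: bytes = b"\x00") -> Tuple[bool, int]:
    """Read the file back and confirm every byte equals the pattern.

    Returns (ok, first_bad_offset); first_bad_offset is -1 when every byte matches.
    """
    block = pattern * CHUNK
    offset = 0
    with open(path, "rb") as fh:
        while True:
            data = fh.read(CHUNK)
            if not data:
                return True, -1
            if data != block[: len(data)]:
                # Locate the first mismatching byte so the report is actionable.
                for i, b in enumerate(data):
                    if b != pattern[0]:
                        return False, offset + i
            offset += len(data)


def sanitize_file(path: str, pattern: bytes = b"\x00") -> dict:
    """Overwrite and then verify; the verification is what makes the wipe auditable."""
    written = overwrite_once(path, pattern)
    ok, bad = verify_pattern(path, pattern)
    return {"bytes_written": written, "verified": ok, "first_bad_offset": bad}


def demo() -> dict:
    """Constructed sample: a temp file of random bytes (not a CHUNK multiple), wiped and verified."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(secrets.token_bytes(3 * CHUNK + 12345))
        return sanitize_file(path)
    finally:
        os.remove(path)


def demo_detects_leftover(offset: int = CHUNK + 7) -> Tuple[bool, int]:
    """Constructed sample: a zero-filled file with one byte left behind at `offset`.

    Shows that the read-back step catches a wipe that did not cover every byte.
    """
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(b"\x00" * (2 * CHUNK))
        with open(path, "r+b") as fh:
            fh.seek(offset)
            fh.write(b"\xff")
        return verify_pattern(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
    print(demo_detects_leftover())
```

The verification pass is deliberately a separate read of the file rather than a check of the buffer just written: the point is to confirm what the device returns, not what the program intended to send.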
