For you paranoids...let's put this to rest

blackangst1

In security circles (some anyway) it's been a point of contention of how many times must data be wiped to completely make it unrecoverable. Most in the circles I know say once if done properly, but many people still think the <insert favorite 3 lettered agency here> has the means to recover anything. Well folks...it ain't true.

Here is the full test here but I will give you the highlights as the paper is very dry and technical. The testing was done with 17 various hard drives, a number of different write patterns, and data was attempted to be recovered via MFM (Magnetic Force Microscopy). MFM is a variety of what most people simply term an electron microscope.


Testbed:
To test the hypothesis, a number of drives of various ages and types and from several vendors were tested. In order to completely validate all possible scenarios, a total of 15 data types were used in 2 categories.

Category A divided the experiment into testing the raw drive (this is a pristine drive that has never been used), formatted drive (a single format was completed in Windows using NTFS with the standard sector sizes) and a simulated used drive (a new drive was overwritten 32 times with random data from /dev/random on a Linux host before being overwritten with all 0's to clear any residual data).

The experiment was conducted in order to test a number of write patterns. There are infinitely many possible ways to write data, so not all can be tested. The idea was to ensure that no particular pattern was significantly better or worse than another.

Category B consisted of the write pattern used both for the initial write and for the subsequent overwrites.

This category consisted of 5 dimensions:

all 0's,
all 1's,
a '01010101' pattern,
a '00110011' pattern, and
a '00001111' pattern.

The Linux utility 'dd' was used to write these patterns with a default block size of 512 (bs=512). A selection of 17 models of hard drive were tested. These varied from an older Quantum 1 GB drive to current drives (at the time the test started) dated to 2006.

The data patterns were written to each drive in all possible combinations. Each data write was a 1 kb file (1024 bits). It was necessary to carefully choose a size and location. Finding a segment on a drive without prior knowledge is like looking for the proverbial needle in the haystack. To do this, the following steps were taken:

Both drive skew and the bit was read.

The process was repeated 5 times for an analysis of 76,800 data points.

The likelihood calculations were completed for each of the 76,800 points with the distributions being analyzed for distribution density and distance.

This calculation was based on the Bayesian likelihood where the prior distribution was known.

As has been noted, in real forensic engagements, the prior distribution is unknown. When you are trying to recover data from a drive, you generally do not have an image of what you are seeking to recover. Without this forensic image, the experiment would have been exponentially more difficult. What we found from this is that even on a single write the overlap at best gives a probability of as low as just over 50% of choosing a prior bit (the best read being a little over 56%).

This caused the issue to arise, that there is no way to determine if the bit was correctly chosen or not.

Therefore, there is a chance of correctly choosing any bit in a selected byte (8-bits) - but this equates to a probability around 0.9% (or less) with a small confidence interval either side for error.

The results:
The purpose of this paper was a categorical settlement to the controversy surrounding the misconceptions involving the belief that data can be recovered following a wipe procedure. This study has demonstrated that correctly wiped data cannot reasonably be retrieved even if it is of a small size or found only over small parts of the hard drive. Not even with the use of a MFM or other known methods. The belief that a tool can be developed to retrieve gigabytes or terabytes of information from a wiped drive is in error.

Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible. Even speculating on the possible recovery of an old drive, there is no likelihood that any data would be recoverable from the drive. The forensic recovery of data using electron microscopy is infeasible. This was true both on old drives and has become more difficult over time.
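The single-pass pattern overwrite from the testbed description, as an added example that is not part of the original post or the paper: it writes each of the five patterns once with `dd bs=512` and then counts bytes that do not match. It assumes GNU coreutils; the scratch image, the marker string and the function names are constructed for illustration, and it only ever touches a temporary file, not a block device.

```shell
#!/usr/bin/env bash
# Added example: one overwrite pass per pattern on a scratch image, then verification.

# pattern_octal NAME: octal value of the byte that repeats the named bit pattern.
pattern_octal() {
  case "$1" in
    zeros)    echo 000 ;;   # 00000000
    ones)     echo 377 ;;   # 11111111
    01010101) echo 125 ;;   # 0x55
    00110011) echo 063 ;;   # 0x33
    00001111) echo 017 ;;   # 0x0F
    *) return 1 ;;
  esac
}

# overwrite_once IMG PATTERN: a single pass over the whole file in 512-byte blocks.
overwrite_once() {
  oct=$(pattern_octal "$2") || return 2
  size=$(wc -c < "$1" | tr -d ' ')
  # Generate exactly $size pattern bytes so the image is neither grown nor truncated.
  head -c "$size" /dev/zero | LC_ALL=C tr '\000' "\\$oct" |
    dd of="$1" bs=512 iflag=fullblock conv=notrunc,fsync 2>/dev/null
}

# residual_bytes IMG PATTERN: number of bytes that differ from the pattern byte.
# 0 means every byte of the image now holds the pattern.
residual_bytes() {
  oct=$(pattern_octal "$2") || return 2
  LC_ALL=C tr -d "\\$oct" < "$1" | wc -c | tr -d ' '
}

demo() {
  img=$(mktemp) || return 1
  # Constructed sample "drive": 64 KiB of random data with a marker planted at offset 4096.
  head -c 65536 /dev/urandom > "$img"
  printf 'CONSTRUCTED-MARKER-0000' | dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
  for p in zeros ones 01010101 00110011 00001111; do
    overwrite_once "$img" "$p"
    printf '%-9s residual=%s marker_lines=%s\n' "$p" \
      "$(residual_bytes "$img" "$p")" "$(grep -a -c 'CONSTRUCTED-MARKER' "$img")"
  done
  rm -f "$img"
}

demo
```

A non-zero `residual` after a pass means part of the image was not rewritten, which is the "if done properly" condition the thread depends on.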
 

Scouzer

Now I wonder if I filled my entire hard drive with copies of a word file with my CC #, if it'd wipe clean in a single pass. I think not.

In the real world though, I'm sure this is correct that one pass is enough.
 

blackangst1

Originally posted by: Scouzer
Now I wonder if I filled my entire hard drive with copies of a word file with my CC #, if it'd wipe clean in a single pass. I think not.

In the real world though, I'm sure this is correct that one pass is enough.

Yes it is enough. The point of the paper and the test is, once data is overwritten, it is gone even when examined with an electron microscope. Doesn't matter if it's done with an eraser type program or actual data (same thing-1's and 0's).