Why is data recoverable?

dejitaru

Banned
Sep 29, 2002
How can you recover data from hard drives, not after it's been deleted, but after it's been overwritten several times?
Why does the hard drive retain the information, and how can you distinguish the old data from the new?
 

zayened

Diamond Member
Feb 28, 2001
cuz data on an hdd is not physically written over, the address in the info tables just stops pointing to where on the drive the data is...so if you have a 10 gb file on a hard drive, there is an index telling windows/DOS where that file is. if you delete the index, you're not deleting the physical data. get a program that looks on the hdd, not through the index, and you'll find the data.
 

ChampionAtTufshop

Platinum Member
Nov 15, 2002
on the same note
do low level harddrive formats erase the recoverable data?
or the utilities which write zeros to the hd? (or are low level format and writing zeros to the hd the same thing lol ?)
 

dejitaru

Banned
Sep 29, 2002
Originally posted by: zayened
cuz data on an hdd is not physically written over, the address in the info tables just stops pointing to where on the drive the data is...so if you have a 10 gb file on a hard drive, there is an index telling windows/DOS where that file is. if you delete the index, you're not deleting the physical data. get a program that looks on the hdd, not through the index, and you'll find the data.

No, I mean when you write over the file. Why is it necessary to overwrite the file several times in a secure delete?
 

Walleye

Banned
Dec 1, 2002
so that you get nice little figure 8's all over the media. makes it look real pretty.
 

zayened

Diamond Member
Feb 28, 2001
Originally posted by: ChampionAtTufshop
on the same note
do low level harddrive formats erase the recoverable data?
or the utilities which write zeros to the hd? (or are low level format and writing zeros to the hd the same thing lol ?)

lol

 

zayened

Diamond Member
Feb 28, 2001
Originally posted by: dejitaru
Originally posted by: zayened
cuz data on an hdd is not physically written over, the address in the info tables just stops pointing to where on the drive the data is...so if you have a 10 gb file on a hard drive, there is an index telling windows/DOS where that file is. if you delete the index, you're not deleting the physical data. get a program that looks on the hdd, not through the index, and you'll find the data.
No, I mean when you write over the file. Why is it necessary to overwrite the file several times in a secure delete?

just to make sure...if you physically write over the data once, it's gone...no matter how many more times you write over it...
 

neo4s

Member
Dec 21, 2002
There was a thread a couple weeks ago about programs that write zeros and ones over the info to make it unrecoverable. Apparently just writing over once isn't good enough - for some reason. Can someone explain why you have to write over data many times to make it unrecoverable? It doesn't make sense to me
 

dejitaru

Banned
Sep 29, 2002
Originally posted by: zayened
Originally posted by: dejitaru
Originally posted by: zayened
cuz data on an hdd is not physically written over, the address in the info tables just stops pointing to where on the drive the data is...so if you have a 10 gb file on a hard drive, there is an index telling windows/DOS where that file is. if you delete the index, you're not deleting the physical data. get a program that looks on the hdd, not through the index, and you'll find the data.
No, I mean when you write over the file. Why is it necessary to overwrite the file several times in a secure delete?

just to make sure...if you physically write over the data once, it's gone...no matter how many more times you write over it...

Paranoia, eh? So why do techs and programmers insist on wiping data 3 (or even 20, wtf?) times? There are no decipherable remnants of magnetism remaining?
 

Mark R

Diamond Member
Oct 9, 1999
So why do techs and programmers insist on wiping data 3 (or even 20, wtf?) times? There are no decipherable remnants of magnetism remaining?

Because some of the preceding magnetic field remains. When a hard drive overwrites data, it is only sufficient to remagnetise the platter so that the 1s and 0s are recognisable - the old data does not have to be completely overwritten.

Say for instance a disk platter contained the data: 1 0 0 1 1 1

When read back the head might read this as 0.9 0.2 0.1 0.8 0.8 0.9

When recorded with 0 0 0 0 0 0, because the platter is not completely remagnetised, this might be read as 0.2 0.05 0.1 0.2 0.3 0.3. To the hard drive this would be all zeros, but remnants of the data are still there and could be extracted with specialist equipment.

There is a limit to the strength of the writing field - too strong and the drive could potentially affect the data in neighbouring sectors.

Remnants of the data could also be left because the heads are not always perfectly aligned on a cylinder - sometimes leaving a thin strip of data on a cylinder unerased. This won't be enough to affect the operation of the drive, but with a magnetic force microscope, this data could potentially be read (possibly even after having been 'overwritten' 10 times or more).
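
A toy model of the read-back numbers in the post above, added here as an illustration and not part of the thread. It first applies two decision levels to the post's own figures, then simulates repeated random overwrites to show how read noise buries the oldest layer. `RESIDUAL`, `NOISE_SIGMA` and the 0.15 cut-off are constructed values, not measurements of any real drive.

```python
import random

DRIVE_THRESHOLD = 0.5  # level at which the read channel decides 0 or 1
RESIDUAL = 0.25        # constructed: fraction of the old level surviving a write
NOISE_SIGMA = 0.02     # constructed: read noise (standard deviation)

def threshold(levels, cut):
    return [1 if v >= cut else 0 for v in levels]

def post_example():
    """The post's own numbers: what the drive sees vs. a finer decision level."""
    after_zeroing = [0.2, 0.05, 0.1, 0.2, 0.3, 0.3]    # read-back from the post
    drive = threshold(after_zeroing, DRIVE_THRESHOLD)  # the drive reads all zeros
    remnant = threshold(after_zeroing, 0.15)           # constructed cut-off
    return drive, remnant

def overwrite(levels, bits):
    """One write pass: mostly the new bit, plus a remnant of the old level."""
    return [(1 - RESIDUAL) * b + RESIDUAL * v for v, b in zip(levels, bits)]

def recovery_rate(n_bits, passes, seed=1):
    """Fraction of original bits still readable after `passes` random overwrites."""
    rng = random.Random(seed)
    original = [rng.randint(0, 1) for _ in range(n_bits)]
    levels = [float(b) for b in original]
    for _ in range(passes):
        levels = overwrite(levels, [rng.randint(0, 1) for _ in range(n_bits)])
    read = [v + rng.gauss(0, NOISE_SIGMA) for v in levels]
    # Peel layers newest-first: decide the bit, subtract it, rescale the rest.
    # Each rescale multiplies the read noise by 1/RESIDUAL, which is why the
    # oldest layer becomes unreadable as passes accumulate in this model.
    for _ in range(passes):
        newest = threshold(read, DRIVE_THRESHOLD)
        read = [(v - (1 - RESIDUAL) * b) / RESIDUAL for v, b in zip(read, newest)]
    guess = threshold(read, DRIVE_THRESHOLD)
    return sum(g == o for g, o in zip(guess, original)) / n_bits

if __name__ == "__main__":
    print(post_example())
    for passes in (1, 2, 3, 7):
        print(passes, round(recovery_rate(4000, passes), 3))
```

In this model one pass leaves the original fully readable, while by seven passes the match rate is about 0.5, which is no better than guessing.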
 

Saltin

Platinum Member
Jul 21, 2001
There is only one way to be completely sure your data is permanently erased, and that is to drill a hole or two through the hard drive. In situations where it is absolutely necessary that data be unrecoverable, that's usually what happens.
Not very high tech, but it works.
 

Mark R

Diamond Member
Oct 9, 1999
There is only one way to be completely sure your data is permanently erased, and that is to drill a hole or two through the hard drive. In situations where it is absolutely necessary that data be unrecoverable, that's usually what happens.

It depends how sure you want to be.

Sure, this method will stop minor agencies like the FBI from accessing your data - but the big boys (like the NSA or CIA) could certainly recover parts of the data. Magnetic force microscopes are an incredibly powerful tool - very, very expensive, and very very labour intensive to retrieve data, but they can retrieve small data fragments (even from an HD platter which had been smashed into hundreds of pieces).

If you want to be absolutely sure that no one finds out about (e.g. you're plotting to nuke Silicon Valley), then you're best off incinerating your HDs.
 

figgypower

Senior member
Jan 1, 2001
Originally posted by: Mark R
There is only one way to be completely sure your data is permanently erased, and that is to drill a hole or two through the hard drive. In situations where it is absolutely necessary that data be unrecoverable, that's usually what happens.

It depends how sure you want to be.

Sure, this method will stop minor agencies like the FBI from accessing your data - but the big boys (like the NSA or CIA) could certainly recover parts of the data. Magnetic force microscopes are an incredibly powerful tool - very, very expensive, and very very labour intensive to retrieve data, but they can retrieve small data fragments (even from an HD platter which had been smashed into hundreds of pieces).

If you want to be absolutely sure that no one finds out about (e.g. you're plotting to nuke Silicon Valley), then you're best off incinerating your HDs.

LOL! Incinerate my hard drive, ahh... well, I'm not plotting to nuke SV, but since I'm paranoid I might as well. :D
 

Ipno

Golden Member
Apr 30, 2001
It's absolutely fascinating what can be recovered.

Consider this, the Department of Defense's standard is to overwrite the data with random bits 7 times.

7 times! That would kind of hint at the fact that maybe after 6 times they can still get the data off ...

How do they do it? here is a fascinating read on the subject. After you read that you'll most likely decide to just demolish your used hard drive if you have anything really sensitive on there.

Of course, one wonders what you might want to protect that someone would go through _that_ much effort to get at.

Personally, if I sold my drive a simple 7 pass wipe would make me feel fine about selling it. Although I do have some files that I wouldn't give to a random stranger, I doubt anyone is going to spend the money it would take to get the data off to get at my meager bank account information. Trust me, it wouldn't be profitable to them. :)
 

dejitaru

Banned
Sep 29, 2002
Originally posted by: Mark R
There is only one way to be completely sure your data is permanently erased, and that is to drill a hole or two through the hard drive. In situations where it is absolutely necessary that data be unrecoverable, that's usually what happens.

It depends how sure you want to be.

Sure, this method will stop minor agencies like the FBI from accessing your data - but the big boys (like the NSA or CIA) could certainly recover parts of the data. Magnetic force microscopes are an incredibly powerful tool - very, very expensive, and very very labour intensive to retrieve data, but they can retrieve small data fragments (even from an HD platter which had been smashed into hundreds of pieces).

If you want to be absolutely sure that no one finds out about (e.g. you're plotting to nuke Silicon Valley), then you're best off incinerating your HDs.

Eh, why not just scrape off the magnetic layer? And couldn't waving a large neodymium-type magnet (or the electromagnet used to make it) over the platter cause total erasure?
 

sao123

Lifer
May 27, 2002
There are no decipherable remnants of magnetism remaining...

.... Wrong Try Again.

Have you ever recorded a song on an audio cassette tape? then rerecorded over it a few times...
Then when the tape gets older...some time you play it you might hear 2 or 3 overlapping songs/voices playing at the same time?

Hard Drives and Cassettes are made of the same magnetic material. Same reason why data isn't always deleted from your hard drive.
 

dejitaru

Banned
Sep 29, 2002
Originally posted by: sao123
There are no decipherable remnants of magnetism remaining...

.... Wrong Try Again.

Have you ever recorded a song on an audio cassette tape? then rerecorded over it a few times...
Then when the tape gets older...some time you play it you might hear 2 or 3 overlapping songs/voices playing at the same time?

Hard Drives and Cassettes are made of the same magnetic material. Same reason why data isn't always deleted from your hard drive.

Misquote. That had a question mark at the end of it, also was explained above.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Ipno
It's absolutely fascinating what can be recovered.

Consider this, the Department of Defense's standard is to overwrite the data with random bits 7 times.

7 times! That would kind of hint at the fact that maybe after 6 times they can still get the data off ...

How do they do it? here is a fascinating read on the subject. After you read that you'll most likely decide to just demolish your used hard drive if you have anything really sensitive on there.

Of course, one wonders what you might want to protect that someone would go through _that_ much effort to get at.

Personally, if I sold my drive a simple 7 pass wipe would make me feel fine about selling it. Although I do have some files that I wouldn't give to a random stranger, I doubt anyone is going to spend the money it would take to get the data off to get at my meager bank account information. Trust me, it wouldn't be profitable to them. :)

Thanks! I lost the link to that paper and couldn't remember where it was. Been looking for that... :p
 

zephyrprime

Diamond Member
Feb 18, 2001
There is only one way to be completely sure your data is permanently erased, and that is to drill a hole or two through the hard drive. In situations where it is absolutely necessary that data be unrecoverable, that's usually what happens.

I doubt that that would really work. Only the sections that were actually drilled out would be unrecoverable. The rest of the disk should still be recoverable.
 

JafCo

Senior member
Mar 28, 2001
MarkR is right on. Especially with this:

>>>
Remnants of the data could also be left because the heads are not always perfectly aligned on a cylinder - sometimes leaving a thin strip of data on a cylinder unerased. This won't be enough to affect the operation of the drive, but with a magnetic force microscope, this data could potentially be read (possibly even after having been 'overwritten' 10 times or more).
>>>

This is the most valuable technique, really, because it allows data to be retrieved irrespective of the pattern that has been written over. As an attorney, I can tell you that on cases where it's worth it, there are companies that can pull data off of hard drives that have been completely filled with garbage.

Honestly and truly, hammers and blowtorches are the only way to completely protect the most sensitive of data.



On a related note, you'd be amazed at what you can find on old hard drives. See this study by some MIT types, who bought 150 old hard drives and ended up with a ton of data, including a whole year's data from an ATM machine!


BBC Story
 

f95toli

Golden Member
Nov 21, 2002
Originally posted by: Mark R
There is only one way to be completely sure your data is permanently erased, and that is to drill a hole or two through the hard drive. In situations where it is absolutely necessary that data be unrecoverable, that's usually what happens.
It depends how sure you want to be. Sure, this method will stop minor agencies like the FBI from accessing your data - but the big boys (like the NSA or CIA) could certainly recover parts of the data. Magnetic force microscopes are an incredibly powerful tool - very, very expensive, and very very labour intensive to retrieve data, but they can retrieve small data fragments (even from an HD platter which had been smashed into hundreds of pieces). If you want to be absolutely sure that no one finds out about (e.g. you're plotting to nuke Silicon Valley), then you're best off incinerating your HDs.

Just a comment about the MFM (magnetic force microscopes). They are NOT expensive anymore. In fact, at any university you are very likely to find a few of them around (most of them AFMs but they can usually be converted to MFM simply by changing the tip). You can even buy very cheap models designed to be used in teaching. Sure you need extra equipment to be able to read data from a hard drive but the price would still not be very high.
 

PowerMacG5

Diamond Member
Apr 14, 2002
They discussed this on TechTV (yeah, I know) last night. Basically, you can recover data on a HDD, no matter how many times it is overwritten. You can use an Electron Microscope to peer (for lack of a better word) at the actual makeup of the disk, and reconstruct the data. Even overwriting the data 30-100's of times with zeros will not completely erase this. The only true way to destroy all the data is to destroy the HDD, and then store the parts to keep anyone else from getting to them. The British Secret service takes HDDs with confidential info on them, grinds them into dust, and then stores this dust in a secure vault, to keep others from possibly reconstructing it. I personally prefer the thermite :p approach. But with newer HDDs using a glass platter, you can just open it up, and smash it with a hammer to shatter the platters. But make sure to burn the platters, and smelt them into whatnot, then store the whatnot in a vault, or bank box, or something to keep others from it. Basically, no software format, or utility can fully erase data on a HDD. The only way to protect your data is to not allow others access to it by either locking it up, or destroying it at the atomic level.

Edit: Here is the link to the techtv story, but I wouldn't trust software to erase my data fully. Software may stop Joe Average, but if Joe Somebody wants at your data, they can get at it. Here is the link: http://www.techtv.com/screensavers/howto/story/0,24330,3416110,00.html