Forensic data recovery?
13 April 2008
I couldn't help but notice that many firms and agencies claim to be able to recover data from HDDs that were "wiped clean".
The rumor is that it's possible to recover traces of magnetization by "digging" deeper into the physical "layers" of an HDD platter. Or rather, that you can find traces of previous magnetization "around" existing bits.
While this may sound sensible, I don't think that these recovery methods are practical, used, or even possible. About a week ago I found a test project that supports my line of thought.
http://16systems.com/zero/index.html
"The Great Zero Challenge" will reward anyone who can recover a small amount of data from a drive that has been wiped clean by the UNIX dd command.
Basically, what you can make dd do is overwrite *every bit* of the drive with random data or just lots of zeroes. The actual command looks like this:
sudo dd if=/dev/urandom of=/dev/hda
You can also set a different block size, as this improves the write speed (for this, see the man page). This command is going to take a LONG time. And this is exactly what you want, because it actually writes to every part of the drive, leaving no data behind.
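As an added illustration (not code from the original post), the same wipe rehearsed on a small file that stands in for the drive, with the check a practitioner runs afterwards: does anything recognisable survive, and is every byte really overwritten? The image path, size and the planted marker string are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse the dd wipe on a file that
# stands in for the drive, then verify that nothing recognisable survives.
# Assumptions: POSIX sh with dd, cmp, grep, printf and mktemp (GNU or BSD userland).
set -e

IMG="${IMG:-$(mktemp)}"        # the stand-in "drive"; a real wipe targets e.g. /dev/hda
SIZE_BLOCKS=1024               # 1024 x 4096 bytes = 4 MiB
SIZE_BYTES=$((SIZE_BLOCKS * 4096))
MARKER="SECRET-PAYROLL-2008"   # constructed string we plant and later search for

# Build the image: all zeroes, with the marker written 1 MiB in, like a file on the platter.
make_image() {
    dd if=/dev/zero of="$IMG" bs=4096 count="$SIZE_BLOCKS" 2>/dev/null
    printf '%s' "$MARKER" | dd of="$IMG" bs=1 seek=1048576 conv=notrunc 2>/dev/null
}

# The wipe from the post with a larger block size. Source is /dev/zero or /dev/urandom.
# conv=notrunc keeps the file at full size; on a real block device it makes no difference.
wipe_image() {
    dd if="${1:-/dev/zero}" of="$IMG" bs=4096 count="$SIZE_BLOCKS" conv=notrunc 2>/dev/null
}

# Software-level "recovery": how many times does the marker still appear? Prints a count.
marker_count() {
    LC_ALL=C grep -a -c "$MARKER" "$IMG" || true   # grep exits 1 when the count is 0
}

# Stronger check after a zero wipe: every byte of the image must compare equal to /dev/zero.
all_zero() {
    cmp -n "$SIZE_BYTES" "$IMG" /dev/zero >/dev/null 2>&1
}

# Stand-alone run: plant the marker, confirm it is there, wipe with random data, re-check.
make_image
echo "before wipe: marker found $(marker_count) time(s)"
wipe_image /dev/urandom
echo "after wipe:  marker found $(marker_count) time(s)"
```

Run it against a real device only by changing IMG deliberately; the zero-wipe variant can additionally be confirmed with all_zero, which a random-data wipe by design cannot pass.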
According to the "Great Zero Challenge", no one has recovered the data yet. When recovery firms were asked for their services, they declined the request, saying that the dd command "is a pretty good command".
Consequently, as I see it, all those feared data recovery methods simply don't exist (or aren't used, for that matter).
Recovering data from a "formatted" HDD is possible, and you can do it fairly quickly with software tools. This is probably what all the "forensic data recovery" hype is about. The dd wipe, however, seems to be good enough to withstand any realistic kind of recovery.
No more need for exploding hard drives! As long as you use the right software, your data will be truly "lost forever".
Posted by: kGen | In category: General Security | Comments (2)