HDD & Forensic recovery

[ZerO]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

A) If drive A is copied to drive B just be normal ide cables and drag drop
so nothing clever - will the forensic left over magnetic signals be lost ?

I am thinking that the clever software that would normally be used in these
cases would
be able to record the exact values read of the disc surface before they are
approximated
to either 1 or 0 and from that be able to work out what was there previously

so . . .

if you drag & drop the exact values are lost and its either 1 or 0 and end
of story ?

in fact maybe a specific PC rig might be needed

any expert opinion welcomed

thanks

 

[Guest]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

zero wrote:
> A) If drive A is copied to drive B just be normal ide cables and drag
> drop so nothing clever - will the forensic left over magnetic signals
> be lost ?
>
> I am thinking that the clever software that would normally be used in
> these cases would
> be able to record the exact values read of the disc surface before
> they are approximated

Here's a start:
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

 

[Guest]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

"zero" <zeroREMOVEnews2@hotmail.com> wrote in message news:1081442863.25291.0@doris.uk.clara.net...
> A) If drive A is copied to drive B just be normal ide cables and drag drop
> so nothing clever - will the forensic left over magnetic signals be lost ?
>
> I am thinking that the clever software that would normally be used in these
> cases would
> be able to record the exact values read of the disc surface before they are
> approximated
> to either 1 or 0 and from that be able to work out what was there previously
>
> so . . .
>
> if you drag & drop the exact values are lost and its either 1 or 0 and end
> of story ?
>
> in fact maybe a specific PC rig might be needed
>
> any expert opinion welcomed

Judging to layout and contents of your post I'm afraid an
expert opinion will most likely be completely wasted on you.

>
> thanks
>
>
>
>
>

 

[Guest]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

Previously zero <zeroREMOVEnews2@hotmail.com> wrote:
> A) If drive A is copied to drive B just be normal ide cables and drag drop
> so nothing clever - will the forensic left over magnetic signals be lost ?

> I am thinking that the clever software that would normally be used in these
> cases would
> be able to record the exact values read of the disc surface before they are
> approximated
> to either 1 or 0 and from that be able to work out what was there previously

> so . . .

> if you drag & drop the exact values are lost and its either 1 or 0 and end
> of story ?

Yes. If you copy data from one drive to the other, you add a new
layer of data to the target drive on top of what was there
before. Any 'older data layers' on the source drive stay there and
are not copied.

Still, while it may be possible to remove data in layers and recover
older data that was in its space before, no commercial data recovery
company offers this service. (The german computer magazin c't
tried to get data recoverd that was overwritten once some time
ago. All data-recovery outfits they contacted said they could
not do this.) It might be impossible to actually do this, e.g.
because the overwritten signal is too close to the noise-level.
It used to be possible with older HDD technology, that did not
use the magnetic coating to its limits. It is likely possible with
floppy disks.

Arno
--
For email address: lastname AT tik DOT ee DOT ethz DOT ch
GnuPG: ID:1E25338F FP:0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
"The more corrupt the state, the more numerous the laws" - Tacitus

 

[Guest]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

zero <zeroREMOVEnews2@hotmail.com> wrote in
message news:1081442863.25291.0@doris.uk.clara.net...

> A) If drive A is copied to drive B just be normal ide cables and drag drop
> so nothing clever - will the forensic left over magnetic signals be lost ?

They wont be on drive B, anyway.

> I am thinking that the clever software that would normally be
> used in these cases would be able to record the exact values
> read of the disc surface before they are approximated to either
> 1 or 0 and from that be able to work out what was there previously

Fraid not. Nothing 'clever software' can do about what the hardware cant do.

> so . . .

> if you drag & drop the exact values are lost
> and its either 1 or 0 and end of story ?

As far as drive B is concerned, yes.

Drive A is obviously unaffected.

> in fact maybe a specific PC rig might be needed

Nope.

 

[ZerO]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

thanks for the response

it confirmed my thoughts on the subject but
nice to have them confirmed

i wonder whether the authorities are winding us up
with their claims of tracing previous data stored on drives
but i'll chase that other link up






"Rod Speed" <rod_speed@yahoo.com> wrote in message
news:c549ad$2lbc4r$1@ID-69072.news.uni-berlin.de...
>
> zero <zeroREMOVEnews2@hotmail.com> wrote in
> message news:1081442863.25291.0@doris.uk.clara.net...
>
> > A) If drive A is copied to drive B just be normal ide cables and drag
drop
> > so nothing clever - will the forensic left over magnetic signals be lost
?
>
> They wont be on drive B, anyway.
>
> > I am thinking that the clever software that would normally be
> > used in these cases would be able to record the exact values
> > read of the disc surface before they are approximated to either
> > 1 or 0 and from that be able to work out what was there previously
>
> Fraid not. Nothing 'clever software' can do about what the hardware cant
do.
>
> > so . . .
>
> > if you drag & drop the exact values are lost
> > and its either 1 or 0 and end of story ?
>
> As far as drive B is concerned, yes.
>
> Drive A is obviously unaffected.
>
> > in fact maybe a specific PC rig might be needed
>
> Nope.
>
>

 

[Guest]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

On Fri, 09 Apr 2004 11:22:06 +0100, Mark M
<MarkM_csiphsCANT_RECEIVE_MAIL@yahoo.co.uk> wrote:

>"zero" <zeroREMOVEnews2@hotmail.com> wrote:
>
>> so the price of posting a friendly question and asking for
>> expert opinion is to be insulted - we'll i think the other
>> readers of my post will judge you , so i'll leave it to them
>>
>> to everyone else , thankyou !
>>
>I think Folkert is saying he is in a position to offer an expert
>opinion but chooses to deny you.

Yep, you just have to get used to that kind of thing around here.
Ignoring it works well for me.


Neil Maxwell - I don't speak for my employer

 

[Guest]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

zero <zeroREMOVEnews2@hotmail.com> wrote in
message news:1081466361.40836.0@doris.uk.clara.net...

> thanks for the response

> it confirmed my thoughts on the subject
> but nice to have them confirmed

> i wonder whether the authorities are winding us up with
> their claims of tracing previous data stored on drives

I havent seen too many claims about
capabilitys there by the authoritys.

Its mostly speculation about what might be possible there.

There certainly havent been any examples of say
child porn being discovered that way being used
as evidence in any court that I have ever noticed.

Its possible that the authoritys are using that sort of
data from hard drives siezed from bin Laden cronys,
and its not surprising that they dont say much about
what they can do if they are actually doing much of that.

I think its more likely it isnt done much.

> but i'll chase that other link up


> "Rod Speed" <rod_speed@yahoo.com> wrote in message
> news:c549ad$2lbc4r$1@ID-69072.news.uni-berlin.de...
> >
> > zero <zeroREMOVEnews2@hotmail.com> wrote in
> > message news:1081442863.25291.0@doris.uk.clara.net...
> >
> > > A) If drive A is copied to drive B just be normal ide cables and drag
> drop
> > > so nothing clever - will the forensic left over magnetic signals be lost
> ?
> >
> > They wont be on drive B, anyway.
> >
> > > I am thinking that the clever software that would normally be
> > > used in these cases would be able to record the exact values
> > > read of the disc surface before they are approximated to either
> > > 1 or 0 and from that be able to work out what was there previously
> >
> > Fraid not. Nothing 'clever software' can do about what the hardware cant
> do.
> >
> > > so . . .
> >
> > > if you drag & drop the exact values are lost
> > > and its either 1 or 0 and end of story ?
> >
> > As far as drive B is concerned, yes.
> >
> > Drive A is obviously unaffected.
> >
> > > in fact maybe a specific PC rig might be needed
> >
> > Nope.
> >
> >
>
>

 

[ZerO]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

thanks

again , looking at my noddy example

if drive B was brand new so no old signals etc. - it would only contain
the current values form the data copied over from A

whereas A of course would have those left over magnetic signatures
that could possibly giveaway past data values






"Arno Wagner" <me@privacy.net> wrote in message
news:c5514a$2olufm$2@ID-2964.news.uni-berlin.de...
> Previously zero <zeroREMOVEnews2@hotmail.com> wrote:
> > A) If drive A is copied to drive B just be normal ide cables and drag
drop
> > so nothing clever - will the forensic left over magnetic signals be lost
?
>
> > I am thinking that the clever software that would normally be used in
these
> > cases would
> > be able to record the exact values read of the disc surface before they
are
> > approximated
> > to either 1 or 0 and from that be able to work out what was there
previously
>
> > so . . .
>
> > if you drag & drop the exact values are lost and its either 1 or 0 and
end
> > of story ?
>
> Yes. If you copy data from one drive to the other, you add a new
> layer of data to the target drive on top of what was there
> before. Any 'older data layers' on the source drive stay there and
> are not copied.
>
> Still, while it may be possible to remove data in layers and recover
> older data that was in its space before, no commercial data recovery
> company offers this service. (The german computer magazin c't
> tried to get data recoverd that was overwritten once some time
> ago. All data-recovery outfits they contacted said they could
> not do this.) It might be impossible to actually do this, e.g.
> because the overwritten signal is too close to the noise-level.
> It used to be possible with older HDD technology, that did not
> use the magnetic coating to its limits. It is likely possible with
> floppy disks.
>
> Arno
> --
> For email address: lastname AT tik DOT ee DOT ethz DOT ch
> GnuPG: ID:1E25338F FP:0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
> "The more corrupt the state, the more numerous the laws" - Tacitus
>
>

 

[Guest]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

I think all those scares about overwritten data recovery are just old wives
tales to support "data erasure" software sales, repeated many times by such
illiterate paranoid folks as Dvorak of PC mag.

It's quite a wonder that the _latest_ written data can be read at all, given
the current (and even not that current) recording density.

As the data is overwritten once with any disk-fill software, like a drive
write test, it becomes pretty much noise added to the latest signal, and as
noise, cannot be reliably separated from the signal to become another
decodable signal.

"Arno Wagner" <me@privacy.net> wrote in message
news:c5514a$2olufm$2@ID-2964.news.uni-berlin.de...
> Previously zero <zeroREMOVEnews2@hotmail.com> wrote:
> > A) If drive A is copied to drive B just be normal ide cables and drag
drop
> > so nothing clever - will the forensic left over magnetic signals be lost
?
>
> > I am thinking that the clever software that would normally be used in
these
> > cases would
> > be able to record the exact values read of the disc surface before they
are
> > approximated
> > to either 1 or 0 and from that be able to work out what was there
previously
>
> > so . . .
>
> > if you drag & drop the exact values are lost and its either 1 or 0 and
end
> > of story ?
>
> Yes. If you copy data from one drive to the other, you add a new
> layer of data to the target drive on top of what was there
> before. Any 'older data layers' on the source drive stay there and
> are not copied.
>
> Still, while it may be possible to remove data in layers and recover
> older data that was in its space before, no commercial data recovery
> company offers this service. (The german computer magazin c't
> tried to get data recoverd that was overwritten once some time
> ago. All data-recovery outfits they contacted said they could
> not do this.) It might be impossible to actually do this, e.g.
> because the overwritten signal is too close to the noise-level.
> It used to be possible with older HDD technology, that did not
> use the magnetic coating to its limits. It is likely possible with
> floppy disks.
>
> Arno
> --
> For email address: lastname AT tik DOT ee DOT ethz DOT ch
> GnuPG: ID:1E25338F FP:0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
> "The more corrupt the state, the more numerous the laws" - Tacitus
>
>

 

[Guest]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

Previously zero <zeroREMOVEnews2@hotmail.com> wrote:

> thanks

> again , looking at my noddy example

> if drive B was brand new so no old signals etc. - it would only contain
> the current values form the data copied over from A

> whereas A of course would have those left over magnetic signatures
> that could possibly giveaway past data values

Correct.

Arno
--
For email address: lastname AT tik DOT ee DOT ethz DOT ch
GnuPG: ID:1E25338F FP:0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
"The more corrupt the state, the more numerous the laws" - Tacitus

 

[Guest]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

Previously Alexander Grigoriev <alegr@earthlink.net> wrote:
> I think all those scares about overwritten data recovery are just old wives
> tales to support "data erasure" software sales, repeated many times by such
> illiterate paranoid folks as Dvorak of PC mag.

> It's quite a wonder that the _latest_ written data can be read at all, given
> the current (and even not that current) recording density.

> As the data is overwritten once with any disk-fill software, like a drive
> write test, it becomes pretty much noise added to the latest signal, and as
> noise, cannot be reliably separated from the signal to become another
> decodable signal.

For current HDDs, I think you are perfectly correct. For older HDDs
(several years), floppy disks, some tape variants, recovery of
overwritten data may be possible, since they use only part of
the available area (differences in positioning od different writes)
and part of the available "channel" (s/n ratio, Shannon).

However there is a second angle to this: Most people do not know how
to overwrite files/partitions/disks. They can only drag objects to
the "trash" folder and don't understand what this does. In addition
there is the problem of swap files/partitions. Carefully engineered
commercial solution may have some benefit for this type of user.
However these people should not put anything confidential on a
computer in the first place!

Arno
--
For email address: lastname AT tik DOT ee DOT ethz DOT ch
GnuPG: ID:1E25338F FP:0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
"The more corrupt the state, the more numerous the laws" - Tacitus

 

[Guest]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

"Alexander Grigoriev" <alegr@earthlink.net> wrote in message newsuAdc.3311$A_4.1976@newsread1.news.pas.earthlink.net
> I think all those scares about overwritten data recovery are just old wives
> tales to support "data erasure" software sales, repeated many times by such
> illiterate paranoid folks as Dvorak of PC mag.
>
> It's quite a wonder that the _latest_ written data can be read at all, given
> the current (and even not that current) recording density.
>

Probably just as difficult as with every other generation, com-
pared to the state of development at that particular time.

> As the data is overwritten once with any disk-fill software, like a drive
> write test,

Which is not any different from normal use.

> it becomes pretty much noise added to the latest signal, and as noise, cannot
> be reliably separated from the signal to become another decodable signal.

Heenan's link pretty well describes how it's done.
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

But you do need special hard- and software to make it work.

Btw, check your newsclient's settings, it's making a mess.

>
> "Arno Wagner" <me@privacy.net> wrote in message news:c5514a$2olufm$2@ID-2964.news.uni-berlin.de...
> > Previously zero <zeroREMOVEnews2@hotmail.com> wrote:
> > > A) If drive A is copied to drive B just be normal ide cables and drag drop
> > > so nothing clever - will the forensic left over magnetic signals be lost ?
> >

[wrecked quoting snipped]

 

[Guest]

Archived from groups: comp.sys.ibm.pc.hardware.storage (More info?)

Alexander Grigoriev <alegr@earthlink.net> wrote in message
newsuAdc.3311$A_4.1976@newsread1.news.pas.earthlink.net...

> I think all those scares about overwritten data recovery are just
> old wives tales to support "data erasure" software sales, repeated
> many times by such illiterate paranoid folks as Dvorak of PC mag.

Doesnt explain the DOD standards for wiping and the
obsession with melting drives that are being disposed of.

You can however certainly claim that thats just an ultra safe approach
which should ensure that the data cant be retrieved, and not saying
anything useful about how retrievable it is without that.

> It's quite a wonder that the _latest_ written data can be read at
> all, given the current (and even not that current) recording density.

> As the data is overwritten once with any disk-fill software,
> like a drive write test, it becomes pretty much noise added
> to the latest signal, and as noise, cannot be reliably separated
> from the signal to become another decodable signal.

Corse you could be a shill who knows that the data can be
retrieved and who is deliberately encouraging people to
not fully erase their drives, so the data can be retrieved |-)


> "Arno Wagner" <me@privacy.net> wrote in message
> news:c5514a$2olufm$2@ID-2964.news.uni-berlin.de...
> > Previously zero <zeroREMOVEnews2@hotmail.com> wrote:
> > > A) If drive A is copied to drive B just be normal ide cables and drag
> drop
> > > so nothing clever - will the forensic left over magnetic signals be lost
> ?
> >
> > > I am thinking that the clever software that would normally be used in
> these
> > > cases would
> > > be able to record the exact values read of the disc surface before they
> are
> > > approximated
> > > to either 1 or 0 and from that be able to work out what was there
> previously
> >
> > > so . . .
> >
> > > if you drag & drop the exact values are lost and its either 1 or 0 and
> end
> > > of story ?
> >
> > Yes. If you copy data from one drive to the other, you add a new
> > layer of data to the target drive on top of what was there
> > before. Any 'older data layers' on the source drive stay there and
> > are not copied.
> >
> > Still, while it may be possible to remove data in layers and recover
> > older data that was in its space before, no commercial data recovery
> > company offers this service. (The german computer magazin c't
> > tried to get data recoverd that was overwritten once some time
> > ago. All data-recovery outfits they contacted said they could
> > not do this.) It might be impossible to actually do this, e.g.
> > because the overwritten signal is too close to the noise-level.
> > It used to be possible with older HDD technology, that did not
> > use the magnetic coating to its limits. It is likely possible with
> > floppy disks.
> >
> > Arno
> > --
> > For email address: lastname AT tik DOT ee DOT ethz DOT ch
> > GnuPG: ID:1E25338F FP:0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
> > "The more corrupt the state, the more numerous the laws" - Tacitus
> >
> >
>
>