Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
I think it's safe to say that none of us really knows what resources are available to certain organizations to aid in data forensics.

I have personal experience with data recovery, at least peripherally. A company I worked for was the subject of an attack by a disgruntled ex-employee who managed to erase a LOT of crucial corporate data, but mostly just using rm -rf type techniques. The data was nearly 100% recovered over the course of three weeks or so. I can't say much more about the specifics of the situation, as it became a criminal matter and law enforcement was involved and I don't want to put myself in the position of having to answer to the FBI and Treasury Dept.

A friend who worked for the same company was a submariner in the US Navy - what his exact role was, I don't know (he was very secretive about it) but he did say that the "unofficial" rule with his Navy colleagues was that the only way to guarantee a disk to be unrecoverable was to put a bullet through it.

I think that various government agencies and corporate entities have far more ability to recover data than we're aware. I had read somewhere several years ago that the NSA considered magnetic media to be unrecoverable if it was completely overwritten with random data, and then all zeroes, three times.

Best guess really is that none of us truly knows, and if somebody is looking to destroy data, the media should be physically destroyed.

cheers,
Chris
--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
All very interesting, the fact is that a hard drive is a physical medium and the magnetic field is very malleable. It is very possible to recover the data even if some random trash has been written over it. The way hard drives use elaborate algorithms to 'guess' the contents with huge accuracy suggests that any approach is possible. This is one reason why real security experts run multiple, i.e. 14 passes at least, with random data and very likely use electromagnets of extreme power to reduce the chance of data recovery.

While the practicality is not there, and to recover data that has been overwritten a couple of times is economically untenable, I'm sure the NSA can do it if it really wanted your data, of course you would have to REALLY PISS THEM OFF to force their hand. Data recovery firms could do it if you paid them enough.

On 2/2/06, Alexander Skwar <[EMAIL PROTECTED]> wrote:
> Dale wrote:
> > Alexander Skwar wrote:
> >>Dale wrote:
> >>>Grant wrote:
> >>>I think we all know it can be done.
> >>
> >>No, we don't.
> >
> > Yes, some of us do.
>
> Well, some believe it to be possible. But not "we all" do think
> so and much less "know" it.
>
> >>>Data recovery people do it too.
> >>
> >>Do they? Why don't they advertise this?
> >
> > They didn't advertize the U2 spy plane either. It existed though. They
> > don't always tell us everything.
>
> But why should data recovery people not advertize this? It
> would or at least could generate some business.
>
> Alexander Skwar
> --
> Today is a good day for information-gathering. Read someone else's mail file.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Stroller wrote:
> On 2 Feb 2006, at 11:28, Alexander Skwar wrote:
>>> This is not what normally (or at least, _always_) happens when you
>>> format a hard-drive.
>>
>> Well, depends on the definition of "format". If you
>> define format as "overwrite partition table", then
>> you're right. But that's hardly what I'd call "format".
>
> I was referring to the definition of "format" generally used by the
> authors & suppliers of formatting utilities. If you format a disk in
> Windows, or certainly if you "quick format" it, it doesn't run a
> quick call to `dd if=/dev/zero of=/dev/hdX`; it merely overwrites the
> partition table so the data IS often recoverable after a format.

Yes, that's correct, as you are referring to quick format.

> If you were merely formatting a disk for your own use, had no
> expectation that it would fall into anyone else's hands, and were in
> a hurry to use the disk with its new filesystem on it, you would
> surely be wasting time were you to insist on blanking every single
> bit on the device - it's simply not necessary.

But with normal hardware, you cannot be sure that you overwrite every single bit on the harddrive when you "shred" it with some software tool. I'm referring to mapped away bad sectors. Those sectors might contain interesting data. But with normal tools, you won't be able to ever get to those sectors.

> I am not qualified to comment on recovery of data from a disk that
> has been wiped with zeros in the way you describe, nor from one which
> has been shredded properly with repeated iterations of random &
> non-random bits, but there certainly does seem to be a lot of hearsay on
> the subject.

Yes, that's absolutely correct. And, once again, it totally baffles me, that there are so extremely few reports of overwritten data being recovered. Be it once with "0", be it multiple times with a Gutmann algorithm.

> I would consider a disk that's been comprehensively
> overwritten once to be unrecoverable from the practical perspective
> of the original discussion (a mate in the pub) but do consider a disk
> that's been over-written with shred to be unrecoverable as far as my
> customers' commercial data is concerned.

Well. If you believe in data recovery to be possible, then you cannot be sure that a shredded disk is not recoverable. I most certainly do agree, that a shredded disk is not recoverable - but IMO even a drive overwritten once with 0 is not recoverable, if we disregard mapped away sectors.

> Whilst writing this I looked up `info shred` which claims:
>
>    If you have sensitive data, you may want to be sure that recovery
>    is not possible by actually overwriting the file with non-sensitive
>    data. However, even after doing that, it is possible to take the
>    disk back to a laboratory and use a lot of sensitive (and expensive)
>    equipment to look for the faint "echoes" of the original data
>    underneath the overwritten data. If the data has only been overwritten
>    once, it's not even that hard.

How old is that? I don't think that this is still true wrt. modern drives.

>    The best way to remove something irretrievably is to destroy the
>    media it's on with acid, melt it down, or the like.

Yep.

> The info page references Peter Gutmann's paper `Secure Deletion of
> Data from Magnetic and Solid-State Memory'.

Which is *extremely* old now and refers to technologies that are long gone. Modern drives don't resemble MFM much anymore. Because of that, I've got my doubts about how much of the Gutmann paper is still valid.

> I'm not qualified to
> assess this paper fully, and hard-drives have progressed considerably
> in the last decade,

Exactly. Development in hard drive technology has progressed enormously.

> I state once again that I'm not really qualified to comment on the
> subject to this depth,

Me neither.

> I would be grateful if you refrained in any future responses
> from the sneering manner you have employed in those to date.

Pardon?

Alexander Skwar
--
"What was the worst thing you've ever done?"
"I won't tell you that, but I'll tell you the worst thing that ever happened to me... the most dreadful thing."
		-- Peter Straub, "Ghost Story"
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Dale wrote:
> Alexander Skwar wrote:
>>Dale wrote:
>>>Grant wrote:
>>>I think we all know it can be done.
>>
>>No, we don't.
>
> Yes, some of us do.

Well, some believe it to be possible. But not "we all" do think so and much less "know" it.

>>>Data recovery people do it too.
>>
>>Do they? Why don't they advertise this?
>
> They didn't advertize the U2 spy plane either. It existed though. They
> don't always tell us everything.

But why should data recovery people not advertize this? It would or at least could generate some business.

Alexander Skwar
--
Today is a good day for information-gathering. Read someone else's mail file.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On 2 Feb 2006, at 11:28, Alexander Skwar wrote:
>> This is not what normally (or at least, _always_) happens when you
>> format a hard-drive.
>
> Well, depends on the definition of "format". If you
> define format as "overwrite partition table", then
> you're right. But that's hardly what I'd call "format".

I was referring to the definition of "format" generally used by the authors & suppliers of formatting utilities. If you format a disk in Windows, or certainly if you "quick format" it, it doesn't run a quick call to `dd if=/dev/zero of=/dev/hdX`; it merely overwrites the partition table so the data IS often recoverable after a format.

If you were merely formatting a disk for your own use, had no expectation that it would fall into anyone else's hands, and were in a hurry to use the disk with its new filesystem on it, you would surely be wasting time were you to insist on blanking every single bit on the device - it's simply not necessary.

I am not qualified to comment on recovery of data from a disk that has been wiped with zeros in the way you describe, nor from one which has been shredded properly with repeated iterations of random & non-random bits, but there certainly does seem to be a lot of hearsay on the subject. I would consider a disk that's been comprehensively overwritten once to be unrecoverable from the practical perspective of the original discussion (a mate in the pub) but do consider a disk that's been over-written with shred to be unrecoverable as far as my customers' commercial data is concerned.

Whilst writing this I looked up `info shred` which claims:

   If you have sensitive data, you may want to be sure that recovery is not possible by actually overwriting the file with non-sensitive data. However, even after doing that, it is possible to take the disk back to a laboratory and use a lot of sensitive (and expensive) equipment to look for the faint "echoes" of the original data underneath the overwritten data. If the data has only been overwritten once, it's not even that hard.

   The best way to remove something irretrievably is to destroy the media it's on with acid, melt it down, or the like.

The info page references Peter Gutmann's paper `Secure Deletion of Data from Magnetic and Solid-State Memory'. I'm not qualified to assess this paper fully, and hard-drives have progressed considerably in the last decade, but my naive reading of the conclusion seems to support the suggestion that a single write may not be sufficient to thwart a determined attacker:

   Data overwritten once or twice may be recovered by subtracting what is expected to be read from a storage location from what is actually read... it is effectively impossible to sanitise storage locations by simple overwriting them, no matter how many overwrite passes are made or what data patterns are written. However by using the relatively simple methods presented in this paper the task of an attacker can be made significantly more difficult, if not prohibitively expensive.

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html which concludes:

I state once again that I'm not really qualified to comment on the subject to this depth, so I offer these references merely for your perusal. I would be grateful if you refrained in any future responses from the sneering manner you have employed in those to date.

Stroller.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On Thu, 02 Feb 2006 12:32:16 +0100, Alexander Skwar wrote:

> > Governments do it all the time.
> > Data recovery people do it too.
>
> Do they? Why don't they advertise this?

For the same reason the British government sold Enigma machines to Commonwealth countries for almost thirty years after they had cracked the code. If you tell people you can break their security, they are more likely to upgrade it.

--
Neil Bothwick

Death to all fanatics!
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Alexander Skwar wrote:
>Dale wrote:
>>Grant wrote:
>>>Thanks Peter. That is quite contrary to what most of the other posts
>>>in this thread are saying. Those are all just rumors and myths?
>>>
>>>- Grant
>>
>>I think we all know it can be done.
>
>No, we don't.

Yes, some of us do.

>>Governments do it all the time.
>>Data recovery people do it too.
>
>Do they? Why don't they advertise this?

They didn't advertize the U2 spy plane either. It existed though. They don't always tell us everything.

>Interesting point, though - if your data is worth just a
>few thousand bucks, then it will most of the time not make
>sense to waste the money on it.
>
>Alexander Skwar

Dale
:-)

--
To err is human, I'm most certainly human.

I have four rigs:

1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives. Named Smoker
2: Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive. Named Swifty
3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive. Named Pokey
4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive. Named Putput

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Dale wrote:
> Grant wrote:
>>
>>Thanks Peter. That is quite contrary to what most of the other posts
>>in this thread are saying. Those are all just rumors and myths?
>>
>>- Grant
>
> I think we all know it can be done.

No, we don't.

> Governments do it all the time.
> Data recovery people do it too.

Do they? Why don't they advertise this?

> Years ago I worked at a computer place
> and the hard drive crashed. The heads physically pulled up the magnetic
> media in a couple places. They still got almost 80% of the data back.

AGAIN: That's a dead hard disk. That's a *COMPLETELY* different matter. And if you read what he wrote, you'll find that he also said that recovering data from dead hardware is possible.

> I'm sure the NSA, CIA and a few others can get data back off just about
> anything. It's just a matter of how much money you want to spend and
> how much time you want to put into it.

Interesting point, though - if your data is worth just a few thousand bucks, then it will most of the time not make sense to waste the money on it.

Alexander Skwar
--
I owe the government $3400 in taxes. So I sent them two hammers and a toilet seat.
		-- Michael McShane
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Grant wrote:
> Thanks Peter. That is quite contrary to what most of the other posts
> in this thread are saying.

Too bad. But it's very much to what makes sense and what I've heard.

> Those are all just rumors and myths?

I'd say so, yes. Or do you have SOLID FACTS that they are not rumors?

Alexander Skwar
--
I owe the government $3400 in taxes. So I sent them two hammers and a toilet seat.
		-- Michael McShane
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Stroller wrote:
> On 1 Feb 2006, at 18:27, Peter Volkov (pva) wrote:
>
>> On Mon, 2006-01-30 at 17:03 -0800, Grant wrote:
>>> I've heard that data can be recovered from a formatted hard
>>> disk... Is it true?
>>
>> Short answer for your question is... No. It's not true.
> ...
>> suppose you have deleted a file. This operation only
>> removes the entry in your directory table, but not the file itself. Or you
>> did format your hard drive. That will rebuild only file structure on
>> your hard drive. Normally that means that you overwrite about 5% of your
>> drive. All other data is intact. Just read it.
>
> I think you just contradicted yourself.

No, I don't think he has.

>> ...If you do `dd if=/dev/zero of=/dev/hdd` then there is no
>> chance you'll get your data. Why? Because all bytes and bits on your
>> hard drive became 0.
>
> This is not what normally (or at least, _always_) happens when you
> format a hard-drive.

Well, depends on the definition of "format". If you define format as "overwrite partition table", then you're right. But that's hardly what I'd call "format".

Alexander Skwar
--
I owe the government $3400 in taxes. So I sent them two hammers and a toilet seat.
		-- Michael McShane
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Stroller wrote:
> On 31 Jan 2006, at 16:32, Alexander Skwar wrote:
>> Stroller wrote:
>>> ... a data recovery
>>> specialist last year offered to return 17gigs worth of data from a
>>> hard drive that had died containing only 8 gigs of files.
>>
>> Dead hard drives are a *COMPLETELY* different matter.
>
> The additional 9gigs of data were files that had been deleted and not
> over-written.

Okay.

> Not a "completely different matter" at all,

Yes, it is.

> as
> formatting may only delete & replace the partition table.

Depends on how you define "format". My definition of format is "dd if=/dev/zero of=/dev/hda". So, yes, it is a completely different matter.

Alexander Skwar
--
I owe the government $3400 in taxes. So I sent them two hammers and a toilet seat.
		-- Michael McShane
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On Wed, 1 Feb 2006 21:56:16 -0700, Richard Fish wrote:

> Again, my *guess* is that with a *very* modern drive where the
> manufacturers simply cannot squeeze any more data onto the platter,
> that even the NSA would not be able to recover any data. But it may
> be that is just what they /want/ us to think...

There is always room for more data on the platter, simply because the manufacturers cannot push things right to the limit and still guarantee that the drives will still run reliably three years later. Of course, as manufacturing techniques become more sophisticated, tolerances become smaller, so it will be more difficult, but not impossible.

I'm sure you won't find the NSA HOWTO on recovering data on Google :)

--
Neil Bothwick

ST:TNG Diner - Now Featuring Our All You Can Assimilate SmorgasBORG!
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On 2/1/06, Grant <[EMAIL PROTECTED]> wrote:
> Thanks Peter. That is quite contrary to what most of the other posts
> in this thread are saying. Those are all just rumors and myths?

I think for what would be available for you, me, or ${megacorp} to use, yes, it is rumor and myth. As I mentioned previously, the density of data on modern drives makes surface analysis (by which I mean anything that does not simply read the drive with standard drive electronics and search the resulting data) very difficult. I would say impossible, but we simply don't know what techniques are available to the NSA or other government agencies to use.

Again, my *guess* is that with a *very* modern drive where the manufacturers simply cannot squeeze any more data onto the platter, that even the NSA would not be able to recover any data. But it may be that is just what they /want/ us to think...

I posted this before, but it is the best and most thorough study I could find on this topic:

http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf

And another paper referenced in the above study:

http://www.cryptoapps.com/~peter/usenix01.pdf

This paper talks about physical scanning of memory devices for encryption keys, so is a bit off-topic (even for this off-topic thread), but it should give you a hint of what kind of effort would be required to try and recover overwritten data from a hard disk.

Just a quick quote from the Peter Gutmann paper:

   Finally, however, the best defence against data remanence problems in semiconductor memory is, as with the related problem of data stored on magnetic media, the fact that ever-shrinking device dimensions (DRAM density is increasing by 50% per year [74]), and the use of novel techniques such as multilevel storage (which is being used in flash memory and may eventually make an appearance in DRAM as well [75]) is making it more and more difficult to recover data from devices. As the 1996 paper suggested for magnetic media, the easiest way to make the task of recovering data difficult is to use the newest, highest-density (and by extension most exotic) storage devices available.

-Richard
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Grant wrote:
>
>Thanks Peter. That is quite contrary to what most of the other posts
>in this thread are saying. Those are all just rumors and myths?
>
>- Grant

I think we all know it can be done. Governments do it all the time. Data recovery people do it too. Years ago I worked at a computer place and the hard drive crashed. The heads physically pulled up the magnetic media in a couple places. They still got almost 80% of the data back. Funny thing was, they repaired the heads that did all the scratching and got the data with them, so they said anyway.

I'm sure the NSA, CIA and a few others can get data back off just about anything. It's just a matter of how much money you want to spend and how much time you want to put into it.

Now to get some sleep. I got to go see my lady tomorrow. This one is getting serious. Cute too. :D

Dale
:-)

--
To err is human, I'm most certainly human.

I have four rigs:

1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives. Named Smoker
2: Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive. Named Swifty
3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive. Named Pokey
4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive. Named Putput

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
> > I've heard that data can be recovered from a formatted hard
> > disk. Lucky for me I don't have any interest in actually doing this,
> > but I got in an argument with a buddy last night about whether or
> > not it was possible. I'm sure I've read that the government and other
> > well-funded institutions have this capability. Is it true?
>
> What a long thread, full of myths. But there are no miracles :)
>
> Short answer for your question is... No. It's not true.
>
> Having some experience in field of data recovery I'm not going to dive
> into my real stories. I'll better give some general hints.
>
> Answer on your question depends on how hard drive was formatted or how
> it was crashed. If you do `dd if=/dev/zero of=/dev/hdd` then there is no
> chance you'll get your data. Why? Because all bytes and bits on your hard
> drive became 0. dot. If you heard about remanence or that 0 is a bit 1
> and that some big craft apparatus can read such data, think about hard
> drive manufacturers. They spend big efforts to make hard drive a bit
> more capacious. So why would they leave free space for additional information
> on your hard drive, which you have when you think about space between
> tracks or under-rotation of magnetic domains?
>
> But then you may ask: what can data recovery companies do?
>
> Well. The best they can do is to read files from your hard drive when it
> contains them! So suppose you have deleted a file. This operation only
> removes the entry in your directory table, but not the file itself. Or you
> did format your hard drive. That will rebuild only file structure on your
> hard drive. Normally that means that you overwrite about 5% of your
> drive. All other data is intact. Just read it.
>
> But what do I mean by reading a deleted file? You may get a feeling for that
> with grep. Actually grep is the first utility to do data recovery. It's
> very easy to use but very powerful if you know what you are looking for.
> Just try:
> # grep "/etc/fstab: static file system information" -B1 -A10 /dev/hda
> and you will find your fstab on hard drive even after you remove it. If
> you grep for "PDF-1." you will find some pdf files. There are special
> programs for data recovery, that know many different patterns, but
> internally work like grep. Of course, there are problems if, fex, file
> is big enough and it is not written in consecutive blocks of hard drive
> or if some parts of file are overwritten...
>
> But what about big machines??? What are they for? You may find some of
> them searching in google, fex, on data recovery sites. Well they are
> used in a situation when hard drive was broken mechanically or internal
> hard drive logic is broken (fex, due to bad blocks). If your hard drive
> is broken mechanically, you have to find another identical (see serial
> number...) hard drive and then you should open them and move disks from
> hard drive with broken mechanics into new one. After that hard drive is
> broken. You can not just plug in and use because unique, hard drive
> specific information like where to look for zero track is lost. But that
> machine allows you to "control" heads, you have possibility to read that
> hard drive. After that use grep to search for your files in the raw
> stream of data.
>
> You may find some interesting information about data recovery in google.
> But as I told you. No miracles. Sorry. =)
>
> HTH,
> Peter.

Thanks Peter. That is quite contrary to what most of the other posts in this thread are saying. Those are all just rumors and myths?

- Grant
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On 31 Jan 2006, at 16:32, Alexander Skwar wrote:
> Stroller wrote:
>> ... a data recovery
>> specialist last year offered to return 17gigs worth of data from a
>> hard drive that had died containing only 8 gigs of files.
>
> Dead hard drives are a *COMPLETELY* different matter.

The additional 9gigs of data were files that had been deleted and not over-written. Not a "completely different matter" at all, as formatting may only delete & replace the partition table.

Stroller.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On 31 Jan 2006, at 13:19, Schleimer, Ben wrote:
> I understand that writing zeros over the file should permanently delete the data but couldn't the data be cached elsewhere on the drive...

On 31 Jan 2006, at 13:31, Schleimer, Ben wrote:
> I just read the docs for shred and it doesn't guarantee that the data will be erased on a journalling file-system.

A solution to this is to shred the whole drive.

Stroller.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On 1 Feb 2006, at 18:27, Peter Volkov (pva) wrote:
> On Mon, 2006-01-30 at 17:03 -0800, Grant wrote:
>> I've heard that data can be recovered from a formatted hard
>> disk... Is it true?
>
> Short answer for your question is... No. It's not true.
...
> suppose you have deleted a file. This operation only
> removes the entry in your directory table, but not the file itself. Or you
> did format your hard drive. That will rebuild only file structure on
> your hard drive. Normally that means that you overwrite about 5% of your
> drive. All other data is intact. Just read it.

I think you just contradicted yourself.

> ...If you do `dd if=/dev/zero of=/dev/hdd` then there is no
> chance you'll get your data. Why? Because all bytes and bits on your
> hard drive became 0.

This is not what normally (or at least, _always_) happens when you format a hard-drive.

Stroller.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Peter Volkov (pva) wrote:
> On Mon, 2006-01-30 at 17:03 -0800, Grant wrote:
>> I've heard that data can be recovered from a formatted hard
>> disk. Lucky for me I don't have any interest in actually doing this,
>> but I got in an argument with a buddy last night about whether or
>> not it was possible. I'm sure I've read that the government and other
>> well-funded institutions have this capability. Is it true?
>
> What a long thread, full of myths. But there are no miracles :)
>
> Short answer for your question is... No. It's not true.

Of course not.

> Having some experience in field of data recovery I'm not going to dive
> into my real stories. I'll better give some general hints.

Ah, thanks a lot for doing away with all those myths. Everything you write sounds pretty much like what I've heard and also makes a lot of sense. Most certainly more than those recovery rumors :)

> You may find some interesting information about data recovery in google.
> But as I told you. No miracles. Sorry. =)
>
> HTH,

Yes, very much!

Alexander Skwar
--
A person who is more than casually interested in computers should be well schooled in machine language, since it is a fundamental part of a computer.
		-- Donald Knuth
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On Mon, 2006-01-30 at 17:03 -0800, Grant wrote:
> I've heard that data can be recovered from a formatted hard
> disk. Lucky for me I don't have any interest in actually doing this,
> but I got in an argument with a buddy last night about whether or
> not it was possible. I'm sure I've read that the government and other
> well-funded institutions have this capability. Is it true?

What a long thread, full of myths. But there are no miracles :)

Short answer for your question is... No. It's not true.

Having some experience in field of data recovery I'm not going to dive into my real stories. I'll better give some general hints.

Answer on your question depends on how hard drive was formatted or how it was crashed. If you do `dd if=/dev/zero of=/dev/hdd` then there is no chance you'll get your data. Why? Because all bytes and bits on your hard drive became 0. dot. If you heard about remanence or that 0 is a bit 1 and that some big craft apparatus can read such data, think about hard drive manufacturers. They spend big efforts to make hard drive a bit more capacious. So why would they leave free space for additional information on your hard drive, which you have when you think about space between tracks or under-rotation of magnetic domains?

But then you may ask: what can data recovery companies do?

Well. The best they can do is to read files from your hard drive when it contains them! So suppose you have deleted a file. This operation only removes the entry in your directory table, but not the file itself. Or you did format your hard drive. That will rebuild only file structure on your hard drive. Normally that means that you overwrite about 5% of your drive. All other data is intact. Just read it.

But what do I mean by reading a deleted file? You may get a feeling for that with grep. Actually grep is the first utility to do data recovery. It's very easy to use but very powerful if you know what you are looking for. Just try:

# grep "/etc/fstab: static file system information" -B1 -A10 /dev/hda

and you will find your fstab on hard drive even after you remove it. If you grep for "PDF-1." you will find some pdf files. There are special programs for data recovery, that know many different patterns, but internally work like grep. Of course, there are problems if, fex, file is big enough and it is not written in consecutive blocks of hard drive or if some parts of file are overwritten...

But what about big machines??? What are they for? You may find some of them searching in google, fex, on data recovery sites. Well they are used in a situation when hard drive was broken mechanically or internal hard drive logic is broken (fex, due to bad blocks). If your hard drive is broken mechanically, you have to find another identical (see serial number...) hard drive and then you should open them and move disks from hard drive with broken mechanics into new one. After that hard drive is broken. You can not just plug in and use because unique, hard drive specific information like where to look for zero track is lost. But that machine allows you to "control" heads, you have possibility to read that hard drive. After that use grep to search for your files in the raw stream of data.

You may find some interesting information about data recovery in google. But as I told you. No miracles. Sorry. =)

HTH,
Peter.
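The claim in the message above (a delete or format leaves file bodies on the disk for grep to find, while a full zero pass does not) as an added shell example that is not part of the thread. It runs against a constructed 1 MiB scratch file in place of `/dev/hda`; the image layout and the function names `make_image`, `count_hits`, `quick_format`, `zero_wipe` and `nonzero_bytes` are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. IMG is a constructed 1 MiB scratch file standing in for a
# block device such as /dev/hda; nothing outside that file is touched.
set -eu

IMG="${TMPDIR:-/tmp}/carve-demo.$$.img"
MARKER='/etc/fstab: static file system information'
trap 'rm -f "$IMG"' EXIT

# Lay out the constructed disk: all zeros, a one-line "directory table" in
# sector 0, and the file body at sector 1024 (byte offset 524288).
make_image() {
    dd if=/dev/zero of="$IMG" bs=1024 count=1024 2>/dev/null
    printf 'DIRENT fstab sector=1024\n' |
        dd of="$IMG" bs=512 seek=0 conv=notrunc 2>/dev/null
    printf '# %s\n/dev/hda1 / ext3 noatime 0 1\n' "$MARKER" |
        dd of="$IMG" bs=512 seek=1024 conv=notrunc 2>/dev/null
}

# Number of lines in the raw image that contain the fixed string $1.
# -a makes grep treat binary data as text (without it GNU grep only reports
# "Binary file matches"); grep exits 1 on zero hits, hence "|| true".
count_hits() {
    grep -a -c -F -- "$1" "$IMG" || true
}

# A "format" in the sense used in the thread: only the filesystem
# structures are rewritten, modelled here as the first ~5% (52 KiB).
quick_format() {
    dd if=/dev/zero of="$IMG" bs=1024 count=52 conv=notrunc 2>/dev/null
}

# One full pass of zeros over every addressable byte of the image.
zero_wipe() {
    dd if=/dev/zero of="$IMG" bs=1024 count=1024 conv=notrunc 2>/dev/null
}

# Verification step: how many bytes of the image are still non-zero.
nonzero_bytes() {
    tr -d '\000' < "$IMG" | wc -c | tr -d ' '
}

make_image
quick_format
echo "directory entry hits after format: $(count_hits DIRENT)"
echo "file body hits after format:       $(count_hits "$MARKER")"
zero_wipe
echo "file body hits after zero pass:    $(count_hits "$MARKER")"
echo "non-zero bytes after zero pass:    $(nonzero_bytes)"
```

A zero count here only covers the sectors the device exposes to the host; the remapped bad sectors raised elsewhere in the thread are not reachable by dd or grep.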
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On 2/1/06, Alexander Skwar <[EMAIL PROTECTED]> wrote:
> Iain Buchanan wrote:
>
> > They both rely on the fact that you can read what _was_ once written to
> > the hard drive by examining the spaces. So that's one method.
>
> Yes, in theory that might be possible - but how comes, that not
> even the data recovery companies advertise this? And also, do
> you have solid facts about data being recovered that way?

An excellent MIT study on hard disk data recovery:
http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf

-Richard
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
> > Almost everyone seems to agree that recovering data from a formatted
> > drive is possible. What is the process by which this is done? I've
> > read here that:
> >
> > 1. The space between tracks contains historical data information.
> >
> > and:
> >
> > 2. There is a difference between a track written with a 0 and then
> > overwritten with a 0 and a track written with a 1 and then overwritten
> > with a 0.
> >
> > Are these the two processes by which this data recovery is made possible?
>
> They both rely on the fact that you can read what _was_ once written to
> the hard drive by examining the spaces. So that's one method.

Ok, I thought the two items listed above were separate methods. They are the same?

I'm trying to find a somewhat concise answer to the question:

How is it that data can be recovered from a drive that has been "wiped" one or more times?

- Grant
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Iain Buchanan wrote:

> They both rely on the fact that you can read what _was_ once written to
> the hard drive by examining the spaces. So that's one method.

Yes, in theory that might be possible - but how comes, that not even the data recovery companies advertise this? And also, do you have solid facts about data being recovered that way?

> The other method of recovering data is just to cat /dev/hda, but that
> relies on the hd not being "wiped" (overwritten with 0's and 1's many
> times in a semi-random fashion!).

Or even just once with 0.

Alexander Skwar
--
I hate you Kenny.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Uwe Thiem wrote:
> On 31 January 2006 15:19, Schleimer, Ben wrote:
>> I understand that writing zeros over the file should permanently delete the
>> data
>
> Don't believe people telling that.

Why not? I would believe those people.

> The data will still be recoverable

Will it? Why is it, that there are no proofs at all that this is actually possible? Or do you have any proof?

> The
> only way to wipe out data safely is to write different random bit over it
> several times.

"0" is good enough with modern hardware. That's so, because current hard drives have a much higher "rate" of staying in the track and thus do not write to the "left" or "right" of it.

>> but couldn't the data be cached elsewhere on the drive, especially
>> with journalling filesystems??
>
> Journalling filesystems are a problem when it comes to wipe out single files.

Yes.

> Wiping out the whole harddrive is still possible.

But not with normal hardware.

Alexander Skwar
--
Here we are in America ... when do we collect unemployment?
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On Tue, 2006-01-31 at 17:39 -0800, Grant wrote:
>
> Almost everyone seems to agree that recovering data from a formatted
> drive is possible. What is the process by which this is done? I've
> read here that:
>
> 1. The space between tracks contains historical data information.
>
> and:
>
> 2. There is a difference between a track written with a 0 and then
> overwritten with a 0 and a track written with a 1 and then overwritten
> with a 0.
>
> Are these the two processes by which this data recovery is made possible?

They both rely on the fact that you can read what _was_ once written to the hard drive by examining the spaces. So that's one method.

The other method of recovering data is just to cat /dev/hda, but that relies on the hd not being "wiped" (overwritten with 0's and 1's many times in a semi-random fashion!).

--
Iain Buchanan

Never make anything simple and efficient when a way can be found to make it complex and wonderful.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
> > I understand that writing zeros over the file should permanently delete the
> > data
>
> Don't believe people telling that. The data will still be recoverable (with
> the right hardware). That is so because overwriting a "0" with a "0" will
> lead to another level of magnetic field than overwriting a "1" with a "0". The
> only way to wipe out data safely is to write different random bit over it
> several times.

Almost everyone seems to agree that recovering data from a formatted drive is possible. What is the process by which this is done? I've read here that:

1. The space between tracks contains historical data information.

and:

2. There is a difference between a track written with a 0 and then overwritten with a 0 and a track written with a 1 and then overwritten with a 0.

Are these the two processes by which this data recovery is made possible?

- Grant

> Uwe
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On 31 January 2006 15:19, Schleimer, Ben wrote:
> I understand that writing zeros over the file should permanently delete the
> data

Don't believe people telling that. The data will still be recoverable (with the right hardware). That is so because overwriting a "0" with a "0" will lead to another level of magnetic field than overwriting a "1" with a "0". The only way to wipe out data safely is to write different random bit over it several times.

> but couldn't the data be cached elsewhere on the drive, especially
> with journalling filesystems??

Journalling filesystems are a problem when it comes to wipe out single files. Wiping out the whole harddrive is still possible.

Uwe
--
Unix is sexy: who | grep -i blonde | date cd ~; unzip; touch; strip; finger mount; gasp; yes; uptime; umount sleep
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Schleimer, Ben wrote:

> I understand that writing zeros over the file should permanently delete the
> data but couldn't the data be cached elsewhere on the drive, especially with
> journalling filesystems??

Yes, that's pretty much possible. It could also happen, that the data is on a remapped (defective) sector.

PS: Please could you try to shorten your lines a bit? Thanks!

Alexander Skwar
--
/* This is total bullshit: */
linux-2.6.6/drivers/video/sis/init301.c
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Stroller wrote:
> On 31 Jan 2006, at 01:03, Grant wrote:
>
>> Hello! I've heard that data can be recovered from a formatted hard
>> disk.
>
> Yes, it's fairly trivial, for someone who cares enough to try, to
> retrieve data from a disk that's merely been formatted.

Oh, is it? Please explain how!

> Although I've
> never tried to do so myself I regularly `shred /dev/hda` on
> customers' scrap PCs (see `info shred`) and a data recovery
> specialist last year offered to return 17gigs worth of data from a
> hard drive that had died containing only 8 gigs of files.

Dead hard drives are a *COMPLETELY* different matter.

Alexander Skwar
--
/* This is total bullshit: */
linux-2.6.6/drivers/video/sis/init301.c
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Grant wrote:
> Hello! I've heard that data can be recovered from a formatted hard
> disk.

Where did you hear that? I've got a hard time believing that - as long as a format is somewhat like "dd if=/dev/zero of=/dev/hda".

> Lucky for me I don't have any interest in actually doing this,
> but I got in an argument with a buddy last night about whether or
> not it was possible.

I don't think so.

Alexander Skwar
--
/* This is total bullshit: */
linux-2.6.6/drivers/video/sis/init301.c
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
In Canada, all government surplus computers have all the HD's removed and are sent out to be destroyed. I believe the HD's are melted down. The odd time they miss an HD and the news media have a field day with it. I have seen several demos where data on an HD that was formatted, repartitioned and formatted several times have the data recovered in an amazingly short time.

--
Ted Ozolins(VE7TVO)
Westbank, B. C
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
> Someone will know (I don't) what the density is on a modern platter.

The highest density platters today are close to 100Gbit / square inch. So no, you won't see the bits with the naked eye!

-Richard
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On 1/31/06, Iain Buchanan <[EMAIL PROTECTED]> wrote:
> If you "shred" or "wipe" the data (run random data over the disk many
> times, with a bit of magic formulas thrown in) then apparently the FBI /
> CIA / KGB / WTFC has a magnetic data recovery tool to see what bit was
> written before the current bit (don't ask me how).

It works because hard disks are still analog recording devices. The magnetic field used to write the data extends slightly outwards on either side of the track, and thus can record data (although with a much lower S/N ratio) in the space between tracks. If you have the right hardware that can be convinced to read the area between tracks, you have a chance of recovering the data.

In fact in recent years manufacturers have nearly reached the limit on how tightly tracks can be squeezed together before they start overwriting each other. This is why laptop drives maxed out at 120G, until Seagate started using 'perpendicular recording'. Since there is so little spacing between the tracks now, I suspect (but can't say for certain) that the chances of recovering data from a modern large (>160G) drive that has been 'shred'ed is pretty much nil, regardless of the amount of money you throw at it.

-Richard
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Iain Buchanan wrote:

>On Tue, 2006-01-31 at 06:56 -0600, Dale wrote:
>
>>Iain Buchanan wrote:
>>
>>I have heard the same thing. I have watched some of them on TV get data
>>off some unbelievable drives. Some had bent platters, serious
>>scratches, been formatted a few times etc etc etc, After all that,
>>they still got enough of what they wanted. They put a chemical on one
>>and you could see the data with your eyes. It looked like a round bar
>>code sort of.
>
>hmm, sounds suspicious... It could have been some sort of serial number,
>but if you could see it with your eye, it definitely wasn't 0's and 1's
>of data.
>
>Someone will know (I don't) what the density is on a modern platter.

Well, the one you could see was an old floppy. I think it was a 5 1/4 floppy. You had to look close but after they put the chems on it, you could see it when they zoomed in on it pretty good. I would assume they could do the same for a hard drive and just use something to magnify it, like maybe a microscope or something.

Dale
:-)

--
To err is human, I'm most certainly human.

I have four rigs:

1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives. Named Smoker
2: Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive. Named Swifty
3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive. Named Pokey
4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive. Named Putput

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
I understand that writing zeros over the file should permanently delete the data but couldn't the data be cached elsewhere on the drive, especially with journalling filesystems??

Cheers,
Ben

"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Brian W. Kernighan

----- Original Message -----
From: Dale <[EMAIL PROTECTED]>
To: gentoo-user@lists.gentoo.org
Sent: Tue 31 Jan 2006 02:56:25 PM IST
Subject: Re: [gentoo-user] {OT} Recovering data from a formatted hard disk

Iain Buchanan wrote:

>I've heard of government departments filing down the old HD's into
>little pieces, then mixing them in cement for the next building project.
>Could be an urban legend though.
>
>All of the above is subject to my own bad memory :)

I have heard the same thing. I have watched some of them on TV get data off some unbelievable drives. Some had bent platters, serious scratches, been formatted a few times etc etc etc, After all that, they still got enough of what they wanted. They put a chemical on one and you could see the data with your eyes. It looked like a round bar code sort of.

Whatever you use, if it does it quickly, it ain't worth the time. Really erasing something and rewriting data over it takes a bit of time. That little light should be on a while. I still wouldn't count on it. Shredding it and putting it in concrete may be a good idea. Maybe putting it in a MRI machine would help too. I would leave the room though. O_O

Dale
:-)

--
To err is human, I'm most certainly human.

I have four rigs:

1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives. Named Smoker
2: Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive. Named Swifty
3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive. Named Pokey
4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive. Named Putput

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.
RE: [gentoo-user] {OT} Recovering data from a formatted hard disk
> -----Original Message-----
> From: Iain Buchanan [mailto:[EMAIL PROTECTED]
> Sent: 31 January 2006 08:11
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] {OT} Recovering data from a
> formatted hard disk
>
>
> On Tue, 2006-01-31 at 07:27 +, Stroller wrote:
> > On 31 Jan 2006, at 01:03, Grant wrote:
> >
> > > Hello! I've heard that data can be recovered from a formatted hard
> > > disk.

Just to reinforce the previous answers: Yes, it is possible. You can delete partition(s) with fdisk, later on re-create it and your data will be there as if you never deleted it. If you use shred, or dd with some random bit input, then it will be proportionately more difficult to recover your data with commonly available means. Now, if you have access to the NSA hardware recovery tools almost anything will be partly recoverable.

On customers disks I would use shred and offer no guarantees of non-recoverability. On mine I prefer a commercial grade 12,000rpm angle grinder . . . :-D

--
Regards,
Mick
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Hummm, I just read the docs for shred and it doesn't guarantee that the data will be erased on a journalling filesystem.

http://unixhelp.ed.ac.uk/CGI/man-cgi?shred+1

Nevermind,
Ben

--- "Schleimer, Ben" <[EMAIL PROTECTED]> wrote:

> I understand that writing zeros over the file should
> permanently delete the data but couldn't the data be
> cached elsewhere on the drive, especially with
> journalling filesystems??
>
> Cheers,
> Ben
>
> "Debugging is twice as hard as writing the code in
> the first place.
> Therefore, if you write the code as cleverly as
> possible, you are,
> by definition, not smart enough to debug it." -
> Brian W. Kernighan
>
> ----- Original Message -----
> From: Dale <[EMAIL PROTECTED]>
> To: gentoo-user@lists.gentoo.org
> Sent: Tue 31 Jan 2006 02:56:25 PM IST
> Subject: Re: [gentoo-user] {OT} Recovering data from
> a formatted hard disk
>
> Iain Buchanan wrote:
>
> >I've heard of government departments filing down
> the old HD's into
> >little pieces, then mixing them in cement for the
> next building project.
> >Could be an urban legend though.
> >
> >All of the above is subject to my own bad memory :)
>
> I have heard the same thing. I have watched some of
> them on TV get data
> off some unbelievable drives. Some had bent
> platters, serious
> scratches, been formatted a few times etc etc etc,
> After all that,
> they still got enough of what they wanted. They put
> a chemical on one
> and you could see the data with your eyes. It
> looked like a round bar
> code sort of.
>
> Whatever you use, if it does it quickly, it ain't
> worth the time.
> Really erasing something and rewriting data over it
> takes a bit of
> time. That little light should be on a while. I
> still wouldn't count
> on it. Shredding it and putting it in concrete may
> be a good idea.
> Maybe putting it in a MRI machine would help too. I
> would leave the
> room though. O_O
>
> Dale
> :-)
>
> --
> To err is human, I'm most certainly human.
>
> I have four rigs:
>
> 1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU,
> 1GB of ram and right now two 80GB hard drives.
> Named Smoker
> 2: Home built; Iwill KK266-R w/ AMD 1GHz CPU,
> 256MBs of ram and a 4GB drive. Named Swifty
> 3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU,
> 224MBs of ram and a 2.5GB drive. Named Pokey
> 4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs,
> 128MBs of ram and a 4.3GB SCSI drive. Named Putput
>
> All run Gentoo Linux, all run folding. #1 is my
> desktop, 2, 3, and 4 are set up as servers.

"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Brian W. Kernighan
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On Tue, 2006-01-31 at 06:56 -0600, Dale wrote:
> Iain Buchanan wrote:
>
> >I've heard of government departments filing down the old HD's into
> >little pieces, then mixing them in cement for the next building project.
> >Could be an urban legend though.
> >
> >All of the above is subject to my own bad memory :)
>
> I have heard the same thing. I have watched some of them on TV get data
> off some unbelievable drives. Some had bent platters, serious
> scratches, been formatted a few times etc etc etc, After all that,
> they still got enough of what they wanted. They put a chemical on one
> and you could see the data with your eyes. It looked like a round bar
> code sort of.

hmm, sounds suspicious... It could have been some sort of serial number, but if you could see it with your eye, it definitely wasn't 0's and 1's of data.

Someone will know (I don't) what the density is on a modern platter.

--
Iain Buchanan

I never expected to see the day when girls would get sunburned in the places they do today.
-- Will Rogers
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
Iain Buchanan wrote:

>I've heard of government departments filing down the old HD's into
>little pieces, then mixing them in cement for the next building project.
>Could be an urban legend though.
>
>All of the above is subject to my own bad memory :)

I have heard the same thing. I have watched some of them on TV get data off some unbelievable drives. Some had bent platters, serious scratches, been formatted a few times etc etc etc, After all that, they still got enough of what they wanted. They put a chemical on one and you could see the data with your eyes. It looked like a round bar code sort of.

Whatever you use, if it does it quickly, it ain't worth the time. Really erasing something and rewriting data over it takes a bit of time. That little light should be on a while. I still wouldn't count on it. Shredding it and putting it in concrete may be a good idea. Maybe putting it in a MRI machine would help too. I would leave the room though. O_O

Dale
:-)

--
To err is human, I'm most certainly human.

I have four rigs:

1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives. Named Smoker
2: Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive. Named Swifty
3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive. Named Pokey
4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive. Named Putput

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On Tue, 2006-01-31 at 07:27 +, Stroller wrote:
> On 31 Jan 2006, at 01:03, Grant wrote:
>
> > Hello! I've heard that data can be recovered from a formatted hard
> > disk.
>
> Yes, it's fairly trivial, for someone who cares enough to try, to
> retrieve data from a disk that's merely been formatted. Although I've
> never tried to do so myself I regularly `shred /dev/hda` on
> customers' scrap PCs (see `info shred`) and a data recovery
> specialist last year offered to return 17gigs worth of data from a
> hard drive that had died containing only 8 gigs of files.

I once deleted my partition table, created new partitions over the top (different sizes) but I _didn't_ run mkfs on any of it. I was able to use a tool to see where old partition boundaries were, and I recovered all the data intact :) It was many hours of farting around, but I did it :)

If you use ext3, it is hard to recover the data, sure you could use grep over /dev/hda, but you don't know where the pieces are. If you're happy to put a 1000 piece jigsaw puzzle back together, then go for it.

If you "shred" or "wipe" the data (run random data over the disk many times, with a bit of magic formulas thrown in) then apparently the FBI / CIA / KGB / WTFC has a magnetic data recovery tool to see what bit was written before the current bit (don't ask me how).

So, it depends what you mean by format, and who has the time / money to bother trying to recover it.

I've heard of government departments filing down the old HD's into little pieces, then mixing them in cement for the next building project. Could be an urban legend though.

All of the above is subject to my own bad memory :)

--
Iain Buchanan

It's easy to solve the halting problem with a shotgun. :-)
-- Larry Wall in <[EMAIL PROTECTED]>
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On 31 Jan 2006, at 01:03, Grant wrote:

> Hello! I've heard that data can be recovered from a formatted hard
> disk.

Yes, it's fairly trivial, for someone who cares enough to try, to retrieve data from a disk that's merely been formatted. Although I've never tried to do so myself I regularly `shred /dev/hda` on customers' scrap PCs (see `info shred`) and a data recovery specialist last year offered to return 17gigs worth of data from a hard drive that had died containing only 8 gigs of files.

Stroller.
Re: [gentoo-user] {OT} Recovering data from a formatted hard disk
On Tuesday 31 January 2006 01:03, Grant wrote:
> Hello! I've heard that data can be recovered from a formatted hard
> disk. Lucky for me I don't have any interest in actually doing this,
> but I got in an argument with a buddy last night about whether or
> not it was possible. I'm sure I've read that the government and other
> well-funded institutions have this capability. Is it true?

Formatting only really wipes the superblock, so if you can rebuild it, you've got your data back. Different filesystems use different superblock methods, so formatting with a different fs can make that harder.

Until you flip every single bit on the disk, at least twice, some 3 or more times (naturally a single flip isn't enough, you'll have a mirror image!), something can be recovered, if you've got the money, skill, and patience. But we're talking the odd file, or part of file here, nothing more.

The data can also be seen, so warping platters isn't enough either.

--
Mike Williams
[gentoo-user] {OT} Recovering data from a formatted hard disk
Hello! I've heard that data can be recovered from a formatted hard disk. Lucky for me I don't have any interest in actually doing this, but I got in an argument with a buddy last night about whether or not it was possible. I'm sure I've read that the government and other well-funded institutions have this capability. Is it true?

- Grant