Magnetic force microscopy and other such things could (and do) indeed read past data from a hard drive that has been wiped many times (I have heard many conflicting and often wild claims about the exact number). A single pass can defeat anything the drive circuitry can grab from the disk and if you bypass the circuitry and connect the right equipment directly to the drive's heads, you would be able to read remapped sectors such as grown defects; a full overwrite (one pass again) on most modern drives even eliminates this if it can access these areas.

MFM involves pulling the hard disk apart and doing a physical analysis. There is a place in Australia that does it and at least 2 in the US and 1 in New Zealand I have heard of. A doctor one of our techs knows tried to get data back from a HDD that had NO overwriting, just a very bad head crash. He was charged AU$1600 and they recovered ONE file. It was a part of the OS.

Remember that modern hard disks store data in very advanced ways and VERY tightly packed together... I am not sure how fast you could manually recover data using a highly advanced (and very expensive) microscope, but if you recover an average of 8 BITS per second of REAL DATA (and there is no doubt a lot of hamming code written for the sake of data integrity), it would take you about 17 minutes for a kilobyte. It would take you about 83333 DAYS (approx 228 YEARS) working 10 HOURS A DAY FULL TIME WITH NO BREAKS to recover a standard 3Gb data set.

To quote some experts:

"Magnetic Media Microscopy (MMM) is used in cases where data has been overwritten. MMM is a lengthy process that involves examining each bit of data at a magnetic level to determine that bit's previous state. Recovering just a floppy disk using this technology can take days or weeks. MMM is rarely used because of the cost factor."
- ESS Data Recovery

Let's say you knew the exact location of the data (or at least the filename because you could find where you want to go, let's say the SAM in WinNT), you would have to recover the boot sector (to find the $MFT), the $MFT to find the $DATA stream of the directory entry for WINNT.. etc.. then finally when you find the exact offset of the disk the SAM is on, you would have to go the right amount of bytes into the SAM and recover the encrypted password... still it is very daunting and would cost money. Data recovery is always much easier if everything is defragmented properly... just imagine the pain if it was part of a striped RAID system!

The DoD standard is very paranoid and doesn't always work because mapped out bad sectors are not always wiped (look up "Grown Defect List" on Google). If you really want the data gone, incineration is the best method, then buy a new drive... Degaussing will also work (but you have to use a very strong degausser and for quite a long time) but it also renders the drive just as completely inoperable as it will wipe the sector marks and everything (but at least it still LOOKS intact).

If you want it so NO SOFTWARE IN THE ENTIRE WORLD can get it off (because the drive's heads cannot detect overwritten data and the firmware will therefore not translate it), a standard one pass wipe with "FORMAT /U" and I bet you can't get anything meaningful off it! (Note a standard format without the "U" option doesn't actually do any wipe passes).

Still, all that said and when government bodies ask for a contract, you will win easier if you quote a standard and do what it says, no matter how silly it all is.

http://www.vogon-data-recovery.com/dr_bulletin-02/dr_bulletin_02_01.htm has a little article that you may also find interesting but it doesn't have much of a conclusion.

If you want a better read into MFM look here...
http://www.di.com/AppNotes/MFM/MFMMain.html

In conclusion, in theory wiping it a lot means it is more secure, random data passes would make MFM really hard, but in practice, who are you trying to kid, if your data is THAT valuable (I am talking many many dollars here), the cost of completely incinerating the drive and buying a new one is far cheaper than paying for someone that is trusted to handle that drive's data to sit there and wipe it seven, nine or even 5000 times... and far, far more secure.

-- Benjamin Holmes

> -----Original Message-----
> From: Vlad [mailto:vlad@;verat.net]
> Sent: Thursday, October 31, 2002 6:10 AM
> To: maillist
> Subject: Re: Interesting One
>
>
> U.S. DoD - seven pass extended character rotation wiping [DoD 5200.28-STD].
> And for the sake of argument the program I use has a limit of 100 passes.
>
> ----- Original Message -----
> From: "maillist" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, October 30, 2002 7:45 AM
> Subject: RE: Interesting One
>
>
> > I disagree with you both - the NSA standard for a drive that will be
> > recycled is a nine-pass wipe ... involving pseudo-random data, 0s and 1s ...
> > preferably in a non-predictable order ...
> >
> > Reading after thirty overwrites is just scare mongering. Depending on the
> > media it might just be possible on some drives (where the heads have moved
> > over time) ... but the kit to read from drives after just a couple of wipes
> > is expensive, and usually just the provision of government types ...
> >
> > Avoiderman
> >
> > > -----Original Message-----
> > > From: Nero, Nick [mailto:Nick.Nero@;disney.com]
> > > Sent: 29 October 2002 17:30
> > > To: Dave Adams; [EMAIL PROTECTED]
> > > Subject: RE: Interesting One
> > >
> > >
> > > Well, the NSA standard I believe is that zero-filling a drive (writing
> > > all 0's to the platter) will make the data impossible to recover, but I
> > > am sure there are some instances when this isn't the cause depending on
> > > how retentive the media is and all that. If it is electromagnetically
> > > degaussed for an extended period of time, I can't imagine anything could
> > > recover the data.
> > >
> > > Nick Nero, CISSP
> > >
> > > -----Original Message-----
> > > From: Dave Adams [mailto:dadams@;johncrowley.co.uk]
> > > Sent: Monday, October 28, 2002 5:06 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Interesting One
> > >
> > >
> > > Greetings Folks,
> > >
> > > I had an interesting conversation today with someone from FAST
> > > (Federation Against Software Theft) They pretend not to be a snitch wing
> > > of the BSA. Anyway, to get to the point, the guy that came to see me
> > > said that their forensics guys could read data off a hard drive that had
> > > been written over up to thirty times. I find this very hard to believe
> > > and told him I thought he was mistaken but the guy was adamant that it
> > > could be done. My question is, does anyone have any views on this, or,
> > > can anyone point me to a source of information where I can get the facts
> > > on exactly how much data can be retrieved off a hard drive and under
> > > what conditions etc etc.
> > >
> > > Thanks
> > >
> > > Dave Adams
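The message above describes a chain of on-disk structures (boot sector, then $MFT, then directory entries) that must each be read back intact before a file such as the SAM can be located. The following is an added example, not part of the original thread, showing the first link of that chain: parsing an NTFS boot sector to find where $MFT starts. The sample sector and its values are constructed for illustration.

```python
import struct

SECTOR = 512

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Extract the fields needed to locate $MFT from an NTFS boot sector."""
    if len(sector) < SECTOR:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA end-of-sector marker")
    # 0x0B: bytes per sector (u16), 0x0D: sectors per cluster (u8)
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        raise ValueError("corrupt geometry fields")
    # 0x30: cluster number of $MFT, 0x38: cluster number of $MFTMirr (u64 each)
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", sector, 0x30)
    # 0x40: signed byte; negative n means a record is 2**|n| bytes
    (raw,) = struct.unpack_from("<b", sector, 0x40)
    cluster_size = bytes_per_sector * sectors_per_cluster
    record_size = (1 << -raw) if raw < 0 else raw * cluster_size
    return {
        "cluster_size": cluster_size,
        "mft_offset": mft_lcn * cluster_size,
        "mftmirr_offset": mirr_lcn * cluster_size,
        "mft_record_size": record_size,
    }

def build_sample_boot_sector() -> bytes:
    """Constructed sample: 512-byte sectors, 8 sectors per cluster."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"                     # x86 jump instruction
    s[3:11] = b"NTFS    "                        # OEM ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)     # geometry
    struct.pack_into("<QQ", s, 0x30, 786432, 2)  # $MFT and $MFTMirr clusters
    struct.pack_into("<b", s, 0x40, -10)         # 2**10 = 1024-byte records
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    info = parse_ntfs_boot_sector(build_sample_boot_sector())
    for key, value in info.items():
        print(f"{key}: {value}")
```

A single wrong byte in the fields at 0x0B, 0x0D or 0x30 sends every later lookup to the wrong disk offset, which is why bit-by-bit recovery of this chain is as daunting as the message says.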