On 6/30/2003 at 8:46 PM Benjamin A. Okopnik wrote: >Well, I can't claim that I've actually seen a _documented_ recovery as >such, or that I have *absolute* proof, but - having worked for >$LARGE_AEROSPACE_COMPANY where this was a concern, I'm aware of two >techniques that were supposedly in actual use then.
I know that the government is quite interested in this and I'm sure that your statement is correct. But does "actual use" mean actual *practical* use or does it mean successful proof-of-concept demonstrations? The latter are real, the former I doubt. >One of them, at >least, returns several highly relevant Google hits: > >"magnetic media microscopy" Yes, many hits, but none relevant unless you mean the FUD being circulated by companies trying to sell their multiple-overwrite, disk-sanitizing, solutions-in-search-of-a-problem. A relevant hit is one that either offers to recover my overwritten data or offers to sell me the equipment to do it myself. A casual scan of these sites could be misleading. This is a mature technology and is routinely used by hard disk manufactures for research, quality control, and failure analysis. There are probably hundreds of sites discussing the techniques and showing the pictures. This has nothing to do with recovering overwritten data. >There are at least two companies that claim to be using it for data >recovery: > ><http://www.1stdatarecovery.com/QA_UK.htm#Q17> I found the topic mentioned in two places, both in the FAQ: Q6: If I have overwritten the data, can you recover? A6: Yes or no. It depends on each situation. An overwritten file can often be recovered since the data usually exists in several places. For example, temp files, the swap file, print spooler, etc. Our topic is the recovery of an overwritten disk, which this does not address. Q17: What is the Magnetic Media Microscopy (MMM)? A17: Magnetic Media Microscopy (MMM) is used in cases where data has been overwritten. MMM is a lengthy process that involves examining each bit of data at a magnetic level to determine that bit's previous state. Recovering just a floppy disk using this technology can take days or weeks. MMM is rarely used because of the cost factor. Compared to a modern hard disk, a floppy is a very simple, primitive thing and may possibly be recoverable. Notice the "days to weeks" time frame. Now consider the modern hard disk which would be orders of magnitude more complex and consider the nominal 1MB floppy vs. a small 1GB hard disk. Forget the budget, just think about the time involved. Would the data have any relevance when recovery is completed many years in the future? Looking at it another way, "examining each bit" implies that the process is not automated; human intervention is necessary. Assuming that a bit can be properly "examined" in one second, the recovery rate will be about 1MB per man-year of effort. ><http://www.savemyfiles.com/> > >The last one claims NASA and Harvard Med school as clients - and is, >incidentally, quoted in this connection on SecurityFocus (small world, >ain't it?) Perhaps I missed it, but no place did I see a claim that they could retrieve overwritten data. There was a reference to recovering a disk which had been overwritten with another operating system, which is an entirely different matter, usually not catastrophic, and not on topic. >The other technique supposedly required a SQUID (Superconducting QUantum >Interference Detector); all I'd heard about it was that a local guru >(this was in Los Angeles) was the only guy in the US that was using one >that way at the time. Oh, and charging ~$60k per HD. I have been in the computer forensics business in Los Angeles since before the term "computer forensics" was coined. I've never heard of this guru, but I would like to make his acquaintance if anyone has contact information. Jack Crone --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------
