RE: Interesting One

From: Trevor Cushen (Trevor.Cushen@sysnet.ie)
Date: 10/30/02 

Date: Wed, 30 Oct 2002 10:29:08 -0000
From: "Trevor Cushen" <Trevor.Cushen@sysnet.ie>
To: <security-basics@securityfocus.com>

I believe the DOD level is 7 overwrites before the data is deemed
unrecoverable. Bear in mind however that the DOD practise is to burn
the hard drive as part of the disposal procedure.

I used @Stake autopsy and found it very quick and easy to use for
recovery of deleted files.

BackByte is another good tool but not free like Autopsy. The 30
overwrites and still getting data I don't believe however. I would
imagine the disk was used again about 30 times but the recovered data
was on a section of disk that had not been reused. I don't rule out
that it can be done but not by anything on the market. If you are
really unsure try posting your query to the people at Vogon.
www.vogon.co.uk

They are the best at this stuff bar none. Read some of their news
stories for just how realistic computer forensics is.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: Michael Cunningham [mailto:crayola@optonline.net]
Sent: 29 October 2002 19:43
To: Dave Adams; security-basics@security-focus.com
Subject: RE: Interesting One

> Anyway, to get to the point, the guy that came to see me said that
> their forensics guys could read data off a hard drive that had been
> written over up to thirty times. I find this very hard to believe and
> told him I thought
> he was mistaken but the guy was adamant that it could be done.

Yes, it can be done.. it would cost about 100k per drive and the ability
to access an electron scanning microscope. At 30 times I highly doubt
they could recover anything of any value anyway. Using most commercially
available products like "Encase", you can recover files that have been
deleted, but not overwritten. Once the data is overwritten you are
getting into using tools which are not available to the general public
as far as I am aware.

Mike

**************************************************************************************

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster@sysnet.ie

**************************************************************************************

Relevant Pages

  • RE: Interesting One
    ... overwrites all the relevant parts of the physical disk - not all tools ... Two primary things to note with magnetic media: ... The overwriting of a particular bit on the media will not always (in ... such as microscopic magnetic examination could recover ...
    (Security-Basics)
  • Re: tried to save a document over another of the same name, only o
    ... Actually it only overwrites the file allocation table entry to point to the ... been overwritten - yet - so it *may* still be possible to recover it. ... Word MVP web site http://word.mvps.org ...
    (microsoft.public.word.docmanagement)
  • Re: FreeBSD I LOVE YOU
    ... >>overwrites. ... of money to recover data, and hence nor will it be worth to go through ... all that trouble to destroy data. ... new harddrives rather than go through the trouble to overwrite the disk ...
    (freebsd-questions)
  • Re: Can You Import Text Files as Emails
    ... The reason the files are text files is explained in the help file. ... Basically MS overwrites 4 bytes for every 512 bytes in a message, when it deletes a message or marks it for deletion. ... The programs above are able to recover the 508 bytes correctly per message piece, but the 4 overwritten bytes are irrecoverable, so the messages cannot be fully recovered. ...
    (microsoft.public.windows.inetexplorer.ie6_outlookexpress)