ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Recovering Overwritten Data

From ForensicsWiki
Revision as of 17:18, 29 October 2005 by Jessek (Talk | contribs)

Jump to: navigation, search

(This article does not discuss recovering deleted data, or things that _not_ been overwritten.)

Can data be recovered from a hard drive after that data has been written by 35 passes of random information? How about a single pass of zeros?

Whether or not such data can be recovered has been a question of debate for decades. Unfortunately, there have been few hard facts published.

The most widely known paper in this area is Peter Gutmann's 1996 classic, Secure Deletion of Data from Magnetic and Solid-State Memory, Proceedings of the Sixth Usenix Security Symposium. The original paper can be downloaded from [[1]]. An extended version of the paper appears on Peter Gutmann's website. [[2]].

In this paper, Gutmann discusses techniques using an electron microscope that might work for recovering overwritten data. He then proposes a series of earsure patterns that can be used to overwrite data from hard drives that use different kinds of encoding schemes. A total of 35 patterns are proposed, although, as Gutmann notes, there is no reason to ever use all 35 patterns (because the patterns are designed for use on different kinds of magnetic recording technology.)

It's important to realize that this paper, written in 1996, discusses a magnetic recording technology that is no longer widely available. In 1998 Gutmann added the Epilogue to Gutmann's 1996 paper.