Difference between revisions of "Recovering Overwritten Data"

From ForensicsWiki
Jump to: navigation, search
m
m (fixed the link)
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
(This article does not discuss [[recovering deleted data]], [[recovering bad data]], or things that 'not' been overwritten.)
 
 
 
Can data be recovered from a hard drive after that data has been written by 35 passes of random information? How about a single pass of zeros?
 
Can data be recovered from a hard drive after that data has been written by 35 passes of random information? How about a single pass of zeros?
  
 
Whether or not such data can be recovered has been a question of debate for decades. Unfortunately, there have been few hard facts published.
 
Whether or not such data can be recovered has been a question of debate for decades. Unfortunately, there have been few hard facts published.
=Prior Work=
 
  
==The Gutmann Paper [[1996]]==
+
= Prior Work =
 +
 
 +
== The Gutmann Paper 1996 ==
 +
 
 +
The most widely known paper in this area is [[Peter Gutmann]]'s 1996 classic, ''Secure Deletion of Data from Magnetic and Solid-State Memory'', Proceedings of the Sixth Usenix Security Symposium [http://www.usenix.org/publications/library/proceedings/sec96/gutmann.html]. An extended version of the paper appears on Peter Gutmann's website [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html].
 +
 
 +
In this paper, Gutmann discusses techniques using an electron microscope that might work for recovering overwritten data. He then proposes a series of erasure patterns that can be used to overwrite data from [[hard drive]]s that use different kinds of encoding schemes. A total of 35 patterns are proposed, although, as Gutmann notes, there is no reason to ever use all 35 patterns (because the patterns are designed for use on different kinds of magnetic recording technology).
 +
 
 +
It's important to realize that this paper, written in 1996, discusses a magnetic recording technology that is no longer widely available. In 1998 Gutmann added the  [[Epilogue to Gutmann's 1996 paper]]. The gist of that epilogue is that two passes of random data should be enough for today's disk drives.
 +
 
 +
== ActionFront's Drive Independent Data Recovery 2005 ==
 +
 
 +
In August 2005 [[ActionFront Data Recovery Labs]] presented a detailed paper at the [http://tmrc.nanointernational.org IEEE 16th Annual Magnetic Recording Conference] in which they discussed the current state-of-the-art of recovering information from hard drives without using the drive's own read/write heads [http://www.actionfront.com/ts_whitepaper.asp].
  
The most widely known paper in this area is Peter Gutmann's 1996 classic, ''Secure Deletion of Data from Magnetic and Solid-State Memory,'' Proceedings of the Sixth Usenix Security Symposium. The original paper can be downloaded from [http://www.usenix.org/publications/library/proceedings/sec96/gutmann.html].  An extended version of the paper appears on Peter Gutmann's website. [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html].
+
One of the key points that the paper makes is that there is a high degree of variability between individual modern hard drives. Manufacturers exploit this variability to increase drive densities. Unfortunately, this variability makes it dramatically harder to perform drive independent data recovery — that is, a single recovery approach that will work on multiple drives.
  
In this paper, Gutmann discusses techniques using an electron microscope that might work for recovering overwritten data. He then proposes a series of erasure patterns that can be used to overwrite data from hard drives that use different kinds of encoding schemes. A total of 35 patterns are proposed, although, as Gutmann notes, there is no reason to ever use all 35 patterns (because the patterns are designed for use on different kinds of magnetic recording technology.)
+
= Current Work =
  
It's important to realize that this paper, written in 1996, discusses a magnetic recording technology that is no longer widely available. In 1998 Gutmann added the  [[Epilogue to Gutmann's 1996 paper]].  The gist of that epilogue is that two passes of random data should be enough for today's disk drives.
+
== Paper: ''Overwriting Hard Drive Data: The Great Wiping Controversy'' ==
  
==ActionFront's Drive Independent Data Recovery [[2005]] ==
+
In December 2008 Craig Wright, Dave Kleiman, and Shyaam Sundhar R.S. presented a [http://www.springerlink.com/content/408263ql11460147/ paper] at ICISS2008, which purpose was "''a categorical settlement to the controversy surrounding the misconceptions involving the belief that data can be recovered following a wipe procedure''" [http://blogs.sans.org/computer-forensics/2009/01/15/overwriting-hard-drive-data/].
In August 2005 ActionFront Data Recovery Labs presented a detailed paper at the IEEE 16th Annual Magnetic Recording Conference (tmrc.nanointernational.org) in which they discussed the current state-of-the-art of recovering information from hard drives without using the drive's own read/write heads. [http://www.actionfront.com/ts_whitepaper.asp]
+
  
One of the key points that the paper makes is that there is a high degree of variability between individual modern hard drives. Manufacturers exploit this variability to increase drive densities. Unfortunately, this variability makes it dramatically harder to perform drive independent data recovery---that is, a single recovery approach that will work on multiple drives.
+
= See also =
  
=Current Work=
+
* [[Remnant Data]]
 +
* [[Recovering deleted data]]
 +
* [[Recovering bad data]]

Latest revision as of 13:59, 14 December 2009

Can data be recovered from a hard drive after that data has been written by 35 passes of random information? How about a single pass of zeros?

Whether or not such data can be recovered has been a question of debate for decades. Unfortunately, there have been few hard facts published.

Prior Work

The Gutmann Paper 1996

The most widely known paper in this area is Peter Gutmann's 1996 classic, Secure Deletion of Data from Magnetic and Solid-State Memory, Proceedings of the Sixth Usenix Security Symposium [1]. An extended version of the paper appears on Peter Gutmann's website [2].

In this paper, Gutmann discusses techniques using an electron microscope that might work for recovering overwritten data. He then proposes a series of erasure patterns that can be used to overwrite data from hard drives that use different kinds of encoding schemes. A total of 35 patterns are proposed, although, as Gutmann notes, there is no reason to ever use all 35 patterns (because the patterns are designed for use on different kinds of magnetic recording technology).

It's important to realize that this paper, written in 1996, discusses a magnetic recording technology that is no longer widely available. In 1998 Gutmann added the Epilogue to Gutmann's 1996 paper. The gist of that epilogue is that two passes of random data should be enough for today's disk drives.

ActionFront's Drive Independent Data Recovery 2005

In August 2005 ActionFront Data Recovery Labs presented a detailed paper at the IEEE 16th Annual Magnetic Recording Conference in which they discussed the current state-of-the-art of recovering information from hard drives without using the drive's own read/write heads [3].

One of the key points that the paper makes is that there is a high degree of variability between individual modern hard drives. Manufacturers exploit this variability to increase drive densities. Unfortunately, this variability makes it dramatically harder to perform drive independent data recovery — that is, a single recovery approach that will work on multiple drives.

Current Work

Paper: Overwriting Hard Drive Data: The Great Wiping Controversy

In December 2008 Craig Wright, Dave Kleiman, and Shyaam Sundhar R.S. presented a paper at ICISS2008, which purpose was "a categorical settlement to the controversy surrounding the misconceptions involving the belief that data can be recovered following a wipe procedure" [4].

See also