ATTENTION: The new home of the Digital Forensics Wiki is at https://forensicswiki.xyz/. Yeah, it's a silly name, but it was cheap.
This wiki will be going offline permanently in the near future. An exact date will be announced soon. Thank you for being a part of this community.
If you wish to work on the new forensicswiki, please join the Google Group forensicswiki-reborn
Recovering Overwritten Data
(This article does not discuss recovering deleted data, or things that 'not' been overwritten.)
Can data be recovered from a hard drive after that data has been written by 35 passes of random information? How about a single pass of zeros?
Whether or not such data can be recovered has been a question of debate for decades. Unfortunately, there have been few hard facts published.
The most widely known paper in this area is Peter Gutmann's 1996 classic, Secure Deletion of Data from Magnetic and Solid-State Memory, Proceedings of the Sixth Usenix Security Symposium. The original paper can be downloaded from []. An extended version of the paper appears on Peter Gutmann's website. [].
In this paper, Gutmann discusses techniques using an electron microscope that might work for recovering overwritten data. He then proposes a series of earsure patterns that can be used to overwrite data from hard drives that use different kinds of encoding schemes. A total of 35 patterns are proposed, although, as Gutmann notes, there is no reason to ever use all 35 patterns (because the patterns are designed for use on different kinds of magnetic recording technology.)
It's important to realize that this paper, written in 1996, discusses a magnetic recording technology that is no longer widely available. In 1998 Gutmann added the Epilogue to Gutmann's 1996 paper.