We know that information can be retrieved after it has been deleted. There are several tools for file "undeletion" (Recuva, FTK, some tools contained in Caine, etc.).

I have heard as well that data can be recovered, even after it has been rewritten. For this exact reason, the DoD used to approve methods which included (DoD 5220.22-M) to 7 (DoD 5220.22-ECE) overwrite passes. This is still a low bar, considering there are algorithms which include 35 passes (Gutmann).

Why, though? What papers, articles, or use cases have been published that suggest successful data recovery after single or dual pass of overwriting data?

Which software, methods, or tools allow me to analyze a given HDD for "further layers" (?) of recovery or overwriting?

(I know there is a different approach and dynamic to SSD, so for the time being, let's not meddle into it)

Incarion
  • Possible duplicate of [Is Data Remanence a Myth?](https://security.stackexchange.com/questions/26132/is-data-remanence-a-myth), [Why is writing zeros (or random data) over a hard drive multiple times better than just doing it once?](https://security.stackexchange.com/questions/10464/why-is-writing-zeros-or-random-data-over-a-hard-drive-multiple-times-better-th). – Steffen Ullrich Oct 05 '19 at 15:13
  • @SteffenUllrich Yes, I see that now. However, I was wondering whether there had been any update on this topic, since that question was answered 7 years ago. Thanks for the reference, though! – Incarion Oct 06 '19 at 20:36
  • If you are already aware of the previous questions and want to get an update then please state this clearly in your question so that it does not get marked as duplicate. Apart from that please follow the links in the answers and you'll see for example that NIST SP 800-88 from 2006 was superseded with NIST SP 800-88r1 from 2014 which still states in Table A-5 regarding magnetic disk *"The Clear pattern should be __at least a single write pass with a fixed data value__, such as all zeros. Multiple write passes or more complex values may __optionally__ be used."* – Steffen Ullrich Oct 06 '19 at 21:41

1 Answer

The whole multipass overwrite is fundamentally an urban legend holdover from a disk technology that hasn't been in use for decades.

Overwritten data (even once) is not recoverable; there is no tool to do it.

That said, the real issue is being able to actually overwrite the data in the first place. It's fairly simple to accomplish if you're wiping the entire drive (with standard caveats on overlays, protected regions, etc.), but if you are trying to overwrite only selected files, it's harder than you might think. There are numerous reasons, which I'm not going into, why the attempt to overwrite individual files on a file system may not actually overwrite.

user10216038
  • -1 there are definitely methods to recover data from single-pass erased drives, such as MFM. This post is untrue and dangerous. – Jenessa Oct 06 '19 at 02:53
  • @Jenessa - MFM disk drives haven't been used for around two decades. The largest MFM / RLL produced was 130 MB, that's **MEGA** as in laughably obsolete. Even then magnetic force microscope recovery was only a small-scale, handful-of-bytes demonstration. There is no forensic lab in the world that can do this with a TB IDE drive. Unless you have access to extraterrestrial technology, it's not recoverable. – user10216038 Oct 06 '19 at 03:49
  • In this case, I meant "Magnetic Force Microscopy", a technology that can be used to read arbitrary magnetic information off of any magnetic drives. – Jenessa Oct 06 '19 at 04:00
  • @Jenessa https://security.stackexchange.com/questions/26132/is-data-remanence-a-myth – yeah_well Oct 06 '19 at 06:14
  • Although I must concede that I did not know of these studies and they do seem convincing, I do not think they represent an effort by a nation state power. If a reference to one of those is edited into the answer I'll retract my downvote (vote is locked by SE unless the post is edited) – Jenessa Oct 06 '19 at 10:05
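
The read-back check behind the single fixed-value pass quoted from NIST SP 800-88r1, and behind the answer's point that the hard part is getting the overwrite to reach every sector, as an added example that is not code from the original posts: it overwrites a constructed image file once and lists any sector ranges that still hold other data. The function names, the 512-byte sector size and the use of an image file instead of a raw device are assumptions.

```python
import os
import tempfile

SECTOR = 512
CHUNK = 1024 * 1024  # read/write size; must be a multiple of SECTOR


def single_pass_overwrite(path, fill=0x00):
    """Overwrite every byte of an image file in place with one fixed value."""
    remaining = os.path.getsize(path)  # a raw block device needs another size query
    with open(path, "r+b") as dev:
        while remaining:
            n = min(CHUNK, remaining)
            dev.write(bytes([fill]) * n)
            remaining -= n
        dev.flush()
        os.fsync(dev.fileno())  # push the pass out of the OS cache


def residual_ranges(path, fill=0x00):
    """Read everything back; return merged (start, end) sector ranges not equal to fill."""
    ranges, offset = [], 0
    with open(path, "rb") as dev:
        while buf := dev.read(CHUNK):
            if buf.count(fill) != len(buf):  # only walk the sectors of a dirty chunk
                for i in range(0, len(buf), SECTOR):
                    block = buf[i:i + SECTOR]
                    if block.count(fill) == len(block):
                        continue
                    start, end = offset + i, offset + i + len(block)
                    if ranges and ranges[-1][1] == start:
                        ranges[-1] = (ranges[-1][0], end)  # extend the adjacent range
                    else:
                        ranges.append((start, end))
            offset += len(buf)
    return ranges


def demo():
    """Constructed 64 KiB image: two adjacent dirty sectors and one stray byte."""
    image = bytearray(64 * 1024)
    image[4096:5120] = b"A" * 1024
    image[60000] = 0x7F
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(image)
    try:
        before = residual_ranges(f.name)
        single_pass_overwrite(f.name)
        return before, residual_ranges(f.name)
    finally:
        os.unlink(f.name)
```

An empty list from `residual_ranges` only covers the sectors the operating system exposes through that path; the overlays and protected regions the answer mentions are outside what this read-back can see.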