14

Is it possible to recover securely deleted (or wiped out) data from a hard drive using forensics?

Imagine police have arrested a hacker, and that hacker, before getting caught, has removed all information that leads him/her to be found guilty on his/her PC using a secure deleting method. In this case, is it possible for police forensics (or any department) to recover the deleted data?

schroeder
user41890
  • 5
    Agreeing with people below: you need to specify "secure wipe" or change the wording: secure by definition means it is not recoverable. – user3244085 Mar 12 '14 at 21:25
  • DoD says that it is always possible to recover it. Using normal equipment they have specified the multiple-over-write protocols to guard against "bit-walking" where the magnetic domains shift in position slightly. However, with an electron microscope it is always possible to look down through the layers and see what is underneath. (Hint: expensive) Hence their guidance for total destruction of the drive, whether by thermite or sledgehammer. Our guys who were forced down in China used thermite. – SDsolar May 23 '17 at 21:25

5 Answers

14

Your question has a problem with the definitions of the words in it.

If a HDD has been securely wiped, by definition, no recovery is possible. If a HDD has not been securely wiped, by definition, recovery is possible.

Perhaps you mean: How secure are various methods of wiping Hard Drives? Very secure, assuming you're talking about "traditional" drives (with magnetic spinning platters) and you use something reputable like Darik's Boot And Nuke (aka DBAN).

There is some concern about how to securely erase Solid State Drives, because the drives have a built-in ability to evenly (and transparently) distribute read and write operations across their entire memory space. This is done to increase the lifespan of the drive, but can frustrate secure erase operations.

scuzzy-delta
  • 4
    Most modern SSDs use hardware AES encryption by default, so they just have to throw away the encryption key... – Jingo Mar 12 '14 at 21:31
  • 2
    An excellent point, although it should be noted that it is [not always simple to implement correctly](http://security.stackexchange.com/questions/29565/ssd-encryption-difference-between-models). – scuzzy-delta Mar 12 '14 at 22:13
  • 2
    Not sure this goes for "most" SSDs, and you still need to enable the encryption. – user3244085 Mar 13 '14 at 05:57
  • 1
    Thanks for the answer. I know if a H.D.D is securely wiped out, there would be no way to recover lost data, but I have heard that it is possible to disassemble H.D.D parts then reconstruct them in order to recover lost securely wiped out data. All I want to know: is it possible to disassemble and reconstruct the H.D.D parts to get lost data recovered? (Imagine I have removed data using the wiping out method.) Thanks. – user41890 Mar 21 '14 at 13:38
  • No. Taking apart the drive does not aid data recovery. That's only needed for damaged drives that won't work otherwise. – scuzzy-delta Mar 22 '14 at 11:08
  • 1
    @scuzzy-delta are you sure? This case is so important to me. – user41890 Mar 22 '14 at 12:37
  • Absolutely sure. If you have already used DBAN (or similar) on the drive, disassembling the drive makes it even *less* likely that any data can be recovered. The extra handling makes it more likely that physical damage will be done to the platters. You are perhaps thinking of very advanced techniques that image the platter surface at high magnification. Disassembly is required to use those methods, but does not *aid* them. – scuzzy-delta Mar 22 '14 at 14:05
  • 1
    @scuzzy-delta Do you have source to prove your words? – user41890 Mar 30 '14 at 19:52
  • 1
    The argument presented is logical (that extra handling makes it more likely that physical damage will be done) - if you agree with the premises, you must agree also with the conclusion. I know of no experimental attempts to validate this, probably because it is an obvious conclusion. Therefore if you are still not convinced, I doubt I will be able to offer anything further that will convince you. – scuzzy-delta Apr 04 '14 at 12:50
3

If you think of a secure wipe in terms of first formatting the drive, then opening the case, running a rare-earth magnet over the platters, working on them with a heavy hammer and a wrench for a couple of minutes, and finally dropping them into a camp fire, then no, police will not be able to recover the data.

If you think of a secure wipe in terms of running some "secure erase h4xOr tool", then sorry, you're out of luck. At least, if whatever you may have on that disk is worth the effort.

It is very well possible (and not hard, just expensive) to reconstruct data from magnetic store even after it has been overwritten a dozen times. That's something that has been done more or less routinely with black boxes since the 1970s. Admittedly, data density has increased a few orders of magnitude since then, and it is very likely that a 100% restoration will not be possible, but you must expect that a sufficient amount can be restored.
It does not matter so much whether it's possible, but whether you (or the data on your disk) are important enough to justify the expense.

Further, modern drives increasingly perform wear levelling (SSDs in particular do that for every single write). Which means that you have little or no control over what data you actually overwrite when doing a secure erase. You might be doing a "secure erase" and the complete data is still on the disk.
SSDs usually encrypt all data to increase the efficiency of wear-levelling (to randomize data, not for security!), but you cannot rely on there being no way for law enforcement to recover the encryption key. All modern drives have a key-erasing unblocking key sequence, there probably exists a secret, non-key-erasing unblocking key sequence for law enforcement use as well.
This is the case for cylinder locks and strongboxes / security containers, it would be unreasonable to assume no such thing exists for disk drives.

That said, even if your hacker used full-disk encryption using the right software (which offers perfect deniability), and the police can't do much to recover the data or even prove that anything is there, that isn't a certain thing.
Again, it only depends how important the data on your drive is, and who is after you.
While it may feel really cool "cuz stupid cops can't prove nuttin", it doesn't feel nearly as cool when you have a sack over your head and are being beaten with a rubber hose or being waterboarded. If someone really wants to know your encryption key, you will tell them. Trust me, you will.

Damon
  • 2
    I read with interest your note claiming that data recovery after 10x overwrite is possible. Do you have a citation? [NIST Guidelines for Media Sanitization](http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf) notes that (pg 6) "*...for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack.*" – scuzzy-delta Mar 12 '14 at 22:09
  • DoD standard for "data not classified as secret" already included overwriting at least three times (of which one pattern should be the complement of another) as early as 1991, and what NIST publishes isn't always the ultima ratio or even conclusive/transparent (think e.g. final round of the SHA-3 process). Disks admittedly have much higher density nowadays, which makes lab reconstruction more difficult, but lab technology has advanced, too. Recovering information after 10 overwrites is probably very optimistic, but I wouldn't bet my life that it cannot be done, if the information is important. – Damon Mar 12 '14 at 23:20
  • You always need to decide how important you and your data are. It's no mistake to operate in full paranoia mode (that is, pretend your disk contains the plans to murder your president). Even if the disk only contains your personal data that is a good approach, since you only know that you weren't careful enough after it's too late. In particular if you don't control what's going on on that drive. A common thief probably won't spend a 5-digit sum to see your holiday photos, but the police might, if you're a criminal suspected of serious enough crimes (OP only said "hacker", could be anything). – Damon Mar 12 '14 at 23:28
  • Even for a completely innocent person (like I assume you are), full paranoia mode is adequate -- data can far too easily be abused. – Damon Mar 12 '14 at 23:31
  • 5
    The number of overwrite passes needed has been going down over time, not up. In 1991, a single bit might be spread over several tens of magnetic domains and a re-write would not reliably erase all of them. Drives made in the past 10-15 years have stored one bit per domain, so a single overwrite pass will wipe everything. – Mark Mar 13 '14 at 04:15
  • Maybe so, maybe not. Though neither you nor I know what restoration technique to identify patterns in single misaligned elementary magnets may exist now or in 5 years if only one is dedicated enough to use an expensive tech. NIST on the other hand has a long history of questionable decisions and recommendations (DES, AES, EC params, SHA3, DRBG, to name a few). Not few of these are discussed as having deliberately badly chosen parameters or being outright backdoored. As a conclusion, if NIST says "once is enough" then it is pretty safe to assume that even _twice_ is certainly not enough. – Damon Mar 13 '14 at 10:04
  • Security is like a rusty bear trap that you use as a stepladder. You put your foot on the trigger and then very gently put your weight on that foot. The bear trap is old and rusty, and you are pretty light, so it probably won't trigger. But you don't know if and when the weight will cause the trigger to go off, and _at that point there is no going back_. The leg is off. Same for your disk. Maybe overwriting once or twice works, maybe not. But once someone else has our data, there's no turning back the clock. – Damon Mar 13 '14 at 10:12
  • 1
    Magnets, smashing and low temperature fires should not be assumed effective if overwrite security is insufficient. Hard drive heads are extremely powerful and focused and it is unlikely that even a rare earth magnet will perform better. Smashing results in pieces that are still quite large: Grinding into fine powder would be more effective. Campfires do not get up to high enough temperatures to demagnetise most materials. Consider using a bunsen burner, or if one is not obtainable, an ordinary gas stove instead. If maximal data security is desired the resulting powder should be stored securely. – timuzhti Jan 17 '17 at 09:57
  • @timuzhti - If grinding is deemed to be more effective, what options are there for the general public i.e. how does the average Joe grind the disk to powder? – Motivated Dec 29 '18 at 17:25
  • @Damon - Can you elaborate on "That said, even if your hacker used full-disk encryption using the right software (which offers perfect deniability), and the police can't do much to recover the data or even prove that anything is there, that isn't a certain thing"? Do you mean to say if I have used full disk encryption and then proceeded to securely wipe the data once, that it is still possible to recover data? – Motivated Dec 29 '18 at 17:27
  • @Damon - Can you also elaborate on "All modern drives have a key-erasing unblocking key sequence, there probably exists a secret, non-key-erasing unblocking key sequence for law enforcement use as well". What do you mean by unblocking key sequence, key erasing and non-key-erasing? – Motivated Dec 29 '18 at 17:28
  • @Mark - Can you elaborate on "Drives made in the past 10-15 years have stored one bit per domain". What do you mean by "one bit per domain"? – Motivated Dec 29 '18 at 17:32
  • @Motivated: The answer is a bit outdated and doesn't quite reflect things well in the mean time (I should occasionally rewrite it). But to address your questions: if data was properly wiped, it should not be possible to recover (but you never know what is "properly" unless you physically destroy the disk). Modern SSDs are always-encrypt drives, so in theory, you can use the manufacturer's disk tool for a "secure erase" which simply deletes the key and everything will be unrecoverable. In practice, you don't know, there _might_ be a secret key store which still allows accessing the data. – Damon Dec 29 '18 at 19:39
  • Also, there's the thing with data recovery and deniability. If you have encrypted data which cannot be read, it is still possible to tell (at least, often) that there exists data. Getting to it is only a matter of making your life unhappy enough once it's known something is there. But even with plausible deniability this isn't granted. If there's evidence otherwise and there just isn't anything on your disk, you may still experience major inconveniences (depending on who wants your data and why). Only really safe way is the hammer or shredder or fire method, i.e. physically destroy. – Damon Dec 29 '18 at 19:43
  • @Damon - I assume that if I'm not reliant on the manufacturer's encryption methods and employ open source alternatives such as LUKS or Veracrypt, the ability to recover data is not possible if it is wiped using a solution such as dd. Would this be a reasonable approach? – Motivated Dec 30 '18 at 00:06
  • @Motivated, a "magnetic domain" is the minimum magnetizable unit of a material. It used to be that bits on a hard drive were larger than domains, so re-writing a given bit might not flip all the domains it was stored on, and it was theoretically possible to read the old value by looking at the un-flipped domains (though I only ever heard of it being done on audio tapes, not hard drives). Today, one (ECC-encoded) bit = one magnetic domain, so wiping a drive is guaranteed to set every magnetic domain to the wipe value. – Mark Dec 30 '18 at 00:19
  • @Mark - Thanks. If wiping is guaranteed (I am assuming you are referring to non-SSD drives), how does this relate to Dennis Kelly's answer below? Under what conditions is wiping not guaranteed? – Motivated Dec 30 '18 at 01:20
  • @Motivated, what Dennis Kelly is referring to is that flipping a magnetic field doesn't always change it 100%. You might go from "97% north" to "95% south". In theory, it's possible to use this to figure out what the previous data was. In practice, nobody's ever demonstrated that it works -- the best I've ever heard was that they could make guesses about individual bits that were slightly better than random chance. – Mark Dec 30 '18 at 01:42
  • @Motivated Use an angle grinder. And since we're dealing with an adversary that can recover data after a dozen overwrites, you should separate the dust into ziplock bags inside safes and bury some of them 20 feet underground in secret locations. And it'll still be easier to recover the data from the dust than from a modern hard disk after one or two overwrites. – timuzhti Dec 30 '18 at 03:37
  • @timuzhti - I am assuming you are being facetious. – Motivated Dec 30 '18 at 03:49
  • @Motivated In my opinion, good humour usually has a kernel of truth. In this case, any agency or secret world ruling cabal with the resources to go over a hard disk with a magnetic force microscope and forensically extract data would almost certainly be able to take the extra steps of torturing you for the information and doing the same forensics to hard disk dust. Whether it's actually possible to reassemble the information becomes a matter of how redundant a single bit of hard disk information is stored, versus how small you can grind your dust into and how that information is denatured by – timuzhti Dec 30 '18 at 11:38
  • ... heat. Both have hard physical limits, but as the storage density of hard disks increase, the former becomes harder and harder than the latter. To truly defend against the agency of unlimited resources this answer seems to assume, *information theoretic* security is required. This can be done by ensuring the data is encrypted using a one time pad, or by completely destroying the hard drive, perhaps by vaporisation. Neither are particularly feasible for the average Joe. Nuking it from orbit is the only way to be sure. What you usually want is *sure enough*. – timuzhti Dec 30 '18 at 11:39
  • @timuzhti: The thing about physical destruction is that it's a strong indicator that no data can be recovered. Data that was erased (i.e. simply overwritten) with a one-time pad and which possibly left a good enough residue is indistinguishable from extremely valuable data that was encrypted and is recoverable (if the key is known). Which leads to the assumption that holding you captive with a sack over your head, and beating the shit out of you is worthwhile. Whereas when the disk has been burnt or torn to small pieces, it's pretty obvious that no amount of beating will reveal the data. – Damon Dec 31 '18 at 10:18
  • @Damon They're using a microscope. A microscope doesn't care how small the pieces you feed it are. All you've done is superencipher with a transposition with huge chunks of plaintext. Hammering and campfires are stupidly ineffective, sanding, an acetylene torch and thermite are what you want. Even if your disk is a melted puddle, you have backups. What do you mean you don't have backups? Your data is important enough for me to beat you with this lead pipe, so of course you have offsite backups. If you've got an amoral major power after you, the manpower for the lead pipe treatment is trivial. – timuzhti Jan 01 '19 at 14:33
  • Yeah, even if an infinitesimal chance of getting the data exists, someone might take it, so even if you provide very visible evidence of the destruction, well... You might have some knowledge in your mind somewhere, if we help you remember it. Or maybe your employer--Who's your handler? What about your family? You might have let something slip to your friends. If we assume unlimited resources and unlimited will, you can keep your secret only if you're willing to die messily, and they'll still torture your accomplices. – timuzhti Jan 01 '19 at 14:43
  • Why would I trust you instead of NIST and literally everyone else? You provide absolutely no source or explanation for the "It is possible to reconstruct data from magnetic store even after it has been overwritten a dozen times, and it's been done routinely since the 1970s" statement. If it's possible to recover data after 12 overwrites, then it's possible to store 13TB on a 1TB drive. – the default. Jul 24 '21 at 04:04
3

As suggested, if a file is deleted using simple "delete" mechanics, then the data is not actually removed from the drive. Only the directory entry is removed; the data remains and is easily recoverable.

If instead the existing data blocks are overwritten, then forensic recovery is effectively impossible. Some statistical reconstruction is sometimes possible on a small scale with vast amounts of effort, but this is a largely academic pursuit. Actually recovering multiple megabytes of data from modern drives is well beyond the capabilities of any existing lab.

That said, some filesystems (eg: ZFS, BTRFS, sometimes NTFS) as well as some media (eg: SSDs) won't overwrite existing blocks directly, but will instead write updates into new, empty space on the drive, leaving the originals untouched. This further complicates "secure delete" procedures.

Wiping the entire drive in one go at a low level (rather than through the filesystem) circumvents most of these caveats and again makes recovery extremely difficult.

If you take a hard drive that has been completely overwritten with zeros from even a single pass to any forensic recovery lab, you'll get a 0.00% recovery rate. In fact, most places won't even accept the challenge if you tell them what has happened.

tylerl
  • @Kiwy If everything hangs on a **single** 1 or 0, then perhaps.. sometimes.. maybe. But the technique does not lend itself to large-scale data recovery, and often doesn't even work *at all* on newer media, which strain the areal density so far as to rely heavily on error-correction just to read a *working* disk. – tylerl Mar 13 '14 at 09:07
  • Even very partial data can be useful, but it's true that the very dense hard drives we get now are harder to read – Kiwy Mar 13 '14 at 09:15
  • You mean if you shred even with single pass of replace with zero command your data is practically irrecoverable? Talking wrt http://askubuntu.com/questions/17640/how-can-i-securely-erase-a-hard-drive – Chinmaya B Aug 15 '15 at 19:44
  • @Creator Recovery success is entirely dependent on the properties of the storage medium. But as a rule, yes. – tylerl Aug 16 '15 at 19:05
  • What do you mean by properties of storage media? – Chinmaya B Aug 16 '15 at 19:26
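
Added example (not part of the original answer, and not code from any tool named in this thread): a Python verification pass for the point in tylerl's answer above, that an overwrite aimed at one file's blocks can leave a stale copy elsewhere while a whole-device overwrite does not. The image layout, block size and all function names are assumptions, and it runs against a constructed temporary image file, not a real device.

```python
import os
import tempfile

BLOCK = 4096  # scan granularity in bytes (assumed value)


def find_residual_extents(path, block_size=BLOCK, fill=0x00):
    """Return [(offset, length), ...] for runs of blocks that are not all `fill`."""
    expected = bytes([fill]) * block_size
    extents, offset = [], 0
    with open(path, "rb") as dev:
        while chunk := dev.read(block_size):
            if chunk != expected[:len(chunk)]:
                if extents and sum(extents[-1]) == offset:
                    # Adjacent to the previous dirty block: grow that extent.
                    extents[-1] = (extents[-1][0], extents[-1][1] + len(chunk))
                else:
                    extents.append((offset, len(chunk)))
            offset += len(chunk)
    return extents


def wipe_whole_image(path, block_size=BLOCK, fill=0x00):
    """Overwrite every byte of an image file in one pass; return bytes written."""
    size = os.path.getsize(path)  # regular image file, not a block device node
    pattern = bytes([fill]) * block_size
    written = 0
    with open(path, "r+b") as dev:
        while written < size:
            written += dev.write(pattern[:size - written])
        dev.flush()
        os.fsync(dev.fileno())
    return written


def write_block(path, index, data, block_size=BLOCK):
    """Write data at the start of block `index` of the image."""
    with open(path, "r+b") as img:
        img.seek(index * block_size)
        img.write(data)


def build_constructed_image(blocks=64):
    """Constructed sample: 'file' in block 10, stale copy-on-write copy in block 40."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as img:
        img.write(b"\x00" * (blocks * BLOCK))
    record = b"constructed sample record".ljust(BLOCK, b"\x01")
    write_block(path, 10, record)
    write_block(path, 40, record)
    return path


def demo():
    path = build_constructed_image()
    try:
        # File-level overwrite: only the block the file maps to now is zeroed.
        write_block(path, 10, b"\x00" * BLOCK)
        after_file_wipe = find_residual_extents(path)
        wipe_whole_image(path)
        after_full_wipe = find_residual_extents(path)
    finally:
        os.remove(path)
    return after_file_wipe, after_full_wipe


if __name__ == "__main__":
    print(demo())
```

An empty list from `find_residual_extents` is the pass condition; any extent it reports is an offset worth inspecting before the media leaves your control.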
1

The magnetic data written to the hard drive can be over-written, but the original data will still be there, at a lower signal level. So with clever software, and also possibly use of special heads, you can read the different levels of magnetisation. It's also only 0 or 1 that is recorded on each bit, which makes recovering the information slightly easier physically.

So, the only way you can really hide the info is to melt the platters.

N.B. if you have a hybrid drive don't forget the flash memory chips.

  • 1
    I am not sure this data can be recovered without significant degradation even with pretty good hw support. But the theoretical possibility exists. – peterh Feb 25 '17 at 11:21
  • wow... This is why I love info security topics. It's a never ending struggle between shield and spear. Anyways this means any software implementation of "Secure Wipe" can't be ultimately secure against someone who's so determined to recover HDD with specially calibrated hardware & software (like the Police). – Dominic Jung Mar 04 '22 at 00:46
-3

Nah, once data is overwritten with secure sanitising software that randomly rerecords 0's and 1's in place of original data it's like putting a jigsaw back together without a picture to reference. Once it's rewritten 35 times, a.k.a. the Gutmann method, it's gone, unless it's an SSD and then you need to plow insane amounts of data onto the SSD over and over again to essentially defrag the drive with new data.

SSDs have a limited lifespan and won't respond well, according to reports, to repeated heavy rerecording. SSDs are usually written once and referred to lots of times. The RAM does all the temporary storing of data so it limits the finite SSD rerecord ability limitation.

Forensics can't recover what is already gone. If a simple delete of old data is done (i.e. delete recycle bin or permanently delete data), the links would be gone but not the data which is still recoverable.

There is lots of free software to download and try to recover the lost data (links) but it won't bring back sanitised data.

schroeder
spaz