Since we all know files are recoverable with programs after being deleted from the recycling bin, everyone is told to do secure wipes by putting random data over the files you're deleting on the disk itself. From what I understand with Hard Drives (and CDs, and Floppies, etc), the data is written to either be reflective/raised up (1) or non-reflective/sunken (0). My question is then how can a bad guy recover data that's been overwritten just once, since it would change the reflective or height of the gap?
-
2Your comment regarding reflective/raised etc may be relevant to CDs and DVDs but not for hard drives or SSDs. Hard drive use regions of magnetic polarity (various different kinds depending on technology used) and SSDs store the bits using circuitry. – Rory Alsop Nov 17 '11 at 08:49
-
3"the data is written to either be reflective/raised up (1) or non-reflective/sunken (0)" - the bits are a useful abstraction, yes; alas, it hasn't been matching the physical reality of hard disks for years. The "bits" are more similar to "weeell, this bit is most likely 1; that bit is probably a 0; the checksum matches, so let's pretend they are". Quite clever and allows for cheap, consumer-level terabyte disks, too. – Piskvor left the building Nov 22 '11 at 20:00
-
1[This is a good example of how the 'bits' are actually stored on a hard-drive](https://farm3.static.flickr.com/2646/4180253800_1a806d378d.jpg) (This screenshot is from popular hard drive "refreshing" utility SpinRite) – sleblanc May 22 '14 at 16:27
3 Answers
- See SSD (Flash Memory) security when data is encrypted in place and watch the discussion links on hard drives.
- On older drives, it was likely possible to recover overwritten data. The density of modern drives for the past 5+ (and the plus may be 10, 15, or more) years has been so high that a single pass of random data means whatever was there before is just not going to come back unless the NSA knows something about this that the rest of the general public doesn't.
- Modern file systems are such that the data may have been cached in several places, so unless the entire disk was wiped, the answer is to look for cached, duplicated, versioned, etc. copies of the file that were overlooked during the erasure process.
- 38,090
- 9
- 93
- 171
-
So it's basically old news? For modern drives it's not an issue as long as you do one full wipe? – Canadian Luke Nov 16 '11 at 23:18
-
-
1@Luke - As Jeff pointed out. You should be worried about the other shadow copies that your operating system makes. Those can be recovered. Of course once deleted they are eventually going to be replaced with another file. If you want to secure a mechanical HDD then you should still format it using a trusted method. – Ramhound Nov 17 '11 at 15:58
how can a bad guy recover data that's been overwritten just once, since it would change the reflective or height of the gap?
There are three basic methods: multiple copies, error correction, and enhanced detection.
A hard disk, or CD-ROM for that matter contains a filesystem. A filesystem is an organization of files in a way that makes sense to the computer and allows you to arbitrarily create, modify, and delete files at random.
Multiple Copies
Some filesystems have performance enhancing features like quick writes or protecting an original file while modifying it. Some features may have copies of pieces of a file or even the entire file in a separate location on the disk.
Error Correction:
CD-ROM and DVD-ROM filesystems have error correcting codes so that if your disk is chipped or scratched and some bits of a file are unreadable, it can figure out that bits are missing and recreate them.
Enhanced detection:
Magnetic bits on a hard disk platter are writen and read by sensors called heads on the end of a arm which moves across the disk platter. The bits are written in concentric circles called tracks. The tracks are spaced far enough apart from each other to prevent a magnetic bit on a track from causing the head to read an adjacent track incorrectly. However magnetic fields are not clearly discrete and recording on a track will bleed slightly into the margin between the tracks. About ten years ago the size of a disk track that the heads could write were an order of magnitude bigger than what scientific instruments could detect. In that case it was possible to use scanning tunnling electron microscopes to look for the write patterns in the margin between tracks. However, doing so would have been extremely costly and difficult, and likely never happened in the wild.
- 8,843
- 2
- 29
- 51
The general theory is that some residue of the previous state exists due to the limited accuracy of the rewrite. There may have been a proof of concept demonstration, but I'm not aware of any claims that it's actually been done in earnest. It would be incredibly time consuming and expensive to even attempt.
- 1,974
- 1
- 12
- 20
-
Any links to how it would or what type of tools, even in proof of concept? – Canadian Luke Nov 16 '11 at 22:04
-
The same kind of sensors as are normally used to read the media, only more sensitive and under manual control. Disk manufacturers must have them. – ddyer Nov 16 '11 at 22:56