For all the incidents of data loss resulting from human mistakes or untimely computer crashes, few computer users probably give much thought to the persistence of their data.
The fact is that the normal deletion of files in your operating system of choice really only purges their respective file references. In the interest of performance, the actual data is left untouched on the drive — with the space it occupies marked as empty.
This can be evidenced by the amount of time needed to make a copy of, say, a 5 GB file. Yet attempting to “delete” the same file only takes a couple of seconds. Using the File Allocation Table (FAT) file system as an analogy, only the FAT entry has been erased here. The same is true of a regular format of a hard drive.
In fact, there are techniques and equipment that can recover data from hard drives that has been “wiped” over with zeroes or random bits.
Such equipment can be expensive, and might not be able to do a 100 percent recovery. The truth is that only a tiny snippet of recovered data might be sufficient to cause severe problems.
A research team from Glamorgan University wanted to find out just how persistent data is. They bought over a hundred used hard drives and discovered that more than half still contained personal and commercially sensitive information. Most of the drives were purchased via eBay but ten drives were sourced from LCS Remploy, a company specializing in the destruction of data.
Users simply don’t understand the risks of discarding hard drives without first ensuring that the data is not recoverable.
Recovering data from a “clean” drive
There are a number of techniques available in the public domain that can recover data from supposedly “clean” drives. Here are some:
Magnetic force microsopy (MFM) is a recent technique for imaging magnetization patterns with high resolution and minimal sample preparation.
According to a paper from University of Auckland:
The [MFM] technique is derived from scanning probe microscopy (SPM) and uses a sharp magnetic tip attached to a flexible cantilever placed close to the surface to be analysed, where it interacts with the stray field emanating from the sample. An image of the field at the surface is formed by moving the tip across the surface and measuring the force (or force gradient) as a function of position. The strength of the interaction is measured by monitoring the position of the cantilever using an optical interferometer or tunnelling sensor.
Techniques such as MFM make truly deleting data from magnetic media extremely difficult mainly because of the inability of the hard disk write head to write in the exact same location along the magnetic track.
Another way of reading earlier iterations of data is to use specialized circuitry to work out the contents of previous “layers.” This relies on the fact that the magnetic media is analogous in nature:
In conventional terms, when a 1 is written to disk the media records a 1, and when a zero is written the media records a zero. However the actual effect is closer to obtaining a 0.95 when a zero is overwritten with a 1, and a 1.05 when a one is overwritten with a one.
Recovery of at least one or two layers of overwritten data can be achieved by sampling the signal from a high-quality digital sampling oscilloscope. The resulting waveform can be downloaded to a PC for software analyzing to recover the previously recorded signal.
Recovering data from Dynamic RAM
Contrary to conventional wisdom, even “volatile” semiconductor memory retains some of its contents after the removal of power.
Dynamic Random Access Memory (DRAM), for example, “remembers” the last stored state, as a result of the thin oxide used in the construction of the chip. The properties of the thin oxide changes slightly depending on the state of the data and can generally “retain” data for hours or even days.
The easiest way to solve the problem of erasing sensitive information – such as encryption keys – from magnetic media is to ensure that it never gets to the media in the first place.
Techniques such as hard disk wipes will certainly make an attacker’s job much more difficult, if not prohibitively expensive.