Drive Forensics

By Richard.McKinney ·

I have several servers that I am taking out of service. I am sure the
customer will ask me about the safety of the data when I brief him. I want
to be sure I know what the risks are. I have 3 cases:


CASE=1: a server, essentially desktop hardware, with a single ATA drive.
I will boot to MS DOS and run the Resource Kit DELPART to delete the NTFS
partition. I believe that only serious forensics will recover the data. Is
this true?

CASE=2: a server with 2 drives on a RAID card, using RAID-1 (Mirrored). I
will use the ROM in the RAID card to delete the logical drive. Is that the
same as the DELPART above? I am a little concerned because with RAID-1 I
have a full set of the data on each physical drive.

CASE=3: a server with 7 drives in a RAID-5 Array. I will use the ROM in
the RAID card to delete the logical drive, and then randomly shuffle the
physical disks between the various servers being sold off. I believe that
since each physical drive in a 7-drive RAID array only has 1/6th of the
data, it should not be able to be reconstructed, even by serious forensics.
Is this true?


Rich McKinney

by TheChas In reply to Drive Forensics

False, false, and false.

It is fairly easy to reconstruct a deleted partition.

Now, how far to go depends on how sensitive / valuable the data on the drive might be.

If the data is very sensitive, or valuable, the cost of a new drive is very small in relation to a solid sense of security.
My recommendation when any recovered data would be of value is to physically destroy the platters inside the drive.

Hammers, bullets, blast furnaces, or ****-torches are all good ways to get at and destroy the drive platters.

If the data has no "real" value, you can clean off the drives fairly well.

Start by deleting the partitions and creating new partitions of a different size.

Format the partitions and logical drives.

Run one of the DOD rated drive erasure utilities.
These write a pattern of random data to the drive with at least 7 passes.

Then, delete the partitions again.

The more you do, the less the chance that any data could be recovered.

When you look at the amount of time you need to invest to clean the drives, it can be cheaper to destroy them.
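
An added illustration, not part of the original thread, of why a deleted partition is easy to reconstruct while an overwritten one is not. The disk image, its layout and the sample record are constructed for the example, and the effect of the delete is modelled as an assumption: only the partition-table entries in sector 0 are cleared.

```python
import os
import struct

SECTOR = 512
PAYLOAD = b"constructed customer record"  # sample data, made up for this example

def build_image(start_lba=63, sectors=2048):
    """Constructed disk: MBR with one NTFS (type 0x07) entry, boot sector, one record."""
    img = bytearray(SECTOR * (start_lba + sectors))
    img[446:462] = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), start_lba, sectors)
    img[510:512] = b"\x55\xaa"
    off = start_lba * SECTOR
    img[off + 3:off + 11] = b"NTFS    "                  # OEM ID in the boot sector
    struct.pack_into("<Q", img, off + 0x28, sectors - 1)  # total sectors field
    img[off + 510:off + 512] = b"\x55\xaa"
    img[off + 100 * SECTOR:off + 100 * SECTOR + len(PAYLOAD)] = PAYLOAD
    return img

def read_table(img):
    """Return (type, start_lba, sector_count) for each non-empty MBR entry."""
    out = []
    for i in range(4):
        base = 446 + 16 * i
        ptype = img[base + 4]
        lba, count = struct.unpack_from("<II", img, base + 8)
        if ptype:
            out.append((ptype, lba, count))
    return out

def delete_partition(img):
    """Assumed effect of a partition delete: only the table entries in sector 0 are cleared."""
    img[446:510] = bytes(64)

def find_ntfs_volumes(img):
    """Scan every sector for an NTFS boot sector; return (start_lba, total_sectors)."""
    hits = []
    for lba in range(len(img) // SECTOR):
        off = lba * SECTOR
        if img[off + 3:off + 11] == b"NTFS    " and img[off + 510:off + 512] == b"\x55\xaa":
            hits.append((lba, struct.unpack_from("<Q", img, off + 0x28)[0]))
    return hits

def overwrite(img):
    """One pass of random data over every sector (stand-in for an erasure utility)."""
    img[:] = os.urandom(len(img))

if __name__ == "__main__":
    disk = build_image()
    delete_partition(disk)
    print(read_table(disk), find_ntfs_volumes(disk), PAYLOAD in disk)
    overwrite(disk)
    print(find_ntfs_volumes(disk), PAYLOAD in disk)
```

After the delete the table is empty, but the scan still returns the volume's start and size and the record is still on the disk; only the overwrite removes both.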



by Richard.McKinney In reply to

Thanks for the advice. I can do the "partition/format/wipe" cycle on the data volumes in NT4 before I delete the sys partition. I'm not sure how to get to the sys partition though. I don't think my DOS disk will read across the RAID Controller (no RAID driver for MS-DOS). I'll try it and see.


by Richard.McKinney In reply to Drive Forensics

This question was closed by the author
