By npmarica
Hey All,

Help me settle a bet... It's my contention that if you: delete a file (say... a word document or a temp file) and use a really good erase/overwrite utility (I personally use "ERASER") and defrag the $mft properly then there will be no evidence that a given file ever existed on your pc... As Palmetto expertly pointed out to me in a different post, the MFT defrag will remove the file pointer, but the data will still be there... Is there a way to "clear" the data from "unused" MFT space? If so, does that truly mean that for all intents and purposes, the file never "existed" on your pc? Or could it somehow still be located & read?
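The question turns on what an NTFS MFT entry still holds after a delete. The following is an added illustration, not part of the thread and not code from any poster: it builds a constructed, simplified FILE record (fix-up array omitted; the file name and content are made up), models deletion as clearing the in-use flag, and parses the record again to show that the name and the resident data are still in it.

```python
import struct

def resident_attr(attr_type: int, body: bytes) -> bytes:
    """Resident attribute: 24-byte header, content padded to 8 bytes."""
    padded = body + b"\x00" * (-len(body) % 8)
    return struct.pack("<IIBBHHHIHBB", attr_type, 24 + len(padded),
                       0, 0, 0, 0, 0, len(body), 24, 0, 0) + padded

def build_record(name: str, data: bytes) -> bytearray:
    """Constructed, simplified 1024-byte FILE record (fix-up array omitted)."""
    fname = struct.pack("<Q32sQQIIBB", 5, b"", len(data), len(data), 0, 0,
                        len(name), 1) + name.encode("utf-16-le")
    attrs = resident_attr(0x30, fname) + resident_attr(0x80, data)
    attrs += struct.pack("<II", 0xFFFFFFFF, 0)           # end-of-attributes marker
    head = struct.pack("<4sHHQHHHHII", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                       0x01, 0x38 + len(attrs), 1024)    # flags 0x01 = in use
    return bytearray((head.ljust(0x38, b"\x00") + attrs).ljust(1024, b"\x00"))

def mark_deleted(rec: bytearray) -> None:
    """Simplified model of deletion: only the in-use flag is cleared."""
    flags, = struct.unpack_from("<H", rec, 0x16)
    struct.pack_into("<H", rec, 0x16, flags & ~0x01)

def parse_record(rec: bytes) -> dict:
    """Report the in-use flag, $FILE_NAME and resident $DATA of one record."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    pos, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & 0x01), "name": None, "resident_data": None}
    while pos + 24 <= len(rec):
        attr_type, attr_len = struct.unpack_from("<II", rec, pos)
        if attr_type == 0xFFFFFFFF or attr_len < 24 or pos + attr_len > len(rec):
            break                                        # end marker or malformed
        if rec[pos + 8] == 0:                            # resident attribute
            size, off = struct.unpack_from("<IH", rec, pos + 0x10)
            body = bytes(rec[pos + off:pos + off + size])
            if attr_type == 0x30 and len(body) >= 0x42:  # $FILE_NAME
                n = body[0x40]
                info["name"] = body[0x42:0x42 + 2 * n].decode("utf-16-le", "replace")
            elif attr_type == 0x80:                      # $DATA stored in the MFT
                info["resident_data"] = body
        pos += attr_len
    return info

if __name__ == "__main__":
    rec = build_record("bet.docx", b"constructed sample content")
    mark_deleted(rec)
    print(parse_record(rec))
```

A wipe tool that overwrites only the file's clusters does not touch this record; the entry has to be reused or overwritten for the name and resident content to go away.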



RE Or could it somehow still be located & read?

by OH Smeg Moderator In reply to $MFT & FILE ERASURE

With the right Forensic Recovery Application anything is possible.

The Platter of the HDD can be removed and coated with a Green Goop then read on a special machine which will recover every layer of Data ever written to that HDD.

This is Horrendously expensive and of course means the destruction of the HDD in question but is 100% effective in recovering all the Data that was ever written to that HDD. It is used by the Police and similar authorities in Suspected Serious Criminal Activity where the Accused has wiped the HDD to try to protect themselves.

The fact that you think about doing things like this points to a need to hide things which if you were to be dealing with people who investigate this type of thing would immediately raise Red Flags and point to your Possible Guilt. What that means is that instead of using the easy fixes they would immediately go the whole Hog and pull out the Big Guns to see what it was exactly that you were trying to hide.

The only real way to prevent some Data being recovered off a HDD is to destroy the Platter.


Infinitely permanent data on HD?

by wrleeii In reply to RE Or could it somehow ...

I think that "...every layer of Data ever written to that HDD" might be overstating it a bit, but there are expensive techniques using highly sensitive electro-magnetic sensors to identify recently written data that the HD heads themselves are unable to detect. Another technique is to read outside of the track area read by the HD heads... when recording, data can be spuriously recorded outside of the track area and these recordings can sometimes be read by special equipment.

There are military spec. erasing tools that make data less detectable by rewriting the same locations with alternating patterns to obliterate the original data. Higher security requires more rewrites of various patterns. A time-consuming process.

Some will claim, as I assume the original reply stated, that there is no way, short of destroying the platters, to ensure that the data is not accessible. I'm not convinced that this is necessary.

RE : ...every layer of Data ever written to that HDD

by OH Smeg Moderator In reply to Infinitely permanent data ...

While I tend to agree that it is a Fantastic Claim, that is what the Places that do this say, and as they are not advertising in the conventional way I'm more inclined to believe their claims than to disbelieve.

Adding to that On Track's ability to recover Data off of one of the HDDs on Columbia at its destruction that had suffered severe heat damage, I'm much more inclined to believe the claim. In the case of those Columbia HDDs they were given 3, failed to recover anything off 2 of them because there was no material left on the platters to read from, and then with the third one which had not suffered as much heat damage they got 80% of all the data and they did get all of the Important Data off the Drive.

As these recovery Methods are not employed for general run of the Mill Recovery but are reserved for Criminal Evidence Gathering, cost isn't an issue as the Authorities include this cost in the Trial Costs, and as it is accepted by Courts as Accurate the possibility that it is not possible is even less.

If you understand the way that those ones & Zeros are written to a Platter it becomes more believable the claims that it is possible to recover every layer of Data that was ever written to that Platter, as the Values are not the same all the way through; when something is overwritten the Value of the 1 or 0 is slightly different and it is that difference that is being used to read the data.

Besides a bit of Negative Advertising never hurts to impress upon some types that what they want to achieve isn't possible. :)


Data recovery

by wrleeii In reply to RE : ...every layer of ...

Yeah, I've been pretty amazed at what can be recovered from "destroyed" drives... the key distinction, in this case is that the original poster wants to _deliberately_ erase the data (not the case in accidentally destroyed drives). While there are layered techniques in laying down bits, it isn't like sedimentary rock... old data does not form layers below new data. A bulk of the same magnetic material is used to record new data. With enough re-recording, any older data gets masked in the noise of random writes/rewrites. That's why the DoD spec for erasing drives for reuse (i.e., when not physically destroying the drive) is very rigorous.

To retrieve purposefully erased data using the techniques I alluded to requires as much luck as it does expensive, advanced technology.

I would definitely not go so far as to say that there is any guaranteed way to erase data, but it is equally true that there is no guarantee that you can retrieve the data, no matter what the desire or expense.


Yep I do agree

by OH Smeg Moderator In reply to Data recovery

But in answer to the OP question it must be there is no Guarantee one way or the other about Completely Destroying Data.

