Re: what happens to deleted files

philo wrote:


The files are still there...but simply marked as free space...so could

be

recovered.

If you want to make them essentially un-recoverable there are plenty of
third party "wipe" utilites that will shred them to the point where

they'd

only be recoverable
with expensive and time consuming lab work.

That "...[they] can only be recoverable with expensive and time
consuming lab work" can officially be classified in the "Urban Myths"
category. Nobody has ever been able to recover overwriten files, not
even Dr. Gutmann himself, he has told me so in an email conversation. I
challenge anyone reading these groups to offer concrete proof that they
can recover zero written/wiped files or to give us the names of data
recovery firms who can do it.

John



I've done some experiments and have tried *numerous* undelete utilities on
drives that had been deleted, formatted and reloaded
and have *NEVER EVER* found any remnants of previous files.

So there is no practical way of retrieving them...

HOWEVER if one had access to a lab with an electron microscope... in
theory...old data could be recovered...

They would use Magnetic Force Microscopy or Scanning Tunneling Microscopy (STM), not electron microscopes.

but it would take tens of thousands of dollars worth of lab time (probably
more actually)

NO! It cannot be done! Not at any price! It has never been done, not even by Dr. Gutmann himself, and he is the one who first advanced the theory that it might be possible to recover data from overwritten drives. The best that Dr. Gutmann could do with MFM was to show that there "might" be a possibility that some bits of data might be recoverable, he was never able to recover actual files and he has never been able to publicly demonstrate that he actually could recovery files on zero written drives, and nobody else either ever could. In anything science and research when you advance theories you then have to be able to prove them and you then have to be able to replicate the experiments, then others have to also be able to prove and replicate the experiments, no one has *ever* recovered files on zero written drives, no one! The whole purpose of Dr. Gutmann's paper was not to try to recover files in the first place, it was to make sure that they were securely deleted and absolutely not recoverable, some reading his paper incorrectly assumed that he had found a method to recover data on zero filled drives, he hadn't and that wasn't his intentions, his intentions were to suggest "software" means of securely deleting data.

Dr. Gutmann himself later said that many were making much more of his work than what was advanced or intended in his original research and white paper. Furthermore, Dr. Gutmann made it clear that the research was done on a different class of hard drives than today's drives, please read his paper:

Secure Deletion of Data from Magnetic and Solid-State Memory
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

In particular read the Epilogue where he states:

"Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. Conversely, with modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero."

The chances are not only close to zero, they are zero because no one has ever been able to recover any files on a wiped drive. The whole thing is tantamount to saying: "We (humans) can go to Mars because we have sent probes there so we know that we can go to Mars." Oh sure, in theory that is true, in reality it's false.

Some (incorrectly) assume or state that some governments or spy agencies (read Uncle SAM and the CIA) have magic machines or the capability to recover information on zero filled/wiped drives, that also falls in the realm of "urban legends", there are no such magic machines and the US government nor any of it's appendages have the capability of recovering data on wiped drives. In his 2004 paper, Recovering Unrecoverable Data - The Need for Drive-Independant Data Recovery, Charles H. Sobey wrote:

"It is very telling that the US Department of Defense's Combating Terrorism Technology Support Office placed a "Broad Agency Announcement" seeking just such a [magic] machine for damaged, erased, or overwritten media."

ActionFront Research
Recovering Unrecoverable Data - The Need for Drive-Independant Data Recovery
http://www.actionfront.com/ts_whitepaper.aspx

To date that request has not been filed, no one has yet been able to recover overwritten data, let alone invent a "magic" machine that can do it automagically. Just two days ago I called Seagate Recovery Services and asked to speak to one of their data recovery specialists. I posed the question to him, "Can a world class and foremost data recovery firm such as Seagate Recovery Services recover data from zero filled/wiped drives?", to which he categorically, unequivocally answered "NO". He told me that Seagate Recovery Services cannot do it and that any firm making such claims either misunderstood the question or they are outright lying. He said that if any data recovery firms make such blatant claims to make sure that they only be hired on a "No recovery, no charge basis, else you will only be wasting your money".

Now, this brings us to another "urban myth" that is often mentioned in these groups:

"There are professional file recovery companies which can often recover
data from files that have been overwritten, sometimes even if its
been overwritten multiple times.

For this reason, when the US government wants to get rid of
really sensitive data, it doesn't trust any deletion or
overwriting techniques. It physically melts the drive in a
furnace."

(Sorry Ken, but I have to take a kick at this one too ;-) )

The reason that the US government or any other entities who work with very sensitive data might melt or destroy drives instead of securely overwriting them is not because of the possibility of data recovery on these drives, it is because of the possibility of user or software errors when doing the wiping. The data is so sensitive that they cannot take a chance that a drive "thought" to be wiped gets disposed, or that the person doing the wipe thought that the drive only needed to be formatted. If the drives containing sensitive data are destroyed then there is no risk of operator error. This is really what these entities are worried about, not that the data can be recovered after a secure wipe, but rather that the secure wipe was actually done, destroying the drive takes care of possible operator errors. In highly sensitive environments like that errors are not supposed to happen, but at times they do, along the same line that surgeons aren't supposed to leave sponges inside their patients but sometime they do, we have all heard these horror stories, so in highly secure environments additional measures are taken to eliminate the risk that improperly wiped or unwiped drives fall into unwanted hands, this measure has nothing to do with the possibility that data actually be recovered on securely wiped drives. That is the mundane reason for destroying hard drives, not that someone has magic data recovery tools to recover overwritten files.

and possibly weeks or months of [lab] work [to recover data].

Try years instead of weeks or months! Read Charles H. Sobey's paper. It would take a machine taking an MFM image every minute 60 weeks to do *one* surface on a 3-1/5" diks! A 20 GB drive would yield an astonishing 40 terabytes of information and it would take years to analyze the data, there are no machines or scanners that can make heads or tails of the images, it would all have to be done by human eyes! And once again, no one has actually ever been able to look at the images and retrieve usable data from them.


So I'd imagine that most any "wipe" software would be plenty good...
as I have never heard of anyone actually retrieving wiped data either.

There is one area which can be of real concern with regards to wiped drives and where actual "bits" of data recovery could be made, cluster tips. Cluster tips are areas where data may have been written and then not over written.

Lets say you have NTFS clusters of 4KB. You save a 4KB file to the disk and it occupies exactly one cluster. You later delete the file, a simple delete to the Recycle Bin, not a secure delete. Then you save another file, lets say a 3KB file, the 3KB file is saved in the same cluster where the original 4KB file was. The first 3KB in the cluster is written with the new file but the last 1KB isn't touched, that is a "cluster tip". In that cluster tip is the last 1KB of data that was in the 4KB file that previously occupied the cluster, that data has not been overwritten, although it is time consuming and difficult there is a very real possibility that the information in the cluster tips could be recovered and that from these little bits of files some sensitive information could be retrieved, sort of like only burning the first three pages of a four page letter, if someone gets their hands on the fourth page they might obtain information that was not meant to be released. The problem with cluster tips and disk wiping utilities can happen if you use poorly designed wiping software. Some of the poorly written utilities may overwrite the file only, not whole clusters. That is easily resolved by selecting good wiping software and making sure to select wiping options that also wipe cluster tips.

So there you have it, the only place where data is recovered from securely wiped drives is on CSI Miami and it is all done in a whopping five minutes out of a one hour episode. Everything else that you hear about data recovery on wiped drives is in the realm of fairy tales.

John

Data remanence
http://en.wikipedia.org/wiki/Data_remanence

Overwitten data: Why even the Secret Service can't get it back
http://blogs.computerworld.com/node/5756

Is overwritten data really unrecoverable?
http://blogs.computerworld.com/node/5687

Can Intelligence Agencies Read Overwritten Data?
http://www.nber.org/sys-admin/overwritten-data-guttman.html

Ontrack Eraser
http://www.ontrackdatarecovery.com/hard-drive-software/ontrack-eraser.aspx

.