[Dshield] Secure Data Removal

Kenneth Coney superc at visuallink.com
Sat Jun 5 17:56:09 GMT 2004

It can't be that much of a myth as there are several companies that 
specialize in recovering lost data from accidentally erased or fire 
damaged hard drives.  (magnetism hates heat, so I would imagine a fire 
damaged HD would be pretty much the ultimate test.)  As I understand it, 
using the peaks and valley analogy given previously, the reconstructor 
(henceforth called he) would identify as many 0s and 1s as possible, 
then based on a knowledge of what kind of storage format table was used 
on the disk start reconstructing the bytes.  Some would be clear and 
readable at once and they will be set aside and used to help reconstruct 
the rest.  Some will be missing only one bit.  He will then add a 
missing bit and see if the new resulting byte makes sense in the context 
of the previously recovered bytes.  This continues down to the level of 
bytes missing three or four bytes.  Statistical context analysis I think 
it is called.  Lots of uncertainty.  Lots of possible answers for the 
missing data.  Clearly bytes used to form words in a spoken or written 
language (i.e., english, french, german, etc.) are easier to work with 
as reconstructed bytes that form gibberish can be quickly discarded and 
after doing one or two megabytes of restoration he either has a nonsense 
page or a readable text.  I would imagine recovery of numerical 
databases would be a lot harder.  A large 0 or 1 database (vs. a 1 2 3 4 
5 6 7.., etc database) would be close to impossible to completely 
resurrect.  Quantum statistical probabilities (which would primarily 
consist of guesses about the intent of the database) would probably 
enter the analysis.  Interviews of the computer owner would be very 
helpful, but in an intelligence or law enforcement setting are probably 
not an option.  Likewise I would imagine recovery of even a simple DES 
encrypted, then erased or multi overwritten database would be virtually 
impossible or else require years of computer time as each wrong byte 
would push decryption to verify the content further away.  We are 
talking about some really expensive equipment, clean rooms and 
supercomputers at this point.  Not something that your average hacker 
can do on the PC in his living room.

More information about the list mailing list