Data Recovery & Solid State

theoverlay writes "With all of the recent hype about solid-state drives in both consumer applications and enterprise environments I have a real concern about data recovery on these devices. I know there are services for flash memory restoration but has anyone been involved in data restoration projects on ssd drives? What are the limits and circumstances that have surfaced so far? What tools will law enforcement and government use to retrieve data for investigations and the like?"

SSDs have one infallible data recovery option

[Amiga+Lover]

Which is the same infallible data recovery option for any media. Multiple, cascading, incremental and offsite backups.

Trusting data to just one piece of media is being broken in the head.

Re:SSDs have one infallible data recovery option

[jeffmeden]

-1, didn't read the question. He is NOT asking about how reliable the drives are, since he acknowledges that ANY media can fail. Instead, he asks about recovery options when there are no other alternatives, such as extreme disasters or criminal cases where data was intentionally lost. This is a good question, I look forward to constructive answers and the discussion that follows. Yours, however, is a dead end.

Re:SSDs have one infallible data recovery option

[TubeSteak]

When someone asks a question like: "What tools will law enforcement and government use to retrieve data for investigations and the like?"

The issue isn't just 'how do I recover data' it's also 'how do I erase it permanently'

In my experience, you can recover anything that hasn't been overwritten on a flash drive with most recovery programs.

Keep in mind, that even if you've "erased" your files, not all wipe/erase programs will delete the file & folder names from your drive. Programs like DirSnoop can recover the names, if not the files.

Re:SSDs have one infallible data recovery option

[Z00L00K]

Most filesystems only does a removal of the reference to a file when a file is deleted. A few may offer the added feature of overwriting when deleting a file. If I remember right OpenVMS actually has an option to the DELETE command that allows this.

The second question here is if it is possible to recover data that has been overwritten on a solid state device. It is possible on magnetic disks, but a solid state device is encapsulated in a much more rigorous manner which means that it will be a lot harder. However, it may still be possible using the right equipment.

And don't forget: Never store your important data under the directory /tmp or /var/tmp on any *NIX machine. It will be erased! I know that this has happened, since I was working for a company where a consultant did EXACTLY this. That consultant stored all his sources there! And the system erased all files older than 14 days, and since it was /tmp there was no backup. That person had to do it the HARD way because there was no way that there was any possibility to recover that data. I have no idea what became of that consultant after that was cleaned up, but I sure hope that he at least didn't make that mistake again!

One of the classical Murphy's law moments...

Re:SSDs have one infallible data recovery option

[JesseL]

One confounding aspect of trying to permanently erase things from solid state drives is the fact that most flash drives incorporate wear-leveling. You may not be able to over write specific physical sectors without just overwriting the whole drive several times.

Re:SSDs have one infallible data recovery option

[sm62704]

...criminal cases where data was intentionally lost

You can completely and unretrievable wipe data from both paper and disk drives. With paper, shredding is no good but a single match or Bic will do the trick. Cheaper than a shredder, too. With a disk drive, just disassemble it and sand off all the oxide. Or alternatively, if you have a smelter or other really really hot mass of molten metal, you can just drop the thing in there. The smelter option works for CDs and tape as well.

Or you can bury it in the bridge abutment your construction company is building with tax dollars, right next to Jimmy Hoffa.

Oh oh, am I on my way to Gitmo now?

-mcgrew

(still no journal although the last one was updated Friday. Mod me down for this?)

Re:SSDs have one infallible data recovery option

[Zerth]

Yup, it can be extra hard to wipe a flash drive without knowledge of its particular wear-leveling algorithm. In these cases, Fe2O3+2Al is your friend.

Re:SSDs have one infallible data recovery option

[DaveV1.0]

Most of a hard drive is made of aluminum. Disassemble, mix, and sell to local recycling plant.

Re:SSDs have one infallible data recovery option

[yabos]

I just feed all my shredded documents to my worms(no joke)

Re:SSDs have one infallible data recovery option

[Hal_Porter]

You can use sdelete on Windows

http://www.microsoft.com/technet/sysinternals/Security/SDelete.mspx

Re:SSDs have one infallible data recovery option

[Paracelcus]

Just a thought:
Powdered magnesium & aluminum 60/40 in a plastic capsule with the same dimensions as the SSD unit in question, perhaps 2mm thick with a small plastic tube connected to a solenoid valve and a tiny O2 bottle. When activated by a panic switch the 6000 degree F temp should vaporise the chip (vary the thickness to increase the burn time).

Re:SSDs have one infallible data recovery option

[billcopc]

The day someone can recover data from media I've killed with thermite, then we'll talk.

Right now, if someone sketchy wants to cover their tracks, it's cheap and relatively easy. I've personally witnessed the awesome destruction that thermite does to a hard drive, it leaves a big drippy hole where the platters once sat. It's basically super-welding the drive into one big block. I don't think there's any way to get data back, at least not with current nor near-future technology.

Re:SSDs have one infallible data recovery option

[dave87656]

You can use sdelete on Windows

http://www.microsoft.com/technet/sysinternals/Security/SDelete.mspx I'm a little suspicious of a microsoft command which would permanently erase my data. Are you sure they are not sending it to themselves first?

Re:SSDs have one infallible data recovery option

[Fred_A]

The day someone can recover data from media I've killed with thermite, then we'll talk. Maybe some day an extherminator will be able to cure your drive of its thermite problem...

(*ducks and runs*)

Re:SSDs have one infallible data recovery option

[Hal_Porter]

Sdelete is a sysinternals utility. You can get the source code, or at least you could. Even if you can't you can still use File monitor to see what it does. It would seem like a very bad move for Microsoft to change it in a way that makes it send data off to them.

Re:SSDs have one infallible data recovery option

[phagstrom]

Hey, just fill up the drive with puns like that and your data will be lost forever.....It'll never be able to recover. ;-)

Re:SSDs have one infallible data recovery option

"Damn you worms, eat FASTER!!!! I can't stall the SWAT Team much longer!"

Re:SSDs have one infallible data recovery option

[dave87656]

Sdelete is a sysinternals utility. You can get the source code, or at least you could. Even if you can't you can still use File monitor to see what it does. It would seem like a very bad move for Microsoft to change it in a way that makes it send data off to them.

Thanks for the info. I was being a little facetious with a subtle reference to past policies which sent off user data at installation even though the user declined sending the information.

Such tools as...

What tools will law enforcement and government use to retrieve data for investigations and the like?"

Waterboarding, tasers, sleep deprivation, bright lights and loud obnoxious music.

Re:Such tools as...

I like loud obnoxious music you insensitive clod!

Re:Such tools as...

[urcreepyneighbor]

Waterboarding, tasers, sleep deprivation, bright lights and loud obnoxious music. Sounds like my last date. :(

Re:Such tools as...

[ari_j]

No wonder she never called back.

Re:Such tools as...

[Nodamnnicknamesavial]

Wow, Kenny G will have a busy schedule for the next few years.

Re:Such tools as...

[TheGratefulNet]

suppose 'bad guys' are at your door, trying to 'steal' your computer records.

can you erase your disk? not really, not fast enough.

you can grind cd/dvd roms - they make paper shredders that take opto discs.

much better though: a hammer smashing a usb key drive! no amount of 'forensics' can recover broken silicon chips.

there you go - anti-spook protection should you need it. afterall, its a dangerous world out there. many 'people' mean you harm.

Re:Such tools as...

[urcreepyneighbor]

I heard, from a mutual friend, that she didn't like her victim's to be "into it". Something about the "fun not being there" when the victim begs for more.

Argh! Women! They remain the eternal mystery!

Re:Such tools as...

A handful of usb keys can be flushed in a few seconds. Then there's no evidence that you are trying to hide anything.

Re:Such tools as...

[Luke+Dawson]

Sounds like Toby Keith's wet dream.

Re:Such tools as...

[Amouth]

http://www.pcpro.co.uk/features/113080/what-does-it-take-to-destroy-a-hard-disk/page1.html

i would never agree that "no amount of 'forensics' can recover broken silicon chips"

sure it might be hard.. but it is still more than possiable - the trick is how much is it worth to the person/people trying to get the data back.

i was trying to find a better artical where they went over how ontrack recovered 90+% (don't remember exactly) from the drives on the 2003 shuttle that turned into a fireball and shreaded..

i seriously doubt that your hammer would do much - and as for the other person that responded to you.. flushing it woln't do much good.. as well all they need to do is find it..

again.. it is all dependent on how much it is worth to the person trying to get the data back.

Re:Such tools as...

[TheGratefulNet]

I'm no chip physicist - and I don't even play one on tv - but tell me how a SHATTERED broken wafer can be readable? by anyone! using any tech!

seriously. its shattered. one smash with a ballpien hammer to break the plastic shell of the thumb drive apart, then one more smash on the wafer/chip itself. its now bird-seed. go and try to 'read' from that. you can't. if you have time to do the double-smash (LOL) then you have all the physical security you need, in terms of rendering some non-volatile memory storage .. well ...permanently volatile.

Re:Such tools as...

In this case, I think "last" carries both meanings: "most recent" and "final".

Re:Such tools as...

And I like insensitive music you obnoxious clod!

Re:Such tools as...

[BlueCollarCamel]

He's posting on /.. Inflatable dolls can't call back.

Re:Such tools as...

[nmg196]

..and I like waterboarding, but over here we call it "surfing".

Re:Such tools as...

[Amouth]

well i personaly would assume that as people can do jig saw puzzles - and that people manage to mend broken glass and other broken artifacts quite well that if you take someone with the right equipment (say Intel and their fab lab) they could get it back to a reasonable shape - also mix it with the constant charge in each cell - you may have to read each one manualy but it is like all things if you can do it once you can do it a million times - it just takes time.

Considering that intel recently showed off some of it's new chip fab equipment where they can take a fabed CPU - remove the heat spreader place it in a special board in a special box where they can control the clock rate al the way down to a basic pause and read each transister state in real time and even change the state and even remove and add traces in real time. that your rather simplistic flash drive compared to a new 45nm cpu would be a walk in the park.

all i was pointing out is that your hammer isn't going to remove the data - sure it might smash the chip into a million peices but the data is still there in each and every cell - all that has to happen is for it to be put back together and then read- sure it isn't going to read by ust shoving it back in your usb port - but there is many more diffrent ways to read the data..

it all comes down to what is the value of the data to the person trying to recover it. if it is worth the time effort and cost then it can be done

Re:Such tools as...

[TheGratefulNet]

no, I don't think this is AT ALL like a jigsaw puzzle.

once you shatter and destroy the silicon, even god himself won't be able to make humpty dumpty whole again. not if HD is made of silicon chips ;)

really - the chips get crushed into near dust with a hammer. this is 99.99999% impossible to re-assemble.

Re:Such tools as...

Creeping around in the bushes around her house does not constitute a "date".

Re:Such tools as...

[XHIIHIIHX]

You're high. If you took a hammer to your usb drive, they could still read the data off of it *without even entering the room*

Re:Such tools as...

[RockWolf]

So they'll play you classical music. Where's the problem again?

Re:Such tools as...

[andreyvul]

Hammer? lol.
I would look at the the pinout of the memory chip and solder +12V to ground and ground to +12V. Burning transistors, anyone? This would be like a thermite reaction or acetylene torch on current HD platters.

Re:Such tools as...

[mwvdlee]

You're equating Kenny G. to waterboarding, tasers, sleep deprivation, bright lights and loud obnoxious music? Bullshit! He's not bright at all.

Re:Such tools as...

what about if you masturbate?

Honk! Honk!

[tripwirecc]

I'd figure the same as with regular harddisks apply. One pass and gone the data is.

Re:Honk! Honk!

[Vicarius]

Actually with regular/magnetic drives data is not gone forever with one pass. You can still use specialized readers that will detect change in magnetic field and be able to tell whether the analyzed bit was 0 or 1 before it was overwritten.

Re:Honk! Honk!

[farkus888]

I know that is not enough to securely wipe a traditional hd. the current standard is 7 passes of random 1s and 0s. even worse than that, I have had people who formerly worked nsa tell my that really sensitive data is only considered gone when they have dismantled the drive and melted the platters in acid.

Re:Honk! Honk!

[tripwirecc]

That may have worked with old drives, forensics experts tell me these MFM/RLL things, but with modern drives and the used recording tech, it's practically impossible. But hey, keep pandering to these myths.

Re:Honk! Honk!

[Aardpig]

I seem to recall hearing that US spy planes have a special 'eraser' built into onboard HDDs, that behave like arc welders. Turn it on, and within less than a second the platters are completely slagged.

Re:Honk! Honk!

[Jagen]

That is a myth based on a theoretical paper. The principle is good, but you would need to know the starting voltage of each bit and exactly how many times that bit had been written to. Overwrite your files once, and they're gone, for good.

Re:Honk! Honk!

[_KiTA_]

I'd figure the same as with regular harddisks apply. One pass and gone the data is.

Except that unlike normal HDDs, SSDs intentionally fragment the data across the drive to avoid writing to a specific section of the drive repeatedly (an attempt to avoid over-writing to the flash). Assuming you don't fill up the ENTIRE DRIVE, your data might very well still be there.

I'd love to ask Ontrack or Drivesavers about it, to be honest.

Re:Honk! Honk!

[segfaultcoredump]

While it is true that the data can be recovered after multiple passes, what most folks forget to mention is the level of effort required to recover such data.

Think hanging chads, but on a much larger scale.

You get to pull the disks, and start walking them with an electron microsocope looking for the 'residual' images. Then you get to make a guess as to the 'bit' being a 1 or a 0. Then you get to start assembling a filesystem on top of all of that.

Yes, it is possible, but it would take a very, very long time.

Generally speaking, overwriting the data _once_ is enough to tormet your local law enforcement agency. The level of effort required is just too much for them to deal with the issue given the other things that they need to do. (rumor has it that in the old days they could just modify the firmware to shift the drive heads over a touch, but that trick does not appear to work as much with newer drives since there is not much space between tracks anymore)

The reason that the Military/NSA/FBI/CIA want to actually destroy the disks is because even though it is _difficult_, it is still _possible_ to recover the data.

Please note that for this to work, you must overwrite the actual sectors on the disk (aka "wipe"), not just blow away the metadata (aka "delete")

Re:Honk! Honk!

[farkus888]

built into the device? now that is cool! personally I've always wanted to watch one of the thermite grenade emergency data "deletions"

Re:Honk! Honk!

[phillips321]

I wish the US would spend more time inventing special 'erasers' that behave like god sends. Turn it on, and within less than a second the mother-in-law completely disappears.

Re:Honk! Honk!

[SharpFang]

The recovery services can recover data up to 4 passes deep. Thing is the magnetic orientation is not really boolean but float. So the transitions of the values of the plate surface are like (new) = (0.9*trans)+(0.1*old), so:

0->0 = 0
1->1 = 1
1->0 = 0.1
0->1 = 0.9
0.9->1 = 0.99
0.9->0 = 0.09
0.09->1 = 0.909

so you can guess the sequence of transitions from the value.

I know battery-backed RAM can't be recovered that way - it's like it was constantly writing to itself, you'll have a thousand write cycles in matter of miliseconds. I don't know how data is stored in flash though.

Makes you wonder if you could quadruple the capacity of the harddrives that way too.

Re:Honk! Honk!

[alen]

when i was in US Army Europe the intel guys would take the HD's out of their PC's when it was time to toss them and open them up and scrub the platters with brillo or some other wire brush to destroy the platter. The PC's would then get turned in via usuall channels.

For monitors if you wanted to process classified info it was a whole lot of paperwork because with the old CRT's you can read what is on the screen from like 3 blocks away just by the radiation they put out. ditto with Cat5. if you had a classified laptop you would have a short cat5 to a special encryption device, then cat5 out to the datacenter downstairs which had the same encryption device and then it would run out to the servers. NSA said you could read cat5 traffic from like 3 blocks away as well

Re:Honk! Honk!

[Hal_Porter]

How do we know you're not an NSA mole, paid to persuade us that one pass is enough? Or maybe your experts are an NSA moles and they've tricked you.

Re:Honk! Honk!

[afidel]

You are wrong, in fact the small feature size of modern HDD's actually makes it easier in some cases as the smaller magnetic domains are harder to flip so even small changes in alignment will mean that recoverable data will be left behind.

Re:Honk! Honk!

[iviagnus]

Just a quick FYI: Acid doesn't melt anything, it dissolves them. Basic Science 101.

Re:Honk! Honk!

The important thing to note is that you just mentioned the current NSA standard which takes into account massive paranoia and stupid theory.

More NSA paranoia, they're not sure if they need to start destroying UTP/STP Ethernet cable because it could store residual images of classified data making the cables themselves permanently classified. I am not even close to joking about this, they're that screwed up and over budgeted that your tax dollars are being pissed away on this kind of "research."

Oh, and then there's the new NSA-backed encryption with a built-in back door. Why bother breaking the encryption when you can just get in the easy way?

It's totally out of hand, so next time someone mentions the NSA and computer security in the same sentence, put your fingers in your ears and start yelling as loud as you can until they're done talking. It will make you feel less dumb about paying your taxes.

Re:Honk! Honk!

As someone who makes a living doing forensic recovery from drives that have been wiped please keep propagating the one overwrite myth...

Re:Honk! Honk!

[FesterDaFelcher]

Not in less than a second, but all of the hard drives we used on the AWACS plane had toggle switches that would begin writing random 1s and 0s to the drive for as long as there was power applied. One complete rewrite took appox 15 seconds, and the T.O. specified flipping the switch at least 2 minutes before a catastrophic event (read: plane crash). We also had another tool for physical destruction of our equipment, commonly called an "axe". :)

Re:Honk! Honk!

You're citing a 1996 paper when discussing modern HDDs?

Re:Honk! Honk!

[uncqual]

I believe the requested feature is best implemented in the file system layer rather than the physical media layer (SSD vs. HD).

There is a good proof-of-concept available (but it currently works only for wives) that could probably be easily enhanced to implement the mother-in-law eraser function (actually, perhaps it's already there, I've not used Reiser4 much).

Re:Honk! Honk!

[misleb]

Actually with regular/magnetic drives data is not gone forever with one pass. You can still use specialized readers that will detect change in magnetic field and be able to tell whether the analyzed bit was 0 or 1 before it was overwritten.

Yes, that is the common myth. And some say it is theoretically possibly. But nobody has ever published anything that I am aware of showing it actually being done. Can you point to reports of anyone actually do it? Anyone sell these "special readers?"

That said, i think it depends on WHAT you overwrite the data with. If you just use all zeros, then ya, you MIGHT be able to see what was there before, but if you write random data, I doubt you'll be recovering much, if anything. Maybe you'll get lucky and read some off-track writes, but I dunno.

-matthew

Re:Honk! Honk!

[afidel]

Why not, GMR technology was already on its way out of the lab by 1996, the only HDD tech more advanced than that is vertical recording which is still new and only used in a handful of drives.

Re:Honk! Honk!

[misleb]

The only difference between theory and practice is that, in theory, there is no difference. Congrats for referencing the same old paper that everyone else references on this subject. Now try finding reports of people who've actually recovered a meaningful amount of data from a drive that has been overwritten with random data.

Re:Honk! Honk!

[Jah-Wren+Ryel]

You are wrong, in fact the small feature size of modern HDD's actually makes it easier in some cases as the smaller magnetic domains are harder to flip so even small changes in alignment will mean that recoverable data will be left behind. You are wrong. You should have cited the author's follow-up to the original paper, like I just did.

Here's the relevant part of new epilogue:

Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. In fact, the same man has written paper that somewhat addresses the original question regarding forensic recovery of erased data in sold-state memory for usenix 2001.

Re:Honk! Honk!

[gardyloo]

Given the _same_ coercivity of a magnetic domain, given temperature, and a given external field, I would think smaller domains should be _easier_ to flip, on average, than large domains. The nearest- and next-nearest-neighbor influences would be much larger for small domains than large ones. After all, given the scaling laws of diffusion-driven "averaging" processes, fluctuations spaced closer together always converge to an average much faster than those spaced further apart.

      I _guess_ that the linked article is talking about the possibility of recovering data from the "edges" of data tracks, based on some remnant domain orientations due to the small widths of the write/erase heads. I can see how smaller domains might help retain data in that case.

Re:Honk! Honk!

[Firethorn]

I figure the requirements for a 21 pass overwrite scheme is still a requirement for sanitizing government drives for a reason.

Is it overkill? Certainly. But apparently 3 passes isn't considered enough.

Now, a simple overwrite is considered sufficient for flash, so we do have some standards.

Re:Honk! Honk!

[misleb]

The recovery services can recover data up to 4 passes deep.

Which 'recovery services' are these? Can you reference any authoritative reports of ANYONE recovering a meaningful amount of data even 1 pass deep?

Re:Honk! Honk!

[Teppic_52]

But if you delete the file, then for example cat /dev/urandom > /mnt/sdd/largefile on the drive, it will keep 'catting' until the drive is full.
Lather, rinse, repeat...

Re:Honk! Honk!

The recovery services can recover data up to 4 passes deep. Name one recovery service which has publicly stated that they can perform recovery of data which has been overwritten even just once. You know they would announce that far and wide, because it would save a lot of people's asses to be able to resurrect accidentally overwritten data.

Re:Honk! Honk!

[richlv]

hmm. are we talking here about cat /dev/zero > /dev/sda or cat /dev/random (or urandom) ?
because while i can clearly see that being possible with zeroes, overwriting with random source doesn't look such a likely candidate for recovery.
now, if i had some information i would like to be really gone, i'd probably use /dev/zero and [u]random at least a couple times each. anybody (except the known cia moles :) ) with insight how possible could _that_ be for recovery ?

Re:Honk! Honk!

[angus_rg]

I'm not a forensic expert, and don't even play one on TV, practically impossible isn't how I would describe the likely hood of retrieving data.

When write heads write, the are kind of like an analog device, they don't stop on the drop of a dime, so when writing to a sector, it may be a hair off and you can make out what was there before. With the help of checksums, you can sometimes fill in the blanks if one of the bits is unreadable. The biggest problem you have is finding a write that was before the deleted file.

There's a reason the DoD had/has a policy of writing 5 passes to a disk. Something like 1 pass Zeroing, another Oning, and the rest random. As I said before, I'm no expert, so I don't know how likely they'll find it, but, the more you write and defrag, the less likely.

Re:Honk! Honk!

[nasor]

And perhaps more importantly, there are currently no established forensic procedures for recovering data that has been overwritten. Police can't just use any random forensic procedure that they feel like - only certain established procedures can be used, and at present no such procedure exits. Which means that even if it were physically possible for the police to do it, the resulting evidence would almost surely be inadmissable in court. The NSA might take an electron microscope to your hard drive if they think you have the plans for China's new invisible tank on it or something, but in general the police won't be able to do a thing.

Re:Honk! Honk!

[SharpFang]

Not really - if the values are orders of magnitude apart. You pick a bunch of zeros and try to separate them in two distinct groups, "deeper zeros" and "shallow zeros". These that have been ones in previous life, and the ones that have been zeros. The groups will be quite distinct with very little/no "specimens" on the border, because the residual value from "two lives ago" has very little influence. Then you can take each of these groups and split it in half again. The difference will be much smaller but still you should come up with two distinct groups.

Differential readout is a wonderful thing.

Re:Honk! Honk!

Thing is the magnetic orientation is not really boolean but float. So the transitions of the values of the plate surface are like (new) = (0.9*trans)+(0.1*old), so

This argument assumes simultaneously that the magnetic orientation is and is not truly "boolean." ie: it is based on the idea that the first set of data is 1.000 or 0.000, so that you can neatly detect the difference between 1.00->0.00 = 0.10 and 0.00->0.00 = 0.00. If what you really have is 0.9±0.1->0.0 = 0.1±0.1 and 0.0±0.1->0.0 = 0.0±0.1, then your deciphering becomes a lot more difficult.

Presumably, drive manufacturers store their data so densely that they can be pretty sure to resolve the difference between nominally 1 and nominally 0, and those transition effects are way down in the noise.

Re:Honk! Honk!

[Biff98]

Just because something is a government policy, DEFINITELY doesn't mean there's a good reason for it existing...

Re:Honk! Honk!

[William-Ely]

I work in the data recovery field and I can say that it _might_ be possible to recover overwritten data on older drives by messing with their calibration but at that point the likelihood of success has to be incredibly small. With the data density of modern drives being as high as 250Gb/in^2 you would need some serious equipment and a lot of time, money, and patience. In fact I imagine that if the data was that important that you would go to such lengths to recover it you should shoot yourself for not having a backup of it somewhere.

The recovery process for SSD media is actually similar to normal flash memory. In fact it's easier than normal drives since there are no heads and platters to worry about. So yes deleted files can still be recovered and drive scrubbing utilities will still work as intended.

Re:Honk! Honk!

[Kjella]

The reason that the Military/NSA/FBI/CIA want to actually destroy the disks is because even though it is _difficult_, it is still _possible_ to recover the data. And at some level, the risk/gain ratio becomes so abysmal you just destroy it anyway, even if you don't think it's possible.

Re:Honk! Honk!

[Gordonjcp]

Then you get to make a guess as to the 'bit' being a 1 or a 0.

That's the tricky bit. Any hard drive built in the last ten years or so won't actually write ones and zeros to the disk, but uses something like QAM to pack even more bits per symbol on. Think in terms of one nybble being represented as an analogue value from 0 to 15 - was that 6 really a 6, or is it a faint 7? Or was it a 5 that wasn't particularly strongly erased?

Overwrite each track once, and the data is gone.

Re:Honk! Honk!

[segfaultcoredump]

When dealing with the military, you also have to factor in the difficulty level of the instructions.

Which is easier:

Run this application, selecting the entire drive, following these procedures, bla, bla, bla

_or_

Smash drive into little bits

Now, you also have to take the 'fun' factor into it while you are at it. Smashing the drive is a lot more fun :-)

Re:Honk! Honk!

[Jah-Wren+Ryel]

I figure the requirements for a 21 pass overwrite scheme is still a requirement for sanitizing government drives for a reason. Please cite a government document that specifies this 21-pass overwrite (or any number of overwrites). No amount of overwriting serves to 'sanitize' a classified hard disk. At least not for the US government.

Re:Honk! Honk!

[Jah-Wren+Ryel]

FWIW - a data zero does not produce a string of zeros on disk. The encoding mechanism is a lot more complicated than that. It's not random, but it isn't anywhere near that straightforward either.

Re:Honk! Honk!

[SP33doh]

I'd consider seagate a little more than a handful.

Re:Honk! Honk!

[gnick]

Smashing is effective and very simple. I work in areas where, if a CD needs to be destroyed, it is degaussed, crushed, and incinerated. At first, it seemed ludicrous to degauss a CD. But they use the same procedure for everything and it's (usually) very effective. Got data to be destroyed? Toss it in a burn box and it's toast. Really toast. Very effective, very easy, and basically no thought or instruction. Better for data to be accidentally destroyed than accidentally saved in some arenas.

Re:Honk! Honk!

[mikael]

I once heard a story that there is a layer of magnesium between the magnetic layer and the glass/aluminium platters. The entire component is sealed hermetically with inert gas. To destroy the data all that has to be done is to pull out a small plug and the oxygen in the atmosphere reacts with the magnesium to turn the drive into toaster waffles.

Re:Honk! Honk!

[Sanat]

Back in the 70's before hard drives were small enclosed devices, I had worked on a hard drive that would give old outdated data of customer's information... things like an old telephone number, or old contact names, addresses, etc.

The drive used every other cylinder with the idea of one day doubling density of the drive with the addition of a jumper wire on the track counting circuit. Well the zero track sensor was defective and so the disk was formatted twice with each interleaving the other as the first format failed.

Every once in a while while performing a "restore" command which brought the heads back to the zero track the carriage would mistakenly stop on the middle cylinder thus providing old information mistakenly updated previously.

Replacing the track zero sensor did the trick in fixing the problem... everyone thought the drive was possessed by evil spirits as corrected data would mysteriously change itself back to what it was prior to the change.

This was a Wang model 710 and of the 20 mistakes a designer could make in designing a disk drive about 19 were accomplished in the 710's design. The only thing that was done right was pulling it off the market and replacing it with a Diablo model 43.

This problem brought a whole new philosophy about deeper zeros and shallow zeros. Thanks for your post... it re-reminded me of the 710 fiasco.

Re:Honk! Honk!

[_KiTA_]

But if you delete the file, then for example cat /dev/urandom > /mnt/sdd/largefile on the drive, it will keep 'catting' until the drive is full.
Lather, rinse, repeat...


So all I have to do is every time I want to delete a file, wait for a 15-319 gig file to write to the drive?

Woo, Thank god I get extra performance out of Solid State Drives.

In all seriousness, working in tech support, I am much less concerned about data security per say and somewhat more about "whoops, my SSD drive died, wonder if I can recover anything?"

Re:Honk! Honk!

[Rakishi]

Government mandates also include grinding, shredding and melting the hard drive then storing the molten brick for 50+ years.

Re:Honk! Honk!

[imgod2u]

Just like a normal HD, there is a "wear and tear" involved with each bit. For NOR flash, the charge is literally "forced" into the floating gate by a large voltage being applied across the dielectric. This occurs for each write. The erase, as far as I'm aware, uses quantum tunneling to discharge the floating gate which is a lot less harmful, I think, than hot carrier injection.

If each time a bit is written (and it's always written only if it's to be a "0" in the NOR case) the dielectric has some measurable wear (which I think it does) then the number of writes for each bit can be determined. Knowing the scatter-write algorithm and if the algorithm doesn't use a real random seed (like system time or user input), it's possible to map these writes to what the algorithm would've written (assuming you knew the erase-over pattern as well).

That's a lot of if's. Any good "eraser" worth its salt would use a real random number (user input or system time) to generate its erase pattern. It'd then be very difficult to tell where the "old" data is and where the "new" data is.

Re:Honk! Honk!

[s13g3]

How in the name of CowboyNeal did parent get modded as +5 Informative?

I recover deleted data WITHOUT a clean room or disk disassembly process on a nigh-daily basis. There are plenty of software tools that will recover data post-format, deletion, or crash; some even after multiple passes. Just yesterday I recovered about 3.4GB of data from a hard drive (that I didn't know at the time was failing with bad read-heads that were pinging the disk surface and creating physically-bad sectors) that had been reformatted (full format, not quick) and re-installed. The particular sequence of apps and methods I used enabled me to recover almost all the important docs on the machine minus a handful of unrecoverable files in the physically failed sectors. The disk later crashed again after the recovery, which was when I discovered the drive was failing. The MFT and MBR were completely shot and most bootable diagnostic applications listed the disk as unreadable. Others would attempt to read the disk but showed no data, even some tools that are supposed to seek data outside the MBR by examining individual clusters. Once again by using the right tools in the right sequence, I am, as I write this, recovering data from the disk yet again (this time as a slave drive in another machine, backing up to a known good archive drive)... Looks like I'm once again going to get all the data but another handful of files that were stored on physically damaged sectors.

So, no one is pandering - please to know what you're talking about first... Yes, my ability to recover data via software tools extends even to many (but not all) software applications that are supposed to securely and irrevocably destroy data. Also, if you're insistent about staying off-topic in regards to data-destruction in the face of law enforcement, not only are all the software methods you might use to destroy data far too slow, but chances are they just won't do the trick. This was a giant concern for the U.S. Air Force after the collision of a P-3 Orion with a Chinese fighter jet, where it was forced to land in China, and NONE of the data destruction techniques available to the crew were remotely sufficient to destroy enough data in the time available to them, but even if they had been, chances are a devoted enough analyst with the proper equipment and time still would have been able to recover more data than desirable (which, since it was all highly classified, means any data at all) outside of explosives, which they had, but are not generally a good idea to detonate on the inside of a flying aircraft. Since then the U.S.A.F. has developed a method of data destruction that utilizes what is essentially a modified medical defibrillator with a somewhat greater total output and replacement of the standard shock paddles with high-strength electromagnets that are placed on both sides on the drive and then discharged, functionally flipping the polarity of the entire disk and destroying all lingering magnetically resonant harmonics.

A dedicated and determined analyst with the right tools and time can recover vast quantities of data on disk subject even to a "military format"... Modern drives and recording techniques have nothing to do with anything in this regard. The only fool-proof way is massive electromagnetic discharge, incineration or to sand or otherwise physically damage the platters themselves... To quote 'Zerth' from above, "Fe2O3+2Al is your friend." Nothing will do the job quite as readily as Thermite, however it obviously presents it's own issues... especially since setting it off to erase your hard-drives before the authorities arrive is almost certain to earn you a large number of other very serious criminal charges, and liable to burn your home or office down; it's also hard to get the stuff to ignite reliably sometimes.

I'd STILL like to hear an answer to the actual question put forth in the article... We all know that hard disks can be disassembled and forensically recovered in the case of serious failure or attempted data destruction... But a

Re:Honk! Honk!

[RobBebop]

I have seen a device that you insert a CD/DVD into and then it pops out a clear plastic disc with some dusty residue. Highly effective at eliminating any data on your CDs.

Re:Honk! Honk!

[Whatanut]

Boss: Hey! What are you doing back in the computer room?
Employee: Playing with my wang.
Boss: ...

Re:Honk! Honk!

[letchhausen]

And they leave a laptop with all the data on it in some bus terminal somewhere.....

Re:Honk! Honk!

[Nintendork]

I remember reading about this in regards to CRT. Here's a good article. Regarding the reading of CAT5 from a distance, I call BS. There isn't enough leakage due to the positive/negative pairs. In any case, IPSec in transport mode should be used for secure transmission on any media. No standalone device required. Even fiber can have a splitter installed for eavesdropping if the traffic isn't encrypted.

Re:Honk! Honk!

[Jagen]

"As someone who makes a living doing forensic recovery from drives that have been wiped please keep propagating the one overwrite myth..."

You my anonymous friend, are a no good, stinking liar. There is no software method for reading the magnetic flux levels of the bits of a hard drive as obviously the drive firmware interprets that data itself and present the 1 or 0 to you, and you do not have an ETM that can be anything like precise enough for the density of modern hard drives, and even if you did how quickly could you read the data and what could you do with it? The bits are essentially stored as analogue data so apart from what the current setting is supposed to represent (1 or 0) how do you propose to get any useful information about the history of that bit?
I can believe you recover data from drives people think they have "wiped", but if I overwrite every bit on my hard drive with garbage you are not going to get anything but garbage from it.

Re:Honk! Honk!

[m85476585]

It doesn't dissolve anything either (well, it might, but not anything that is not already soluble in water). It reacts with things and creates other products. Consider this reaction:
2HCl + Zn ---> ZnCl2 + H2
The Zn is not dissolved. It becomes ZnCl2, which is insoluble in water and probably settles out. This is a simple Redox reaction.

Re:Honk! Honk!

[Sanat]

There were lots of jokes like that . We joked about it too.

Wang Labs had PC's back in the late 70's based on the Z-80 architecture. The thought process back then was to stay proprietary so no other company could move in on you... what it did was make a lot of companies look like dinosaurs. Wang, Data General, Prime, Honeywell, etc. all went down the tubes because non-interoperability.

Perhaps the best book that I have ever read was "The Soul of the New Machine" by Tracy Kidder... if you are a techie then this is a must read. If I remember right it even won a Pulitzer Prize... it is about a new machine designed by Data General techs beneath the radar of management that kept the company going against all odds. How one man fighting big odds was able to make it happen.

Re:Honk! Honk!

[Alex+Belits]

that had been reformatted (full format, not quick) and re-installed. The particular sequence of apps and methods I used enabled me to recover almost all the important docs on the machine minus a handful of unrecoverable files in the physically failed sectors.

O RLY?

Re:Honk! Honk!

[loimprevisto]

Fun?!

Sure, during the first two- or three- or 10 taking a sledge to the drives and ripping out the magnets for various amusements may be fun... but when you have a whole cabinet of them to destroy, and a 12lb sledge is your only tool, and it's the middle of summer in Louisiana you really start wishing your unit would just buy a degauser!

Re:Honk! Honk!

It's far faster to detroy the few bits of encryption key material as opposed to trashing the entire sum of all data. Yes, there's a chance the Chinese could decrypt it, but realistically, the data will be worthless by then. (Assuming the use of a proven algorithim, and public knowledge concerning the strength of them).

Re:Honk! Honk!

[Vellmont]

I figure the requirements for a 21 pass overwrite scheme is still a requirement for sanitizing government drives for a reason.

I've never heard 21 before, but there's a common belief (often inaccurate) that more==better. I'd bet your "reason" for multiple passes is really more of a CYA kind of thing.

As far as data recovery goes, no amount of re-writes is guaranteed to overwrite every single sector on the HD. Modern HD's do "sector re-mapping", which means the HD will mark a physical sector out of service, and re-map it to a set of spares. Whether you can ever write to this sector again without messing with the internal firmware of the HD, I don't personally know.

Re:Honk! Honk!

[Vellmont]

Yes, my ability to recover data via software tools extends even to many (but not all) software applications that are supposed to securely and irrevocably destroy data

So how does one destroy data, beyond your ability to recover it? What's the software that actually destroys the data?

A dedicated and determined analyst with the right tools and time can recover vast quantities of data on disk subject even to a "military format".

I find this hard to believe. Formatting is nonsense, but if you write to every single sector on the drive booted into a separate OS, I just can't see how it's possible to recover anything but maybe some re-mapped sectors. Making wild claims about "proper tools" tells me nothing.

Re:Honk! Honk!

[Nintendork]

I'd have to agree with the other posters. Modern drives (Post 2001 and > 15GB) can't have overwritten data recovered. And that time and size is when all of the drives had advanced, so I'm sure there's plenty manufactured before then that qualify as well.

Most data recovery shops don't even have a clean room. They get people that did a quick format (Wiped MBR, MFT, or partition tables), overwrote just some data, or had failed PCBs. Hell, with mechanical failures, I've gotten about 75% backed up by freezing them overnight before hooking them back up. Another 10-20% I've recovered by swapping PCBs with a donor drive. These so-called "Recovery experts" charge laymen $800 for minimal labor at best or PCB from a $50 ebayed drive at worst. That's a huge profit margin.

There are a few recovery paces that are skilled enough to swap heads and maybe even some that can figure out how to swap platters. But when it comes to recovery of overwritten or physically destroyed media, good freaking luck.

Re:Honk! Honk!

[s13g3]

My techniques would take too long to outline in this space, and can be discovered by anyone willing to take the time to research software data recovery techniques. While the archive method violates several copyright laws, there is an excellent compendium of related tools on the "Hiren's BootCD" that you can find by searching for a torrent of the same name - this is a pretty comprehensive group of tools for many applications, and the collection of data recovery tools is excellent, especially if you know how to use them in addition to other recovery methods.

As far as data recovery on a drive that has in theory been flipped to pure 0, to 1, and then back to 0 again, ask anyone who works or has worked at a data recovery facility where they physically disassemble the disks for analysis. They'd be able to give you a much more scientific explanation (that's not what I do for a living), but the short of it is that the platters retain a magnetically-resonant harmonic latent in the background that is not immediately apparent to the standard read-heads built in to the disk, or is not apparent to them on individual sectors; however, when all the platters on an entire disk are examined, the standing magnetic harmonic (this may not be exactly the right term, but it's close enough, iirc) may be seen and analyzed in order to reconstruct the data on the disk. When I worked at D.E.C., we had an engineer in the "warp core" downstairs who had purchased a mil-spec "portable clean-room" for dirt cheap at an Army/Navy Surplus store that didn't realize what he had. I distinctly remember him making the claim (other engineers in the building validated his claim, though I never witnessed it myself) that he could even recover about 60%-70% of the data from a disk that had been subject to a "military format", which iirc, at the time referred to a disk that had been formatted to 0 then to 1, 0, 1, 0, 1, 0 (i.e. seven full flips). It is my understanding that a fully outfitted and funded data recovery analyst (i.e. large corporate or military/government) can still recover similar amounts of data after numerous "disk-shredding" operations.

I'm mainly limited by drive-failure in my ability to recover data. Enough formats or overwrites of the individual sectors may prevent me from being able to see or recover the data with what tools I have available. A full-on format, however, still doesn't ensure I can't get data, unless you use an application specifically meant to wipe a disk that runs from a bootable (non-windows) environment, and some of those seem to do better jobs than others; that said, a full wipe (which happens to generally be a very slow process too) is your best bet short of physical destruction in order to prevent any software based recovery... As far as preventing actual recovery analysts from finding data, use the methods I and Bill Stewart mentioned above - Drill/sandblast the platters, degaussing (and no, a regular magnet will NOT prevent a real analyst from recovering data... you need a particularly high-strength electromagnet), or thermite; these are the only guaranteed methods. You could try rigging up a method using the magnetron from a microwave, but that would bear experimentation and I have no certainty of it's effectiveness.

Examine the "Hard Disk", "Recovery Tools" and "Partition tools" portions on the Hiren's disk, and experiment with the tools available there. It still takes a little experimentation on my part depending on the nature of the data-loss to find exactly the correct or safest procedure for data recovery, but if you know what you're about when it comes to computers, it shouldn't be too hard to figure out. There are also a number of tools on the CD that run in Windows instead of from the bootable portion of the CD, and a number of these are also very successful at recovering data - GetDataBackNTFS did for the first recovery on the machine I referenced above... Even though it had been NTFS full formatted and re-installed since, I could have recovered all the data on the disk, incl. OS (except what

Re:Honk! Honk!

[jmdc]

What tools do you use for data recovery? Are you recovering from a situation where the data is still on the disk but the data structures that point to the data are gone, or has the data itself been overwritten? Thanks in advance.

Re:Honk! Honk!

[s13g3]

Please see my above reply to Vellmont - a fair majority (but not quite all) of the software tools I use are contained on the Hiren's BootCD, though whenever possible I try to acquire valid licensed copies of these tools whenever possible in order to remain legitimate, thogh this isn't always possible with tools such as Winternals Disl Commander, as it is no longer in production. I do periodically download a new version of the Hiren's CD in order to see if any new tools or techniques I don't know of have cropped up there.

There are different (usually) utilities to recover data that has been deleted/formatted/etc. vs. data that was "lost" due to MFT corruption, tho some applications work alright for both. Some apps seem to have better results in some situations or depending on the actual techniques employed leading up to the recovery process, but I can usually get both. Additionally, occasionally when a disk is suffering unidentifiable physical failure, including where the disk isn't even recognized in BIOS, it sometimes works to place the disk in the freezer overnight, then in the morning or whenever plug the disk in FAST and bootup, then either attempt to copy the data to another disk as normal, or boot into a recovery utility to copy the data just as fast as you can. It doesn't always work, but in the face of absolutely nothing else working, it's worth a try and seems to work about 1/4 of the time, though recovery tools may still be needed, and it may or may not last long enough to recover all the data you need.

Re:Honk! Honk!

[s13g3]

Caveat - Do NOT attempt the freezing procedure on a disk until every other recovery method has been tried and failed. I am not certain whether or not this process will affect a true data recovery facility's ability to recover any data, but on two occasions that I recall, the disks involved after freezing showed signs of what seemed to be bearing or motor failure where the disks at least spun-up (but were not otherwise detected in BIOS or readable) prior to freezing, but afterwards started producing very bad noises... I'm fairly certain one case the drive had been having issues to a cracked bearing... While I would normally think that freezing it (thus causing the bearing to shrink marginally and reducing the strain placed on the drive motor and spindle) would have stabilized it for a while for data recovery, either something happened with the bearing lubricant or motor or... well, I can't be certain, but whatever it was, the drive was then thoroughly shot, as indicated by lots of really *bad* noises coming from the drive that weren't there before.

In neither of the two cases where I suspect this procedure having actually made things worse was the data important enough for the drives to be shipped to a recovery facility where recovery costs start at $500, so I'm not sure, but I tell my customers that if it would be worth spending $500+ to recover their data that they go ahead and contact Cherry Systems and ship their drive to them. From their website:

If you have experienced a data loss, we understand the pressure you may be under. With a success rate of over 90% our experienced technicians at the Cherry Systems Lab can help you.

To increase your chances of a successful hard drive recovery, do not run any utility programs on the drive or allow anyone to work on it unless the drive has been successfully copied or mirrored.

So, I assume they mention this in case someone tried to do something foolhardy or ill-advised (which in general probably includes freezing) to the disk, though I do know that I have sent many other disks that I attempted to recover by software but could'nt (and did not freeze) that were then sent to Cherry and the data from them was successfully recovered... So, that warning may include freezing, though I think if you're intelligent about what tools you do or don't employ and what techniques you do or don't use when considering the importance of the data to be recovered, then you'll probably be safe... However, if it's just some old but unimportant emails or music or something that isn't worth paying $500+ to recover, it can be worth the try - I just wanted to make certain I didn't leave anyone under-informed.

Re:Honk! Honk!

[greenbird]

This was a giant concern for the U.S. Air Force after the collision of a P-3 Orion with a Chinese fighter jet, where it was forced to land in China, and NONE of the data destruction techniques available to the crew were remotely sufficient to destroy enough data in the time available to them, but even if they had been, chances are a devoted enough analyst with the proper equipment and time still would have been able to recover more data than desirable

I don't know where you got this information but this sounds outright stupid to me. Why wouldn't you use encrypted drives? That way the only thing you need to wipe are the keys. That should eliminate the need for any James Bond stuff to prevent capture. Unless you're suggesting all encryption is crackable.

Re:Honk! Honk!

[dbIII]

I'll add to this from an engineering viewpoint that the freezing thing is only for failed bearings which is always going to be a noisy or completely halted drive (you can't feel the thing spin up). Offtopic a bit: the most dramatic use of the freezing trick I've seen was for a ~250kg copper piston stuck in the first stage of a shock tunnel used to produce mach 6 shock waves. Drilling carefully chosen holes in the piston, feeding in a lot of liquid nitrogen plus a fair bit of encouragement from a ceiling crane eventually got the thing out.

Re:Honk! Honk!

[greenbird]

Not in less than a second, but all of the hard drives we used on the AWACS plane had toggle switches that would begin writing random 1s and 0s to the drive for as long as there was power applied.

Am I missing something here? Why not just encrypt the drives and just wipe the keys in an emergency? Seems to me that would pretty much foil any attempts at data recovery.

Re:Honk! Honk!

[Vellmont]

If you're talking about reconstructing a filesystem, after the filesystem has been "formatted", I have no problem believing that's very very possible, and done on a daily basis. Reconstructing the boot sectors, file allocation tables, etc is of course quite possible, since the actual files haven't been overwritten.

I distinctly remember him making the claim (other engineers in the building validated his claim, though I never witnessed it myself) that he could even recover about 60%-70% of the data from a disk that had been subject to a "military format", which iirc, at the time referred to a disk that had been formatted to 0 then to 1, 0, 1, 0, 1, 0 (i.e. seven full flips).

This is more the claim I have a problem believing. I always hear this, but never from anyone that's actually done it. When I do, it's always years ago.

The other thing I hear is that it WAS possible many years ago, but with modern disks with extremely high-density data, it's no longer possible.

Re:Honk! Honk!

Do a google search on "Tempest eavesdropping". you'll get plenty of info, and proof that data from cable leakage is more than possible.

Re:Honk! Honk!

What a waste of space and time. All that text was written just because the author doesn't know the difference between wiping and (full) formatting. He thinks he's leet because he has a collection of warezed data recovery tools which reconstruct files from readable sectors on a hard disk which a preceding format didn't touch. At least it's an example for the way moderation works in pseudonymous contexts: Confidence draws positive moderation, no matter how wrong the author is.

Re:Honk! Honk!

Actually I sat in on an ACM lecture where a digital forensics professor from the University of New Orleans was asked this same question. He said that SSDs pose a new problem to forensics, and that further research into this field was required.

Re:Honk! Honk!

[someone1234]

Hmm, so you practically double or treble your disk capacity, considering you can safely recover data using software tools after 1 or 2 overwrites?

Why isn't this method on the market yet ?

Re:Honk! Honk!

[FesterDaFelcher]

No, you're not missing anything, but there are a lot of factors in play:

1. This is LITERALLY 1970's technology. I installed the first hard drives on the plane in 1998, before that, we were carrying boxes of reel-to-reel tapes around. Scary, huh?
2. It does have a form of encryption, but when it comes to top-secret data, there is no "good enough" when it comes to data recovery. The data has to be completely GONE in order for it to pass acceptance.
3. The keys for the radar, IFF, etc were kept on a removable key (looked like a metal TV remote from the 1950s) that could be wiped, and then there was a special port that the key was plugged into that ran a huge pulse of energy through it to actually melt the board. It would then be dismantled and the boards inside hit with that axe I mentioned before. (Only in extreme cases)

The other thing to remember on any military plane is that everything has to be emp hardened. That meant that PCBs had to be huge, grounded 9 ways to midnight, and EVERYTHING was encased in faraday cages. All of our computer switching equipment could have been kept inside one PC, but in order to withstand an EMP blast from a nuclear explosion miles away and still function, it took up 4 cabinets that were twice the size of refrigerators.

With the military, enough is never enough.

Re:Honk! Honk!

[misleb]

I figure the requirements for a 21 pass overwrite scheme is still a requirement for sanitizing government drives for a reason.

Is it 21 now? I thought it was 7. And no, that isn't proof of it being possible to recover data from a drive that has been overwritten. It just means the government knows it not necessarily impossible. SO they're just careful. Also, I imagine they figure if you're going to overwrite it once, it isn't much trouble telling a program to do it many times.

Is it overkill? Certainly. But apparently 3 passes isn't considered enough.

Or it is just as easy to do it 21 times. It is one of those "why not?" things. The only thing that counts as evidence that it (recovery of data from one or more overwrites) can be done is that it has been done.

-matthew

Re:Honk! Honk!

your comment about using data recovery utilities does not apply to this discussion at all. The poster is talking about recovering data after it was overwritten, not simply formated or deleted. I doubt you understand how the file system works much less the mechanics of a disk head read/write operation.

Re:Honk! Honk!

[s13g3]

I don't know where you got this information but this sounds outright stupid to me. Why wouldn't you use encrypted drives? That way the only thing you need to wipe are the keys. That should eliminate the need for any James Bond stuff to prevent capture. Unless you're suggesting all encryption is crackable.

I am suggesting precisely that. While it is still incredibly off-topic when compared against the original parent article (considering most people don't care or need to encrypt their data drives, and said encryption is totally irrelevant to the question of data recovery - just because you don't have a key to read it immediately doesn't mean the data files can't be recovered intact from a disk and later analyzed), yes, even "government grade" encryption is susceptible; I suggest you educate yourself a bit more before you start bandying about words like stupid - look into the details of the U.S. Navy EP-3E ARIES mid-air collision with a Chinese F-8 Finback. In their case, much of the data on the aircraft was encrypted, but this did very little to soothe the Navy's concerns... Fact is, they were fairly certain that the Chinese analysts stood a high probability of recovering vast amounts of sensitive data, encrypted and otherwise from the aircraft, as you can't possibly encrypt everything on the aircraft; too many of the surveillance and communication (not to mention flight control) systems on the aircraft demand or record data at rates far in excess of what an encryption/decryption algorithm can keep up with - crypto requires time and resources, neither of which are generally over abundant when it comes to air operations.

From GlobalSecurity.org:

After Sunday's collision, the 24-member crew had just minutes before making an emergency landing on China's Hainan Island to destroy sensitive information. This would include codes for encryption systems and the records of electronic intelligence that had been collected during the flight - both of which would be highly useful to a potential adversary.

The 19 "electronic warfare" technicians, working shoulder-to-shoulder at terminals back in the windowless fuselage, practice such destruction techniques under far less stressful circumstances. The first few minutes last Sunday morning - over water, hundreds of miles from the plane's base on Okinawa, and in the presence of armed and hostile jets - were undoubtedly palm-sweaty tense as the pilots struggled to regain control of the plummeting four-engine plane.

Even if the crew was able to destroy all the computer codes and electronic records of the flight, US military and intelligence services "will probably treat as compromised much of the equipment just to be on the safe side," says Smith, a former military intelligence officer. Using reverse engineering, for example, Chinese technicians will be able to gather important data on the receivers, radars, and other highly classified equipment used in gathering the "SIGINT" (signals intelligence) and "ELINT" (electronic intelligence). This could be the difference between victory and loss in time of war.

There is also this at DarkReading (originally from VARBusiness):

JUNE 16, 2006 | PORTLAND, Ore. -- In 2001, an American spy plane collided in the air with a Chinese fighter and was forced to land on Chinese island. Since then, researchers have been looking for a way to quickly erase computer hard drives to deny access to sensitive intelligence data.

Scientists at the Georgia Institute of Technology (Atlanta), working with L-3 Communications Corp. (New York), said they have developed a technique for quickly erasing hard-disk drives. The team reports development of a prototype fast-erasure system to prevent sensitive information from reaching enemy eyes.

At the time of the U.S.-China incident, there was no way the

Re:Honk! Honk!

See, the problem with your "multiple pass data erasing" scheme is that no matter how many times you write to a sector, there is still a magnetic field there. True data security can only be achieved with dynamite. Take a page out of your local meth-head's book: booby trap your case with trip wires to make sure nobody ever ever gets at your data.

Re:Honk! Honk!

[Nintendork]

Thanks for the term. I was having trouble finding relevant information. After more searching witht he term you provided and associated terms like EMR, the closest information I could find for monitoring data cables is this pdf covering the eavesdropping on EMR from RS-232 cables. From the paper:

"Eavesdropping experiments showed that RS-232 data signals can be intercepted several meters away from a target system, even when a shielded data cable is used."

"A PC-modem connection placed in a living room could be intercepted in the bedroom of an adjacent house!"

Re:Honk! Honk!

[zerkon]

Yup it's like a planer for wood working except for destruction of classified CD's, we use them in my office.

Re:Honk! Honk!

[itchyfish]

In addition to freezing drives, I've also heard of putting them in a regular oven at a very low temperature, like 150F or so, to achieve the same effect. I have performed both methods (many moons ago) to try and get drives to spin up. Freezing has worked twice, and warming once for me as far as getting them to simply spin up. I don't think I was actually able to recover much data from either, but then again, like s13g3 mentioned, it wasn't worth the $ to go any further.

Re:Honk! Honk!

[s13g3]

Very interesting... I'd never tried heating the drives, but it may sometimes be worth a try... Any idea what situations heating may be preferable to freezing?

Re:Honk! Honk!

The EP-3C knocked down over Hainan Island was a NAVY plane, not Air Force.

Er, what's the actual question?

[broken_chaos]

Is it "How can I recover data from a failing/failed solid-state drive?"? Or is it "How easily can someone else find my 'deleted' data on my solid-state drive?"?

I'm not sure of the answer to either question, directly, but I'd suggest multiple backups for the first one, and encryption for the second one (full/near-full disk encryption is quite fast on a multi-core system).

Pointless

[mlyle]

It appears that solid state drives are going to have several times the MTBF of conventional media, and thus a failure rate several times lower. Sure, data recovery is much less likely to work when SSDs fail-- as it's more likely to be the actual memory failing than controller chips or ancillary electronics. However, normal disk recovery places can only recover your data from a failing/failed drive perhaps 60-75% of the time. Thus, the actual incidence of unrecoverable data on a SSD is likely to be much lower than with rotating media, and the overall failure rate lower still. This is nothing but a win, as the normal data recovery rackets are made irrelevant in the case of media failure and overall reliability is improved.

Re:Pointless

[TooMuchToDo]

I agree with your post, and would like to point out that the original question is moot. Between SSD media, redundant drive systems, and autonomous remote backup platforms, you should care little about the media data recovery rate. Only care that you've put an intelligent data management system into place. Don't have a single point of failure (like the media) and you'll be fine.

Re:Pointless

[TubeSteak]

It appears that solid state drives are going to have several times the MTBF of conventional media, and thus a failure rate several times lower. Generally speaking, solid state media don't fail. You lose sectors over time and these get replaced from the resevoir. When the resevoir runs out, the size of the available space shrinks, but AFAIK, data doesn't get corrupted when a sector gets stuck.

AFAIK, the only way you get data corruption in a SSD is from power fluctuations causing a bad write.

Re:Pointless

[QuantumRiff]

However, if your not concerned so much about recovering your data as you are about someone else recovering your data, I would zap the chip with 110V ac current. We used to play with EEPROMS and the like in college, putting too much current to them, it literally melts the logic gates.

Re:Pointless

[Kjella]

I'm not sure which law it is, perhaps Titanic's law, but anything that's claimed to be infallible will find a way to fail on you. Redundancy is the only real answer - and preferably a lot of that too, I had two disks fail simultaniously in a RAID5.

Re:Pointless

[TooMuchToDo]

Or wrap the SSD device with thermite, and enclose it within a fireproof safe. Poof.

Re:Pointless

[darkwhite]

By "media", most people understand the whole storage unit, not the actual cells on the chip. That means failures in any of the flash chips (which may have nothing to do with the actual memory cells - anything from the power bus transistors to the solder pads on the packages), the bus interface chip, the controller/addressing chip for the flash chips (if any), etc. There's plenty of room for failure.

Re:Pointless

[russotto]

Generally speaking, solid state media don't fail. You lose sectors over time and these get replaced from the resevoir. When the resevoir runs out, the size of the available space shrinks, but AFAIK, data doesn't get corrupted when a sector gets stuck.

You'd think so, but it ain't so. The junctions can get slightly leaky with use, so you write your 0, verify it as a 0, but a few seconds later it's a 1 again. Corruption.

Re:Pointless

[dgatwood]

That's not entirely true for flash media, though. Flash media are rated for a specified number of write cycles, and then they won't reliably hold their state. As I understand it, those failures are all pretty heavily clustered around the mean time to failure. Because of wear leveling, you're using up all your cells approximately equally. Thus, once you start seeing bad cells (not counting initial cell defects, of course), you probably need to retire the drive, as all the spare cells are likely to fail to be writable in fairly short order.

Humorously enough, my experience with hard drives has been similar. With few exceptions, a couple of bad blocks showing up is usually a precursor to the drive going completely dead within a matter of days. YMMV.

Re:Pointless

[Silver+Gryphon]

Humorously enough, my experience with hard drives has been similar. With few exceptions, a couple of bad blocks showing up is usually a precursor to the drive going completely dead within a matter of days. YMMV.
I believe IDE drives made since the early/mid 90s have auto-remapping where a bad sector is moved silently except to the SMART diagnostics -- no bad sectors show up at the OS. When SMART reports you have a pending failure due to bad sectors, it's because most of the spares have been taken up or the remapping failed on the first try. By the time an IDE drive shows a bad sector, it's practically toast.

Am I wrong about this?

Re:Pointless

[brock+denton]

You are pretty close on all this. Yes, modern flash firmware should use a reservoir of replacement sectors to fill in for bad ones. Even HDD do this to some degree but I believe limit it to nearby regions. Flash firmware has less of a dependency on location of the bad blocks. It's firmware dependent, so may be limited to sectors in blocks on the same chip when choosing replacement sectors. On most modern firmware there should be no limitation though.

As for write power failure of SSD, modern flash firmware is more transaction based and should recover from this. You may lose the data that was being written at the time of the power failure, but previous data and the firmware datastructures should still be in good shape. However, I'm sure there's still much flash sold on the market that doesn't handle power failures on write; I just hope that they aren't used in SSD's.

Obviously, you can also eventually run out of replacement sectors. At that point it's firmware dependent as to what will happen. Flash cells could start wearing out and being lost at this point as there's nothing to replace it. Even before this point if several flash cells in a sector (or whatever is protected by ECC) fail catastrophically it may be that even ECC can't help the data recovery when writing a replacement sector.

A point that many seem to miss here though is that flash has a history stored in it automatically. Because of the nature of flash, you don't actually write the cell that currently holds the data you want to modify. Instead you actually write a different sector. Due to time and power concerns, the original data will not be erased immediately, but instead at a later point in time. In the meantime the firmware knows to take the more up-to-date version of your data when a read is requested on its logical location.

Hence, in theory, the best chance for data recovery is returning your flash chip to the developer of the firmware itself as they should know how the firmware operates and can track this history better than anyone else. Of course this depends upon many non-technical factors within the company that developed it. As third party companies likely don't know this IP, it's not likely that they can help much on this front. More likely than not they are just running some simple FAT fix-up utilities as this can probably deal with 50% of the issues out there.

Re:Pointless

[dgatwood]

I honestly don't recall whether ATA drives do remapping silently or if the protocol returns a soft error that tells the computer to try again. It has been too long since I looked at any part of an ATA stack outside of the probe code (which is the part I typically have to hack to get LBA48 support on crappy old ATA cards that don't really support it)....

Usually, when I start seeing bad blocks, it is either because the bearings are leaking grease all over the disk or because a head arm is halfway broken off and is occasionally impacting the surface. In the first case, the drive doesn't spin up a week later. In the second case, it sounds like a chainsaw. Either way, if you don't have backups, you're pretty f*cked. :-D

SSD Data Recovery

[RNLockwood]

Not to worry, I have Time Machine backing up to an external drive.

Re:SSD Data Recovery

[snowraver1]

Awwe, how cute! Would you like an apple shaped cookie?

Ram and Nand

[elsJake]

I don't know about NAND chips , but apparently ram isn't all that "volatile" as it should be( http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html , part 7). If nand flash is anything like ram the ware leveling algorithms would still ruin any forensics in a system were data changes frequently.

Re:Ram and Nand

[tripwirecc]

Oh god, Gutmanns bullshit still circulating?

Re:Ram and Nand

[elsJake]

arguments please

Re:Ram and Nand

[tripwirecc]

It's the same Gutmann that wrote the dramariffic Vista DRM paper. This person's not to be taken seriously. He also wrote some data recovery paper a computer forensics friend of mine reads once a while to cheer up his day.

Re:Ram and Nand

[elsJake]

i'll look into it then, thanks!

Re:Ram and Nand

[misleb]

I don't know about NAND chips , but apparently ram isn't all that "volatile" as it should be( http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html [auckland.ac.nz] , part 7). If nand flash is anything like ram the ware leveling algorithms would still ruin any forensics in a system were data changes frequently.

Grr, why does everyone reference that paper and just assume it has actually been proven in teh field? That whole paper is just THEORY which has never been show to be practical, as far as I know.

What is the Data recovery % for non SSD drives?

[Bill,+Shooter+of+Bul]

I realize there are "professional" companies that specialize in data recovery, but in my ( admittedly limited) experience I've only heard of sob stories of people paying $$$ and not getting any data back. On the plus side, Its always taught them to back up their data.

Google Media....

[DontLickJesus]

Perhaps as these types of media become cheap enough we will all be able to run our own media with the GMail-esk mantra "Never delete data again!". But seriously, Data Recovery exists through a flaw(?) in old media types. If I delete something, I want it gone. If I want to get it again, or insure it from loss, I should make backup. This is all well and good until FBI/NSA/DHS decides to install rootkits on every media type we buy... that'll be the day.

Re:Google Media....

If you're worried about law enforcement having access to all your data, why would you be looking forward to having a single point where millions of people have uploaded all their data ("Google Media")? Instead of rootkits in everyone's physical media, they get access to one company/tool and now they've got access to all your stuff.

That doesn't even approach the issue, either, of whether you want Google indexing all of your backed up personal and business* data to serve you ads.

(* Serious businesses can't use Google's services for e-mail or, potentially, data storage due to SarbOx requirements.)

Clearly...

[spadefoot]

A dolphin with a SQUID would seem to be the obvious choice.

Worst. Blog Ad. Evar.

From the first sentence's "there is a significantly less number of qualified technicians" to "However, none of this any consolance to the customer who has just lost critical business material", there is no content in this blog. Worst blog-slashvertisement ever.

Simple

[Kjella]

If you want security, encrypt before you store. If you want recoverability, get a real backup. Seriously, this has been this way ever since computers got fast enough to do AES on the fly against disk. Ubuntu supports it in the alternate installer, Debian and probably the rest too. On Windows various closed source software like DriveCrypt++, Bitlocker and whatnot is available. This isn't really all that difficult...

Re:Simple

So very not simple, and you missed the whole point...

Encryption isn't a substitution for a data-retention program. You think your NIST approved encryption algorithm is gonna stay that way forever?

Re:What is the Data recovery % for non SSD drives?

[sBox]

Not recovering the data you want is always a risk. In my experience I have recovered everything I've needed using a pay-for service. Expensive? Yes, but you (or your client) must weigh benefit.

Backup, backup, backup. Those that don't will pay the price. Literally.

Secure erase

[trainman]

Actually my concern would be more the exact opposite, what are the implications for secure erasure of these drives? Before we could just open the drives and smash the platters if you wanted to be really paranoid. Now, do we have to make sure we find all the flash chips and ensure each one of them is destroyed? Are there other implications because of this flash memory for secure erase utilities?

If your hard drive dies and you don't have a backup, I have very little sympathy for you. You should know better. Especially anyone reading slashdot. Let's get back to our NSA fearing roots and talk about how to protect ourselves with the latest in encryption technology. ;-)

Re:Secure erase

[dasbush]

Before we could just open the drives and smash the platters if you wanted to be really paranoid Couldn't one just take a hammer/woodchipper to the new SSDs? Sure, you might be able to get some data off the drive. But the same would be true about a hard drive. If someone wanted to (already has?) invent a drive reader for a smashed up Solid State or Disk Platter drive, I'd bet that they could given enough time/money.

Re:Secure erase

[maxume]

Fire will do a fine job of finding all the flash chips.

Also, do flash chips even have a memory effect?

Re:Secure erase

[joeytmann]

In short, yes. What's the difference in cracking open a platter based drive and an ssd based drive? Nothing, you just have to destroy the media. That's what large hammers are for.

Re:Secure erase

[Mr_eX9]

Well, you could take the principle behind the Etherkiller and apply it to SATA or USB or whatever your SSD's connection is. Sending 120 volts to your flash chips should quite literally toast them, right?

Re:Secure erase

[Kjella]

If someone wanted to (already has?) invent a drive reader for a smashed up Solid State or Disk Platter drive, I'd bet that they could given enough time/money. From what I understand, this is standard (but not cheap) service at IBAS and such, at least for hard disks. Damaged platters and such would be insane to spin up, they could fly apart and some might be already be so damaged they can't be spun around the axis. Instead they'll open the drive in a cleanroom and bring the reading head to the platter rather than the other way around. A wipe is probably more effective, at least I think IBAS will tell you to forget it if you bring them a wiped drive. What the NSA may or may not be able to do, you're at least not going with something that's publicly and well documented possible to recover.

Re:Secure erase

[JATMON]

I was just looking into these the other day. If you want to spend the money, They have SSDs that erase to Military SPECs (http://www.stec-inc.com/technology/total_drive_protection.php). If you are really paranoid, they even have a destructive purge that will destroy the drive in 2 seconds.

Re:Secure erase

[darthflo]

If it doesn't, move to Europe. 230V will kill more.

Re:Secure erase

Before we could just open the drives and smash the platters if you wanted to be really paranoid. Now, do we have to make sure we find all the flash chips and ensure each one of them is destroyed?

I think this method of disposal should work equally well for SSDs as it does for traditional HDs.

Re:Secure erase

[Firethorn]

Step 1: Find two sockets that are on different circuits.
Step 2: Verify that the circuits are on seperate phases
Step 3: Rig a cable going from hot 1 to hot 2*
Step 4: Fry circuits using etherkiller type cable@240V

Alternatively, use a dryer socket or something.

*Make sure both circuits aren't GFI, otherwise they'll pop pretty much instantly.

Re:Secure erase

[AvitarX]

http://www.willitblend.com

I would think that at least the "flash" part of a drive will blend (maybe not the case).

Re:Secure erase

[xaustinx]

Pretty much everything on this planet is susceptible to fire at some specific degree of heat. I'm sure tossing an SSD with whatever protective casing it ships with into a campfire or a fireplace would sufficiently melt, then destroy the flash chips housing your secrets.

Re:Secure erase

[ACMENEWSLLC]

Secure Delete; http://www.microsoft.com/technet/sysinternals/Security/SDelete.mspx

I use this to zero out drive space on virtual machines, which allows for their virtual drive to be shrunk.

sdelete -p 2 -z -c -s c:\

It's batch scriptable to run in %tasks% nightly.

"Delete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give you confidence that once deleted with SDelete, your file data is gone forever. Note that SDelete securely deletes file data, but not file names located in free disk space.

To overwrite file names of a file that you delete, SDelete renames the file 26 times, each time replacing each character of the file's name with a successive alphabetic character. For instance, the first rename of "foo.txt" would be to "AAA.AAA"."

So in other words, if you have a bunch of mp3's in a directory that is deleted - the mp3's data will be gone. But the filenames will be there, in the form of zzzzzzzz.zzz zzz.zzz zzzzzzzz.zzz

Now, if you trust Microsoft with this task, that's another story.

Re:Secure erase

[dermoth666]

I'm pretty sure a couple of ESDs with your BBQ lighter on the chip pins will do it, although for safety a bunch of "shred" passes wouldn't be a bad idea first.

(FYI shred is a UNIX tool that erase normal hard disks in a way optimized to prevent data recovery)

Re:Secure erase

[pananza]

http://www.willitblend.com/ Put your 2.5" SSD disk in a http://www.blendtec.com/ and problem solved.

Use the gForce

[carpe_noctem]

Ask Slashdot: For when you've got time to write up a whole paragraph, but not a 5-word google search...

Google results, which seem rather informative

Re:Use the gForce

[carpe_noctem]

Looks like I misspoke a bit... looks like the point of this post isn't to ask something that could have been easily googled, it was for this chump to plug his blog. So, let me rephrase:

Ask Slashdot: When a slashvertisement just won't do, since you've only got yourself to sell.

Re:Use the gForce

[MyOhMyOhMy]

Even if there was some shameless intent in doing "Ask Slashdot", I still believe the category has value to the average Slashdot reader, which I will not proclaim to be myself, since I have no idea what "average Slashdot reader" is like in the first place. The point is, that one could certainly Google for answers, and I frequently do, but sometimes one wonders how many people would agree the search topic is interesting, and would like to get feedback from Slashdot dwellers. This way one does not wonder alone.

Re:Use the gForce

[uvajed_ekil]

Looks like I misspoke a bit... looks like the point of this post isn't to ask something that could have been easily googled, it was for this chump to plug his blog. So, let me rephrase:

Ask Slashdot: When a slashvertisement just won't do, since you've only got yourself to sell.

Ask Slashdot: For when you want to rip someone's post without actually reading it or understanding the best way or reason to flame the poster until after you reply.

Re:Use the gForce

[Eadwacer]

It gets worse. If you double up the word 'recovery' - data recovery solid state drives recovery - the first two google results point to this discussion.

Pointless

Data recover services exist because people are stupid enough to not use redundant arrays and not make reliable backups. If you care about the integrity of your data you should be doing those two things, which will make the capabilities of data recovery services irrelevant. (Oh, and it's a hell of a lot easier to make your data safer by using more redundancy and more backups than by using a technology which is easier to recover.)

well that makes it easy

Just put your drug deals, k1dd13 pr0n, and terrorist plans in a file called attorneyconfidential.doc. That way when you erase them you can claim attorney-client privilege with a straight face.

Re:well that makes it easy

[dotancohen]

Just put your drug deals, k1dd13 pr0n, and terrorist plans in a file called attorneyconfidential.doc. What's wrong with attorneyconfidential.odf? Not everyone has MS Office, you insensitive clod!

Re:well that makes it easy

[jgoemat]

Everyone Knows that child molesters and terrorists use Microsoft products, duh!

Its a good thing

[mrroot]

And why is it considered a desirable effect that someone can forensically recover data that the owner indended to destroy? If SSD really does not allow data to be recovered like this, then in general thats good, IMO. Not just for legal reasons, but for any reason of privacy.

If you are concerned about protecting against data loss there are other more effective ways like implementing RAID and maintaining off-site backups.

Fire

[davidwr]

There are ways to destroy solid-state disks that don't require a hammer.

SSDs have one infallible data erasure option

[Amiga+Lover]

Which is the same infallible data erasure option for any media. Incineration.

Trusting data loss to just one delete command is being broken in the head.

Re:SSDs have one infallible data erasure option

[ichigo+2.0]

-1, didn't read the question. He is NOT asking about how to eliminate the drive, since he acknowledges that ANY matter can be destroyed. Instead, he asks about recovery options when there are no other alternatives, such as extreme disasters or criminal cases where data was intentionally lost. This is a good question, I look forward to constructive answers and the discussion that follows. Yours, however, is a dead end.

Re:SSDs have one infallible data erasure option

[Amiga+Lover]

pwnied :)

References please...

[Joce640k]

Makes you wonder if you could quadruple the capacity of the harddrives that way too.

I think you just proved to us why your statement is false.

If old data is recoverable, the disk would hold more data.

Re:References please...

[SharpFang]

I don't know how big the equipment to read data that deep is, but my bet is it wouldn't fit between the platters, or even within a 5.25" enclosure, plus costs a good deal more than your typical hard drive head. And reading one bit 4 levels deep may take far longer than picking up the 'outer-most' layer of information. The residual information remains and is readable strictly because the hard-drive head takes so short to write it.

And even assuming you could read the data at current speeds of reading 1-bit data, think of the process of writing the data in orderly manner: changing the data in layer 1 pushes the old data into layer 2, l2 down into l3, l3 into l4, and l4 into oblivion. So if you want to modify l1 data, you first cache the other 3 layers, then write them all back in order, before writing the top-most one.

This would be good for "shadow directory"/"snapshot"/"undo file" type storage, or "write rarely, read often" like applications or long-term storage (though I'm very unsure about how long-lasting is the deeper-level field value change). But most likely cost, reliablity, speed and size are prohibitive factors. It's cheaper to squeeze bits twice as densely.

Re:References please...

not if reading with such accuracy requires a read/write head and electronics that is more expensive than simply using more platters or drives.

Re:References please...

[Paradigm_Complex]

As others have pointed out, recovering the information is quite a lot of work. The equipment alone would not necessarily fit within the 2.5" standard for harddrives. There is a sizeable distance between something being theoretically possible some time in the future and something being economically feasible at this point in time.

not impossible

[tempest69]

The chinese used some very impressive tech to read the hard drives from a US surveillance plane, where the data was overwritten, and then melted with thermite. Magnetic domains aren't that easy to erase, it like erasing a whiteboard with a slotted eraser, there will still be traces of the magnetic domains even after two rewrites. And the extra data that drives store for CRC info helps a bunch in getting the data right.

Re:not impossible

[smooth+wombat]

where the data was overwritten, and then melted with thermite.

WHAT?!!!! I'm hoping I'm parsing your sentence incorrectly because any hard drive subjected to thermite becomes nothing but a puddle of molten then solidified metal.

What I'm hoping you meant to say was that even though the hard drives in our surveillance plane had been subjected to thermite, parts of the drives remained intact enough so the data on the unmelted parts could be retrieved despite the data also having been overwritten.

Allow/Deny?

Re:not impossible

[jacksonj04]

Now that *is* impressive. I've seen thermite go through some pretty thick reinforced metals, so lord knows what those disk platters were made of.

Re:not impossible

[zippthorne]

The problem is, on the plane you're talking about, the crew did not use the proper data-destruction procedure during the ditch. Perhaps they were overwhelmed by the accident or thought they'd ditch somewhere the plane would be lost, so it wouldn't matter, or had survival related tasks which required all of their attention. In any event, if thermite was part of the destruction procedure, it was not used.

This was, in fact, a matter of some controversy at the time, as was the decision not to bomb the wreckage.

Datarecovery of SSD drives.

[rew]

I work for www.harddisk-recovery.com .

We will gladly reverse engineer the data-distribution algorithms that the SSD device uses on a case-by-case basis. We have done so in the past for several different USB sticks. We will desolder and read the individual data-holding chips and then reverse engineer their scrambling algorithms. We will then recover your data from whatever chips still work sufficiently to provide us with some data.

The first time this will take us a few days extra. Expect about a week turnaround time the first time anyone sends us a failed SSD disk.....

Re:Datarecovery of SSD drives.

[Reziac]

Very interesting, thanks. So all is not lost. :)

What does this cost, compared to recovery from conventional hard drives??

Re:Datarecovery of SSD drives.

[yabos]

An arm AND a leg instead of just your arm.

Re:Datarecovery of SSD drives.

[Silver+Gryphon]

In 1998 I worked for a real estate company that kept its entire rent database on an IBM DisplayWriter 8" floppy disk, no backups. Strangely enough, it lasted longer than the 30MB hard disk in the CEO's secretary's PC. Boss man said to spend $1,000 to recover the address list on the drive. They salvaged everything, including the 25KB of value on a 30MB drive. Finally backed up to... wait for it... a single 3.5" floppy. $84 million in revenue and you couldn't convince them to spend a dime in the right places.

When the CEO drove to work in his new $300k Ferrari, I decided my value was understated and moved. They sold the company 3 years later.

Re:Datarecovery of SSD drives.

[rew]

We charge by result. This means: No cure no pay.

Secondly, you don't care about wether or not we just had to run our in-house data-recovery software, or we had to swap platters with a different drive.

On a job where we have to figure out how things work, we usually lose money (or "invest"), but we learn things which we will write off on future jobs.

Re:Datarecovery of SSD drives.

[Reziac]

So I gather once you have a given storage type reverse-engineered, it takes no longer to recover than a standard HD?

By results is certain fair. Yep, not fair to charge the customer for learning time, but since it won't be the last of any given type, as you say you'll make it up.

Destroying sensitive data

[Venik]

If you have any data that you may need to destroy quickly and permanently, I would suggest using DVDs. Sure, it's slow and a hassle but, when you need to get rid of a large volume of information in a hurry, you just take your DVDs and put them in a microwave for a few seconds.

The damage microwave radiation causes to the data on the DVD extends beyond visible damage to the metal layer. That is to say that, even though it may seem like there are undamaged areas left on the DVD's surface, they are still unreadable. And it only takes 2-3 seconds to completely destroy a whole stack of DVDs, if they are arranged in a microwave with some space between them. Rewriting a hard drive with multiple passes may take hours and still leaves a possibility that some data may be recovered.

It seems to me that with SSD data recovery should work better than with conventional hard drives. You may need to overwrite the entire disk multiple times, as opposed to overwriting just the selected data, as you would with a conventional hard drive.

Re:Destroying sensitive data

[Happy+Lemming]

Personally, I favor gerbils - they are great for shredding moderate amounts of printed data. They don't do much for the working copy on the hard drive, though.

Re:Destroying sensitive data

[DarkSarin]

Yes, but what does a microwave do to a HDD? Of course, the HDD does have the reverse damage feedback spell enabled, so it will probably kill the microwave too, but if you were in a hurry to kill sensitive data, that's a risk I'd take...

Telling the gov't why your HDD was in the microwave might be a little trickier...

Re:Destroying sensitive data

[JeepFanatic]

Wouldn't you still have a problem that the data would have been at some point on your hard drive as well before it was transferred to DVD? Even if just as a cache of some kind?

Re:Destroying sensitive data

[elsJake]

i'm guessing since it only destroys the metal layer they could re-coat it. the actual data is stored on an organic material not on the metal.

Re:Destroying sensitive data

[Kjella]

Yes, but what does a microwave do to a HDD? Of course, the HDD does have the reverse damage feedback spell enabled, so it will probably kill the microwave too, but if you were in a hurry to kill sensitive data, that's a risk I'd take... Little to none, I'd wager. Oh, you might manage to melt the circuit board a little but the platters will probably do just fine, at the very least you'd need to open the HDD and expose the platters to the microwaves directly. I don't think that either would work, but in any case that certainly rules out any kind of fast erasure.

Re:Destroying sensitive data

[Auntie+Virus]

Personally, I favor gerbils - they are great for shredding moderate amounts of printed data. They don't do much for the working copy on the hard drive, though.

Armageddon!!!!

Re:Destroying sensitive data

[Venik]

Microwave energy is reflected by the aluminum layer, forming electric arcs between adjacent peaks and between loops of the spiral and generating heat, which fractures and melts the sub-nanometer peak-and-valley structure of the polycarbonate plastic. Re-coating the disk with a fresh layer of aluminum will not restore this structure.

Re:Destroying sensitive data

[Venik]

This is true, but you have ample time to securely erase the data off your hard drive, once it has been transferred to DVD.

Re:Destroying sensitive data

[Danga]

The organic layer is connected to the aluminum layer so you either lose both layers or none and any portion that are lost or damaged will lose all of that data completely. You cannot recoat because the data is already gone at that point. This is a reason why it is MUCH more dangerous to damage the top part of a recordable CD/DVD because if you scratch the bottom of a disc then you can usually buff the scratch out and the disc is like new. However, if you scratch the TOP of the disc (don't use regular pens on discs!) then any area that has the coating scratched off has just lost a lot of data which will never be able to be recovered.

FWIW I work in the CD/DVD forensic and data recovery business as a software developer.

Re:Destroying sensitive data

[JeepFanatic]

Which takes you right back to the original problem that you had to begin with.

Re:Destroying sensitive data

[JonathanR]

I thought that CDs had their data layer on the top, covered by a protective lacquer, but with DVDs the data layer is actually sandwiched between two polycarbonate disc layers. My memory tells me that this was the reason for dropping the jewel cases in favour of a new design that popped the disc of its mount by pushing the centre of the mount. Storing DVDs in jewel cases would overstress the disc near the hub during mount/demounting in the case, causing delamination of the two polycarbonate layers (thus destroying the disc).

Just my two bob worth. Might be totally wrong.

Re:Destroying sensitive data

[Danga]

Thanks for the correction and you are correct about DVD's having the data layer sandwiched between 2 polycarbonate discs. I should have specified the "scratching the top" problem as CD only.

Still, whether the disc is CD or DVD does not matter with regard to "repainting" the metal layer. CD-R/DVD+-R's both have the reflective metal layer directly adhered to the organic dye which means if you lose one you lose the other and recovery will be impossible for that portion of the disc. The rest of the disc should still be readable although it might require some specialized hardware to do so since a normal drive might not go into the ready state with the damaged disc.

MOD PARENT UP (not a troll)

[mkcmkc]

Parent is not a troll--his answer is the answer to this question.

If you're wanting to know about recovery for security purposes, as in, "how do I destroy this thing so that no one can recover data from it?", that's an interesting and useful question. If you're just wanting to know out of general curiosity, it's also an interesting question.

But if you're thinking about what might be possible as part of disaster recovery, you've completely lost the plot. This thought seems to spring from the same well as the idea that "mirroring" can be used for backups. No, no, a thousand times no.

Re:MOD PARENT UP (not a troll)

You and the troll above completely missed the point. Did you even read the post?

The submitter wants to know what tools are available to recover data from a SSD, not how to protect data. What tools do or will law enforcement use to recover data from an SSD? Does a criminal simply need to switch to using SSD and simply erase the data, then write over the disk once more and everything is completely gone forever, no chance of recovery?

Re:What is the Data recovery % for non SSD drives?

[darthflo]

A relative of mine paid some $2500 for what probably were a few broken sectors. Years later, the recovered data (and all the stuff accumulated in between) was, without any backups, stored on the disk he got it from the recovery service. Which started failing, too.
Some people never learn.

Differential Attacks

I've seen a lot of comments about using whole-drive encryption on these flash drives. However, flash drives balance the load across multiple blocks in order to extend the life of the device. Anybody want to take a guess at how less secure your encryption becomes if there are mutliple historical copies of a block around to use for comparison?

The real danger is a loss of recovery companies...

[PortHaven]

My experience with Flash medium has been extremely impressive (especially versus harddrives):

I've encountered a nearly a dozen hard drive and micro-drive failures in recent years. Meanwhile, I have experienced only one partial failure of a flash device - it had a bad sector. I could extract all the rest of the data except for the file written in that sector of a 512mb Compact Flash card. So it was merely a partial loss and very small percentage. While this was enough to lead me to cease using this card, it was a very very minimal loss of data.

Now, I haven't even addressed the accolades of flash based devices. I have one thumb drive, it's a few years old now and still running. That may not be all that surprising. But I think it is unlikely that a 3 yr old hard drive would still be running after having gone thru the washing machine and the dryer....twice!

***

So back to the point of my reply....

The recovery options seem very similar to me. Clean room, magnetic readers, etc. I expect the same basic processes as are used to recover data on hard drives and floppies. However, I expect there to be a lot lot less need to do so.

The problem is see is that the small number of recovery centers may become even fewer. And the issue might be finding a company to extract the data. Especially after disaster situations (ie: regional flood, etc) where a large number of individuals & companies desire data recovery. We could see a large backlog occur as there might not be enough business out there to keep a large number of companies operating in this very unique field.

- The Saj

Re:The real danger is a loss of recovery companies

[oddaddresstrap]

The recovery options seem very similar to me. Clean room, ...

Clean room? Why?

fire insufficient in and of itself...

[Firethorn]

Having operated a makeshift incinerator a few times, I have to point out that fire can be insufficient in and of itself.

I've actually held bits of ash with legible writing still on it. I was burning old checks for my parents.

I wouldn't count it destroyed until the ashes are stirred well.

Re:fire insufficient in and of itself...

[ogl_codemonkey]

Which is why we used to hose out ours; *wet* ash turns to mud. Hard to read mud.

the effect of wear-levelling on recoverability?

[Tumbleweed]

Okay, so the new wear-levelling ability of SSDs, (where if it cannot write to a block/bit/whatever, it marks that as bad and writes somewhere else), brings a question to mind:

Let's say you have had your SSD for awhile, and some data is in areas that subsequently get marked as 'bad'. You 'format' your SSD clean, but does the format change those marked-bad bits? If not, just because they cannot be written to, doesn't necessarily mean they couldn't be READ from by some utility that ignores the marked-bad flags, in theory. So, is it possible for an SSD to have data recoverable from 'marked bad' areas, that might even pass a format/multi-write randomizing utility? Something to think about. Hopefully someone knows the answer...

Re:the effect of wear-levelling on recoverability?

[glop]

Hi,

You are correct. Hard disks have the same kind of feature I believe.
The manpage for shred (*nix utility that erases files "securely" by writing random data several times) warns about this problem if I remember correctly.
You may also find Truecrypt's documentation interesting, they list features (such as disk paging) that may cause data in RAM to be written to hard disks. They could then fall in the spare sectors and survive your efforts to shred the hard disk (computing the probability of such an event seems difficult though).

I am nevertheless using Truecrypt to avoid my data falling in the wrong hands but it looks like real experts would have a decent chance of getting everything I have on my disk. But I just want protection from casual thieves, not from the KGB or the Mafia...

Re:the effect of wear-levelling on recoverability?

[PitaBred]

Dunno, the Mafia seems to have trouble with computers. I'd be most worried about the KGB or NSA, not the Mafia.

Re:the effect of wear-levelling on recoverability?

[nerdbert]

In modern HDDs when a bad sector is detected for whatever reason (TA, etc) the drive heads into recovery mode and generally tries a set of increasingly aggressive recovery methods until it manages to recover the data. At that point, the sector is silently remapped into one of the spare tracks. The data in the original sector is still there (we managed to read it once, right?), but you'll never see it nor be able to erase it.

This is one of the reasons I tell my friends that if you EVER see a bad sector message you know your disk is not long for this world. If you've managed to burn through all the spare tracks your lifetime is in the toilet.

Recovery--what about wiping?

Seriously--does anyone know how to wipe a SSD? It's my understanding that these things have wear-leveling built into the firmware--I tell this to write 0's to some sector, and it might just reorder the device and write there instead...

I admit I don't understand exactly how this works, but it strikes me as trying to wipe a journaled file system...

Anyone care to contribute thoughts?

Re:Recovery--what about wiping?

[PitaBred]

dd if=/dev/urandom of=/dev/sdf bs=512K

That'll fill the whole drive with random noise. Wear-leveling doesn't do much when the drive is completely full. You could even do it multiple times if you cared, but you don't have the magnetic side-effects of storage with flash that you do with traditional magnetic hard drives.

Quick and Most Secure Drive Erasing

[Nintendork]

DoD5220.22-M is what most use and is becomming old-school. That means three passes. Ones, Zeros, then Random. However, the national standard in America is NIST 800-88. Newer drives have a function built into the firmware that do a secure erase in one pass, even covering spare sectors. It's called Secure Erase or SE. The NSA likes it, rating it higher than using an external program. It meets security requirements of HIPAA, PIPEDA, GLBA, and Sarbanes-Oxley. If you want it, check into this man's utility and its educational document.

SpinRite

[Bailsoft]

I guess these drives are going to put Steve Gibson out of business; unless he's currently writing ReadRite!

Does it blend?

[the_one(2)]

yes, yes it does =) (haven't tried though. Should not be considered technical advice =))

Actually...

Actually, I restore data like this for a living.

Overwriting with a single pass of /dev/urandom will only make recovery very labour intensive and hugely expensive, but not impossible.

Two wipes makes it harder still. It is a statistics game, each write makes the odds go down (and steeply at that) that the data can be recovered.

Anyway, wiping once is not enough to keep our lab from looking at your pr0n.

Improbable

They can't be moles. Secret Squirrel would never stand for that.

Re:The real danger is a loss of recovery companies

[lcoughey]

Being one who is an owner of a data recovery company, I have been contemplating the idea of writing an article about the implications of SSHD and data recovery. I guess this discussion has beaten me to it.

I have a few thoughts on this matter and will post them in point form:

1. The elimination of the clean room?
- For obvious reasons, the necessity of a clean room for solid state devices will be drastically reduced. However, due to the price and size constraints, I don't foresee the elimination of the traditional hard drive for some time to come. Of course, that could be 5 years or 15 years, depending on industry trends.

2. The stability of solid state hard drives?
- I'd say that SSHD are more stable from the perspective of being bumped around. However, a simple power surge could render the data lost forever. This is where the traditional drive has a hope. The electronics can be toast, but the data is still on the platters.
- To the most part, traditional hard drives show signs of dying before they completely crash where a SSHD is going to work or not work, with the exception of failing bits.

3. Will SSHDs be the data recovery lab killer?
- I doubt it. It is true that hardware failure is the number one reason for data loss. But, a close second is human failure and I believe that will never change. So, the SSHD may become a more stable drive, but it won't be the end of data loss. If anything at all, the SSHD technology will create more false security, making for more critical data loss.

4. Will SSHDs affect the cost of data recovery?
- I suspect that we will see three different quotes for these devices: 1. around $500, 2. around $2000 and 3. unrecoverable.

All in all, I am excited about the technology and look forward to putting my first 250GB SSHD into my MacBook Pro. But, until we see the prices drop and the capacities increase, we won't be seeing these drives in anything other than a few overpaid executive's laptops.

Troll?

[Bill,+Shooter+of+Bul]

I don't see the troll rating as being accurate. Overrated ... perhaps. I didn't think someone was going to be posting the answer to my question a few seconds before I asked it. In any case, that was not an attempt to troll. Meta mods... do your magic.

[Citation Needed]

[pragma_x]

I call shennanigans. Recovery after thermite? Not a chance.

Any ferrous material brought above the Curie Point is no longer magnetic, and looses any magnetism it had prior to heating. You can test this yourself with a magnet, a butter knife and a blowtorch. No matter what combination of iron and impurities your drive surface has, its Curie Point is easily below the temperature of molten iron - the product of your thermite reaction.

So even if the discs were heated by thermite, rather than just plain destroyed, it's unlikely that the heating would allow any data to survive unless the iron was already pretty cold.

That said, this was a surveillance plane flying over a foreign country in a (presumably) covert fashion. If it had such a self-destruct, it would be a mil-spec component. In case of a crash, I doubt there would be much of a plane left, let alone drive platter pieces to be recovered.

Re:[Citation Needed]

[TheSkyIsPurple]

If the thermite only hit part of the platters, and burned so fast that the rest of the platter didn't have a chance to hit the curie point, maybe some percentage of the sectors was readable?

I would love to experiment with that one... =-)

Re:[Citation Needed]

[Fred_A]

I call shennanigans. Recovery after thermite? Not a chance.

Any ferrous material brought above the Curie Point is no longer magnetic, and looses any magnetism it had prior to heating. In that spirit I have long wondered if merely heating disks in an oven wasn't enough to wipe them. A household oven will go up to around 550 or maybe 600 K. That's probably too low though.

Of course it's not a very good method if you're in a hurry (maybe in a microwave oven ?). :)

Not funny...

In today's political climate, this probably should have been modded insightful or informative instead.

We liked Sandblasting our RM05s

[billstewart]

Back during the Reagan Administration, when I was working as a tool of the military-industrial complex (:-), we had a VAX lab that we used for classified projects. The Army's rules for wiping disks before declassifying them said that you could either use NSA-approved software (didn't want to do the paperwork to find out if any of that was supported on our Unix versions), an NSA-approved Big Degaussing Magnet (not near *my* lab, thank you!), or physical destruction (yee-hah!)

Our disk drives were RM-05s, which had stacks of a dozen or so 14" platters. Most computer administrators had one on their wall showing the effects of a head crash, with various tracks scraped into the oxide finish. I was no longer running the lab when we decommissioned the VAX, but my successor got to take the disks down to the machine shop in the basement to have them sandblasted. The platter on her wall didn't have any oxide left - it was smooth and shiny metal.

Tools Depend on Who's Attacking You

[billstewart]

The tools that get used to investigate your disk drives are going to depend a lot on who's trying to investigate you and your computers - how much are they willing to spend.

Law enforcement organizations aren't going to waterboard you, which would be against the law, though they might have fun tasing you. And courts have simpler methods - they issue you a subpoena that says to turn over any information you've got, and can make you sit in jail or pay heavy fines for not handing it over, or if it's a civil lawsuit they can decide that you're acting in bad faith and decide in favor of your opponent and make you pay their attorney's costs.

Law enforcement organizations are also highly unlikely to get out the electron microscopes and look for fuzzy bits around the edges of your disk tracks; that's more of an NSA/CIA spy-vs-spy kind of threat model. On the other hand, they are often willing to have some sleep-deprived technician who likes bright lights and loud obnoxious music do the kind of disk recovery that looks at your file systems for the data sitting around in unerased blocks or marked deleted in directory listings.

Fundamentally, if you're storing data on a computer that you don't want anybody else to recover, you need to store it in encrypted form so the only thing that can be recovered is the cyphertext.

For most people, though, the real threat model is that Murphy and BillG gang up on you. For that you need backups, and you need to periodically make sure you can recover your backups, and every couple of years you need to copy the data from old media to new media because otherwise your only copy will be on a 9-track tape or MFM disk. And BillG's still going to make sure that you can't read that proprietary file format that was used by some word processor in 1994. And your corporate IT staff are going to write a backup script that only copies files in Microsoft Office formats, which don't include the .txt and .html you saved them in to prevent that problem. (And yes, that's happened to me during a laptop upgrade, and of course they returned the old drive for credit before they gave the new laptop back to me.)

Fortunately, storage costs have been dropping much faster than Moore's Law predicts, so in theory it's getting easier or at least cheaper to do backups. In practice, Murphy's taken out one of my new 500GB drives, and Maxtor's turned the other one from 500GB into 128/137 GB because the old Maxtor USB-drive case didn't know if the new Maxtor drive supported 48-bit addressing....

Fill and flush

[Chas]

Likely what you'll need is a program that fills the drive several times.

RAS Syndrome

[juancnuno]

http://en.wikipedia.org/wiki/RAS_syndrome

Re:The real danger is a loss of recovery companies

I have a shitty portable hdd that I bought about 6 years ago. It still works perfectly. A cheap bus powered 20gb drive (1.8 inches I believe). I have dropped it and knocked it off the table (while it was running) and generally carried it about for ~3 years before moving on to a smaller flash drive and use of the internet for storage.

I had a flash drive that I paid just as much as the HDD cost me. $70 for 256MB (which actually was a steal at the time). I used it for less than a year (and not all that much because I had two of them.) It just died one day. Do not know why, but it did. My data? No more. Unreadable. At least if the HDD died I could still have a chance at data recovery.

In this case the shitty HDD with its moving parts ended up being more durable. The stupid less used flash drive sucked.

This is not the only reason flash scares me. I have really never lost anything important to drive failure as I have always been at least able to access enough to get my files that I wanted (I do have backups, but that is not the point.)

oops bad memory, my bad..

[tempest69]

I guess they didn't use thermite, but somehow this article corrupted some neurons.... http://www.darkreading.com/document.asp?doc_id=97378

The researchers concluded that permanent magnets are the best solution. Other methods, including burning disks with heat-generating thermite, crushing drives in presses, chemically destroying the media or frying them with microwaves all proved susceptible to sensitive, patient, recovery efforts.

And the Chinese did manage to recover the data... I cant find the article right off.

Storm

Field Standard for Law Enforcement

[TubeSteak]

EnCase® Forensic
http://www.guidancesoftware.com/products/ef_index.asp

I'm surprised no one has mentioned it yet.
It clones your HD and provides an image that law enforcement can work from & admit as evidence.

What was that, besides pure BS?

[nerdbert]

No, you can pick up the old signals even in new drives. It's more complicated now, since you need to know the encoding schemes and ECC strategy (there are some wild ones out there now with fancy LDPC structures and the like), the fact that media noise is actually the dominant factor in modern encoding schemes, and tracks are pretty tight. But if you're willing to go the distance you can pull stuff off. And if you're the NSA or a drive manufacturer you can go great guns and use a interferometer controlled spin stand to read the off track footprint from the slight servo misalignment of the head and track when you did the erase. Not cheap, not quick, but it'll usually work. We do stuff like that to make sure that overwriting performance is "good enough" to dominate the signal, but you can still see the old signal down in the noise if you need it badly enough.

Yeah, I work on the things. So what's your point? Nothing's changed so badly that a single write can wipe out the data completely unless you're very (un)lucky if you want it badly enough. You still have to overwrite a fair number of times to really wipe your disk.

And before you CS types go all whacko on best theoretical patterns for erasure, we encode your bits ourselves into our own codespaces and usually use sequencers to scramble the bits to whiten out the frequency bands for more typical input patterns, so without knowing what we're doing your efforts to optimize erasure are dubious at best.

There *IS* a DES standard...

[Jane+Q.+Public]

As anyone who has used Norton WipeInfo can attest, there is a U.S. Government "Data Encryption Standard" for wiping disks. It involves multiple writes of different bit patterns to the drive. Now, the standard is probably old, and made for those old disk technologies... but since when have you known the government to keep up with technology?

Nice Try!

[Jane+Q.+Public]

But no banana.

Recovery from formatting has very little to do with forensic data recovery. The other posters in this thread are correct: with modern drives, there is very little magnetic "slop" left once a bit has been written.

True, it is not enough to just format the drive or erase files; one MUST overwrite the bits to actually destroy the information. But as for recovering data that has been overwritten on a modern drive, forget it. If anyone took even minimal care to make sure it was fully overwritten once, or even better twice, an "analyst" and his tools can get as "anal" as he/she wants pursuing the data, and will get nowhere. It just doesn't exist anymore.

What you claim may have been true in the bad old days (between about 5 and 15 years ago, give or take) but is simply not true true today. Try to keep up.

Not Random At All

[Jane+Q.+Public]

There is nothing random about it. The DES calls for specific patterns of bits to be written to the disk repeatedly.

Don't sweat it

SSD is 100x easier to strip the data from than traditional technology. You can pull the data directly using any chip reader / programmer. It should actually be a CONCERN for you that it's so easy. Security on old drives is much tougher. On an SSD drive you can strip the data so much easier, it's a joke.

Re:What is the Data recovery % for non SSD drives?

[RalphTheWonderLlama]

With a reputable company, you wouldn't have to pay if you didn't get your data back. That's fairly standard now.

If you really need it, then you pay for it, don't you. Yes, everyone should backup.

Re:The real danger is a loss of recovery companies

[PortHaven]

Great response BTW