Recovering Data From Broken Hard Drives and SSDs

Russell Chozick owns a small company in Austin. TX, called Flashback Data that recovers data from messed-up hard drives. And SSDs and Flash memory, too. How badly damaged does a drive have to be to defeat Russell and his crew? Apparently, smashed to bits. Not long aqo we did a video about a company that destroys data on hard drives, and we've had at least one Ask Slashdot where the question was, "What's the Best Way To Destroy Hard Drives?" In today's video, Russell is talking about the opposite of destruction -- except that he destroys data upon request, too. Obviously, checking the wrong box on a customer order form could cause big problems at Flashback Data, couldn't it? Let's hope they never do that -- and let's hope we all back up all of our data so we never need to use a data recovery service. You do back up all your data, don't you?

BS Summary

[gweihir]

Do one overwrite with zeros for magnetic media. They cannot recover that. Open the drive, take out the platters, bend or break them, they cannot recover that. SSDs are more tricky, but one overwrite with random data assures that no more than the spare capacity can be recovered.

Re:BS Summary

[TWX]

Just remove the casing and put the SSD board/chips into a microwave... If anything, physical destruction of an SSD should be even easier... Just pop the chips off the board with a flat knife and cut them into pieces with aviation snips...

Re:BS Summary

[guttentag]

Do one overwrite with zeros for magnetic media.

I just send all my broken storage media to the Nixon Presidential Library, labelled "18 1/2 minutes" in a box with a return address for "Flasback Data Recovery Specialists: We Recover Anything, Confidentiality Guaranteed. Austin, TX." They replace all the 1s and 0s with pure silence. Nothing beats that.

Re:BS Summary

[The+Grim+Reefer]

This should work for both spinning disks and SSD. of course you can't make an aluminum ingot from an SSD.

Re:BS Summary

[CanHasDIY]

Thermite, like duct tape, is the solution to damn near everything.

Now, if you'll excuse me, I have some men in black suits and dark glasses at my door, and I think they want to talk to me....

Re:BS Summary

[blueg3]

you can recover 1 overwrite actually....

You cannot. Or rather:
* Nobody has ever demonstrated success of recovering data from a modern hard drive (anything more recent than MFM) that has been overwritten even one time.
* The person who wrote the paper on recovering data from drives after erasure, Gutmann, has said there is no reason to believe that it is possible with modern drives.
* Other people have a quite sound theoretical arguments that it is impossible. (That is, there is a hysteresis effect, but it is so small compared to noise that the statistical probability of getting correct data instead of random data is much, much too small to be of any practical use even in a best-case scenario.)

This is a myth in computer forensics and security that needs to die.

Re:BS Summary

[tibit]

That's incorrect. Current drives store information in individual (as in single) magnetic domains. A magnetic force microscope is of no help there. Once you flip a domain, you've flipped it. There's no history, no layers, nada. You're referring to information that was current 20 years ago.

Re:BS Summary

[Lord+Crc]

That paper is from 1996. The updated epilogue contains this quote:

Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don't see how MFM would even get a usable image [...]

Re:BS Summary

[lgw]

Let me pile on with the "no you cannot". Once this was true, back in the days of MFM drives, because there was lots of redundant magnetic media on that drive. But the need to squeeze out every last bit of data density on drives has changed that - any place on the media where leftover traces of previous writes could be found is a place where more bits could be fit on the platter. Still, with older IDE drives you might have wanted to do one pass of random data instead of 0s, if you were worried about an opponent with an electron microscope (I've actually seen bits on tape in an electron microscope image - very cool).

GMR drives took that trend even farther, by using the Z-axis to help store each bit, not just the surface of the platter. With modern drives the media is completely used to store current data.

Re:BS Summary

[SuricouRaven]

You're close. Overwriting media with zeros almost entirely erases everything - there was a time when it was possible for someone with a highly specialised magnetic probe to pick up leftover traces from the space between the tracks, but modern drives have the tracks far too close for that. There is just one place data may survive: Remapped sectors. The drive logic does detect if a sector is going to fail or already failed, and if so will remap it to a spare area, just as SSDs do. The old data gets left behind in the now-disused space.

But all that'll save is the odd little fragment here and there, either 512 bytes or 16k depending on the drive. An attacker would need a lot of luck to find something good in there.

Re:BS Summary

[K.+S.+Kyosuke]

Thermite, like duct tape, is the solution to damn near everything.

So, if "Perl is the duct tape of the Internet", what is X and Y in "X is the thermite of Y"?

Re:BS Summary

[xtracto]

Nice try NSA guy.

Re:BS Summary

[K.+S.+Kyosuke]

"Using quantum detection for variations in the strength of the magnetic field (government level equipment) can detect multiple layers."

This sounds like total bullshit to me. We already have to use heavy error-correcting codes on pretty much all modern media to read even the last thing you wrote on them. What makes you think that whatever residual magnetism remains after a mere zeroing (although I'd opt for /dev/urandom instead) is sufficient to restore whatever had been written on it before that?

Re:BS Summary

Do one overwrite with zeros for magnetic media. They cannot recover that

For those that don't believe it:

Assume, for argument's sake, that one could recover one previous generation of data written to magnetic media after an single overwrite. That means a nominal 1TB drive could be used to store 2TB of data. The fact that no hard drive manufacturer has been able to take advantage of any hysteresis effect to increase their storage densities is a strong indication that it's not possible.

http://xkcd.com/808/

Re:BS Summary

[tehcyder]

Using quantum detection for variations in the strength of the magnetic field (government level equipment) can detect multiple layers.

What you seem to be unaware of is that, when The Government want to restore a destroyed hard drive, They simply use their Quantum Flux Capacitor Time Machine to go back in time to just before you tried to wipe it and get their Men in Black to zap you and copy the disk.

When you return to consciousness, you have no recollection of what has happened (since they obviously reset time after they leave), so you set about overwriting the disk, or dissolving it in acid or whatever, and have no idea how they manage to produce a flawless copy of your collection of Japanese child tentacle porn as evidence against you.

I thought this was common knowledge in the tech community after the revealing M.I.B. documentary series?

Best way to destroy the drive...

[TWX]

...is to literally destroy the drive...

A small four-pound sledge and a suitable hard surface to act as an anvil and one can break the aluminum case into bits in a couple minutes and crease and crack the platters to the point that there realistically isn't anything being read from there. If you're REALLY worried, break out the plasma cutter and just cut the platters into bits...

Speaking of bits, Spanish colonial currency were "pieces of eight". "Shave and a Haircut, two bits" is a $0.25 cost. So, eight bits to a full unit... Coincidence for eight bits to a byte, or intentional?

Speaking of Recovering Things

[pitchpipe]

Does this company offer a way to recover a Slashdot that doesn't disguise advertising as a story?

Re:Speaking of Recovering Things

[berashith]

not disguised at all. If the first words of the summary arent " somerandomuser writes" , then I know that it wasnt user submitted, and is being pushed in from above. I only come into the comments of these types of stories to verify that I didnt click through to their ads.

slight correction for this post:

[nimbius]

s/that recovers data from messed-up hard drives/that has learned the value of sponsored content advertising through the dice network/

Re:Advertisement within an advertisement?

[EmagGeek]

Just curious, why did you attempt to obscure the word "SHIT" in your post?

Just say it. SHIT. It's a wonderful, useful word, just like FUCK, HELL, TITS, ASS, CUNT, DICK, and so many others that describe Slashdot and those who make it yet another newsvertisement site.

WTF? I thought I had ads diabled??

[gweihir]

Why is this stupid marketing BS still displayed?

Re:Slashdot is vulnerable and should be updated

[ArcadeMan]

Maybe you haven't updated Firefox in a while. Are you still using yesterday's version?

Personal experience with them - they are legit

[millisa]

Not disagreeing that the video was pretty bad - I can't say I'd do any better if asked to do an interview off the cuff. Definitely not a well planned advertisement if that's what it was supposed to be.

I've had customers that have used these guys with about a 50/50 success rate at getting 100% data back. The times they couldn't get the data were due to head crashes that had scrapped the platters clean.

It never seems to fail, customer declares they absolutely don't need backups for their workstations, they only need it for their servers and that their users will always remember to put the data on the server. Except they don't . . . and there ends up being something business critical on Joe User's laptop that they just dropped/spilled on/etc.

The way Flashback works is they'll do an eval on the drive (which they used to charge a couple hundred bucks to just do the eval, but they've gotten cheaper on the more common drive types) - after they get you the list of files that they can get back, they'll quote you what it takes to recover the data and you can choose whether to move forward. If they can't get anything, they let you know and you aren't out thousands of bucks with nothing to show for it.

As much as we try to avoid the situation where an individual drive matters when it comes to data, the human part of business seems to generate conditions that causes these guys to be needed. I rarely have had to take anything to these guys, but overall I've been happy with the turn around, the pricing is reasonable compared to the national-mailin type chains and they don't sell you on things that are impossible. Usually I end up just bringing them a boxxed drive to dump the data on if they can get it, but they've been flexible at getting the important files up on a site that we can ftp it if the customer desperately wanted it.

(and that's probably a better slashvertisement than what ended up coming across in the video - there was still some good info in it about how the ssd recovery differs from platter based if you can sit through the eye twitching and 'ums'). In any case - they haven't come across as the usual scum/basement recovery operations.

Re:Personal experience with them - they are legit

[gweihir]

Good to know. So just their PR sucks. Actually, that may be an indicator that their work is not too bad, because the crooks rely on PR to get new customers, while those that actually get results can rely in part on repeat business.

spamdot?

[X0563511]

We can flag comments as spam, but not "stories" such as this. Hmm.

Re:Advertisement within an advertisement?

[cdrudge]

You've hurt my feelings since you didn't obscure SHIT.

LOL DR Chipper Shredder

[Virtucon]

I doubt after your hard drive goes through a chipper/shredder that they could recover the data.

Duct tape is like the Force.

[drainbramage]

There is a light side and a dark side.
Use the tape wisely.