Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Security IT

Forensic Computer Targets Digital Crime 212

Posted by kdawson from the taking-a-byte-out-of-it dept.
coondoggie writes "A European consortium has come up with a high-speed digital forensic computer dedicated to the task of quickly offloading and analyzing computer records. The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min., far faster than alternative equipment. The PC not only provides a complete mirror image of the hard disk and system memory — including deleted and reformatted data — but also eliminates any possibility of falsification in the process, meaning that the evidence it collects will stand up in court."
This discussion has been archived. No new comments can be posted.

Forensic Computer Targets Digital Crime More

Forensic Computer Targets Digital Crime

Comments Filter:

  • how good is it? (Score:2, Interesting)

    by thatskinnyguy ( 1129515 )
    I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times.

    • Re: (Score:2)

      by omeomi ( 675045 )
      the FBI can see data that has been overwritten 12 times.

      The FBI publishes this information?

      • Re: (Score:2, Insightful)

        by Harmonious Botch ( 921977 ) *
        One of their experts has probably testified to it under oath.

      • Re: (Score:2, Informative)

        by thatskinnyguy ( 1129515 )
        An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.

        • Re:how good is it? (Score:5, Funny)

          by compro01 ( 777531 ) on Sunday September 09, 2007 @03:25AM (#20526685)
          well, as someone said in a previous discussion:

          The only way to truely protect your data is to grind up your hard drive into powder, magnetize it all, then heat it into a liquid. Cool and grind it up again, scatter it into the wind, and just HOPE entropy does the rest.

        • Re: (Score:2)

          by suv4x4 ( 956391 )
          An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.

          I just find it odd that some storage device company hasn't integrated an electron microscope to create infinite storage plate yet :)

          Honestly though, if you have so sensitive info just don't put it on your HDD. You can keep it on external Flash storage, which is easily removed, disposed of, or destroyed.

          • Re: (Score:3, Insightful)

            by GPL Apostate ( 1138631 )
            Most people have little control of where the info gets cached on the system. You can *think* that it's only on the flash drive, but somehow an app sticks it into swap or a file in a temp folder.

        • Re: (Score:3, Insightful)

          by gweihir ( 88907 )
          An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.

          But the magnetic landscabe is noisy and there is a smalles stable magnetic intensity. After one overwrite it is very likely that the residual magnetisation from the eralier data vanishes in the noise and is too small to be stable, at least fo current disks. Remember that the HDD manufacturers have benn storing very close to the material limits for some time now.

    • Re: (Score:3, Insightful)

      by dclocke ( 929925 )
      I wouldn't mind seeing a source on that statistic. Because I'd be pretty comfortable betting my life savings that it's not true.

      • Re: (Score:3, Informative)

        by deftcoder ( 1090261 )
        Agreed, considering the NSA standard for data wipes is 7 random passes...

        I'm more comfortable using this though: http://en.wikipedia.org/wiki/Gutmann_method [wikipedia.org]

        • Re: (Score:3, Informative)

          by Jah-Wren Ryel ( 80510 )

          Agreed, considering the NSA standard for data wipes is 7 random passes...
          The NSA has no such standard.
          Really, try to find an official source, you won't.

        • Re: (Score:2)

          by Nullav ( 1053766 )
          I'm more comfortable just hitting the thing with something heavy or melting it all together with thermite. If you're serious about wiping the thing so absolutely no one can read it, you should either write complete nonsense on the disk 30-40 times (maybe something innocuous on the last few passes) or physically destroy it and swap it out.
        • If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.

          Seems like Gutmann himself says his method is only relevant for old encoding technologies like RLL and MFM... and he also says

    • Re: (Score:2, Insightful)

      by Remik ( 412425 )
      It doesn't matter how many times, it only matters which methods are used. If you're just using a Windows format (or worse, quick format), you can run it 100 times and the data will still be accessible.

      That said, the DoD standard for "wiping" a drive is also excessive in what it requires to declare the media clean. (All 0s, then all 1s, then 010101..., then all 0s again...blah blah blah)

      My somewhat expert opinion is that a program that writes the drive to all 0s or all 1s is all you need.

      -R
      • I've heard from an unreliable source (perhaps it was on slashdot, I can't recall) that a good method for doing this is rather to write data streams randomly. Something like an MP3 or any binary you'd like.

        I guess the theory was that if you do this a few times with random sources, the magnetic characteristics (shadows) have not all been changed by the same amount, so you can't apply a logarithmic algorithm to figure out the possible states that the disk could have been in and see if they make any sense.

      • Re: (Score:2)

        by arivanov ( 12034 )
        Aaaa...
        The good old 00, FF, AA, 55, 5A, A5, 00. This is what memory tests used to do in the days where the memory tech implied possible interference between adjacent bits. I am not sure if this is of any particular relevance to modern hard disk tech though...

    • Reformat != Overwrite (Score:3, Insightful)

      by Nymz ( 905908 )

      I have to wonder, after how many overwrites can this system detect data?

      I'm thinking zero overwrites. From the article it appears that the system is a portable solution that only plugs into hard drives, and not a reader of the platters themselves. Software alone can analyze deleted files and a reformated file table, but it cannot use the orignal drive to read information that was overwritten.
    • You cannot read data overwritten even once unless you disassemble the hard drive. If you use a disk copy utility, any of them, you get nothing more than the current layer of data. That is simply all a hard drive reads. As such if you wished to get any overwritten data you'd have to take the platters out and put them under some other kind of analysis equipment.

      As for the feasibility of that, well, there isn't. Sorry. Even if you have a setup to do that, the chances of getting anything useful are extremely lo

      • Re: (Score:2)

        by AmiMoJo ( 196126 )
        Furthermore, the idea that it can copy what is in the computers memory is rubbish too.

        Aside from anything, Windows and Linux both have memory protection which prevents programs reading any memory except their own, which is cleared before it is given to them. Sure, on Windows if they happened to catch the PC booted up and logged in as an administrator they could install a driver to copy the contents of the PCs RAM, but then they would have tampered with the evidence and it would be worthless anyway.

        I wonder

        • Sure, on Windows if they happened to catch the PC booted up and logged in as an administrator they could install a driver to copy the contents of the PCs RAM, but then they would have tampered with the evidence and it would be worthless anyway.

          ... and, most importantly, they would need to have the presence of mind to do it right there. Usually, however, this is not how these "raids" happen. It's more like "jackbooted thugs cart everything off, and geeks do the analysis months later". Once it's unplugged, all RAM is gone.

        • Reality check for you (Score:3, Informative)

          by Burz ( 138833 )
          re: live RAM acquisition - http://it.slashdot.org/comments.pl?sid=291981&cid= 20526915 [slashdot.org]

      • Re: (Score:2)

        by orin ( 113079 )
        There are a few places that you can start, but I'd start with books like Moenssens books on scientific evidence which go into some detail in terms of the admissability of this sort of evidence.

      • Re: (Score:3, Insightful)

        by turbidostato ( 878842 )
        "1) You are, in fact, guessing. You are looking at imprecise data and trying to figure out what was there. Any competent defense attorney would tear such a thing apart. Just because the technician assumes a string of bits corresponds to a given waveform, doesn't mean they are right."

        Not to say you are wrong; I think you are overall right, in fact. But in an ideal world, a competent attorney can't have more than justice gives him (after all, if you can hope for a "competent defense attorney" you should expe

    • Re: (Score:3, Interesting)

      by Jah-Wren Ryel ( 80510 )

      I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times.
      Possible, but highly unlikely and certainly expensive if they were able to pull it off.

      Read this, including the epilogue:
      Secure Deletion of Data from Magnetic and Solid-State Memory [auckland.ac.nz]

    • If it doesn't involve cracking the disk's case open in a cleanroom (and this is just a hot PC with write blockers), then it's at the mercy of the drive's read head and every bit it gets will be what the drive natively believes is a bit.

      Recovering overwritten information isn't the big deal in forensics, anyway. Organizing, managing and documenting the mountain of evidence is. If you're dealing with well written malware, worry that it's not on the disk at all and is strictly RAM-resident.

    • Drive density (Score:4, Interesting)

      by Beryllium Sphere(tm) ( 193358 ) on Sunday September 09, 2007 @01:16AM (#20526181) Journal
      I'd enjoy seeing (recent!) references on this, since hard drive technology has moved quite a bit since the Gutmann paper (the epilogue to which says "with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques").

      The two best arguments I've seen among the speculation are

      AGAINST: if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?
      FOR: a read head in a lab doesn't have to be light, may not need to be fast, and definitely doesn't have to cost less than a good dinner. In other words, it's not subject to the limitations of the drive's read head.

      • Re: (Score:3, Insightful)

        by timmarhy ( 659436 )
        "if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?"

        what makes you think they would want to do that? it'd be dog slow, and it'd also be error prone. none of which helps to sell drives.

      • AGAINST: if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?
        Yes, but you'd need to take apart your hard disk and bring in a forensic analyst to actually get any data off it. And there'd be no random access, you could only write to the top layer.

    • Re:how good is it? (Score:5, Interesting)

      by SamP2 ( 1097897 ) on Sunday September 09, 2007 @01:17AM (#20526187)
      I keep seeing over and over posts that say that a "hardware" method would be the one that is totally secure, and the best example being a hammer.

      You'd be surprised, however, how resistant drives can be do physical damage.

      For those who know anything about hard drives (referring to regular platter drives, not solid state), you'd know that inside the rectangular case (made out of crappy soft aluminum) lie several plates connected to each other through a spinner in the middle, and they are made out of pretty strong steel.

      When I took my data security course, we practiced destroying data physically. So I opened the hard drive, removed the platters and disconnected them. Then came the fun part, trying to destroy them.

      First I tried several grades of sandpaper. All the lighter ones didn't leave a JACK SQUAT mark, no matter how hard I tried. The most heavy ones left _very_ small marks which were only visible in the direction of the strongest applied force. Sanding a whole drive this way would take days, and I wasn't sure it was strong enough to actually fully remove the magnetic cover. If anything, I damaged the sandpaper more than the drive.

      Then I tried a metal file. The results were considerably better, with deep strong marks, but again, they only covered the path of the sharpest edge of the file, not the whole contact surface area. I filed away for 5 minutes straight, and I only managed to produce about 30% area of a single side of a single platter which I could say was destroyed with high probability of not being recoverable.

      Finally, I tried a heavy hammer on another platter, having locked the platter in a vise. I wasn't impressed. The hammer, at best, produced bends across the drive. After another 5 minutes of hammering away, the drive was certainly not round anymore, but the total surface area actually destroyed by these bends was fairly minimal. Sure, it may prevent an easy automatic way of recovering data using regular means (spinning it against a magnetic reader the same way drives usually work), but I'd say at least 80% of that platter still had data on it. The manual work requiring to read the data piece by piece may indeed take weeks, but it would probably be possible, and having the mentality of "it'll take them too much work to read it" is akin to having the mentality of "nobody will hack me because I'm not a target of interest and they won't bother". From the point of view of a security specialist, it's wrong in principle.

      The moral of the story is that hard drives are a pretty tough nut and not as easily physically destroyed as you may think. To all those rambling away about how unreliable hard drives are and how easy they break down, I'd say that in the vast, vast majority of cases what breaks down is the engine, the magnetic mechanism, or something else that would prevent the drive from being readable by tools built in the drive box, but not the platters with the data itself.

      Another common myth is that you can easily and securely permanently wipe the data with a magnet. The forces required to near-instantly and irrecoverably overwrite the magnetic stripe of the disk are ENORMOUS. During regular usage, a relatively weak magnet is used to read and write on the disk, but it only operates on a minuscule area of the disk (trivially, by writing a bit on an 4 (double sided)-platter 500GB drive, the magnetic edge only operates on 1/500,000,000,000th area of the platter. Now use the denominator to figure out the magnetic intensity required to fully overwrite the whole disk at once. It ain't pretty. Industrial-grade degaussers may do the trick, but not your average home magnet (which, of course, doesn't mean the magnet is not good enough to randomly corrupt a small part of the data which will screw your partition table and make your OS refuse the read the drive anyways). But I somehow doubt the folks in the NSA use Windows XP Home Edition to investigate hard drives.

      The "true" way to destroy hard drives is to completely melt them in an incinerator, and t

      • Re: (Score:2, Interesting)

        by Hex4def6 ( 538820 )
        Why not just dip the platters in a some corrosive? I'm sure even some like drano might do the trickk.

        Or perhaps how about holding the platters up to a propane torch? you wouldn't need to melt them, just get them hot enough that they lose their magnetic field.
        • The Curie point of modern magnetic media is higher than the melting point of aluminum.

        • Re: (Score:3, Informative)

          by toddestan ( 632714 )
          Why not just dip the platters in a some corrosive? I'm sure even some like drano might do the trickk.

          Harddrives platters are commonly coated with DLC (diamond like coating). The Drano is not going to get through that to the metal. The DLC is also why the parent poster had no luck with sandpaper, as the DLC is likely harder than the grit. (the purpose of the DLC is to protect the platters from accidental contact with the heads - it's tough stuff)

          However, your idea could work if the chemical was particular

      • Re: (Score:3, Informative)

        by TooMuchToDo ( 882796 )
        I always though the best poor man's magnetic eraser would be an old MRI machine. Keep your storage array near the center suspended by a strong, non-metallic material. Someone busts in the door? Just push the breaker on for that MRI machine.

        That, my friend, should be enough electromagnetic energy to wipe the entire drive at once.

        • Re: (Score:3, Interesting)

          by DMUTPeregrine ( 612791 )
          Pulsed-power. coin shrinkers [delete.org] are an easy solution. Just use the coil around the HDD instead of a coin. I generally just use a grinding wheel. It's hard to read platters once they are dust.

      • Re: (Score:2)

        by ophix ( 680455 )
        I use an arc welder. Probably one of the most enjoyable ways of destroying old hard drives that guarantees a lack of data recovery.

        Old backup tapes get torched .... literally. My employer lets me use an acetylene torch to burn them.

        Hammers are overrated ;}

        Arc welders and acetylene torches are where it's at

      • The moral of the story is that hard drives are a pretty tough nut and not as easily physically destroyed as you may think. To all those rambling away about how unreliable hard drives are and how easy they break down, I'd say that in the vast, vast majority of cases what breaks down is the engine, the magnetic mechanism, or something else that would prevent the drive from being readable by tools built in the drive box, but not the platters with the data itself.

        What's funny is older drives which have had some bad sectors on them, I opened them up and discovered pitting. Whatever managed to get in the drive managed to eat a away at a few small holes.

        Anyhow, rather than using brute force to destroy platters, or heat, why not try electrolysis. Sodium carbonate solution, attach to a strong 12V supply, + to platter - to an electrode, and the ferrite layer erode.

      • Re: (Score:2)

        by aliquis ( 678370 )
        According to Storage review [storagereview.com] they are made of aluminium (eventually alloys) or glass (eventually mixed with ceramics.)

      • Re: (Score:3)

        by arminw ( 717974 )
        ..... when you see the FBI at your door going after all your pirated MP3s, I'd just say don't bet on it to work...........

        I think a disk drive tossed into our hot wood stove the moment an unknown knock came to the door, would be useless to the FBI/KGB/CIA/NSA or anyone else of equal expertise. The stove works well on old papers and credit cards also. Everybody with deep dark secrets needs a good wood stove. As a side benefit, it'll keep the house nice and warm for cheap.
    • "the FBI can see data that has been overwritten 12 times"

      Bull. Shit.

      If the data has been overwritten (actually overwritten, not just "deleted" or disk format) there's not a company/organisation/indivitual in the world that can read the data that used to be stored there.

      Granted, an on-track overwrite will in most cases leave residual off-track magnetic trace that could be recovered using exotic forensic techniques, but this can be extremely difficult and highly unreliable - especially for newer HDD's using d
    • Maybe the older HDs of under 32gig, but todays high density drives use such modern writing and its so tiny that there is no overlap or
      micro leaks to look for. Besides you would need a damn $100m machine to do it.
    • I have to wonder, after how many overwrites can this system detect data?

      None.

      The drives connect via normal SCSI, SATA or IDE connections. There is no way to read the raw data from the heads. Even if you could, it wouldn't help on any disk made in the past 10 years or so, because modern drives don't use simple on/off transitions to record data. The idea is that with very very old disks, it's possible to see minute fluctuations in the levels of the recorded bits and see what they once were. It's sort-of

    • Re:how good is it? (Score:4, Informative)

      by MoralHazard ( 447833 ) on Sunday September 09, 2007 @10:59AM (#20528449)
      Dear God, when will the FUD stop??!!?? This silly meme has been making the rounds for a very long time, ever since Gutmann wrote that god-awful paper for USENIX '96. IT IS NOT TRUE!! There are no scientific or engineering papers that provide any evidence to suggest otherwise--NONE.

      Here's the story: Back in 1996, Peter Gutmann published a paper where he described the theoretical possibility of reading small sections of overwritten data, in a largely unreliable fashion. Having gone back through the source he cites, I came to be of the opinion that his assertion was irresponsible, since he makes a very bold claim without pointing out how many qualifications and 'but's are attached to it:

      1) The specific techniques he discusses address older hard drive platter recording technologies that were completely supplanted, throughout the industry, in 1996-1997. Newer hard drives changed recording techniques to cram more data onto the same platter area, which eliminated the specific properties that would have allowed Gutmann's proposed recovery method to work.

      2) None of Gutmann's citations ever claimed to have made the recovery methods work in a practical fashion (as in, actually recovering a sector of data, let alone a whole file) on a real hard drive. There were a few lab experiments that were NOT performed on hard drives, and nobody was cited as actually implementing a real-world method.

      3) Since the 1996 paper (in '99, I believe), Gutmann published a revised draft that really only changed the section talking about this issue, and he significantly backpedaled his claims. Supposedly, some of his colleagues pointed out that his assertion was scientifically unsupported and extremely inflammatory. Net result: In the newest version of that paper, he basically admits that recovery of overwritten data, on modern hard drives, is snake oil.

      There's more, though. Having worked in forensics and specifically dealt with federal law enforcement agencies, I get a chuckle when people (usually, the same tinfoil-hat guys who believe in aliens at Roswell) talk like the FBI has secret recovery technology that the private sector doesn't. This is provable bullshit, for several reasons:

      1) The FBI has no real engineering capacity, and they're not as good at stuff like this as you think. In data forensics, especially, their equipment, techniques, and training have never been as good as what the private sector has. The private sector has more money, which means it can buy the newest toys and do real R&D, and it can afford to pay the big-ass salaries that cutting edge engineers require. For comparison, go ask somebody at Hitachi or Segate who does hard drive research how much money they make. Then, ask the FBI how much their highest-paid experts make. It's going to be at least a 2:1 difference, maybe more.

      2) Secret methodologies are useless to the FBI, because they would never hold up in court. Data forensics depends on its credibility under the standards of scientific evidence, otherwise it gets tossed out of court and the defense wins. The basic test of scientific evidence is "Does the scientific community have a consensus that this method is correct?" If it's a secret method, there can be no consensus in the community, and it can't be used in court.

      3) There's a simple thought experiment that verifies this: If it were possible to read data that has been overwritten even once, doesn't that mean that your hard drive has an actual storage capacity is twice what the manufacturer is actually giving you. How much sense does that make? Those guys jump on every technology possible to cram more data into a smaller space, so even if it's space-alien-magic stuff, they'll have an enormous incentive to make it practical to mass-produce. And they usually do just that. There only a tiny bit more usable capacity on your drive (Let alone 12x worth!) than the manufacturer's label says, and that's replacement sectors for areas that develop problems--we know about that, and it's not useful in data forensics for other reasons.

  • Not so fast... (Score:4, Informative)

    by Remik ( 412425 ) on Sunday September 09, 2007 @12:30AM (#20525961)
    2gb/min isn't that fast.

    Standalone devices like the Logicube [logicube.com] Talon copy twice as fast. They also hash the drives and store audit trails to a CF card.

    I can see the potential benefit to creating 3 mirrored drives at once, but it is extremely limited.

    -R
  • "The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min. The same transfer would take 30 to 60 minutes using alternative equipment said Martin Hermann, general director of MH-services..."

    And, don't forget this gem:"...eliminates any possibility of falsification in the process."

    Although, I must be honest... A pre-configured dual-boot XP/Linux forensics box, 4GB RAM, 2TB internal HD, and a 3TB external backup system, seems lik

    • Re: (Score:2)

      by Remik ( 412425 )
      There's some pretty good FUD coming from the developers here, as well..

      They make it seem like a huge problem that EnCase isn't entirely secure against potential attacks from the target machine. Well...the only time I'd use a software acquisition method is when a hardware acquisition is strictly out of the equation (i.e. live & critical servers that cannot under any circumstances be shut down). How likely are the servers for an airline's ticketing system to be booby-trapped?

      They're creating problems an

      • Re: (Score:2)

        by dgatwood ( 11270 )

        FireWire hardware can be set up to allow or disallow DMA requests depending on the device on the other end of the wire. Most OSes now only allow it if the device on the other end looks like a hard drive for security reasons. You can lock them down further if you want:

        http://matt.ucc.asn.au/apple/ [ucc.asn.au]
        http://rentzsch.com/macosx/securingFirewire [rentzsch.com]

        Linux also has security features [linux1394.org] in recent versions of its kernel to protect against arbitrary DMA attacks. (Search for firewire-ohci.) Windows does the same th

    • Re: (Score:3, Interesting)

      by Fourier ( 60719 )
      The article mentions this being chose over sleuthkit, which makes me wonder just how much better (if at all) the software internals are on the TreCorder.

      The key isn't so much the software as it is the hardware. The TreCorder uses hardware write blockers [tableau.com] to provide a rather strong guarantee that the original data will not be corrupted even if the OS and the acquisition software happen to be written by idiots.

    • Re: (Score:2)

      by v1 ( 525388 )
      but also eliminates any possibility of falsification in the process

      I just love it when people automatically consider a system impenetrable the second you seal it up with so much as a strip of duct tape.

      Who does he work for? Diebold?

      Security is never absolute.

  • doubtful (Score:3, Insightful)

    by crossmr ( 957846 ) on Sunday September 09, 2007 @01:05AM (#20526131) Journal
    does it create a read only image that can never be tampered with? Given the fact that anyone can do just about anything, most digital evidence always leaves me lacking.
    • If it's like everything else in that space it generates a secure hash of the source material as it's being acquired. Write that down and store it someplace, and you can prove later that the data haven't changed, barring a mathematical breakthrough or the most amazing coincidence in world history.

    • Re: (Score:2)

      by Cheesey ( 70139 )
      This is a good reason to use full disk encryption. You can't tamper with such an image unless you know the key. If the police accuse you of a crime and confiscate your computer, you can refuse to unlock the hard disk data until you are certain that corrupt policemen will not be able to add new files to incriminate you. (Plus, if your machine gets stolen, the thief has no access to your data.)

      • Re: (Score:2)

        by crossmr ( 957846 )
        unfortunately they don't let you sit there and watch them while they spend days and weeks coming through the contents of your hard drive and other media.
         
  • I'm sure that the RIAA is in line for the first dozen.

    But how can it read reformatted data? I was always of the impression that to read more than the most recent data required removing the platters and using special equipment on the naked disc surface. If the original disc heads were reading all these previous layers, they'd never be able to accurately read the current data on the hard drive.

    • Re: (Score:2)

      by Remik ( 412425 )
      Depends what you mean by "reformatted".

      Usually:

      Deleting only updates the FAT. The data is all still there.

      Formatting only deletes the FAT. The data is all still there.

      What you're referring to with "reading all the previous layers" is quasi-theoretical ways of getting at data that has been completely overwritten.

      Unless your deleting/formatting process actually overwrites the data, it is all still there.

      -R

      • Re: (Score:3, Interesting)

        by RLiegh ( 247921 )
        What about when you replace FAT (or NTFS) with another filesystem entirely? Would the format done by mkfs.ext2 (or whatever) overwrite the data, or would it simply set up a filesystem table and leave the previous data on the drive readily accessible (to anyone who wants to recover it)?

        • Re: (Score:2)

          by aliquis ( 678370 )
          I have no idea what it does but considering how fast most formats are done I'm very confident it doesn't overwrite all data atleast. I guess it atleast overwrites the data on the blocks where it stores superblock backups.
      • You may notice that Windows has a "quick" and normal format. The difference? About an hour on a large drive. So why the time difference? Well a quick format goes and just writes to disk what is needed for the partition, which is an empty MFT more or less. Takes little time. All sectors are marked as blank and usable, but aren't touched. A full format then goes and zeros all the sectors.

        It's actually not for security, but for reliability. During the full format, if there's a sector that's problematic to writ
  • This makes the argument for keeping all your important data on a drive with an interface so old and obscure that this new box can't interface to it.
  • I wish I had one of those, but not "secure" (and so much cheaper) that can just clone one existing HD I'm replacing onto a larger one with which I'm replacing it. Even 1Gbps would be good.

    Maybe there's a dead-simple Linux app that will do this across a Gb-ethernet. Not just "network tar", but which reloads a new drive that's got only a new install of the OS (eg. Ubuntu) with only the non-OS data, plus OS configs (eg. /etc), from the old one.

    • Re: (Score:3, Insightful)

      by Cheesey ( 70139 )
      The job you are talking about is quite easy on Linux because the only file that requires a special post-copy procedure is the kernel image - and even then, you only have to rerun lilo or grub. In fact you can copy an entire disk image using just "cp -a", and it will still boot if you update lilo or grub. The best way to upgrade a Linux system to a new hard disk is to do a copy in that way, with the target disk mounted somewhere in the current system. Then swap the disks, boot from a live CD, and run lilo or
      • Mostly true. But there's a lot more to reinstalling a corrupted (or possibly) OS than just the kernel image. Or I'd just (apt-get --reinstall install kernel-image). When I upgrade drives, I also like to prune back my installed apps. It decreases the dependency hell. And it removes the bloat from all the apps I installed for one-shot tasks, or experimenting.

        I hear there's a way to get APT to generate a graph of all the installed apps, with dependencies. I wish I could use that graph as a UI to prune and add

  • Anyone make a self distruct system for a PC? (Score:3, Interesting)

    by WarlockD ( 623872 ) on Sunday September 09, 2007 @01:23AM (#20526219)
    Seriously, like some kind of bullet that shoots the hard drive (Maybe 22round, aimed toward the ground) and can be activated at a press of a button?

    • Re: (Score:3, Insightful)

      by 'Aikanaka ( 581446 )
      I recommend a thermite disk eraser - http://www.metacafe.com/watch/599982/how_to_make_t hermite/ [metacafe.com] - which will provide a very quick method of creating a very non-recoverable hard disk. Thermite FTW!

      • Re: (Score:3, Interesting)

        by aliquis ( 678370 )
        Yeah, just open an old HDD, remove the platters and heads and fill it with thermite, connect an electronic igniter (if one exist/works) to the molex-connector and you are good to go!

        That will show them not to touch your data ;D

        Or in your case put that drive on top of the other and light it yourself when they come knocking on your door.
    • That would certainly give new meaning to the warning: "Be careful what you type when logged in as root. You could easily shoot yourself in the foot!"
    • Encrypting the drive seems to be saver, easier and less prone to devastating and potentially deadly errors.

      Not to mention, if you are doing this to protect yourself from the police, then "wired his pc with a bomb" will not sound good in front of a jury.

  • Secure drives and erasure (Score:5, Interesting)

    by Barny ( 103770 ) on Sunday September 09, 2007 @02:01AM (#20526373) Journal
    Ahh just in time then is Seagates announcement of FDE series of drives, they use a small linux based boot sector to allow or disallow access to the drives decoding hardware, of course without that hardware enabled and with the right key it will all be useless :)

    As for the people talking about "safe methods for wiping drives", the only place I (personally) know of that has such requirements is DIGO http://www.defence.gov.au/digo/ [defence.gov.au] they use a furnace, works damn well. The moral of the story is, new drives are cheap, why fuck around with "maybe".

    • Ahh just in time then is Seagates announcement of FDE series of drives, they use a small linux based boot sector to allow or disallow access to the drives decoding hardware, of course without that hardware enabled and with the right key it will all be useless :)
      And you don't think there is a built-in backdoor already there from the factory?

      • Re: (Score:2)

        by Barny ( 103770 )
        Oh yeah, of course...

        And if it became publicly known that Seagate did such a thing they would lose their corporate clients how fast?

  • 240 volts to usb/firewire ports (Score:5, Funny)

    by timmarhy ( 659436 ) on Sunday September 09, 2007 @02:21AM (#20526453)
    This makes me want to disconnect my usb/firewire cables and solder a 240 volt feed to them.

    lets see their nifty device copy shit then.

  • From post-Soviet Russia, digital crime targets you !

Slashdot Top Deals

On the eighth day, God created FORTRAN.

Close