Hey guys, I just did a hard drive recovery for a close friend using the EaseUS recovery tool. After a deep scan, I have found data from way back when the hard drive was first ever used, including data they personally deleted. It's made me a bit wary of how easy it is to locate 'deleted' data. I know a lot of antivirus programs say they can delete data so it's unrecoverable. But I was wondering if there is anything that people on here may have used to great success...
This was just recently mentioned in Jay's most recent Tech talk, and, as many previously mentioned, on HDDs things don't necessarily stay deleted after you delete them.
To make sure something STAYS deleted on an HDD, you need a piece of software that rewrites the entire hard drive four times. Or, to bring it to a more technical level: you want software that will continue to overwrite every single byte with zeroes (I'm referring to binary) four times.
For future reference, SSDs don't have this problem, because SSDs work differently. When you delete something off an SSD it stays deleted because data cannot be overwritten on a flash chip (that is on an SSD). It must be deleted to be written onto.
Absolutely. For HDDs you have to understand what happens when Windows deletes a file (or when you delete a file on Windows); I'll describe it using an analogy.
All you're really doing is just taking a notebook that has written "notes" and ripping out the pages. You still have those pages, they are just not in the "Notebook" anymore. If you try looking in the notebook you obviously won't find the "Notes", the notes being the files of course.
Same thing with the HDD: you delete it once, and it's just being deleted from the "Notebook", or Windows in this case. You still have the file written on the hard drive (you are still holding onto the "pages").
Think of it like this: if you continue ripping that page, of course you won't be able to access or read it anymore. A hard drive is no different. If you continue rewriting over that file it will eventually be inaccessible or, in our case, gone, which is what we want.
The way Windows formats hard drives, it doesn't set all those numbers to 0. And it's sort of been proven: if you delete files on Windows and then run a Linux distribution (on a flash drive, for example) and start searching through the hard drive from Linux, you can still find the files you deleted on Windows from the Linux operating system.
When using an HDD, erasing the hard drive 3 or 4 times is necessary (as crazy as it sounds).
In Linux, you can set by default that data - when deleted - is overwritten with random noise or zeroes a number of times.
In general, standard Linux carving tools can normally recover data that's been overwritten up to 4 times, and possibly even data that is overwritten more times can be recovered by disassembling the hard drive and using specialized hardware to read out the disks. Some companies use proprietary Linux carving tools that are a bit more powerful than the standard open source ones.
The advantage with Linux is that you know exactly where the sensitive data is on the disk from the moment it is written, even from the moment it is cached temporarily. It's therefore easy to overwrite the sensitive data without major overhead if it's done systematically.
On systems with fragmenting archaic filesystems, the data, however, can be anywhere, there is no tracking it, and proprietary systems use "reserved" partitions on disks, so the only solution there is to use Linux or BSD to destroy the data on the entire disk and all remnants of a possible proprietary system that was on that disk. The best way to destroy that data is to overwrite it with random noise multiple times. In most confidential industries, between 5 and 10 times overwrite is now used, and that seems to work well enough.
You never write just one bit, and that's the problem: any logical writing operation can be undone by inverting the logic. The logic doesn't only show from the exact data written in that operation alone. Modern carving and data recovery tools are pretty powerful, and there's plenty of processing power available for them.
The binary character is what makes digital data so vulnerable: it takes a lot of bits to make sense, and when there is a big collection of something, there are patterns, and where there are patterns, there's reversed logic.
My dad works on classified government projects and he told me that a while ago they had to change how they decommission HDDs with classified information. Previously, they would zero the drive (or write random data to the entire HDD, I can't remember offhand) several times over. Afterwards, the drives were shredded. There were some guys (Navy, I think) that got their hands on some shredded HDDs (not from my dad's company, just some random decommissioned HDDs) and were able to piece the platters back together and recover large portions of data that was classified. After news of that got around, the policy changed. Now the HDDs are disassembled and the platters are removed and incinerated.
Of course, they weren't using consumer-grade recovery software. As has been mentioned, there are advanced techniques and methods to data recovery. They had custom-built hardware and specialized software to do the recovery. They were able to recover data despite it being overwritten several times and even despite the physical HDD being shredded. Given sufficient time and resources, a lot can be recovered from HDDs even if you don't want it to be.
I thought it was seven times. The DoD uses a 7-pass method, which is an option in Eraser.
Yes, overwriting something once isn't enough. Data can still be recovered, but the average user probably won't be able to do it. There's a whole field of study dedicated to this called "data forensics." Of course, nothing is as secure as physical destruction, which I heard is how some government agencies do it. They have a shredder designed just for shredding hard drives. Degaussing also works, but the magnets have to be strong enough, and there's always a lack of confirmation unless you try to use the drive.
Holy crap! Seriously, @Trogdor0?! I thought physical destruction was the ultimate form of data destruction. Should've known better, since the same can be done with paper documents. Thanks for sharing this important information. ^_^b
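The multi-pass overwrite that several posts above describe (four passes, the 7-pass option in Eraser), written out as an added Python example; it is not code from any poster or from a tool named in the thread. The function names `wipe_file` and `overwrite_pass` and the pass pattern (random bytes, then a final zero pass) are choices made for this example. It assumes a filesystem and drive that write a file's blocks in place, and it covers one file rather than a whole disk.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # write in 1 MiB blocks so large files do not fill memory


def overwrite_pass(fd, size, random_fill):
    """Overwrite bytes 0..size of an open file with random data or zeroes."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        block = secrets.token_bytes(n) if random_fill else bytes(n)
        remaining -= os.write(fd, block)  # a short write just loops again
    os.fsync(fd)  # flush this pass to the device before the next one starts


def wipe_file(path, passes=4, delete=True):
    """Overwrite a file in place `passes` times, then optionally unlink it.

    Every pass but the last writes random bytes; the last writes zeroes
    (a pattern chosen for this example). Returns the bytes covered per pass.
    """
    if passes < 1:
        raise ValueError("passes must be at least 1")
    # No O_TRUNC: truncating would release the blocks instead of overwriting them.
    fd = os.open(path, os.O_WRONLY | getattr(os, "O_BINARY", 0))
    try:
        size = os.fstat(fd).st_size
        for i in range(passes):
            overwrite_pass(fd, size, random_fill=(i < passes - 1))
    finally:
        os.close(fd)
    if delete:
        os.remove(path)
    return size


if __name__ == "__main__":
    # Constructed sample file, not data from the thread.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"account=12345;pin=0000\n" * 100)
    print(wipe_file(f.name, passes=7, delete=False), "bytes overwritten")
    with open(f.name, "rb") as check:
        print("only zeroes left:", set(check.read()) == {0})
    os.remove(f.name)
```

The overwrite happens before the unlink because, once the directory entry is gone, the program no longer has a handle on which blocks held the data.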