There have always been rumors that the NSA or someone could recover even data that had been overwritten n times, but if that were true, the same techniques could be used to make a drive with n+1 times the capacity. Maybe they can sometimes get fragments, if the original data was overwritten only once, and if it wasn’t encrypted. Anything beyond that, I’m highly skeptical.
When I worked at a hosting company, we would do a similar procedure ourselves when the disk would still spin and made no awful noises, but couldn’t be read. In that case, we’d go into our closet of used drives (we had thousands at times), find one that matched the dead one as closely as possible, replace the controller board, and see if we could read it. Recovered customer’s data a few times that way. If that didn’t work, we’d offer to send the drive to them, and they could send it to the data recovery service of their choice.
I’ve had friends and customers get their overwritten files back from regular data recovery services, not the NSA. Reading between the tracks for data recovery used to be a common practice in that situation. Even using a program like DBAN will still leave data recoverable by a determined person with the proper tools.
In the special case that a drive contains particularly sensitive information that should not be recovered by anyone, the only solution is to degauss or destroy the drive; both of which will make the drive unusable.
From this PDF describing some methods of magnetic data recovery: Account Suspended
Watch the first three videos here: https://www.youtube.com/c/LinusTechTips/search?query=data+recovery
Your cited paper is undated but the most recent citation within it was dated 2006. And the IT culture it’s describing sounds about like then, if not earlier.
That doesn’t make the info necessarily wrong, but it does mean the info it has is increasingly suspect. New tools and techniques can retrieve older data more easily. And of course a paper written in ~2006 can’t possibly say anything about new storage techniques invented after that. Such as how to recover, or what’s necessary to prevent recovery, from an SSD.
Oh yes, that doc is exclusively about platters. SSDs are a different ball game. I haven’t tried to recover data from an SSD, and don’t know anyone who has. So, I can’t comment on it.
No you haven’t. They may have had deleted data recovered, but the recovery of overwritten data is somewhere between a rumor and a theoretical possibility. No one has ever demonstrated it actually being done. If it is possible, it requires equipment and time investment far beyond what anything your friend has could possibly be worth. How many scanning tunneling microscopes does this “regular data recovery service” own?
See this link: Can Intelligence Agencies Read Overwritten Data? - MyNBER
Hmm, interesting article. In truth, I was not around for the overwrite either time. Both times they said they overwrote data, and I advised them to find a data recovery outfit because even if they’d just deleted the data from an ext3 filesystem it was beyond my abilities to recover it. It’s possible they just overwrote the first inode, and the rest of the file was still there scattered around the drive.
And of course, I didn’t bother finding out the name of the service they used, so I can’t even inquire about what actually happened.
I recall reading that trying to identify overwritten data requires you to have a pattern you can match against what’s on the disk. i.e. you have to know what you’re looking for to prove it was on that disk.
I worked at a mid-sized data center used mostly for banking systems. Protocol for ensuring no data gets stolen was that old/bad drives were logged, then thrown in a locked shred bin. Then once a few of these bins were full, we’d call in Iron Mountain to spend a day chucking them all into their mobile shredding truck. They would then haul them off to be melted down while one of our employees witnessed. Lots of paperwork.
As for recovery, enterprise systems are highly redundant, so a single drive/system/site failure is inconsequential. Just replace it and the new one mirrors the redundant data really quickly.
RAID, as its name states, “Redundant Array of Independent Disks” or “Redundant Array of Inexpensive Disks” or any of the variations of it, is fine for protecting, recovering already written data, but does nothing for recovery of a deleted or overwritten file in the same block/sector. That’s what backups are for.
As a real data point, I think the powers-that-be did try to recover data used by the 9-11 hijackers (or was it Moussaoui?) on a public computer at an internet cafe. Basically, they got nothing of note. If there was any meaningful data to be recovered by any method, they would have found it.
I realise this thread is old, but something that relates to the OP’s question (and I didn’t spot being discussed, unless I missed it) - recovery of data from ‘dead’ drives isn’t always about scanning the platters for orphaned chains of data.
In many cases, a ‘dead’ drive can be brought back to life by either swapping out the PCB with one from an identical model, or clean-room transplantation of the platters into an identical model. Some data recovery services will do this as a first step if the drive won’t respond or has a mechanical fault - i.e. if the data is inaccessible, rather than deleted.
I was able to bring a dead drive back to life by swapping the controller board with one from an identical model. I quickly copied everything to a brand new drive, as I didn’t know what fault had fried the original board and didn’t want to risk it happening again. (I also drilled multiple holes through the original drive to make sure that my banking and other personal info was unrecoverable by anyone without major resources.)