Exactly. As I describe above - Flash memory works totally differently, and the wear levelling system keeps old blocks in an effort to even out write operations across the entire device. It therefore keeps a significant reserve of blocks in addition to the externally visible capacity. If you get past the wear levelling system you can see all the reserve blocks, and whatever data was in them. Flash is much more like conventional memory than disk.
Is there anyway I can do this with my camera SD card? We went on holiday, and after downloading the pix to computer I deleted them from the card. But then the computer got stolen.
The card has been overwritten maybe 6 or 7 times, but only to less than 1/4 of capacity…
Do I have any chance of recovery, and is it going to be horribly expensive?
Ah… I think I see what you’re saying now. If you had completely filled, then emptied the card, you wouldn’t be able to retrieve anything from before that point, but if you’ve quarter-filled, then emptied it several times, you’d get back some stuff from several iterations ago.
Still, to get 1.5 times the data capacity out of the card means some of those files are not in their original states.
That’s farkin’ awesome.
Thanks a kajabillion.
Recovered 58 files. It’s still only a small fraction of what was lost, but it’s still a bunch of great photos that I wouldn’t otherwise have had.
Cheers!
I have heard this many times before, but I am not sure if has been borne out with any real evidence.
One article to consider.
Several years ago someone put up a five hundred dollars for a challenge. They had a hard drive and then erased it with one pass of zeros. They said they would award the prize to anyone that could name a single file or folder on the hard disk. No one attempted the challenge. This was covered by several more mainstream tech sites, so it was not obscure.
This means one of several things.
- The award money was too small, and apparently no one was interested in the prestige of the accomplishment.
- No one that could perform the feat could do it publicly (NSA, CIA, KGB, etc).
Overall, I think the idea of a standard hacker being able to get information out of a hard disk drive that has been overwritten once is questionable.
All of the above.
$500 for data recovery services is peanuts. Take it from someone who has paid well over 20 times that for recovery of data from a single faulty disk. Data on the platters was fine, it was the controller that was dying - still cost a bomb. Indeed I would say that the person offering the reward was simply naive.
The people that can perform such recovery are not just government security agencies. Indeed the company that I used did work for police and government agencies - up to working with armed guards at the door of their clean room.
However a hacker with access to some reasonably sophisticated, but off the shelf, gear - and the ability to use it - is another matter. What is required is direct access to the heads and actuator. All typically available via a couple of connectors on the disk assembly. However developing the skills and knowledge of the drive in order to extract the information would take quite a while. I do doubt there are any private individuals that have bothered. But if Bunny can crack the X-Box with an FPGA and some ordinary digital electronics lab gear, it is not much of a stretch to get the data off an erased disk. But for $500 I would not bother getting out of bed. $50,000 and you would have a queue.
Let me just be sure I understand what you are saying.
You are saying there are companies that DO obtain data from perfectly operational hard disks that have been systematically overwritten with void data. Do they publicly claim this?
I have a Mac and have seen and used that feature, but have been skeptical that it actually means what it says. It does take quite a bit longer, now I know why. I guess I just don’t want to feel like I have to pull the hard drive and drill a hole through it, melt it down, grind it to powder then kill the guy who sold it to me in order to make sure financial records or other personal information can’t be stolen when I retire a computer.
Not quite. There is chain of things here.
These companies are capable of recovering data from disks that have been in a fire, floods, have had data overwritten - but as discussed earlier in the thread “overwritten” means lots of different things. They can mount disk platters in clean rooms and assemble hardware around the platters to slowly extract viable data. Since they can do all of this it is not a big leap to performing the on-platter analysis needed to look for overwritten data’s footprints. And they do work for security agencies. Whether they openly advertise the depth of their abilities I’m not sure. I do know that their services can reach hundreds of thousands of dollars, and that customers pay, and some customers send supervising officers that have guns. It has been a while since I talked to anyone in the business, I’m no longer in a position where I would need to talk to them, so I’m somewhat out of touch with the current state of play. But if you have a disk that has been overwritten, and you need the data enough to pay that sort of money, you probably want to talk to them. Of course at this level of recovery, there are absolutely zero guarantees. We are in the zone where security agencies and police play, and partial recovery or indicative snippets of data may be quite enough for them. Pulling back a complete disk’s contents is almost certainly fiction.
It happens that yesterday, I lost a file while doing a cut/paste. I used a free tool I have to see if it could retrieve the lost file (the first time I did that). It found 35 000 retrievable “deleted” files (I had the computer for maybe 8 months). I never could find the file I was searching for.
While I was at it, I thought I could as well delete all these files (the same tool does that too), thinking that maybe it could help my computer and that if it did not, it wouldn’t cause any harm anyway. I gave up when I noticed that the deletion was really taking a long time. I assume that’s the reason why computers don’t automatically really delete files. Time consuming.
If the default behavior was to irrevocably shred instead of just deleting, there would be too many accidental shreddings and lots of pissed-off users asking “why can’t they design the o/s so that it makes a copy of everything I shred and stores it in a hidden folder, in case I want to get it back later?!”
Delete does mean delete. It doesn’t mean erase in a manner that eliminates the possibility of recovery. Throwing a piece of paper in a trash can does not mean shredding it. And shredding it does not mean burning it.
Despite the possibility of recovering over-written data on a hard drive, it can rarely be done without some solid leads on what you are looking for to start with. The vast majority of data recovered in criminal cases was simply deleted from the file system, and no steps were taken to actually make the data unrecoverable. A single over-write will almost always eliminate the possibility of recovering data unless you know where and what to look for, and even then it’s hit or miss.
in re the 35 overwrites.
Overwriting 35 times is a method created by Peter Guttman. It’s meant to cover several data writing methods used by different hardware. If you know the correct wipe method, you can just use the right one. If you don’t know which to use, you use the 35 overwrites and it should work no matter what hardware you’re using.
Very informative and detailed article about file deletion and recovery.
Delete is from the Latin root meaning to destroy or obliterate. When I think “delete” I don’t think “leave it where it is and copy over it when you get a chance.”
And I do realize that even cursory deletion doesn’t occur until you empty the trash, er, recycle bin.
Good read. I would tend to agree with the conclusion too. My information is equally old, and I greatly suspect that the conclusion that it isn’t possible on a modern disk is reasonable. Certainly as the magnetic element size decreases it becomes vastly harder, and with perpendicular recording (introduced quite a while ago now) the geometry is less conducive to recovery too. The amount of noise in the system probably renders recovery impossible now too.
Well if you lived in Latin America where people speak latin :rolleyes:, I might understand why you’re confused. Delete on a computer means to destroy or obliterate the logical presence of a file from a logical file system. I’ve often derided the adaptation of certain words from their colloquial usage to barely corresponding meanings in computer terminology, but this isn’t one of them.
If you’re worried about some crackhead buying your used computer and recovering your financial data, forget about it. A crackhead would have a tough time recovering your financial data even if you didn’t delete it.
You have to ask yourself, who am I protecting the data on this disk from? If you’re trying to protect against the NSA or the KGB (or whatever their name is these days), then physical destruction of the disk is the only standard. But why is the NSA trying to recover data from your disk? If the information is really that critical, they’ll just arrest you, sit you down in front of some nice gentlemen, and you’ll answer their questions.
Or maybe you’re trying to protect the data from law enforcement, or some big corporate client. OK, but again, why does Bill Gates need the data on your drive? How much is he willing to pay to try to recover it?
Or maybe you’re imagining some sort of hacker ring, that buys up old disk drives, recovers deleted passwords, and then steals from people. But suppose you’re a cybercriminal, is this sort of thing going to be worth your time? Are you going to use advanced and expensive data recovery techniques on the off chance of extracting someone’s credit card number? That’s very high effort for almost no reward. The value of your credit card number or bank account number is not that high.
Bottom line is that normal deletion of your information would be enough to stop 99% of all attempts to recover that data, simply because nobody cares about your data. But if someone is willing to spend hundreds of thousands of dollars to recover your data, then physical destruction of your media is the only possible standard.