Data Recovery after 0&1 wipe


nibblesandbits
07-24-2009, 04:44 PM
First question:

After you write random 1s and 0s to the disk (we'll just say 1 pass) how is it ever possible to retrieve that data again? It seems it should be lost after COMPLETELY random 1s and 0s are written.

Second Question:

Is there software that can recover this that isn't some FBI / NSA / CIA type crap? I'd like to look into purchasing something like this because lately I've been doing a lot of data recovery with Recuva and GetDataBack, but I'd like something that can actually repair files as well once they are found. GetDataBack always gets back A LOT, but 60-90% of the files are always corrupt and do nothing when you try to look at them.

angry_geek
07-24-2009, 04:52 PM
> Is there software that can recover this that isn't some FBI / NSA / CIA type crap? I'd like to look into purchasing something like this because lately I've been doing a lot of data recovery with Recuva and GetDataBack, but I'd like something that can actually repair files as well once they are found. GetDataBack always gets back A LOT, but 60-90% of the files are always corrupt and do nothing when you try to look at them.

You're pretty much screwed. If a DOD type wipe was done and every sector was written to, the data is gone. It's not like CSI where the data magically reappears. Even the FBI isn't going to recover this one. There could be a chance some sectors were skipped and data could still live there, but I doubt it. Out of curiosity, why didn't the customer do a backup or ensure there was nothing they needed before the wipe?

nibblesandbits
07-24-2009, 04:59 PM
> You're pretty much screwed. If a DOD type wipe was done and every sector was written to, the data is gone. It's not like CSI where the data magically reappears. Even the FBI isn't going to recover this one. There could be a chance some sectors were skipped and data could still live there, but I doubt it. Out of curiosity, why didn't the customer do a backup or ensure there was nothing they needed before the wipe?

Well, I know DOD wipes (7-pass) can't be 100% gone or else there wouldn't be an option to do a 35-pass erase in Disk Utility in OS X. So I'm sure there has to be a way to recover a "zeroing out" (single pass)? A customer didn't do this, nobody did it. It's just when they delete something and remove it from the recycle bin and realize it a week later when they've transferred another 8 GB worth of pictures, downloaded music, and browsed the internet... a lot of information has been written to the drive and I just consider that amount to end up being comparable to a "1-pass wipe" at least for over 50% of their files. I'm wondering how to get more data back after that week of writing to the disc.

I suppose my biggest question was: "What's the best data forensics software out there"? lol

Thanks for your quick reply, I appreciate it.

angry_geek
07-24-2009, 05:29 PM
The 35-pass option is there for the paranoid. Once something has been emptied from the recycle bin, your hdd marks those areas for reuse. If nothing gets rewritten to those sectors, then the data is still there. Usually the drive doesn't start reusing those areas immediately unless a defrag has been done or there was a large amount of data in the bin. A random 1/0 wipe targets every sector on the drive to be written. This is why it takes so long for a true wipe. While you may (unlikely) still find fragments of data, they will be unusable and unreadable without forensics software to read them. Even then, you're only going to have little snippets of info, not complete files. A format simply tells the system that the entire partition is available for use. Until something is written, data is still easily recoverable. Even deleting a partition doesn't get rid of everything. It simply puts that area in limbo until you do something with it. Remember, hdd's, in the simplest of terms, are merely a collection of magnetic switches. These switches only have two positions. Once you change the position (switching polarity), data is gone. The switches don't have a memory to tell them how they were oriented at a given time.

Simmy
07-24-2009, 05:47 PM
The police in the UK use a piece of software called Encase which is meant to be pretty powerful.

Davis Computer Services
07-24-2009, 05:51 PM
> These switches only have two positions. Once you change the position (switching polarity), data is gone. The switches don't have a memory to tell them how they were oriented at a given time.

Not quite true. While we often say data can be written as only 1s and 0s, that isn't true. The electromagnetic read/write heads write something as close to a 1 as they can. However, it might actually be 0.95. Where this comes in handy when doing data recovery is that a 1 written over a 0 will be something like a 0.90 and a 1 written over a 1 will be closer to 0.97 or 0.98. The same happens for a 0. This is how people can reverse low level formats.

angry_geek
07-24-2009, 06:11 PM
@Davis I think you read the same site I was just reading. :) I learned a few things in this guy's page. Check it out, click on some of the papers he's written.

http://www.cs.auckland.ac.nz/~pgut001/

From what I gather, if you do 8 or more passes, the data is pretty much gone.

Kenhelms
07-24-2009, 08:02 PM
Encase is pretty solid software, however it will be overkill for what you need. It is geared specifically for investigations. It is also very expensive. It doesn't use real high tech tools, there are better out there. But the ones that it uses are proven, hence the investigations part.

Forensic recovery suite is another that is used, as well as Helix, which is a flavor of Linux.

DOD is a 3-pass wipe, funny though, because now the military mainly destroys the drives totally, it's hard to find an intact hard drive when they demil 'em.

AFAIK, it has never been confirmed on any level that more than 2 wipes is recoverable. Maybe the CIA has something, but for mainstream LE and civilian sector that's off limits. But AFAIK, even with electron microscopes and frequency analysis included, no tangible evidence it can be done has been presented...

I never used to use On-track recovery until it was suggested by a colleague, it has been great in comparison with GetDataBack and some others. It is compatible with Encase and is being implemented in a number of labs.

On-track is expensive, but I've used almost all the data tools out there (everything from GDB to Encase/Helix, etc), and it has been the best in my testing and real world experience.

msherman
07-27-2009, 02:40 AM
> @Davis I think you read the same site I was just reading. :) I learned a few things in this guy's page. Check it out, click on some of the papers he's written.
>
> http://www.cs.auckland.ac.nz/~pgut001/
>
> From what I gather, if you do 8 or more passes, the data is pretty much gone.

Nice find man! Thanks for the link.

JKON IT Services
07-27-2009, 09:43 AM
If every sector of the hdd has been rewritten maybe you stand a chance by performing a raw scan. In simple terms a raw scan searches for file signatures. So instead of finding a file structure, like you would be able to after a regular format, now you may be able to find individual files like Word, Excel, InDesign, all you can think of, by specifying the file signature, which is the first hexadecimal digits in the hex representation of the file (try WinHex to find that). As to which raw scan software to choose, try some trial versions that you find on the web.
If that does not work out, it is not a matter that the data is unrecoverable but whether you have the equipment to retrieve it (which can be very expensive).
In general with magnetic media such as hard drives there is no such thing as the data being lost forever. Encase is a very good piece of software but not so much for retrieving lost data as for doing a forensic search on a hard drive image.
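A worked illustration of two points made in this thread, angry_geek's (emptying the recycle bin only drops the directory entry while a wipe rewrites every sector) and JKON's (a raw scan hunts for file signatures instead of file-system structure), as an added example that is not code from anyone in the thread. The 512-byte sectors, the one-sector directory layout and the two sample files are constructed for the demo; the JPEG and PDF start/end marker bytes are the real ones a raw scan keys on.

```python
import random
SECTOR = 512
# Header/trailer pairs a raw scan looks for (real JPEG and PDF marker bytes).
SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}

def carve(image):
    """Raw scan: locate each header, then the nearest trailer after it."""
    found = []
    for ext, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            end = image.find(tail, start + len(head))
            if end >= 0:   # header and trailer both present: carve the span
                found.append((ext, start, bytes(image[start:end + len(tail)])))
            pos = end + len(tail) if end >= 0 else start + 1
    return found

def make_image(files):
    """Constructed toy volume: sector 0 is the directory, data starts at 1."""
    entries, data, sector = [], bytearray(), 1
    for name, content in files:
        padded = content + b"\0" * (-len(content) % SECTOR)
        entries.append(f"{name}:{sector}:{len(content)}")
        data += padded
        sector += len(padded) // SECTOR
    return bytearray(";".join(entries).encode().ljust(SECTOR, b"\0") + data)

def entries(image):
    """Entries 'name:start_sector:length' still present in the directory."""
    return [e for e in bytes(image[:SECTOR]).rstrip(b"\0").decode().split(";") if e]

def delete_entry(image, name):
    """'Empty the recycle bin': drop the directory entry, keep the data sectors."""
    kept = [e for e in entries(image) if not e.startswith(name + ":")]
    image[:SECTOR] = ";".join(kept).encode().ljust(SECTOR, b"\0")

def wipe_random(image, seed=7):
    """One pass of random bytes over every sector (seeded so runs repeat)."""
    rng = random.Random(seed)
    image[:] = bytes(rng.getrandbits(8) for _ in range(len(image)))

def demo():
    # Constructed sample files: real start/end markers around placeholder bodies.
    jpg = b"\xff\xd8\xff\xe0" + b"constructed JFIF body " * 20 + b"\xff\xd9"
    pdf = b"%PDF-1.4\nconstructed body\n%%EOF"
    image = make_image([("photo.jpg", jpg), ("doc.pdf", pdf)])
    delete_entry(image, "photo.jpg")
    names = [e.split(":")[0] for e in entries(image)]
    carved = [ext for ext, _, _ in carve(image)]
    wipe_random(image)
    return names, carved, [ext for ext, _, _ in carve(image)]
```

`demo()` shows the directory forgetting `photo.jpg` while the raw scan still carves both files, and then, after one random pass over every sector, the same scan finding nothing.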

iisjman07
07-27-2009, 08:50 PM
^^

+1
Use a program such as Ontrack EasyRecovery - the bootable one which supports RAW scanning and you can choose stuff like sector regions to scan, etc. It's more likely to recover stuff after just a 0&1 wipe compared to one of the 'tin foil hat' methods such as the Gutmann 35 pass.

Packrat1947
07-30-2009, 01:17 PM
Just a heads up. We always hear about how DBAN wipes everything, and returns the drive to original state. Some time ago I DBANned a Dell drive, and DBAN did not touch the HPA (host protected area). I googled and found that this is true and normal.

I don't know if any other programs really wipe a drive or not.

This isn't germane to the poster's inquiry, but just thought that I would toss it out there. Forensic people are interested in protected areas like this.

Packrat1947