tankman1989
Active Member
- Reaction score
- 5
A little over a year ago I attended an invitation only IEEE criminal forensics sciences lecture that focused about 95% of the time on computer related issues. I have to say that I was astonished at what I heard at this meeting and learned a lot, both in a positive and negative aspect of how things are done.
The most memorable topic of discussion was data recovery from hard drives. The speaker, who currently worked for the state police, said that the forensic lab used manufacturer designed software which allowed access to hidden areas of the hard drives. He said that it is/was possible to recover just about any file that had been on the hard drive even if it had been securely deleted. I questioned this by asking if it was possible to recover if the file had been zero'd out numerous times or over written with other data numerous times. I also asked if the drive was wiped were these files recoverable. He answered yes to all my questions. I pondered... I wanted to ask if over the life of the drive the drive had contained 100x the total capacity of the drive (deleting & overwriting of course), would a file written on the first day and overwritten the next day (let's assume constant continual use for 5 years) be recoverable - but due to the lecture format, I wasn't able.
This topic was brought up when talking about recovering the internet cache of pedophiles. He said that they could recover just about any file that had been written to the hard drive, no matter when it was deleted, as it was stored in a special area of the drive which was ONLY accessible by the manufacturer or this forensics software.
I also asked a couple other questions prior to this that were fairly technical, but questions I felt any computer security professional should know off the top of his head, and he couldn't answer these (I'm not even a security specialist, more a novice). After these questions and then the recovery question, I didn't want to make him look ignorant in front of the crowd..
So, I have a couple theories on this "special area" and how these forensic's "specialists" work. The only way that this special area can work the way they say it does is if HD capacity is incorrectly reported by manufacturer - in which case, there is technology that allows for much greater density of storage than we know about - ie a single platter stores 100TB instead of 1TB & there is a permanent storage section that is sequentially written with a 1% "useable" section. This is very probably when national security & spying (look why & who developed computers & Internet) is taken into consideration. Also, makes "Moores Law" easier to understand as well as the naming of it - coincidence that Moore predicted so much "more" capacity & speed? Was the capacity always there but limited so that they could sell incremental increases over the next 40+ years while they developed/stole the next technology?
OR - The HD has this "secret area" which stores special files such as Internet cache files. Good for national security and such... Perhaps it stores all MS office docs and other data files... This would require much less space but it still involves some kind of conspiracy.
What I also found very interesting and made me understand why some criminal investigations and prosecutions move so slowly is that in a state of over 13 million people, there are only 4 people who work at the state forensics lab. This lab does all the work for local and state police as well as regional FBI work! Knowing how long it takes to do some procedures I now understand why the police push so hard for confessions or plea deals, because if there is a lot of forensics work, it might not even get to trial in time or there could be a lot of possibilities for the defense to say there were incorrect procedures in examining the evidence.
I have the feeling that these people working in the forensics field don't necessarily understand the science behind what they are doing, especially when it comes to the computer forensics. Meaning they might not understand the firmware and operation of a hard drive while they do understand the results they get from the proprietary software that they use. This makes a lot of sense as it would be almost a career in itself to fully understand how the firmware of a HD works. So when they have to know 10-20+ of these software programs, it would be impossible to understand the fundamentals of what they are doing or how the hardware/software truly interfaces.. **edited/added - As Phazed pointed out - this might very well be to instill fear in the public to either deter crime or to help elicit a confession.
So what do you think about the "secret area" on the hard drive? I know that this has to be listed under some kind of conspiracy, even if it is at a very low level, but I think the computer industry is full of these to varying degrees. Don't even get me started on Microsoft!
The most memorable topic of discussion was data recovery from hard drives. The speaker, who currently worked for the state police, said that the forensic lab used manufacturer designed software which allowed access to hidden areas of the hard drives. He said that it is/was possible to recover just about any file that had been on the hard drive even if it had been securely deleted. I questioned this by asking if it was possible to recover if the file had been zero'd out numerous times or over written with other data numerous times. I also asked if the drive was wiped were these files recoverable. He answered yes to all my questions. I pondered... I wanted to ask if over the life of the drive the drive had contained 100x the total capacity of the drive (deleting & overwriting of course), would a file written on the first day and overwritten the next day (let's assume constant continual use for 5 years) be recoverable - but due to the lecture format, I wasn't able.
This topic was brought up when talking about recovering the internet cache of pedophiles. He said that they could recover just about any file that had been written to the hard drive, no matter when it was deleted, as it was stored in a special area of the drive which was ONLY accessible by the manufacturer or this forensics software.
I also asked a couple other questions prior to this that were fairly technical, but questions I felt any computer security professional should know off the top of his head, and he couldn't answer these (I'm not even a security specialist, more a novice). After these questions and then the recovery question, I didn't want to make him look ignorant in front of the crowd..
So, I have a couple theories on this "special area" and how these forensic's "specialists" work. The only way that this special area can work the way they say it does is if HD capacity is incorrectly reported by manufacturer - in which case, there is technology that allows for much greater density of storage than we know about - ie a single platter stores 100TB instead of 1TB & there is a permanent storage section that is sequentially written with a 1% "useable" section. This is very probably when national security & spying (look why & who developed computers & Internet) is taken into consideration. Also, makes "Moores Law" easier to understand as well as the naming of it - coincidence that Moore predicted so much "more" capacity & speed? Was the capacity always there but limited so that they could sell incremental increases over the next 40+ years while they developed/stole the next technology?
OR - The HD has this "secret area" which stores special files such as Internet cache files. Good for national security and such... Perhaps it stores all MS office docs and other data files... This would require much less space but it still involves some kind of conspiracy.
What I also found very interesting and made me understand why some criminal investigations and prosecutions move so slowly is that in a state of over 13 million people, there are only 4 people who work at the state forensics lab. This lab does all the work for local and state police as well as regional FBI work! Knowing how long it takes to do some procedures I now understand why the police push so hard for confessions or plea deals, because if there is a lot of forensics work, it might not even get to trial in time or there could be a lot of possibilities for the defense to say there were incorrect procedures in examining the evidence.
I have the feeling that these people working in the forensics field don't necessarily understand the science behind what they are doing, especially when it comes to the computer forensics. Meaning they might not understand the firmware and operation of a hard drive while they do understand the results they get from the proprietary software that they use. This makes a lot of sense as it would be almost a career in itself to fully understand how the firmware of a HD works. So when they have to know 10-20+ of these software programs, it would be impossible to understand the fundamentals of what they are doing or how the hardware/software truly interfaces.. **edited/added - As Phazed pointed out - this might very well be to instill fear in the public to either deter crime or to help elicit a confession.
So what do you think about the "secret area" on the hard drive? I know that this has to be listed under some kind of conspiracy, even if it is at a very low level, but I think the computer industry is full of these to varying degrees. Don't even get me started on Microsoft!
Last edited:
