Data Recovery
Mitchell Dawson, Chris Forgie, Jon Davis, Steve Tauber
CSSE 592/492 Computer Forensics, May 7th, 2003


Overview
- What is Data Recovery?
- How can it be used?
- Techniques
- Recovery Methods
- Secure Deletion
- Private vs. Government services
- Software vs. Hardware Solutions
- What can you do?

What is data recovery?
- Retrieving deleted/inaccessible data from electronic storage media (hard drives, removable media, optical devices, etc.)
- Typical causes of loss include:
  - Electro-mechanical Failure
  - Natural Disaster
  - Computer Virus
  - Data Corruption
  - Computer Crime
  - Human Error
- Example

Cases of Recovery
- FIRE: Found after a fire destroyed a 100 year old home – All data recovered
- CRUSHED: A bus runs over a laptop – All data recovered
- SOAKED: PowerBook trapped underwater for two days – All data recovered

Uses of data recovery
- Average User:
  - Recover important lost files
  - Keep your private information private
- Law enforcement:
  - Locate illegal data
  - Restore deleted/overwritten information.
  - Prosecute criminals based on discovered data

Software Recovery of data
- Generally only restores data not yet overwritten.
- Does not work on physically damaged drives
- Undelete Pro, EasyRecovery, Proliant, Novanet, etc.
- Prices range from Free-1000
- Example: dd on Linux used on corrupt floppies

Private Recovery Services
- Many private companies offer quick, secure, and confidential data recovery:
  - Computer Disk Service
  - 20 GB from $
  - GB and up – from $
  - Action Front
  - External cases - $500 to $1500
  - Internal cases - $2500 to $4000 for a single hard drive
  - Critical Response services start at $5,000.
  - Data Recovery Services -

Recovery Methods
- Hidden files
- Recycle bin
- Unerase wizards
- Assorted commercial programs
- Ferrofluid
  - Coat surface of disk
  - Check with optical microscope
  - Does not work for more recent hard drives
- More recently…

Recovery Methods
- When data is written, the head sets the polarity of most, but not all, of the magnetic domains
- The actual effect of overwriting a bit is closer to obtaining a 0.95 when a zero is overwritten by a one, and a 1.05 when a one is overwritten with a one.
- Normal equipment will read both these values as ones
- However, using specialized equipment, it is possible to work out what the previous “layers” contained
- Steps include
  - Reading the signal from the analog head electronics with a high-quality digital oscilloscope
  - Downloading the sampled waveform to a PC
  - Analyzing it in software to recover the previously recorded signal.

Recovery Methods
- Scanning Probe Microscopy (SPM)
  - Uses a sharp magnetic tip attached to a flexible cantilever placed close to the surface to be analyzed, where it interacts with the stray field emanating from the sample to produce a topographic view of the surface
  - Reasonably capable SPM can be built for about US$1400, using a PC as a controller
  - Thousands in use today

Recovery Methods
- Magnetic force microscopy (MFM)
  - Recent technique for imaging magnetization patterns with high resolution and minimal sample preparation.
  - Derived from scanning probe microscopy (SPM)
  - Uses a sharp magnetic tip attached to a flexible cantilever placed close to the surface to be analyzed where it interacts with the stray magnetic field
  - An image of the field at the surface is formed by moving the tip across the surface and measuring the force (or force gradient) as a function of position. The strength of the interaction is measured by monitoring the position of the cantilever using an optical interferometer.

Recovery Methods
- Magnetic force microscopy (MFM)

Recovery Methods
- Using MFM:
  - Techniques can detect data by looking at the minute sampling region to distinctly detect the remnant magnetization at the track edges.
  - Detectable old data will still be present beside the new data on the track which is usually ignored
  - In conjunction with software, MFM can be calibrated to see past various kinds of data loss/removal. Can also do automated data recovery.
  - It turns out that each track contains an image of everything ever written to it, but that the contribution from each "layer" gets progressively smaller the further back it was made.
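The overwrite figures from the earlier slide (0.95 and 1.05) and the shrinking contribution of each older "layer" can be put into a toy model that shows why repeated overwrites matter. This is an added example, not part of the original slides; the symmetric residue when a zero is written, the Gaussian measurement noise and its sigma of 0.002 are assumptions chosen for illustration.

```python
import random

RESIDUE = 0.05  # slide's figure: a 1 written over a 0 reads 0.95, over a 1 reads 1.05

def overwrite(levels, bits, residue=RESIDUE):
    """Write `bits` over a track whose analog levels are `levels`.

    Assumed toy model: new level = written bit, pulled by +/- residue toward
    whatever the cell held before (taken as symmetric when writing a 0)."""
    return [b + 2 * residue * (old - 0.5) for old, b in zip(levels, bits)]

def drive_read(levels):
    """What normal equipment reports: each level thresholded to a clean bit."""
    return [1 if v >= 0.5 else 0 for v in levels]

def peel(levels, layers, residue=RESIDUE):
    """Estimate the data `layers` writes back: subtract the bit a normal read
    returns, rescale the remainder, and repeat once per layer."""
    cur = list(levels)
    for _ in range(layers):
        cur = [(v - (1 if v >= 0.5 else 0)) / (2 * residue) + 0.5 for v in cur]
    return drive_read(cur)

def recovery_accuracy(n_overwrites, noise_sigma, n_bits=2000, seed=1):
    """Fraction of the original bits estimated correctly after the track has
    been overwritten n times with random data (all data here is constructed).

    Each measured level carries Gaussian noise; peeling one layer multiplies
    that noise by 1 / (2 * RESIDUE), so older layers sink below the noise."""
    rng = random.Random(seed)
    original = [rng.randint(0, 1) for _ in range(n_bits)]
    levels = [float(b) for b in original]
    for _ in range(n_overwrites):
        levels = overwrite(levels, [rng.randint(0, 1) for _ in range(n_bits)])
    measured = [v + rng.gauss(0.0, noise_sigma) for v in levels]
    guess = peel(measured, n_overwrites)
    return sum(g == o for g, o in zip(guess, original)) / n_bits

if __name__ == "__main__":
    for n in range(1, 5):
        print(n, "overwrite(s):", recovery_accuracy(n, noise_sigma=0.002))
```

In this model one overwrite leaves the original fully readable from the residue, while after four random overwrites the estimate is close to a coin flip (0.5).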

How to Avoid Data Recovery
- Companies, agencies, or individuals may want to ensure their data cannot be recovered.
- Simple deletion is not good enough.
- Faced with techniques such as MFM, truly deleting data from magnetic media is very difficult

Secure Deletion: Government Standards
- Department of Justice:
  - DoD M – Type 1 degausser, followed by type 2 degausser, then three data overwrites (character, its complement, random)
- Problems with government standards
  - Often old and predate newer techniques for both recording and recovering data.
  - Predate higher recording densities of modern drives, the adoption of sophisticated channel coding techniques, and the use of MFM.
  - Government standard may in fact be understated to fool opposing intelligence agencies.

Secure Deletion Techniques
- Degaussing
  - Process in which the media is returned to its initial state
  - Coercivity – Amount of magnetic field necessary to reduce the magnetic induction to zero. (measured in Oersteds)
  - Effectively erasing a medium to the extent that data recovery is uneconomical requires a magnetic force ~5x the coercivity.
  - US Government guidelines on media coercivity:
    - Class 1: 350 Oe coercivity or less
    - Class 2: Oe coercivity.
    - Class 3: over 750 Oe coercivity
  - Degaussers are available for classes 1 and 2. None known for fully degaussing class 3 media.

Techniques Secure Deletion – Avoiding Recovery

Type I Type II/III Commercial Degaussers

Deletion Techniques
- Technique 2: Multiple Overwrites
  - Use an overwrite scheme
  - Flip each magnetic domain on the disk back and forth as much as possible
  - Overwrite in alternating patterns to expose it to an oscillating magnetic field.
  - Overwrite with “junk” data several times
  - Use the lowest frequency possible for overwrites
    - Penetrates deeper into the recording medium
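The three-pass sequence named on the government-standards slide (character, its complement, random) is one concrete form of the multiple-overwrite technique above. The following is an added example, not code from the original slides: it overwrites a single file in place and checks each pass by reading it back. The function names, the 0x55 character and the chunk size are assumptions.

```python
import hashlib
import os

def pass_patterns(char=0x55):
    """The three passes: a character, its complement, then random data.
    None stands for the random pass; 0x55 is an arbitrary example character."""
    return [bytes([char]), bytes([char ^ 0xFF]), None]

def write_pass(f, size, pattern, chunk):
    """Overwrite the first `size` bytes of f; return SHA-256 of what was written."""
    f.seek(0)
    digest = hashlib.sha256()
    left = size
    while left:
        n = min(chunk, left)
        block = os.urandom(n) if pattern is None else pattern * n
        f.write(block)
        digest.update(block)
        left -= n
    f.flush()
    os.fsync(f.fileno())  # force this pass out before the next one starts
    return digest.hexdigest()

def read_digest(f, size, chunk):
    """SHA-256 of the file's current logical content."""
    f.seek(0)
    digest = hashlib.sha256()
    left = size
    while left:
        block = f.read(min(chunk, left))
        if not block:
            break
        digest.update(block)
        left -= len(block)
    return digest.hexdigest()

def three_pass_overwrite(path, char=0x55, chunk=1 << 16):
    """Overwrite `path` in place with the three passes, verifying each one by
    read-back. Returns the number of passes completed."""
    size = os.path.getsize(path)
    done = 0
    with open(path, "r+b") as f:
        for pattern in pass_patterns(char):
            written = write_pass(f, size, pattern, chunk)
            if read_digest(f, size, chunk) != written:
                raise OSError("read-back mismatch on pass %d" % (done + 1))
            done += 1
    return done
```

The read-back confirms only the file's logical content, which the operating system may serve from cache. An in-place overwrite also does not reach remapped sectors, file system journals or snapshots, or blocks that flash wear-levelling has moved elsewhere.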

Deletion Techniques
- Peter Gutmann’s overwrite scheme:
  - Meant to defeat all possible recovery techniques (MFM, etc)
  - Specifies 35 different overwrites
  - Not all overwrites are needed if targeting specific recovery method (i.e. MFM)

Deletion Techniques
- Extremely Extreme Physical Destruction
  - Chainsaws
  - Sledge hammers
  - Drop in a volcano
  - Place on apex of a nuclear warhead
  - Multiple rounds from a high caliber firearm
- Hard drives are tougher than you think

What can you do?
- To reliably remove files?
  - Not much: absolutely secure deletion is very difficult given the methods out today
  - Make it impractical or extremely expensive to recover

In the News
- After buying 158 drives, ZDNet finds:
  - Over 5,000 credit card numbers
  - Medical records
  - Detailed personal and corporate financial information
  - Personal s
  - Gigs of pornography
- Pennsylvania sold used computer that contained information about state employees
- A woman in Nevada bought a used computer which contained the prescription records of over 2,000 customers of an Arizona pharmacy.

QUESTIONS?
