[QUOTE]
Ratus said:
With how much time and effort?
How much does reading a platter nearly destroyed hard drive cost?
As long as it doesn't have my bank or CC#'s, is it really necessary?
[/QUOTE]
Ratus;
If the info was deleted, the disk reformatted or re-partitioned and reformatted, no problem. Recovery time is a few hours or less, all machine time and pretty much automated. After that, it's up to the reviewer to look and report on the findings.
If the disk was wiped or a real-time wipe program was used that conformed to government standards, I'll need the original disk, not a copy, since the subtle magnetic variations would not be passed to a copy. The cost is high to very high depending on what needs to be done. It may be necessary only to run the disk through a system running the recovery programs, or it may require removing the heads and replacing them with very fine heads that can read boundary data and have sufficient resolution to sense shadow data. Our forensics lab can't do this type of work; we'd need to send it to a speciality lab at terrific expense.
Recovery in these modes is never complete, fragments need to be put together by the technician and reviewer. This type of recovery is never done unless the need is extreme since the cost is also extreme. You wouldn't really need to worry about someone getting your CC#'s since the cost of recovery would exceed your credit limit.
This is true today; tomorrow, who knows. But you should certainly wipe a disk with at least three passes before disposing of it. As an example, a tech was charged with CC fraud. He was doing free work for a charity organization to repair donated computers. With just over-the-counter tools he recovered information and CC#'s etc. A simple wipe program would have prevented that from happening.
I recently had quite a long conversation with a friend who has first hand knowledge of an industrial espionage incident. Information from either his company or an affiliate (he wouldn't say which) was sold to a competitor. An employee was charged and his home computer was seized for examination.
The machine was subjected to a standard forensic examination using a bit copy of the disk. Although nothing incriminating was found, the disk appeared to have been cleaned by a wipe utility. A wipe utility cleans deleted files, file slack, RAM slack and unallocated space by overwriting those spaces with specific data designed to eliminate prior information. Some utilities are more efficient than others, but few rewrite more than 3 times due to the time involved unless specifically configured to do so. These utilities can run either stand-alone or as a real-time background task.
Wipe utilities also remove deleted entries from the file allocation table to destroy file back pointers. This disk had all the signs of being wiped since there were no indications of it having any deleted data although the OS and other information on it were several years old.
Since there was a lot of money at stake, the original disk, not a copy, was next sent to a recovery lab where it was subjected to techniques called "Border and Shadow data" recovery. Although the lab determined that the disk had been "wiped" by a three-pass real-time cleaning program, the recovery techniques were successful in reconstructing sufficient data for a successful prosecution.
When a zero bit is written to a disk, it is weaker if the prior bit stored in that location was a one than if it was a zero. Equipment exists that can detect this difference and reconstruct the "Shadow Data" despite the wiping. A second technique causes the read head to "jiggle" around each bit looking for differences at the border or bit edges caused by the head not hitting exactly the same spot each time it writes the bit.
It takes a wipe program at least seven passes with specific data patterns being written to eliminate the "Shadow" data and seven more using a wipe program designed to "jiggle" the head during the write to eliminate "Border" data. On a 20 GB disk, this would take many, many hours.
It is possible for these recovery techniques to recover multiple, valid data streams from the same locations on a disk.
It is interesting to note that these techniques cannot be used on a bit stream copy since they are totally dependent on very subtle differences in the magnetic structure of the original disk. Reconstructed data is written to a second disk to avoid damaging the original.
In my company, I instituted a policy when I began my employment to remove and dismantle or destroy the disk drives when disposing of equipment.
Paulr;
You asked what tools are used. I use the Forensic Toolkit (FTK) from AccessData, EnCase by Guidance Software, a hardware-based bit stream copy tool and tons of other utilities. These are expensive packages ($2000.00 and up per user) and not easy to purchase anyway.
Data recovery in the legal world is useless unless the examiner is a certified professional. This isn't cheap at all, it can easily cost tens of thousands of dollars to acquire the necessary credentials and expertise to qualify the examiner to recover data and testify as an expert. Failure to qualify in any way would compromise the case, even get the examiner discredited.
There are other toolkits available to law enforcement only; the general population cannot purchase them. Copies won't function due to the hardware key (all kits use keys) and the individual examiner's access codes.
Al
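The difference Al draws between an ordinary delete and a multi-pass wipe, shown on a toy disk image as an added example (not code from the thread or from any of the tools named above). The image layout, the block and pattern sizes, and the three-pattern pass cycle are all constructed for this illustration; a real wipe utility also has to cover file slack, RAM slack and allocation-table entries, which this model omits.

```python
import secrets

# Constructed toy disk image: a one-byte-per-block allocation table followed
# by fixed-size data blocks. Not any real file system layout.
BLOCK_SIZE = 16
N_BLOCKS = 8
TABLE_SIZE = N_BLOCKS  # table entry: 1 = allocated, 0 = free


def new_disk() -> bytearray:
    return bytearray(TABLE_SIZE + BLOCK_SIZE * N_BLOCKS)


def write_file(disk: bytearray, block: int, data: bytes) -> None:
    """Store data in one block and mark that block allocated."""
    assert len(data) <= BLOCK_SIZE
    start = TABLE_SIZE + block * BLOCK_SIZE
    disk[start:start + len(data)] = data
    disk[block] = 1


def delete_file(disk: bytearray, block: int) -> None:
    """Ordinary delete: only the table entry is cleared; the bytes stay put."""
    disk[block] = 0


def carve(disk: bytearray, needle: bytes) -> bool:
    """What an over-the-counter recovery tool does: scan the raw data area,
    ignoring the allocation table entirely."""
    return needle in bytes(disk[TABLE_SIZE:])


# Constructed pass cycle: zeros, ones, then random bytes.
WIPE_PATTERNS = (b"\x00", b"\xff", None)  # None = random fill


def wipe_unallocated(disk: bytearray, passes: int = 3) -> int:
    """Overwrite every free block `passes` times; return blocks wiped."""
    wiped = 0
    for block in range(N_BLOCKS):
        if disk[block]:
            continue  # allocated data is left alone
        start = TABLE_SIZE + block * BLOCK_SIZE
        for p in range(passes):
            pattern = WIPE_PATTERNS[p % len(WIPE_PATTERNS)]
            fill = secrets.token_bytes(BLOCK_SIZE) if pattern is None else pattern * BLOCK_SIZE
            disk[start:start + BLOCK_SIZE] = fill
        wiped += 1
    return wiped


def demo(secret: bytes = b"CC#4111-TEST") -> tuple:
    """Returns (recoverable after delete, recoverable after 3-pass wipe)."""
    disk = new_disk()
    write_file(disk, 3, secret)
    delete_file(disk, 3)
    after_delete = carve(disk, secret)
    wipe_unallocated(disk, passes=3)
    return after_delete, carve(disk, secret)
```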