
RE: Data Recovery

Subject: RE: Data Recovery
Date: Tue, 31 Oct 2006 11:21:51 -0000
The pages are opened in a frame: however,
http://www.pcpro.co.uk/shopper/features/85694/recovery-position/page1.html
through page6.html.
You may well have to register to access the full article.

Selective overwriting is difficult - the issues with PGP identified by
Vinnie Liu  www.metasploit.com/research/vulns/pgp_slackspace/ are a
perfect example.

There is some very interesting technology out there to look at disks -
there is a paper on Magnetic Force Microscopy (MFM) by A.M. Alexeev and
A.F.Popkov, NT-MDT & State Institute for Physical Problems, Moscow,
which has some great illustrations of what data on a disk actually
'looks' like
http://www.ntmdt.ru/SPM-Techniques/SPM-Methodology/Magnetic_Force_Microscopy_MFM/text45.html.

Leaving aside the issue of whether data can be recovered, and assuming
for the sake of argument that it can be, the issue with data recovery of
this type is that it is data: binary magnetic information.  The data is
only meaningful when interpreted through an application(s) which
understands the construct.  There are still big challenges with file
carving from data where the construct is known, as Simson can be the
first to tell you -
http://www.dfrws.org/2006/challenge/submissions/index.html - although
the state of the art is still improving.

Meaningful artefact identification from recovered data would be a
tremendous task, even if a complete, contiguous recovery was possible.
To extract meaning from a fragmentary recovery of a series of binary
transitions  110101     01110111 01101 10 1  10   111 1101101
0110110110110110110 etc could be a Sisyphean task. 

Regards,

Mark


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Simson Garfinkel
Sent: 30 October 2006 19:48
To: Russell Aspinwall
Cc: forensics@securityfocus.com
Subject: Re: Data Recovery

Please post the full URL of the article.

It is quite possible that disk erasing programs do not delete the data.
But this is almost certainly the result of a bug with the programs in
question. It is quite difficult to selectively overwrite certain files
on a hard drive --- remnants of the files are left in non-obvious
locations (like swap space). However, it is quite easy to overwrite the
entire contents of a hard drive. To date, there has NEVER been a public
demonstration of data recovered after it was overwritten.


On Oct 26, 2006, at 4:20 AM, Russell Aspinwall wrote:

In response to data recovery after 57+ formats query

The UK magazine Computer Shopper carried a feature article "Recovery 
Position" in its March 2006 issue, which can be found here 
http://www.computershopper.co.uk and search for Recovery Position.
It appears that disk erasing programs do not delete the data, if you 
have the right tools for recovery; however a hammer does work.

--
Regards

Russell

Email: russell dot aspinwall at flomerics dot co dot uk
Network and Systems Administrator, Flomerics Ltd
Telephone: 020-8941-8810 x3116
Facsimile: 020-8941-8730
81 Bridge Road, Hampton Court, Surrey, KT8 9HH, United Kingdom
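
The file-carving difficulty raised in the top message of this thread ("big challenges with file carving from data where the construct is known"), shown as an added example that is not part of any post: a header/footer carver recovers a PNG from a constructed raw image when the file is contiguous, but returns a blob that fails the format's own chunk CRC checks once another file's sectors sit in the middle of it. The sector size, file contents, layout and function names are assumptions made for the illustration.

```python
import struct
import zlib

SECTOR = 512
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"  # IEND chunk type followed by its fixed CRC

def chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png(w, h):
    """Constructed sample file: a valid 8-bit greyscale PNG spanning several sectors."""
    rows = b"".join(b"\x00" + bytes((x * (y + 1)) % 256 for x in range(w)) for y in range(h))
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows, 0)) + chunk(b"IEND", b"")

def sectors(data):
    data += b"\x00" * (-len(data) % SECTOR)
    return [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]

def build_image(fragmented):
    """Constructed raw image: PNG 'A' plus text file 'B', optionally interleaved."""
    a, b = sectors(make_png(64, 64)), sectors(b"unrelated text file\n" * 60)
    return b"".join(a[:3] + b + a[3:] if fragmented else a + b)

def carve(image):
    """Header/footer carving: sector-aligned signature up to the next IEND trailer."""
    hits = []
    for off in range(0, len(image), SECTOR):
        end = image.find(PNG_END, off) if image.startswith(PNG_SIG, off) else -1
        if end != -1:
            hits.append((off, image[off:end + len(PNG_END)]))
    return hits

def valid_png(data):
    """The 'known construct' check: every chunk length must fit and every CRC match."""
    pos = len(PNG_SIG)
    while data.startswith(PNG_SIG) and pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data) or zlib.crc32(data[pos + 4:end - 4]) != struct.unpack(">I", data[end - 4:end])[0]:
            return False
        if ctype == b"IEND":
            return end == len(data)
        pos = end
    return False

def report(fragmented):
    """(offset, carved length, passes validation) for each carved candidate."""
    return [(off, len(blob), valid_png(blob)) for off, blob in carve(build_image(fragmented))]

if __name__ == "__main__":
    print("contiguous:", report(False))
    print("fragmented:", report(True))
```

In the fragmented case the carver still finds a header and a trailer, so only the validation step reveals that the recovered bytes are not the original file.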

