SANS Digital Forensics and Incident Response Blog

Data Recovery: ECC Data and recovery.

My thanks to Dave Kleiman (one of my co-authors on the original paper) for reviewing and adding some details to this post series.

One of the misconceptions held about the recovery of data after it has been overwritten is that the modern ECC (error-correction codes) used in hard drives will allow the recovered data to be reconstructed. It is believed that this will allow the drive to recover from the stochastic nature of the data recovery demonstrated previously [1].

This is a flawed supposition. When data is overwritten, the drive updates the ECC information to reflect the new data that has been written to the drive. As such, any recovery of the ECC data associated with the former write is also randomly distributed. Though ECC data does help in the reconstruction of data, reconstructed ECC data does not offer the ability to reconstruct the overwritten or wiped data.

Writing data to the disk in order to overwrite the previously written data also updates the ECC information on the drive. There is no need to run a special command to overwrite the ECC data (such as a SCSI-2 WRITE LONG command), because the ECC data is automatically updated when a wipe occurs.

In modern hard drives, each drive sector incorporates a built-in checksum and error correction code (the ECC). When any write is made to the disk, the ECC and checksum data for the sector is also updated. As a consequence, the ECC data is automatically overwritten when a drive wipe is conducted. Some information associated with these codes may be recovered (in a stochastically random manner). The probability of recovery is less than 100%, and it is not possible to determine which recovered ECC data bit is in error. As some of the data in the ECC is invalid, it cannot be used to validate or reconstruct the data from the recovered sector that has been overwritten.

Each time that a drive writes to a sector, the ECC and checksum are also overwritten. As such, when the drive reads the overwritten sector, it recalculates the checksum and compares it against the checksum stored by the overwriting write. Hence it is possible to validate the data associated with the wipe process, but not the overwritten data.

In general, the ECC can correct an error rate of between 10 and 12 bytes for each 512-byte sector on the drive. This is not in dispute. The problem is that the ECC can correct errors in the new data (that is, the wipe pattern itself), not in the wiped data. As the old ECC data cannot be recovered perfectly, it does not function as a means of recovering additional information from the recovered patterns associated with the data that existed prior to the wipe.

There is no need for special processes to overwrite the ECC data associated with a sector; this is a function of writing the sector. Wiping the sector is a write, and this itself updates the ECC for that sector. Data recovery of wiped data is not aided by ECC data.
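As an added illustration (not part of the original post), the Python below models a sector whose ECC is laid down together with its data on every write, using a Hamming(7,4) code in place of a real drive's ECC and a constructed per-bit recovery probability `p_flip` for the pre-wipe signal. The wipe pass reads back cleanly and a single read error in it is corrected, while a noisy image of the old sector fails to reconstruct the original because its ECC bits are as uncertain as its data bits.

```python
import random

# Hamming(7,4): 4 data bits + 3 parity bits per codeword, corrects one flipped bit.
# Index layout 0..6: p1 p2 d0 p4 d1 d2 d3 (parity at 0, 1, 3).
def hamming_encode(nibble):
    d = [(nibble >> i) & 1 for i in range(4)]
    return [d[0] ^ d[1] ^ d[3], d[0] ^ d[2] ^ d[3], d[0],
            d[1] ^ d[2] ^ d[3], d[1], d[2], d[3]]

def hamming_decode(bits):
    """Return (nibble, corrected); the syndrome is the 1-based index of a flipped bit."""
    b = list(bits)
    s = ((b[0] ^ b[2] ^ b[4] ^ b[6]) | (b[1] ^ b[2] ^ b[5] ^ b[6]) << 1
         | (b[3] ^ b[4] ^ b[5] ^ b[6]) << 2)
    if s:
        b[s - 1] ^= 1          # one flip is repaired; two or more get mis-corrected
    return b[2] | b[4] << 1 | b[5] << 2 | b[6] << 3, bool(s)

def write_sector(payload):
    """One write lays down data and ECC together; there is no separate ECC write."""
    return [hamming_encode(n) for byte in payload for n in (byte >> 4, byte & 0xF)]

def read_sector(codewords):
    """Decode every codeword; returns (bytes, number of corrections applied)."""
    decoded = [hamming_decode(cw) for cw in codewords]
    nibbles = [n for n, _ in decoded]
    data = bytes(nibbles[i] << 4 | nibbles[i + 1] for i in range(0, len(nibbles), 2))
    return data, sum(fixed for _, fixed in decoded)

def recover_prior_image(old_codewords, p_flip, rng):
    """Stochastic recovery of the pre-wipe signal: each bit, data and ECC alike,
    comes back correct only with probability 1 - p_flip (constructed model)."""
    return [[bit ^ (rng.random() < p_flip) for bit in cw] for cw in old_codewords]

def demo(seed=7, p_flip=0.2):
    rng = random.Random(seed)
    secret = bytes(range(16))      # constructed 16-byte sector payload
    wipe = bytes(16)               # one overwrite pass of zeros
    old_cw, new_cw = write_sector(secret), write_sector(wipe)   # wipe replaces data AND ECC
    damaged = [list(cw) for cw in new_cw]
    damaged[5][2] ^= 1             # a single read error in the current sector ...
    current, fixes = read_sector(damaged)   # ... is repaired by the current ECC
    guess, _ = read_sector(recover_prior_image(old_cw, p_flip, rng))
    wrong = sum(a != b for a, b in zip(guess, secret))
    return {"ecc_replaced": new_cw != old_cw, "current_ok": current == wipe,
            "current_fixes": fixes, "recovered_wrong_bytes": wrong}

if __name__ == "__main__":
    print(demo())
```

Raising `p_flip` toward the per-bit uncertainty of a real recovery only increases `recovered_wrong_bytes`; the decoder cannot tell which of the recovered bits, data or parity, are the wrong ones.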

Craig Wright, GCFA Gold #0265, is an author, auditor and forensic analyst. He has nearly 30 GIAC certifications, several post-graduate degrees and is one of a very small number of people who have successfully completed the GSE exam.

[1] Craig Wright, Dave Kleiman, Shyaam Sundhar R. S.: Overwriting Hard Drive Data: The Great Wiping Controversy. ICISS 2008: 243-257