SANS Digital Forensics and Incident Response Blog: Author - craigswright

Spin-Stand Microscopy of Hard Disk Data

I shall be posting a series detailing the additional data not included in the paper [1] on recovering overwritten data in the following weeks.

My thanks to Dave Kleiman (one of the original paper's co-authors with me) for reviewing and adding some details to this post series.

Due to the limitations of peer reviewed papers, much of the detail of a process is commonly lost. This series of posts will endeavor to fill out the areas that are not covered in the paper in any detail and also add some further level of knowledge.

The recovery of data from damaged hard drives has come a long way over the years. Various techniques have been developed using both optical and electron microscopes, leading to the use of Magnetic Force Microscopy (MFM). MFM is a category of Scanning Probe Microscopy (SPM) and is perhaps the most widely used of these techniques. Of the techniques


Data Recovery: ECC Data and recovery.

My thanks to Dave Kleiman (one of the original paper's co-authors with me) for reviewing and adding some details to this post series.

One misconception held about the recovery of data after it has been overwritten is that the modern ECC (error-correcting codes) used in hard drives will allow the recovered data to be reconstructed. This, it is believed, would let the drive compensate for the stochastic nature of the data recovery demonstrated previously [1].

This is a flawed supposition. When data is overwritten, the drive updates the ECC information to reflect the new data that has been written to the drive. As such, the recovery of the ECC data associated with the former write is also randomly distributed. Though the ECC data does help in the


Overwriting Hard Drive Data

By Dr. Craig Wright
GIAC GSE (Compliance & Malware)

This post is based on a paper I published in December last year: "Overwriting Hard Drive Data: The Great Wiping Controversy" by Craig Wright, Dave Kleiman and Shyaam Sundhar R.S., presented at ICISS2008 and published in the Springer-Verlag Lecture Notes in Computer Science (LNCS) series.


Opinions on the required or desired number of passes needed to correctly overwrite (wipe) a hard disk drive are controversial, and have remained so even though organizations such as NIST state that only a single overwrite pass is needed to delete data such that it cannot be recovered (that is, to wipe the data).

This controversy has caused much misconception, and it was the reason for this project.

It is common to see people quoting that data


Searches and the US 4th Amendment

In much of the common law world (including the USA, UK, Canada, NZ and Australia), law enforcement needs to obtain legal authorization in order to search for and seize evidence. Generally, this power is granted through a search warrant application that states the grounds for the application, including the law that has been broken. In the United States and the United Kingdom, the application must also describe the specific premises to be searched as well as the items being sought.

In the US, the Fourth Amendment and the Electronic Communications Privacy Act (ECPA) determine the lawfulness of a search. The Fourth Amendment applies only to government searches (such as those conducted by law enforcement officials). The ECPA applies to everyone (whether government or private) and


Destruction of adverse documents

In most Western (or at least common law) jurisdictions it is an offence to destroy any document that is or may be used as evidence in an ongoing or potential judicial proceeding. An organization must not destroy documents on the grounds that the evidence is unfavorable. Destroying documents suspected of being subject to litigation may result in a charge of obstruction of justice. This makes identifying material that was deleted or destroyed after a litigation hold a key goal of the forensic investigator.

Adverse inferences are often upheld in litigation if a party cannot produce the required documents. There is also the hazard of reputational damage. In British American Tobacco Australia Services Limited v Roxanne Joy Cowell for the estate of Rolah Ann McCabe [2002] VSCA 197, the judge at first instance strongly denounced BAT for the methodical destruction of a large number of records. Documents that may hold
