Legal Technology News - E-Discovery and Compliance Blog


April 09, 2008

The Multipass Erasure Myth

As I amble the backroads of listservs and blogs, occasionally the same mangy, flea-bitten assertion trots up.  Someone will claim that, "Top notch computer forensic examiners have tools and techniques allowing them to recover overwritten data from a thoroughly wiped hard drive, so long as the drive was wiped less than 3 (or 7) (or 35) times."  Often, it's paired with the claim that you can use Guidance Software's EnCase to do it.

Nonsense!  Neither EnCase nor any other tool or application accessing the drive in the customary way (through the drive's firmware) is capable of reading the contents of sectors that have been overwritten by new data.

To be unequivocal and hopefully help drive a stake through the heart of urban legends about overwritten data recovery with EnCase, FTK, X-Ways Forensics or Hermione's Magic Toaster: No way, no how, not gonna happen. Zip. Zilch. Nada. Period.

I think I know where this persistent fairy tale got its start (or at least a big push).  About a dozen years ago, a very smart Kiwi named Peter Gutmann wrote a paper with the title, Secure Deletion of Data from Magnetic and Solid-State Memory.  Dr. Gutmann wrote of very cool technotoys like magnetic force scanning tunneling microscopes and ferromagnetic fluids.  Of magnetic force microscopy as a data recovery tool, he opined, "Even for a relatively inexperienced user the time to start getting images of the data on a drive platter is about 5 minutes."


Now, I'll concede that Dr. Gutmann's Ph.D can kick my J.D.'s ass; but on this point, he's simply havin' a laugh, at least with respect to any hard drive made this century.  The good Doctor goes on to prescribe a regimen of thirty-five varied overwriting passes to thoroughly erase data--a so-called Gutmann Method erasure.  To his credit, even Dr. Gutmann awoke to his folly of '96 and, in an epilogue added years later, marveled that so many came to regard his Gutmann Method erasure as "a kind of voodoo incantation to banish evil spirit" from hard drives, conceding that "performing the full 35-pass overwrite is pointless for any drive."

Exponential increases in data density have made the true even truer, such that none of the discussion about shadow tracks and data persistence (even my own from years ago) has anything to do with sucking data out through the IDE (or SCSI or SATA) channel.

You don't need Gutmann's 35 passes or (unless your work requires compliance with DOD 5220.22-M) even the Department of Defense's 3 passes.  Call it the Ball Method if you will, but you only need one complete pass to eviscerate the data recovery skills of every computer forensic examiner out there.

That is not to say that overwritten data cannot be recovered. There are methods centered on off-track persistence, additive and subtractive voltage thresholds and three-dimensional "carving" of the magnetic media, but all of this is out-of-the-enclosure, spin-stand analysis stuff from the 15th sub-sub-basement of the NSA. It's real enough (though more theoretical than practical), but it's no more EnCase-level recovery than my Estes rocket was a moonshot.

Don't take my word for it. The bleeding edge of data recovery is a fascinating place to be, and there is much insightful material to be had on the web. Two I highly recommend are authored by a terrifically smart fellow (and Texan) named Charles Sobey.  The challenging one is here: Recovering Unrecoverable Data - The Need for Drive-Independent Data Recovery, and the quicker read is here: Drive-Independent Data Recovery - Current State of the Art.

I learned more about hard drives from Chuck Sobey's work than from almost anything else I've ever come across. He's obviously a gifted teacher.

If this stuff grabs you, I also commend the work of U. of Maryland researchers Isaak Mayergoyz, Charles Krafft and Chun Tse. Their patent, Method for intersymbol interference removal in data recovery, is enlightening, particularly in its description of prior art.

One point that should come across clearly when one makes the leap from the simplistic way we imagine hard drives work to the way they really track and encode the information is that all the anecdotal wiped data recovery stuff we've heard about for years (e.g., "I know a guy who has a cousin who recovered overwritten data using EnCase by tweaking the frazzle setting and putting the drive in the toaster.") is completely bogus.

Software and operating systems live on the wrong side of the HD firmware tracks to have any prospect of reaching overwritten data. You've got to think out of the box (or at least out of the enclosure) and you better have a spin stand at the ready. 

There's NOBODY for hire out there--and I include every e-discovery provider and commercial data recovery shop in the known universe--who can resurrect a modicum of intelligible, truly overwritten data from a modern hard drive, even if it was overwritten with just one measly pass. Just to make my point: I'll buy a brand new iPod for the first person who can prove me wrong.

And if you decide to take up the cudgel, don't come at me with host protected area stuff or re-mapped balky sectors.  You've got to bring back a document, spreadsheet, e-mail or photo from an ordinary, modern, magnetic platter hard drive after it's been thoroughly and properly overwritten with a single pass.
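What "one complete pass" means at the software level, as an added example that is not part of the original post: the sketch below overwrites a constructed 64-sector image file once and then re-reads every sector to confirm nothing but the wipe pattern comes back. The image stands in for the logical sector range a tool sees through the drive's firmware, so host protected areas and re-mapped sectors, which the post sets aside, lie outside what this check can see; the function names, sector size and planted text are all assumptions made for the illustration.

```python
import os
import tempfile

SECTOR = 512             # logical sector size assumed for the constructed image
CHUNK = 1024 * SECTOR    # bytes written per I/O call


def single_pass_overwrite(path, pattern=b"\x00"):
    """Overwrite every byte of the image once (single-byte pattern), then sync."""
    size = os.path.getsize(path)
    block = pattern * CHUNK
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(remaining, len(block))
            f.write(block[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())   # make sure the pass actually reached storage
    return size


def residual_sectors(path, pattern=b"\x00"):
    """Return the indexes of sectors holding anything but the wipe pattern."""
    expected = pattern * SECTOR
    bad, index = [], 0
    with open(path, "rb") as f:
        while True:
            sector = f.read(SECTOR)
            if not sector:
                break
            if sector != expected[:len(sector)]:
                bad.append(index)
            index += 1
    return bad


def demo():
    """Constructed image: random filler plus one planted 'document' sector."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(10 * SECTOR))
        tmp.write(b"CONFIDENTIAL MEMO".ljust(SECTOR, b" "))
        tmp.write(os.urandom(53 * SECTOR))
        path = tmp.name
    try:
        before = residual_sectors(path)      # every sector holds data
        single_pass_overwrite(path)
        after = residual_sectors(path)       # expected: empty list
        with open(path, "rb") as f:
            leaked = b"CONFIDENTIAL" in f.read()
        return len(before), after, leaked
    finally:
        os.remove(path)
```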




Craig, Wonderful post. This is one of the largest myths in computer forensics. For the past 4 months, I have started discussing it at SANS through a computer forensic Mythbusters segment that I teach. Glad to see someone else speaking the truth.

Rob Lee
Faculty Fellow
SANS Institute


It's been almost three weeks -- has anyone made a claim for the iPod yet?

No one has made a claim for the iPod. Are you ready to make a run for it? I'd be willing to sweeten the pot to an iPod Touch if that gets anyone's juices flowing.

Craig Ball
