The Great Zero Challenge Remains Unaccepted
An anonymous reader writes "Not even data recovery companies will accept The Great Zero Challenge and only four months remain! We've all heard how easily data can be recovered from hard drives. We're told to make multiple overwrites with random data, to degauss drives and even physically destroy them just to be extra safe. Let's get the word out. The challenge is almost over! It's put up or shut up time. Can you recover the data?"
Re:Do many companies really do EFM recovery? (Score:5, Informative)
Although the drive has to be in a living system and not on the shelf, it's worth noting the cold boot attack
Not in this context because we're talking about how to intentionally wipe the data from a drive, e.g. when you want to erase the data and dispose of the disk. The cold boot attack, although interesting, has nothing to do with recovering data from a drive after someone has attempted to destroy it, unless your implication is that someone would try to overwrite the header a split second before someone like the FBI breaks the door down. Even then, simply unmounting the volume will wipe the key from memory. If you have time to attempt an erasure you have time to unmount the disk. If you are in a situation where you have enough time to write zeros all over the drive, as in this challenge, you are certainly not at risk from the cold boot attack.
Re:Do many companies really do EFM recovery? (Score:3, Informative)
I had an old drive which failed - one of those laptop Travelstars that were known as 'deathstars' for the number of times they had died from overheating. Data recovery companies gave me a quote for anywhere between 300 pounds and 800 pounds, depending upon whether they would have to remove the spindle/platters from the drive and place them into a new one.
Fortunately, I managed to recover all the data from this drive for free, by putting it in an external USB enclosure, placing this in a freezer to cool it down, then giving the enclosure a quick twist once it was plugged into a USB port. That was enough to recover the data.
You can recover the partition data of a drive erased using 'fdisk' by running the 'testdisk' utility.
(written by Christophe Grenier of CG Security, http://www.cgsecurity.org/)
It is NOT an "urban legend"... (Score:5, Informative)
This is of course no longer true what with much tighter tolerances, smaller and vertical magnetic domains, and so on. I think that is the point of this challenge.
It is recoverable, but at a price. (Score:5, Informative)
It is likely that there is a hysteresis in the platter causing a "0" written on top of a "1" to be slightly "weaker" than a "0" written on top of a "0".
On old tape, this hysteresis was about 10%, and was actually visible with a magnetic loupe, so depending on s/n ratio, you could recover quite a bit, no pun intended.
The problem with a HDD is that the signal from the heads goes through a lot of signal processing including Extended PRML or EPRML. There is also an algorithm like RZ to not have a long series of the same bit written physically. If you take the electrical output from the read head, you will have a big task reconstructing the data, even if there is only good data.
The only places today that can analyze well what is read physically are HDD manufacturers' research labs, and probably using custom HW to read the platter that collects all the errors and offsets. For a recovery company to do this, they probably would have to invest millions of $$$, so they will not.
So bottom line is that you could send the drive in to Western Digital, and they could probably recover the raw data with about 90% accuracy. If that is enough for the error recovery to chew on, I am not sure, but here and there, long strings would be recovered. They can for sure give the exact probability for the recovery of a bit.
WD however does not have any incentives to demonstrate that wiping their drives with "0" is not sufficient. Au contraire, they may consider this an undesirable property. Therefore, the only ones that can recover this are unwilling.
So the challenge remains unaccepted.
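The post above reasons in terms of a residual signal (hysteresis) and a per-bit recovery accuracy. The following is an added example, not the commenter's work, that turns that reasoning into numbers so a defender can judge what "90% per-bit accuracy" would mean for a wiped disk. It assumes a simple model: after a zero pass, each bit reads back as the new value plus a residual of the commenter's quoted 10% in the direction of the old bit, buried in Gaussian noise; the detector threshold, noise level and sector size are constructed values, not measurements from the challenge drive.

```python
import math
import random

# Constructed model parameters (assumptions, not measured values):
HYSTERESIS = 0.10   # residual of the old bit, the "10%" figure quoted for old tape
SECTOR_BITS = 4096 * 8  # one 4 KiB sector


def bit_error_probability(hysteresis: float, noise_sigma: float) -> float:
    """Probability a sign detector misreads the residual of the previous bit.

    The residual is +/-hysteresis (sign of the old bit) plus Gaussian noise of
    standard deviation noise_sigma. Reading the sign of the residual fails when
    the noise exceeds the residual, so P(err) = Q(h / sigma) = 0.5 * erfc(h / (sigma * sqrt 2)).
    """
    return 0.5 * math.erfc(hysteresis / (noise_sigma * math.sqrt(2)))


def run_recovery_probability(per_bit_accuracy: float, n_bits: int) -> float:
    """Probability that n consecutive bits are all recovered correctly.

    This is what matters for getting a file back: per-bit accuracy compounds
    over the run length, so 0.9 per bit gives ~0.43 for a byte and underflows
    to 0.0 for a whole sector.
    """
    return per_bit_accuracy ** n_bits


def simulate_recovery(hysteresis: float, noise_sigma: float,
                      n_bits: int, seed: int = 1) -> float:
    """Monte Carlo check of the analytic per-bit accuracy.

    Each bit: old value and new (zero-pass) value are random; the read-back is
    new + hysteresis * old + noise. The current value is known from a normal
    read, so the recovery attempt subtracts it and keeps the sign of what is left.
    """
    rng = random.Random(seed)
    correct = 0
    for _ in range(n_bits):
        old = rng.choice((-1, 1))
        new = rng.choice((-1, 1))
        read = new + hysteresis * old + rng.gauss(0.0, noise_sigma)
        residual = read - new
        guess = 1 if residual >= 0 else -1
        correct += (guess == old)
    return correct / n_bits


if __name__ == "__main__":
    # Pick the noise level at which the commenter's 90% per-bit figure holds.
    sigma = HYSTERESIS / 1.2816  # Q(1.2816) ~= 0.10
    acc = 1.0 - bit_error_probability(HYSTERESIS, sigma)
    print(f"per-bit accuracy (analytic): {acc:.3f}")
    print(f"per-bit accuracy (simulated): {simulate_recovery(HYSTERESIS, sigma, 20000):.3f}")
    print(f"P(one byte intact): {run_recovery_probability(acc, 8):.3f}")
    print(f"P(4 KiB sector intact): {run_recovery_probability(acc, SECTOR_BITS):.3e}")
```

The design point is the second function: even granting the optimistic per-bit figure, the chance of any single sector coming back intact is effectively zero, which is why the poster's "here and there, long strings" is the realistic ceiling rather than recovered files. Tightening the noise or the hysteresis in the model shows how quickly that ceiling moves either way.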
Re:The whole article is full of comedy gold (Score:4, Informative)
"It can't be done" is a little strong: On older (early-1980s) hard drives it probably could be done. Modern drives, less likely. No-disassembly rule, no chance whatsoever.
That said, "industry best practices" is what it is. When I'm wearing my data security hat for a company managing people's medical records, I'm going to advise that we follow whatever accepted standards are for wiping drives; if FIPS says to degauss the drives, we're damned well degaussing the drives. "Nobody ever got fired for choosing IBM" may be a lousy rule for procurement, but "nobody ever got fired for insisting on industry-accepted security practices" is right on the money.
Re:Jeez (Score:3, Informative)
$300? That's for running what's pretty much an "undelete" like any shareware program can do.
$3,000, and you might get what amounts to a sector dump.
$30,000 and damaged platters/heads might be replaced, and attempts at hardware recovery done.
$300,000, and the electron microscopes might see use.
Real price is $700 (Score:4, Informative)
$300? That's for running what's pretty much an "undelete" like any shareware program can do.
$3,000, and you might get what amounts to a sector dump.
Not at all true. I priced this out for a friend that had removed data beyond what the simple undelete commands you mentioned can do. The real cost is more along the lines of $700, and you get real data files back.
$3000 is more along the lines of, the actual physical disk inside the case has been disturbed and you are talking about recovering whatever data you can. That starts to get real pricey, really quickly.
Re:it is PR (Score:4, Informative)
Encrypted by whom? Oh, that's right, by him.
Sorry, encryption doesn't lend any kind of credibility to the claim at all. That only makes it harder to change the list from now on, but doesn't validate that the list was correct in the first place. What would be stopping him from zeroing one drive and providing the list from another drive (or making one up), and then encrypting the wrong list? There's no verification process in place, which causes the addition of this encryption step to smell of snake oil, making it slightly less believable than if it had been all in the open.
I'm sorry, but you're taking his word on faith. Which is a very wrong thing to do, even if he is right. It's not the amount of money in question that's the big problem here, but the lack of accountability.
Where in the hell... (Score:3, Informative)
...did these guys get the idea that anyone who knew what they were talking about claimed that it was possible to recover data from an overwritten drive without taking it apart?
Re:Do many companies really do EFM recovery? (Score:2, Informative)
but you need knowledge of the file system in question, and how exactly it stores its file names.
It's good you brought this up, because the poster went back in time and included it in TFA. It's people like you keeping these guys honest:
We did a default initialization and NTFS format from within Windows XP.
Re:The whole article is full of comedy gold (Score:3, Informative)
"No disassembly" doesn't mean you can't tap onto the drive's external circuit board, where you *might* just be able to get the voltages before they go digital, unless the ADC circuitry is inside the housing...
Re:The whole article is full of comedy gold (Score:2, Informative)
Actually, since the voltages are so tiny, the ADC is usually mounted on the arm right next to the heads. You can see it if you open the drive.
The problem is it isn't that simple (Score:4, Informative)
Long gone are the days when drives stored things in a simple modulation format. That's what MFM hard drives were (MFM means Modified Frequency Modulation). Now hard drives store an analogue wave, and analyze it to determine the maximally likely result for a given waveform. It's called EPRML, Extended Partial Response, Maximum Likelihood. You can Google for the specifics of how it works, but the general idea is there isn't a certain threshold beyond which something is 1 or 0. Rather it is an analogue wave of varying intensity and by looking at how it changes, the drive's processor can pick out the binary stream it is most likely to represent. Sounds like voodoo, but works really well and is extremely reliable.
Well, that means that data recovery of overwritten data just became a hell of a lot harder. It isn't a matter of saying "Well the current data is a 0, however it is on the high end of 0 so it was probably a 1 before." No, now you have to be able to tell what the wave looked like beforehand, and interpret that.
Now maybe there's a way that it is possible, but I'm rather doubtful. There is, of course, also the time factor. Supposing you can do this, how long does it take you to read one byte? A second? A minute? Ok, how long are you willing to spend scouring a drive that has five hundred billion of those bytes? So not only do you need to be able to do this, but you need to be able to do it quite quickly if you are to have any hope of scanning a modern drive in a timescale that is useful.
Re:I think you got it at the beginning. (Score:1, Informative)
...could have sworn it was $500.
Re:Critical line in the Challenge: (Score:3, Informative)
RTFA, they specifically allow disassembling by data recovery organisations and the 3 letter ones too.
Re:Critical line in the Challenge: (Score:3, Informative)
RTFA. (How does someone get modded "insightful" when they haven't?)
That's not in the challenge NOW. It was some months ago, as he didn't want to supply an unlimited number of drives for people to trash, but now the drive does not have to be returned, you can do what you like.
Re:Do many companies really do EFM recovery? (Score:2, Informative)
Kernel memory pages are usually not swappable. They will stay on physical memory.