The Great Zero Challenge Remains Unaccepted 496
An anonymous reader writes "Not even data recovery companies will accept The Great Zero Challenge and only four months remain! We've all heard how easily data can be recovered from hard drives. We're told to make multiple overwrites with random data, to degauss drives and even physically destroy them just to be extra safe. Let's get the word out. The challenge is almost over! It's put up or shut up time. Can you recover the data?"
Re:Do many companies really do EFM recovery? (Score:5, Interesting)
An urban legend (Score:5, Interesting)
It's an urban legend. You can't recover erased bits. If you could it would imply that you can store at least two bits in the space of one. Disk companies have a pretty good idea what their heads and surfaces can do. Do you think they'd be passing up big $$$ by under-utilizing their disk's capacity?
There is that one Usenix conference "paper" foating around out there, but if you read it carefully it does not give a single example of one recovered bit.
If you've ever looked at the waveform coming off a disk head, you'd wonder with all the x/y noise and jitter how they can get even ONE bit out of that hairball. The answer is, they can, just barely, by applying all the sync, gating, PLL, and deglitching tricks, just barely reliably recover bits at the maximum recording density possible.
And all those pictures they show of bit patterns lingering under large erased areas are actually counter-examples. They prove that you can detect periodic bit patterns under large erased areas. Duh. In the real world the underlying data is not periodic, and the erasure isn't smooth or periodic either. If you overwrite real typical data with random data, you can't recover the original data. Shannon and company, you know.
Re:Pop Quiz (Score:4, Interesting)
Sumary of the fallacies I've seen mentioned on Slashdot so far:
1) lack of reward ($40, plus used 80GB drive worth $30-$40 new, minus shipping).
2) risky. You have to pay a deposit of $60, you have to pay shipping, and you only get the drive for 3 days.
3) You aren't allowed to take the drive apart, which, theoretically, would be necessary for EMF recovery
4) lack of publicity. Many of us didn't even know about the challenge until today. Most professionals probably will have never heard about the challenge even when it is over.
Basically, they are assuming that if nobody does the challenge, that nobody could.
The do have a valid point though. DOD 3-pass is more than enough for 99% of people. Common criminals and the FBI wouldn't recover that, and the NSA might not either. Destroying perfectly good drives is a waste of money and resources, and the practice should stop in 99% of cases.
Unfortunately, 16systems doesn't have enough funding to prove this. It would be nice if a more wealthy person/company would duplicate this challenge, but have several hard drives, pay shipping, have a reasonable reward ($5000+, the more the merrier), and be able to advertise the challenge better.
Re:An urban legend (Score:2, Interesting)
I believe that you might be able to determine that if the current value is a 0, that at some point in the history it was a 1. And vice versa. The problem as I see it is that you wouldn't be able to determine how far in the past. Image if the disk were written:
1, 0, 0
You would probably still have some residual history of the '1'.
If you had a disk that was written exactly 1 time, and then overwritten with 0's, then I would believe you could recover some of the data. But how likely is that?
Wrong interpretation (Score:3, Interesting)
If my interpretation is correct, you're still $20 behind [....] since if you win you get to keep the drive, but apparently aren't refunded your $60 deposit.
Wrong interpretation! From TFA:
If you damage the drive, then your deposit will not be returned.
So, (if MY interpretation is correct) you will always get your deposit back if you return the drive in good order or win.
But I have to agree that it's not quite the amount of money I'd do it for, even if I were able to.
Data can be recovered ... (Score:3, Interesting)
... if using older recording technology that has gaps between tracks and records zeros in raw form. Today's recording involves multi-level coding and scrambling, where even all-zeros will have a big mash-up of flux values, and overlaps the gaps to some degree.
If that 80 GB drive that had been zeroed-out with dd had recorded Osama bin Laden's exact location, you can be sure the data recovery experts at certain nameless US government agencies would scramble to get hold of that drive, regardless. And it would not surprise me if they can recover some data from it. They would not be worried about getting their $60 deposit back, and the drive will likely be destroyed as a hard drive as we know it. The tab for such recovery could be in the millions of dollars, but for that kind of data, it would be worth it.
Is the data on your computer with that to someone?
Re:From The Experts (Score:2, Interesting)
However, you can pad out the start with zeroes.
Precisely. In my case, I could brute-force keys with 1-28 "real" bits... presumably 29 would have taken twice as long, around 4 hours. I didn't have to heart to put my laptop's little fan through that. Also, keep in mind that a Feistel-type cipher lends itself to variable key sizes, and Rijndael could probably be modified for lower keys sizes. The reason AES specifies Rijndael with a minimum 128 bit key is exactly the same reason you overwrite a disk multiple times. Technically 56 bits is enough, but 128 is only a constant slower, and several orders of magnitude harder to attack.
Re:Critical line in the Challenge: (Score:3, Interesting)
Yeah, when I saw that you weren't allowed to disassemble the drive, I knew they weren't challenging anything more than script kiddies and their corporate equivalents.
This "what do I need to do before I chuck a hdd" conversation has come up before. I'll ask, "How many dollars do you want somebody to spend to get the data?" They, almost invariably respond "I don't want them to be able to get any data." My response usually involves renting a shotgun/smg and some rangetime.
I would bet they are right (Score:3, Interesting)
What people also have to remember is that unless you ARE talking about data with national security type implications, commercial companies are all you are going to be facing anyhow. Sure, it is possible that the NSA or SIS or the like have some secret technique for recovering data from overwritten drives. Guess what? If they do, they aren't telling anyone, and that includes law enforcement, your company, etc. They wouldn't want anyone to know, lest a way be found around it.
Now, as for law enforcement agencies, well they don't have big secret research divisions. They buy products and services from regular commercial companies. Have a look at the weapons police use, for example. While they are sometimes variants that are not available to the general public due to various weapons laws, they are made by firearms providers you've heard of" Glock, Smith and Wesson, Sig Sauer, etc.
Same deal for forensic tools. By and large the most used tool for disk analysis, in fact the only one I've ever seen, is EnCase. It basically images an entire drive (including all empty space) and then allows you to look through it in various useful ways. However, this means that it is only looking at data currently on the drive. Anything overwritten even once isn't visible to it, since it is just pulling data through the drive's normal interface.
As a practical matter, the tools law enforcement uses need to be known because they are going to be scrutinized in court. In pretty much any court in any free nation when the question "What method was used to find this data?" is asked, an answer of "We can't tell you," isn't going to cut it. You discover that forensic methods of all sorts are subject to scrutiny. The way that DNA matches are done, the method for comparing paint chips, etc, all are open to be looked at. The investigators can't just say "Ummm ya, the DNA matches. We can't tell you how we know, we just do." Same deal for digital forensics.
So while there's certainly nothing wrong with running a good wipe as a CYA sort of measure, this paranoia of "OMG they can read your data no matter what!" needs to stop. For example we do DOD 5220.22 wipes at work because it is a good way to have ourselves covered if anyone asks. After all, it's an official DOD standard, if it's good enough for them it's good enough for us. However I've no illusions that it is necessary over a simple zeroing of the disk. Maybe if I was worried about the NSA reading our disks, but I'm not.
Yes intelligence agencies go to some extreme lengths (like wiping a disk, grinding it up and melting it down) but that's not because they think that is all needed, but because they don't want to find out they are wrong. When you are protecting national secrets, you don't take chances. However if you aren't, and people here aren't, then this paranoia is rather silly.
Re:Wow, what a prize! (Score:2, Interesting)