I spent some time a few years ago working on the software element of a system that could potentially have done this job. The project was axed due to budgetary constraints but was interesting nonetheless.

Essentially the system worked like this: individual platters were removed from a drive and mounted on a spindle. The spindle (sitting on air bearings) was spun at a constant rate (not necessarily the original speed), and this was accurately maintained using feedback via a phase-locked loop. Read heads from a non-specific drive were lowered into 'contact' with the platter via armatures, allowing the head to be moved across the surface of the disk as the original head would. The output from the read head was fed into the front end of a disk controller board, which effectively amplified and shaped the output. This was then decoded.

OK, that's the basic theory of this technique. Here come the problems:

1. You have to work out the data rate of the domains passing under the head. This varies as the head moves across the platter as the data is zoned, i.e. you can fit more sectors onto the longer outer tracks than you can on the shorter inner tracks.

2. The magnetic domains do not relate directly to a one or a zero. By this I mean a magnetic north is not a one and a south a zero. The encoding method complicates this by a) interlacing clock data between each bit and b) using a flux reversal to indicate a 1 and a lack of a flux reversal to indicate a 0.

3. The encoding scheme used for the data: is it MFM (not likely nowadays) or RLL, and if RLL, which variant?

4. To get certified good data out you need to use the correct CRC/ECC algorithm; however, modern chipsets are very flexible and let you a) supply your own polynomial for the CRC/ECC and specify what to preload the registers with. For floppies this is obviously standardised (preload = FFFFs and 16-bit polynomial = X^16+X^12+X^5+1 - I think, it's been a long time), otherwise you would not be able to share floppies between computers. For a hard disk this does not apply as the media is part of the drive. Also, over what 'data' is the CRC generated: is it just the data, the data and the data mark bytes, or part of the data mark? Finally, there are two CRC/ECCs for any sector, one for the address mark and address and one for the data mark and data, and how big is the CRC - normally 16 bits for the address mark, but it used to be 56 bits or more for the data.

5. Due to the tolerances of the platter centre hole and the minute sizes of individual tracks, you have a problem with centering, i.e. if the point of rotation of the mounted platter isn't exactly the same as the original, then if the head is kept still and the platter rotated under it, the head will cross a number of tracks for each rotation. In practice we saw about 5 tracks passing under the head, but this was for 1GB drives - density has increased since then. The solution was to oscillate the heads and 'track follow', but to do this you need to know where the tracks are, which obviously means that you need to be able to read the address mark. A bit chicken and egg, but it could be done.

So, yes, you can read the side of the track. If an older drive has gone slightly out of alignment it is possible to read down the side of the track to see what was there before. As the CRC/ECC is written with the data, a good read can be verified. The process is to read a sector as it is now and then try to read the side of the known sector to see if you can get data that is different. Of course, once you have got it you need to make sense of it - you almost certainly won't recover a complete drive in this way. Of course this technique is even more useful where a user has attempted to trash a drive physically rather than overwriting the data.

Modern drives, however, use servo tracks/platters so they always know where they are, and therefore 'track drift' is less likely to occur - gone are the days of stepper motors where a 'defective' drive could be made to read by standing it on its side and letting gravity help. Also, the latest encoding techniques use Partial Read Maximum Likelihood (PRML) technology that effectively works by determining 'how likely is this magnetic anomaly to be a 1'.

The upshot of this bit of my history is that all of the above problems still stand when it comes to looking at the data using microscopy. $10K may get you some of the hardware, but then you need a monster development budget.

Sorry this is a bit rambling (and maybe well out of date), but I hope it's food for thought.

Paul

-----Original Message-----
From: Matthew.Brownat_private [mailto:Matthew.Brownat_private]
Sent: 02 October 2001 21:30
To: forensicsat_private
Subject: Re: Recovering data from a wiped HD

Javi

This issue comes back from time to time. The Usenix needs to provide a proof of concept; I'm not sure they realized how often this theory would be revisited. This was a concern of ours during the Cold War, while I was in the DoD that is.

Costs: The equipment costs no longer appear to be an issue. You would need a raw disk platter controller and mount, a clean room, and a semi-powerful microscope. This is just the basic equipment list, but could cost under $10,000.00 before you could start your own microscopic examination of the bit areas, which are referred to as "domains".

Probability/Candidates: There are two types of candidates for this theoretical procedure.

1. If the drive has been zeroized (old Crypto variable term) to overwrite all data (hex 00 written to each byte = all binary zeros written to each domain). It might be like trying to interpret a poster on a wall that has been white-washed. The problem is that both the ones and the zeros have had zeros written on top of them. The only hope you have is that the most recent constant zeroizing process would be slightly (microscopically) offset, thereby revealing the previously recorded binary digit pattern. This may even work if the different patterns are swept across the drive several times.

2. If the drive has been re-partitioned, reformatted, and a new instance of an operating system has been installed. Good luck. That would be like trying to interpret a poster with another poster plastered on top. I do not consider this a candidate, at all.

Time: Do the math! How many domains are there on a 20GB laptop hard drive? Multiply the number of domains by how long it would take to visually determine a single domain and then toggle the domain on another drive. I didn't promise there wouldn't be a math test today. Hint: A lifetime. I'd hate to QC this person's work, what an error rate. I do concede that this process could possibly be automated.

Legal: Opposing counsel's expert witness would have a field day. "So, basically you changed the bits as you saw fit"?

Conclusion: Possible Urban Myth. I've seen what these domains look like under a microscopic examination; only after seeing the actual work in front of you do you truly realize what we are talking about.

Thanks,
Matthew Brown, CISSP

Javi Polo <javipoloat_private>
10/02/2001 06:06 AM
To: forensicsat_private
cc:
Subject: Recovering data from a wiped HD

What techniques could be used to recover an HD, floppy or whatever magnetic device that has been ... let's say, completely overwritten by zeroes, or random stuff ... :?
I've heard that this can be done, so it's just curiosity on how I could wipe data more securely ... I suppose that refilling the same sectors several times does harden the recovering process .. :?
Does anybody know of this?

--
Javi Polo - DrSlump - Registered Linux User #97502
Proud member of the Panda Gey Community (powered by linux)
http://javipolo.ivworlds.org/ - Fidonet 2:347/1.1

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
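As an added example that is not part of the thread, the following Python models two of the problems Paul lists: MFM's clock bits interlaced between data bits with a flux reversal standing for a 1, and certifying a decoded sector with the 16-bit CRC (X^16+X^12+X^5+1, registers preloaded with FFFF). Assumed rather than taken from the message: the CRC covers the data mark byte plus the payload, and the mark byte value 0xFB is illustrative.

```python
# Added example, not code from the thread. Assumptions: the CRC covers the
# data mark byte plus payload; the mark byte value 0xFB is illustrative.
CRC_POLY = 0x1021      # X^16 + X^12 + X^5 + 1, X^16 term implicit
CRC_PRELOAD = 0xFFFF   # register preload for floppies, per the message
DATA_MARK = 0xFB       # assumed data address mark byte


def crc16(data: bytes, preload: int = CRC_PRELOAD) -> int:
    """Bitwise, MSB-first CRC-16 over `data` with the given preload."""
    reg = preload
    for byte in data:
        reg ^= byte << 8
        for _ in range(8):
            if reg & 0x8000:
                reg = ((reg << 1) ^ CRC_POLY) & 0xFFFF
            else:
                reg = (reg << 1) & 0xFFFF
    return reg


def mfm_encode(data: bytes) -> list[int]:
    """Flux stream: 1 = flux reversal, 0 = no reversal. A clock cell precedes
    every data cell and is 1 only when both neighbouring data bits are 0."""
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    flux, prev = [], 0
    for d in bits:
        flux.append(1 if prev == 0 and d == 0 else 0)  # clock cell
        flux.append(d)                                  # data cell
        prev = d
    return flux


def mfm_decode(flux: list[int]) -> bytes:
    """Discard the clock cells and repack the data cells into bytes."""
    bits = flux[1::2]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def build_sector(payload: bytes) -> list[int]:
    """Mark byte + payload + CRC, written out as an MFM flux stream."""
    body = bytes([DATA_MARK]) + payload
    return mfm_encode(body + crc16(body).to_bytes(2, "big"))


def verify_sector(flux: list[int]) -> tuple[bool, bytes]:
    """Decode a flux stream and report whether the CRC certifies the read."""
    raw = mfm_decode(flux)
    body, stored = raw[:-2], int.from_bytes(raw[-2:], "big")
    return crc16(body) == stored, body[1:]
```

A side-track read whose decoded bytes match their stored CRC is the 'good read' the message describes; a single flipped cell fails verification.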
This archive was generated by hypermail 2b30 : Wed Oct 03 2001 - 06:38:28 PDT