Why can data still be read when a disk is completely erased?

General discussion about data forensics.

Moderators: Eraser DevTeam, Eraser Moderators

Why can data still be read when a disk is completely erased?

Postby chrisssteeven » Wed Feb 10, 2010 7:32 am

I understand that normal delete operations only delete the file identification information, but not the file contents itself. I'm talking, though, of writing all zero's or all ones on a disk on an extreme low level format. Some disk forensics can still read data. How can that happen?
chrisssteeven
 
Posts: 3
Joined: Tue Feb 09, 2010 5:43 am

Re: Why can data still be read when a disk is completely erased?

Postby DavidHB » Wed Feb 10, 2010 8:59 pm

chrisssteeven wrote:I understand that normal delete operations only delete the file identification information, but not the file contents itself. I'm talking, though, of writing all zero's or all ones on a disk on an extreme low level format. Some disk forensics can still read data. How can that happen?

Have you seen it done, or done it yourself? If you haven't, I would advise caution, and no little scepticism, when reading information on the subject. This thread provides a healthy dose of just such scepticism about one of the mantras of safe erasing. Other threads on this forum provide links to some very informed comment.

If a complete wipe is undertaken of an empty disk (e.g. delete or erase all folders/files on a non system drive, then wipe free space with Eraser, then do a quick format to clear the FAT), the consensus appears to be that the data previously on the drive is gone, period; most people are of the view that, for ordinary users' data, a single pass wipe is sufficient. There have been techniques to read traces of the former data, but I think we can be sure that none of these has been turned into a readily available, usable and cost-effective product, or anyone who follows IT news would know about it; most of what is publicly documented in any case relates to technology that is no longer in use. It may be that people with huge resources and even greater operational security - say certain national security agencies - know things that don't get published, but their targets are likely to be specific and limited. All security is a game of chance; the purpose of a using program like Eraser is to (dramatically) increase the odds in one's favour rather than to achieve the impossible 100% certainty.

Problems multiply when trying to erase only free space and leave wanted data, particularly on a system drive. The combination of journalling file systems, page files, system protection and automated safety processes (e.g. backups) is such that copies of data, including sensitive data, may reside in places the user does not know about, and may not have access to if he/she did. A classic example of what may happen is described in this thread. We have been warned!

David
I am not an Eraser programmer, but a long-time user; my views may not be the same as those of the Eraser programming team.
Before posting, please read the top 4 topics in the Eraser FAQ, which already provide many of the answers users need.
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK


Return to Data Forensics

Who is online

Users browsing this forum: No registered users and 1 guest