Life Explorers - Forensics - Hard drives

in #forensics · 8 years ago

Most systems still use the traditional hard drive, although SSDs are becoming cheaper and cheaper. In this post I will focus on the good old hard drive.

So let's start with what a hard drive really is. Hard drives have been part of computers since the 1950s. In those days they were huge, up to 20 inches across, and held only a few MB. The hard drive is not much different from the good old cassette tape. When I was a little kid and hard drives were really expensive, even our programs came on cassette tape.

The relation between the two lies in the way they store information: both use magnetic recording. One benefit of magnetism is that it can easily be erased and rewritten, and the data stays put for many years without power, so you can switch the computer off and the data will still be there.

Although it is possible in principle to wipe data with a magnet, I would not bet my life on it; some of the data may well remain. Only an extremely strong electromagnet, such as a purpose-built degausser, will reliably wipe everything. But who owns something like that?

Inside a hard disk are platters. A platter is coated with a ferromagnetic material containing billions of tiny regions (much smaller than a sector) whose magnetization can be set independently in one of two directions, representing a 1 or a 0. These regions are known as magnetic domains.

The data is written by the write element in the read/write head. Before 2005 this was done with longitudinal recording, where the magnetization lies parallel to the platter surface (left to right), as in the first part of the picture. Since 2005 drives use perpendicular recording, where the magnetization stands vertically, as in the second part of the picture.

Credit: Makeuseof.com

So a drive can store only 0s and 1s. This system is called the binary system; the number 15, for example, is 00001111 in binary. Of course we also want to store things other than numbers. Letters and other characters are stored as binary numbers too, using a character encoding such as ASCII.

Credit: study.com

That is the technical side, going on at a low level. We, the normal users, see the hard disk through different eyes: usually the disk is formatted and presented to us with a file system, which can be FAT32, NTFS, ext4 and many more. A file system is a way of organizing the drive, and it is what stores your files. So there are two layers holding your data: the physical layer (magnetism) and the logical layer (the file system), and both matter when recovering deleted data.

A file system provides a way of separating the data into files. It also stores extra information such as permissions and other attributes; this is called metadata. And then there is the index of the file system, which keeps track of where on the disk each file is located.

When a file is deleted, the metadata and index entry for that file (file name, date/time, size, location of the first data block/cluster, etc.) are lost or marked as unused. But that does not mean the data itself is gone: the index has only marked the clusters as free, and the bytes are still sitting on the disk. As in the example I used in my previous post, we can recover such files by scanning the raw disk for known file signatures (file carving). A JPEG file, for example, is identified when a block begins with one of:
0xff, 0xd8, 0xff, 0xe0 (JFIF)
0xff, 0xd8, 0xff, 0xe1 (Exif)
or 0xff, 0xd8, 0xff, 0xfe (comment segment)
The first two bytes, 0xff 0xd8, are the JPEG start-of-image marker; a JPEG ends with the end-of-image marker 0xff 0xd9, which is what a carver uses to know where to stop.

Of course this only works as long as no new data has been written over those clusters. Overwriting is also exactly the technique used to stop forensic recovery.

Also, the bigger the file, the bigger the chance that it is fragmented, i.e. spread over different physical places on the disk. A carving tool has no knowledge of the file system, so it cannot tell that a file is fragmented and cannot reassemble the pieces: it simply carves from the header until it finds a footer, picking up whatever foreign data lies in between. This makes complete recovery of very big files very difficult.

Even formatting a disk does not delete all your data. A (quick) format is not much different from deleting every file: it rewrites the file system structures, not the data clusters. As long as the file system type stays the same, metadata-based recovery tools can usually still get the files back, and signature carving works regardless.

Another tool you can use (on Windows) is DiskDigger: http://diskdigger.org/download

Erasing tools such as sdelete (per file) or full-disk wipe tools such as KillDisk do not "demagnetize" anything. They overwrite every sector of the file or disk, once or several times, with zeros, ones or random data depending on the chosen method, so that each magnetic bit is driven back and forth between 1 and 0 and the previous pattern is replaced.

Credit: Killdisk.com

Personally I do not have experience with recovering data after it has been wiped. When I tested it, though, I could not recover data even after a single zero pass (this is the simplest wipe: just writing the whole disk full of zeros).
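To make both the carving paragraphs above and the single-zero-pass test concrete, here is an added example of my own (not code from the post, from DiskDigger, sdelete or KillDisk). It builds a constructed 64-sector disk image in memory holding one intact fake JPEG and one fragmented fake JPEG, carves them with the signatures listed earlier, then runs a single zero pass over the intact file's sectors and carves again. The "JPEGs" are only framing (SOI, one APP segment header, filler bytes, EOI), not real images; the 512-byte sector size, the sector layout and the assumption that files start on a sector boundary are mine.

```python
"""File carving and overwrite demo on a constructed in-memory disk image.

Added example, not the post's own code: shows why deleted JPEGs can be carved
back by signature, why fragmentation corrupts the carved result, and why a
single zero pass over a file's sectors leaves nothing to carve.
"""

SECTOR = 512  # assumption: 512-byte sectors, the classic HDD sector size

# JPEG start-of-image signatures listed in the post (SOI FF D8 followed by
# FF E0 = JFIF APP0, FF E1 = Exif APP1, FF FE = comment segment).
JPEG_SOI = (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1", b"\xff\xd8\xff\xfe")
JPEG_EOI = b"\xff\xd9"  # end-of-image marker, used as the carving footer


def make_fake_jpeg(payload: bytes, app_marker: bytes = b"\xe0") -> bytes:
    """Constructed stand-in for a JPEG: SOI, one APP segment header, filler, EOI.

    It is not a decodable image; only the framing the carver relies on is real.
    """
    return b"\xff\xd8\xff" + app_marker + b"\x00\x10JFIF\x00" + payload + JPEG_EOI


def write_at(img: bytearray, sector: int, data: bytes) -> None:
    """Write data starting at the given sector (must fit inside the image)."""
    start = sector * SECTOR
    img[start:start + len(data)] = data


def build_image(sectors: int = 64) -> tuple:
    """Constructed image: an intact JPEG at sector 4, and a fragmented JPEG whose
    first sector is at 20 and whose remainder is at 24, with another file's
    clusters (21-23) sitting in between. Everything else is free space (zeros)."""
    img = bytearray(sectors * SECTOR)
    intact = make_fake_jpeg(b"A" * 700)           # 713 bytes, occupies sectors 4-5
    write_at(img, 4, intact)
    frag = make_fake_jpeg(b"B" * 1200, b"\xe1")   # 1213 bytes, needs three sectors
    write_at(img, 20, frag[:SECTOR])
    write_at(img, 21, b"OTHERFILE " * 150)        # 1500 bytes of an unrelated file
    write_at(img, 24, frag[SECTOR:])
    return bytes(img), intact, frag


def carve_jpegs(image: bytes, max_size: int = 1 << 20) -> list:
    """Signature carver: scan sector boundaries for a JPEG SOI and take bytes up
    to the next EOI (or max_size if no footer is found). No file system is
    consulted, so a fragmented file comes back with foreign data inside it."""
    hits = []
    off = 0
    while off + len(JPEG_EOI) <= len(image):
        if image[off:off + 4] in JPEG_SOI:
            end = image.find(JPEG_EOI, off + 4, off + max_size)
            if end == -1:
                data, complete = image[off:off + max_size], False
            else:
                data, complete = image[off:end + len(JPEG_EOI)], True
            hits.append({"offset": off, "data": data, "complete": complete})
            # resume at the first sector boundary after the carved bytes
            off = ((off + len(data) + SECTOR - 1) // SECTOR) * SECTOR
        else:
            off += SECTOR
    return hits


def zero_pass(image: bytes, first_sector: int, n_sectors: int) -> bytes:
    """Single zero pass over a sector range: the simplest wipe the post describes,
    and what a per-file secure delete does to the file's own clusters."""
    img = bytearray(image)
    start, length = first_sector * SECTOR, n_sectors * SECTOR
    img[start:start + length] = bytes(length)
    return bytes(img)


def demo() -> dict:
    """Carve the constructed image, wipe the intact file's sectors, carve again."""
    image, intact, frag = build_image()
    hits = carve_jpegs(image)
    wiped = zero_pass(image, 4, 2)            # overwrite only the intact file's sectors
    after = carve_jpegs(wiped)
    return {
        "hits": len(hits),
        "intact_recovered": hits[0]["data"] == intact,
        "fragmented_recovered": hits[1]["data"] == frag,
        "fragmented_has_foreign_data": b"OTHERFILE" in hits[1]["data"],
        "hits_after_zero_pass": len(after),
        "surviving_offsets": [h["offset"] for h in after],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The intact file carves back byte for byte, the fragmented one comes back larger than the original with the other file's clusters embedded in it, and after the zero pass only the fragmented one is left to find. To try it on a real raw image (for example one taken with `dd`), read the file into `image` and call `carve_jpegs` on it; scanning only at sector boundaries is a speed trade-off, and a carver that scans every byte offset will also find JPEGs embedded inside other files.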

There is a persistent myth that data can be recovered after a wipe, which is why there are all these different multi-pass methods in the picture above. But the study discussed in the SANS post below found that recovering overwritten data with an MFM (magnetic force microscope) is not feasible on modern drives; recovering any meaningful amount of data is out of the question. For more info: https://digital-forensics.sans.org/blog/2009/01/15/overwriting-hard-drive-data/

In short, the assumption behind multi-pass wiping was that an overwrite does not fully replace the old signal: a zero (0) overwritten with a one (1) reads back closer to 0.95, while a one (1) overwritten with a one (1) reads back closer to 1.05, so the previous value leaks through. That effect was real on diskettes, but it depended on their much lower recording density; it does not carry over to modern high-density drives.

So if you really want to be 100% sure: wipe the disk with a tool like KillDisk, and after that physically destroy the platters.


Author's Note: The Life Explorer Series is a community magazine that brings together writers to post about a variety of topics. All topics and authors using the #lifeexplorer tag or title are part of this group and have permission to post under the heading Life Explorer. If you would like to write with the Life Explorer series about a topic, reach out and get in chat contact with @timsaid to learn more.

Make sure to catch all these Life Explorer authors:
@prufarchy
@yogi.artist
@timsaid
