On Wed, 4 Apr 2007 17:29:40 +0100, "ChrisM"
>In message firstname.lastname@example.org,
>Adam Albright <AA@ABC.net> Proclaimed from the tallest tower:
>> On Wed, 4 Apr 2007 15:53:43 +0100, "ChrisM"
>> <email@example.com> wrote:
>>> In fact, even if the data has been overwritten with zeroes, I
>>> believe that using some advanced data recovery techniques, it is
>>> still sometimes possible to retrieve the original data.
>>> The erase programs used by some high security applications
>>> (military, MI6, top secret commercial data etc) actually overwrite
>>> the data many times so that the original information is totally
>> Again, that depends. That too can be BS. The king of forensic
>> software, a nifty application called ENCASE (for evidence case) can
>> recover nearly anything... no matter what you do, short of taking a
>> really powerful magnet to your hard drive or bashing it into pieces
>> with a sledge hammer. Years back, before 9/11 anybody could buy a copy
>> of ENCASE, not anymore, now it is only sold (legally) to law
>> enforcement agencies.
>Does this ENCASE work on the HDD as is, or do you have to take things to
>bits to do this sort of data recovery?
>Surely the drive firmware(? or whatever it's called) will simply return the
>most recent bit values written to the disk??
>How do you get it to look at what 'used' to be there?? I've never really
>understood the practicalities of data recovery at this level, only that it
>could, somehow, be done...
I haven't seen the latest versions since I'm not in law enforcement.
The older versions of ENCASE would totally bypass the OS and just read
any drive sector by sector. Since the main purpose of ENCASE is to
build an airtight case against criminals, it reads a hard drive sector
by sector, bit by bit which gets copied to the trained investigator's
linked computer so they can prove they didn't tamper with the actual
contents and "plant" evidence. The built-in viewers that are a main
part of ENCASE are impressive in what they can dig up and transform
back into human readable form.
The first time I saw all it could dig out I was rather impressed. Even
written over files with so-called wipe utilities, ENCASE still often
found enough of the file and put it back together so you knew what it
was. Probably even better now since 9/11, an amazingly clever bit of
software, if the government don't abuse it. I think it costs about
Do a Google on 'file slack' and security to learn more on how some of
what ENCASE does works.
In short, file slack is a fruitful and interesting environment to
snoop in. Defined, this is the total number of bytes written to a hard
drive's sectors between the actual end of "real" file data and the
virtual end the cluster used. For example when you write a 600 byte
file, all versions of Windows need to fill out the cluster, whose
common sizes are 512, 1024, 2048 bytes respectively.
File slack can be literally made up of anything, scraps of your files,
something that was in a memory page, just garbage, anything. Worse,
since Windows is a natural blabber mouth it journalizes just about
everything you do and remembers. Applications like ENCASE know where
Hint: Just because you "delete" a file, even overwrite it, doesn't
mean that was the only time either all or part of that deleted or
overwritten file was ever in a memory buffer in its pristine pre-wipe
form and may have, and often will be used as file slack. If any bit of
any file remains on a hard drive if the hard drive can be read sector
by sector, even if you reformat, delete a partition, wipe files,
whatever you think you do as security measure some applications can
bring back the dead, often very easily. ;-)
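As an added illustration of the file-slack point made in the post above (example code written for this page, not something from the thread): a small Python model of a volume with 2048-byte clusters, showing that the 1448 bytes following a 600-byte file can still carry an earlier file's content. The in-memory "disk", the sample file contents and the filesystem behaviour (the tail of the last cluster is not zero-filled on write) are constructed assumptions of the model, not properties of any particular product.

```python
"""Model of file slack: the bytes between the real end of a file's data
and the end of its last allocated cluster. Everything here is a
constructed in-memory model, not a real filesystem or forensic tool."""

CLUSTER = 2048  # one of the cluster sizes named in the post


def slack_bytes(file_size: int, cluster_size: int = CLUSTER) -> int:
    """Slack left in the last cluster after writing file_size bytes."""
    return (-file_size) % cluster_size


def clusters_needed(file_size: int, cluster_size: int = CLUSTER) -> int:
    """Clusters allocated for a file (at least one, even for empty files)."""
    return max(1, -(-file_size // cluster_size))


def write_file(disk: bytearray, start_cluster: int, data: bytes,
               cluster_size: int = CLUSTER) -> None:
    """Write only the file's own bytes. Whatever already sits in the rest of
    the final cluster is left alone, which is how slack comes to hold
    fragments of earlier files (assumption: no zero-fill of the tail)."""
    off = start_cluster * cluster_size
    disk[off:off + len(data)] = data


def carve_slack(disk: bytearray, start_cluster: int, file_size: int,
                cluster_size: int = CLUSTER) -> bytes:
    """Return the slack bytes belonging to the file at start_cluster."""
    end = start_cluster * cluster_size + file_size
    return bytes(disk[end:end + slack_bytes(file_size, cluster_size)])


def demo() -> dict:
    disk = bytearray(4 * CLUSTER)  # constructed 8 KiB volume, all zeros
    # An earlier, larger file fills cluster 0 completely...
    old = (b"OLD-SECRET-LEDGER:" * 200)[:CLUSTER]
    write_file(disk, 0, old)
    # ...then a 600-byte file is written into the same cluster.
    new = b"N" * 600
    write_file(disk, 0, new)
    slack = carve_slack(disk, 0, len(new))
    return {
        "slack_len": len(slack),                      # 1448
        "old_data_in_slack": b"OLD-SECRET-LEDGER" in slack,
        "slack_fully_zeroed": slack == bytes(len(slack)),
    }


if __name__ == "__main__":
    print(demo())
```

A per-file wipe that overwrites only the file's logical length never touches this slack region, which is why whole-device sanitisation or full-disk encryption is preferred over per-file wiping when remnants matter.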