Wiping your data

You decide that you want donate your computer to your local charity or a family member. However, you have read the articles about all the data that remains on your hard drive even if you delete the data. How is it that your personal data can be removed from the drive so no one else can see it?

Early in their use of computers, the U.S. Government recognized that hard drives (and now solid state drives) retain lots of data. Some of this data is easily accessible in the “User” area and some less accessible in the systems areas of the hard drive. Prior to replacing the hard drive the data needs to be permanently removed from the hard drive. The process of destroying the data started with a simple writing of any character over all the data area of the drive. The concept of what we now call “wiping” has developed into a standard employed across the U.S. Government and adopted worldwide a sbest practices for wiping hard drives.  The standard developed as U.S Department of Defense  standard DoD 5220.22-M. It outlined the recommend methodology for destroying data using software methodology. The standard listed suggestions from a single pass of the data area with random characters to 30 passes over the data.  This methodology has changed and most in the field recognize that based on the current hard disk drives configuration a single pass sufficiently destroys all the data for non-classified storage devices.  Classified storage devices are physically destroyed. All of the recommended methods of data wiping are just that, recommendations.  The agency retaining the data has to decide the method and procedure required to destroy the data based on the data’s significance.

The National Institute of Science and Technology (NIST) released in December of 2014 an updated version of its Guidelines for Media Sanitization.  Some of the recommended factors to be considered are included from page 11:

“Organizations should consider environmental factors including (but not limited to):

  • What types (e.g., optical non-rewritable, magnetic) and size (e.g., megabyte, gigabyte,and terabyte) of media storage does the organization require to be sanitized?
  • What is the confidentiality requirement for the data stored on the media?
  • Will the media be processed in a controlled area?
  • Should the sanitization process be conducted within the organization or outsourced?
  • What is the anticipated volume of media to be sanitized by type of media?
  • What is the availability of sanitization equipment and tools?
  • What is the level of training of personnel with sanitization equipment/tools?
  • How long will sanitization take?
  • What is the cost of sanitization when considering tools, training, verification, and reentering media into the supply stream?”

These are all good things to consider in a small business and may still be relevant in our personal decision making process.  The NIST guide describes types of data deletion as Clearing, Purging or Destruction.  Clearing and Purging relate to the actual overwriting of the data on the drive and Destruction is the physical destruction of the hard disk drive.

For the average computer user the most likely question becomes what is the intended use of the hard drive after the data destruction.  Its generally that you want it to work after the data is removed or you don’t. If you want it to work, a data wiping program is the most useful tool or technique. In this case the data is destroyed and the hard disk drive can be reused. Physical destruction is just that, the data drive is no longer accessible due to the physical destruction of the hard disk drive. The government’s consideration of destruction is usually the use of a large shredder or destruction device capable of dealing with hard drives. However, most physical destruction to the drive (hammering in until its flat) will make the data unrecoverable for the average persons intentions.

Another old school method of destruction is the use of a Degausser (commonly used in destroying data on tape). Degaussing as defined by NIST is:

“To reduce the magnetic flux to virtual zero by applying a reverse
magnetizing field. Degaussing any current generation hard disk
(including but not limited to IDE, EIDE, ATA, SCSI and Jaz) will
render the drive permanently unusable since these drives store track
location information on the hard drive.”

The magnetism required has to be sufficient enough to change the magnetic field on the drives platters. Smaller older Degaussers can render the drive inoperable but may fail to destroy the data on the drives platters. The NSA has an approved list of degaussing tools that can be found in their Deagausser Evaluated Products List.

Something you may want to consider also is getting a certification of the data destruction. Once the data is destroyed verifying the destruction is a normal part of the process. Using data wiping tools the person or company verifying the data destruction can look at the data storage space and see that the data was destroyed. Using physical methods such as shredding, the drive owner can see that the drive is physically destroyed.  Degaussing as a method is the only one that has a difficult level of determining the data’s destruction.  Providers of data destruction services can provide letters or documents of the destruction.

Whether it is a personal decision or for implementation in a small business your decisions about data wiping are:

1) What is the intended use of the hard drive after the data is destroyed?,
2) What method of destruction should I use?, and
3) What will the cost be for destroying the data?
4) Do I need certification of the data’s destruction.

Any full service data recovery company can assist you with your decision making and will offer one or all of the types of destruction processes mentioned and should offer a certification of the destruction.

Recovering deleted data from a GoPro SD card

The wildly popular video camera GoPro is a significant leap forward in personal video recording. The video format it uses is also a significant leap forward. Mp4 is its identified format, but recoveries of GoPro video’s as not a straight forward find a header and a footer recovery.

GoPro has introduced the ability to put their Hi Def video in the same stream as their low def version. Some many frames for Hi Def and one for Low Def. What this does is severely complicate the process of finding the video’s intact. The header actually has a listing of the parts assigned to each portion of the video and aids in the recovery if the data is present. This requires the video files to be individually rebuilt after their deletion.


My Monkey Broke My Thumb drive…

The telephone calls a legitimate data recovery company gets can sometimes be amazing. Whether a monkey broke the thumb drive, some fluid (coffee or otherwise) was spilled on the computer or the baby chewed on the SD card, recoveries are all different. Sometimes the office intake person is washing quickly after opening a package or after receiving a client’s computer, but our job is to recover the data no matter the circumstance. Any data recovery company having done recoveries after a fire will tell you that the lingering odor of the burnt computer stays in the laboratory.

No matter the client issues the data recovery specialist needs to evaluate the devices problems (and their often can be more than one) and in some cases will have to take time to clean the storage device before the analysis can begin. Each recovery attempt truly is individual and no two are the same from the beginning through the delivery of the client’s data.

Counterfeit Flash Memory

Counterfeit media is not new to the flash memory market. However, the increase in the number of counterfeits chips we have been seeing is notable. Counterfeit chips to the untrained eye look exactly like the real one. They may have even come out of the same factory. But there is usually identifiable differences in the media upon closer examination. If the media is functioning there are methods of identifying the whether the chip is real our not.

Commonly the counterfeiters will use a smaller sized storage chip then listed on the packaging and loop the code in the chip to respond as if it is a much larger size. If the chip is not responding correctly, examining the physical device, controller chip and storage chip can give the data recovery specialist  ready identification of the counterfeit. The counterfeiter often will have spent a lot of time trying to make the exterior of the product, such as flash media (SD card or thumb drive) look like the original. However, the coding on the chips will be wrong or non-existent.

The manufactures information imprinted on the chips is something that data recovery specialists use to identify the chips and how they are designed. Without this information, it can be very difficult to recover the data. With the correct information, the data recovery specialist can run the chip make and model through various websites to acquire the correct chip design and layout to aid in the clients data recovery.

Music Server Recovery

Its not unusual to see odd data recovery jobs walk in the office. This one was one where the client had a music server that stopped working and needed to recovery his 450 gigabytes of music back. This was odd in the fact the company making the music server had gone out of business and could not longer support the product. The client had tried to recover the data himself but the drive was not recognized by his Windows computer.

As always we conducted an initial analysis and examination to identify any possible mechanical or electrical issues with the drive. IN this case the drive was functioning properly. A review of the data area initially revealed no file system or data.  A review of the partition table in a hex editor found no normal partitions. There was data in the normal location that the partitions should exist but it was not in the correct location or normal format. We were able to identify the partition naming convention uniquely used by the manufacturer and ultimately found that the drive had old FAT16 and FAT32 partitions. Following the end of one partition entry to the beginning of the next we were able to chain the partitions together and identify the four partitions (of the eight) that held the customers data. Using X-ways forensic tool we rebuilt the partitions and identified the file structure and the data files. This of course was not the end of the work.  The music server company had applied a unique formatting to the individual music files. The first sector of the file contained information about the author, song name and album. Then there were three empty sectors before the correct music file header information was located. Cutting these first four sectors and saving the file allowed the music file to play properly.  We did this for one file, but remember there was 450 gigabytes of music files.  In house we built a script to recursively go through each file, open the file, cut the first four sectors and save it again. The script was able to correct the file headers so we could provide the data to the client.