Quick legal computer ques.

[robsatx]

Not sure where everyone gets their info

A hard drive is magnetic media. It is charged and discharged sections on a drive. The heads in hard drive write to the platters as it spins. True if you perform a format the data is still partially there. When you format the drive, it writes a new (FAT) File Allocation Table. The data can be re-constructed if you have not written anything else to the hard drive. Format the drive then copy a bunch of music files from Kazaa or the like. Fill the hard disk completetly. Once the new data has been written to the drive. The old data is history. THERE is no way to recover it. Most of the programs that you buy are just doing all these unnecessary steps. A hard drive is not like a CDrw. The disk is never physically changed. Only charged and discharged to create 1s and 0s (binary) that the IDE or SCSI controller can convert back to a higher level language.

I have personal experience in this. Not for legal purposes but for clients. We do a fair amount of disaster recovery. We have had to use the "big boys" on a few occasions. As long as no one has "written" to the drive, we can usually get the data. Once written to, we can only recover bits and pieces of the data (where the drive was not written to). IN most cases, you can not take "parts" of a file as they will be corrupted and unreadable. Although not impossible highly improbable.
Summary:
If you fill the drive with bogus info the previous info is gone. If you do not completely overwrite the disk. Bits and pieces may resdie. I hope this helps!

 

[massradius]

good article

http://sfgate.com/cgi-bin/article.cgi?f=/news/archive/2003/01/15/national1617EST0765.DTL

if you need some cheap software to do the job the above artivle reccomends AccessData

http://www.accessdata.com/Product07_Overview.htm?ProductNum=07

 

[robsatx]

That article backs my post up 100%

Thanks!

 

[icelandic]

A low level format overwrites all the data with zeros. That should be totally unrecoverable shouldn't it?

I theory, yes. Truth to be told, however, it depends on exactly how secret the data was and who your possible adversary is. Let me give you this example: For drives which stored Top Secret information at the CIA. First they undergo what is called a DoD wipe (continous binary stream written to the drive repeated six times), next holes are drilled through the magnetic platter, finally the remaining "drive" is incinerated.

Do you have to go to this extreme? Of course not. Just be very wary of any software solution (such as "evidence-eliminator") which promises to wipe a drive. As a former EE, I can tell you there are some extraordinarily smart people working in the field of data recovery, and they are mostly employed in the govt sector. Luckily, I doubt anybody here is importatn enough to arouse their suspicion. If you're really paranoid however, first wipe the drive, then smash the fucker!

 

[lousygenes]

Robsatx,
I normally reformat my hard drive a couple of times a year. While I know that it's possible to restore data from previous formats, how difficult is it? I mean, let's look at this pragmatically. If your house gets raided and they seize your computer, how much time are they really going to spend trying to recover data on your computer if they've only found personal use quantities of roids in your house? I wouldn't think that they'd spend a whole lot of time.

Serenity head, I'd simply reformat the hard drive. Don't try a low level reformat if it's a laptop; it's possible to fry the hard drive. While you can get replacement hard drives for laptops, they're a lot more expensive than buying a replacement hard drive for a desktop.

 

[icelandic]

No!!!!
Simply reformating the drive does little to anything to deter law enforcement from having a look see at your data. A reformat simply rewrites the boundaries of the drive, so to speak - the data contained within those boundaries will be left largely intact. A simple hex editor will allow you to have a look see.

Here is a timely link on the subject of data recovery:

http://sfgate.com/cgi-bin/article.cgi?f=/news/archive/2003/01/15/national1617EST0765.DTL

Note that many of the drives on which data were recovered were reformated

 

[robsatx]

Ice, read my post - then compare to the article.

No!!!!
Simply reformating the drive does little to anything to deter law enforcement from having a look see at your data. A reformat simply rewrites the boundaries of the drive, so to speak - the data contained within those boundaries will be left largely intact. A simple hex editor will allow you to have a look see.

Here is a timely link on the subject of data recovery:

http://sfgate.com/cgi-bin/article.cgi?f=/news/archive/2003/01/15/national1617EST0765.DTL

Note that many of the drives on which data were recovered were reformated

Ice, read my post - then compare to the article.

 

[icelandic]

Sorry, i have nasty habbit of just reading the first post of an archive, not enough time to soak it all up. Looks like im not the only slashdot reader, eh?

 

[robsatx]

Thanks for the honest reply!

Sorry, i have nasty habbit of just reading the first post of an archive, not enough time to soak it all up. Looks like im not the only slashdot reader, eh?

Others on this board would have started getting caustic.

Karma your way . . .

 

[icelandic]

Cool you work in the field. I have a degree in EE but never pursued a career in the field. I don't really do anything funky on my windows box but read my email and surf the boards. For other stuff I run freebsd. Since there is 1024mb of memory in the box, I use a "memory drive" for the swap space - when the box reboots, goodbye swap. I also employ a "disposable partition" - when the data has outlived its usefulness, the entire partition is dod-wiped.