| Starije izmjene na obje strane
Starija izmjena
Novija izmjena
|
Starija izmjena
|
racfor_wiki:datoteke_i_datotecni_sustavi:povrat_podataka [2020/01/08 17:13]
pguichard [3. Recovering data to find traces] |
racfor_wiki:datoteke_i_datotecni_sustavi:povrat_podataka [2024/12/05 12:24] (trenutno)
|
| <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>**iii) The actual data recovery**</font> | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>**iii) The actual data recovery**</font> |
| |
| <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>To recover these files, data recovery tools are used, this is a software approach. These are the most sold solutions online. It can either only repair partitions or completely repair the lost data. This kind of tool permits to locate recoverable data by browsing the disk you erased data from. Then this tool pieces it all together and pieces it back together, no matter its extension (.jpg, .zip…) and the storage media (SD card, USB disk…). This software may even recreate the original structure of the different folders.</font> | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>To recover these files, data recovery tools are used, this is a software approach. These are the most sold solutions online. It can either only repair partitions or completely repair the lost data. This kind of tool permits to locate recoverable data by browsing the disk you erased data from. Then this tool pieces it all back together, no matter its extension (.jpg, .zip…) and the storage media (SD card, USB disk…). This software may even recreate the original structure of the different folders.</font> |
| |
| <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>It seems useless to remind that a perfect software for this usage does not exist. If the data we are searching for was overwritten too many times or compromised we will most probably not recover it.</font> | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>It seems useless to remind that a perfect software for this usage does not exist. If the data we are searching for was overwritten too many times or compromised we will most probably not recover it.</font> |
| |
| <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>The last phase is done either by hand or using software. This is a very important step for computer forensics scientists searching for traces. We can differentiate two types of failures: software and material failure. In the first case, we obviously need a software solution and in the second, a material one. Material failures often allow partial data recovery, but it might end in a storage media destruction. Software data recovery solutions well done do not alter the medium. This is the reason why the previous diagnostic is essential, in order to know if the problem was caused by a damaged material, or by the software itself if a human mistake is not to blame. A software approach on a material failure may make any recovery attempt useless and, moreover, make it impossible afterwards.</font> | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>The last phase is done either by hand or using software. This is a very important step for computer forensics scientists searching for traces. We can differentiate two types of failures: software and material failure. In the first case, we obviously need a software solution and in the second, a material one. Material failures often allow partial data recovery, but it might end in a storage media destruction. Software data recovery solutions well done do not alter the medium. This is the reason why the previous diagnostic is essential, in order to know if the problem was caused by a damaged material, or by the software itself if a human mistake is not to blame. A software approach on a material failure may make any recovery attempt useless and, moreover, make it impossible afterwards.</font> |
| | |
| |
| ===== 3. Recovering data to find traces ===== | ===== 3. Recovering data to find traces ===== |
| **<font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>ii) Recovering data from RAM</font>** | **<font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>ii) Recovering data from RAM</font>** |
| |
| <font 12.0pt/Calibri,sans-serif;;inherit;;inherit>No, data is not immediately unreadable after powering off RAM. Both SRAM and DRAM leave traces of data that was stored inside after the user shut it down.</font> | <font 12.0pt/Calibri,sans-serif;;inherit;;inherit>No, data is not immediately unreadable after powering off RAM. Both SRAM and DRAM leave traces of data that was stored inside after the user shuts it down. Plus, it is possible to increase the time during which data will remain stored in the system up to -60°C.</font> |
| |
| **<font 12.0pt/Calibri,sans-serif;;inherit;;inherit>a. SRAM</font> ** | **<font 12.0pt/Calibri,sans-serif;;inherit;;inherit>a. SRAM</font> ** |
| |
| |
| ===== 4. How to securely erase data from the storage media ===== | ===== 4. How to securely erase data ===== |
| | |
| | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>**i) From Hard Drives in general**</font> |
| |
| <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>Different options are available to erase data. As seen before, we can use quick and normal format. The difference is that random files on the disk are still readable, because if quick format is used, only metadata is erased.</font> | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>Different options are available to erase data. As seen before, we can use quick and normal format. The difference is that random files on the disk are still readable, because if quick format is used, only metadata is erased.</font> |
| <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>The most efficient solution remains to physically destroy the support, data will thus be definitely unreachable.</font> | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>The most efficient solution remains to physically destroy the support, data will thus be definitely unreachable.</font> |
| |
| <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>Through his paper, Gutmann proposes a solution to counter the method that permits to read data on a magnetic disk. It is a way to degauss the drive. The purpose of this is to saturate the disk to the greatest depth possible to erase all traces of data that was once stored. However, highest frequencies only scratch the surface of the pattern. Thus, we need to use the lowest frequency possible. And, since producers try to increase the storage on hard drives, the frequencies used in drives are higher and higher.</font> | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>**ii) Gutmann's method for magnetic disks**</font> |
| | |
| | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>Through his paper, Gutmann proposed a solution to counter the method that permitted to read data on a magnetic disk. It is a way to degauss the drive. The purpose of this is to saturate the disk to the greatest depth possible to erase all traces of data that was once stored. However, highest frequencies only scratch the surface of the pattern. Thus, we need to use the lowest frequency possible. And, since producers try to increase the storage on hard drives, the frequencies used in drives are higher and higher.</font> |
| |
| <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>Because of methods of encoding, used to make sure the head does not lose the trace of where it is, it is just not possible to overwrite everything with zeros, then with ones as many times as possible. The RLL (Run-length limited) code permits to avoids analog signal peaks overlapping. Plus, it defines a certain maximum number of consecutive zeros. Without this, synchronization could be difficult.</font> | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>Because of methods of encoding, used to make sure the head does not lose the trace of where it is, it is just not possible to overwrite everything with zeros, then with ones as many times as possible. The RLL (Run-length limited) code permits to avoids analog signal peaks overlapping. Plus, it defines a certain maximum number of consecutive zeros. Without this, synchronization could be difficult.</font> |
| |
| <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>The result of all this is a 35 passes table that Peter Gutmann recommends overwriting on the disk to erase visible under this paragraph. No matter the code used so far, the original data should not be reachable. To increase the strength of this method, it is possible to use a random order for the passes. The disk eraser can be improved by adding random passes before and after the erasing process. However, Peter Gutmann himself agrees to say that this method is outdated according to the functioning of today’s drives.</font> | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>The result of all this is a 35 passes table that Peter Gutmann recommends overwriting on the disk to erase visible under this paragraph. No matter the code used so far, the original data should not be reachable. To increase the strength of this method, it is possible to use a random order for the passes. The disk eraser can be improved by adding random passes before and after the erasing process. However, Peter Gutmann himself agrees to say that this method is outdated according to the functioning of today’s drives.</font> |
| | |
| | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>**iii) From RAM**</font> |
| | |
| | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>First, it is possible to lower the time for data to be stored in RAM by heating the system up to 40°C.</font> |
| | |
| | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>Rewriting many times on the support is not as efficient as for magnetic disks. The oxide deposit would just be a bit strengthened or weakened according to what is stored. The longer new data is stored in RAM, the harder it will get to catch the ancient data.</font> |
| | |
| | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>According to Peter Gutmann, the oxide should be exposed to a lot of stress, with the highest temperatures and the longest time possible to expect the best erasing of data possible. However, it may damage the RAM and lower its lifespan.</font> |
| | |
| | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>The solution he advises us to choose in order to avoid the problem of DRAM data retention is to constantly flip the bits in so that a memory cell never holds a charge for too long. Thus, it would not be possible to read it after shutting down the RAM. It is somehow impossible to implement on the whole RAM but should be used for very sensitive data such as encryption keys.</font> |
| | |
| |
| ===== 5. Study of a real case data recovery on a Hard Drive ===== | ===== 5. Study of a real case data recovery on a Hard Drive ===== |
| ===== Conclusion ===== | ===== Conclusion ===== |
| |
| x | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>Digital information can be lost and/or hidden. Since a sinister can have important influence on companies for example and finding deleted/hidden data can change judiciary cases, it is necessary to find solutions to recover it.</font> |
| | |
| | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>The operation is delicate, but it is possible to recover data from corrupted hard drives and even from RAM if it was stored for enough time. But such a loss can be avoided by some useful tips that most people know, even if everyone does not use them.</font> |
| | |
| | <font 14px/Arial,Helvetica,sans-serif;;inherit;;inherit>However, an important matter remained, would it be possible to really erase data from a storage media? Obviously, no one would like to know that their ID scan is possessed by some evil random guy. And yes, it exists some methods to make it truly hard to recover.</font> |
| |
| ===== Sources ===== | ===== Sources ===== |
