Data recovery, from a computer forensics expert's point of view, can be described as the electronic equivalent of physical residue: just as touching a material usually leaves fingerprints behind, formatting a storage medium or deleting data from a drive usually leaves traces of that data behind. These traces make it possible to reconstruct the file. In this research paper I will look at the way in which data recovery plays a role in a computer forensics expert's job.
The reasons behind Data Recovery
"A recent study by Seagate concluded that only 14% of us back up our data on a regular basis. This fact makes business very good for the Data Recovery Industry"
(http://datarecoveryspecialist.com/data_recovery_article_4.htm)
For a computer forensics expert, data recovery is a major part of the role, and the type of data being recovered depends on the type of forensics work being done. Working for the police, the majority of cases involve child pornography, so it is essential that all of the data is recovered to ensure the person behind it is brought to justice; criminals will use the methods described in this research paper to hide the data or even destroy it so that it cannot be recovered. Other situations in which data needs to be recovered include businesses investigating internal cases of computer misuse and general data recovery.
Most operating systems provide a service whereby a deleted file is not immediately removed; instead it is usually flagged for removal or moved to a holding area. There are different reasons for this, but the main one is so that a user can reclaim a deleted file if they later decide they need it. Another reason why data remanence occurs is that when a piece of data is deleted only its entry in the file system directory is removed, meaning that the data is still on the disk but is no longer linked to the file system. This is done because it requires less work from the computer and therefore leaves processing power for other tasks. Many users believe that simply reformatting a storage medium will remove all the data stored on it, but as only the file system directory entries are removed this is not the case.
Ways to prevent data recovery
To prevent sensitive information from being recovered there are different techniques which can be implemented. Below I will discuss the different ways in which data recovery can be prevented and how effective each method is.
Clearing
Clearing is a technique used to prevent data from being recovered without expensive laboratory equipment. The main reason for a business to use this method is to reuse the digital storage device within the business. Clearing a storage device is very simple and only requires the data to be overwritten, which can be accomplished with tools such as CCleaner, with which the user is able to clean the space on the hard drive where previously deleted data was stored. This technique is mainly used by non-technical computer users, and tends to give a false sense of security.
Purging
Purging, or sanitising, is the way in which data is removed from the AIS (automated information system) so that it cannot be reconstructed using any known technique. It is used when a business wishes to get new storage devices and release the old ones from its control. Programs aimed at this type of deletion include DBAN and KillDisk, which purge the disk by writing random patterns of 0s and 1s. Because of the nature of this wipe the data is very hard to recover, but the wipe can take a very long time to carry out, so if a forensic investigator comes across a PC under investigation that is running one of the above programs it is possible to power off the PC and take it to a lab to recover the files that have not yet been overwritten.
Overwriting in this way is the most common method of removing data remanence and is done by writing new data over the entire drive. Another reason this method is popular is the large number of open source programs available, which make it free to do. Just one pass of random data over the disk will prevent the data from being retrieved with low-level data recovery tools. If the person removing the data wants to be sure the device is clear, the number of passes can be increased and the patterns of data written can be varied.
The complication with overwriting is that parts of the device which are damaged by errors or degradation will not be written to, as they will have been flagged as unusable. Such areas can be used to hide information, and data may survive there, giving the user a false sense of security.
Physical Destruction
Destruction, as the name suggests, is when the device holding the data is damaged in such a way that it is impossible to recover any data. There are many different ways to destroy the drive, but the main ways are as follows:
Destruction is the most secure way to ensure the data cannot be recovered, and therefore the investigator will have to look for other means of recovering the data, such as other computers or internet traffic records from the ISP.
Logical Destruction
Logical destruction occurs when data is damaged because a power cut prevents the logical data from being written to the file system. This can also be caused by driver errors and system crashes. The result is that the data is inconsistent; Windows has a tool called CHKDSK which attempts to repair the disk.
Degaussing
Degaussing is a method of reducing or removing the magnetic field on a disk, using a device specifically made to destroy the media by creating a strong magnetic field. The degausser purges data from the disk, clearing any information stored on it. Because of the way the degausser operates the data is erased quickly and efficiently. There is a high chance that using this method will render the drive useless, because the low-level formatting done by the manufacturer is destroyed as well. The current level of degausser is type three, which is approved by the Department of Defense and also the National Security Agency in America.
Encryption
"Encryption is the process of transforming information using an algorithm (cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. 'software for encryption' can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted)."
(http://citp.princeton.edu/pub/coldboot.pdf)
This method is preventive: if the data is encrypted then any data remanence will be encrypted as well. It is only as secure as the key used and how that key is stored.
Feasibility of recovering overwritten data
The cost of recovering overwritten data scales with the type of recovery needed; there are low-cost or even open source methods which can be used for data that has only been deleted or partially overwritten.
For data which has been overwritten numerous times, or which is on a damaged device, there is a technique which uses a magnetic force microscopy device. Because of its cost this will only be used in cases where data recovery is vital.
The United States Department of Defense does consider overwriting a disk a satisfactory way to clear a magnetic disk, but not a method of sanitisation. The only methods it accepts for sanitisation are degaussing or destruction of the physical device.
Data recovery methods
Now that I have looked at the reasons behind data recovery and the techniques implemented to prevent it, I will investigate the ways in which data can be successfully recovered.
Recovering from a physically damaged disk involves assessing what has been damaged and replacing the part with an undamaged one. The part of the disk most prone to accidental damage or old age is the printed circuit board. After repairing the disk the computer forensics expert will have to interrogate the data and try to recover as much as they can. To ensure the data is not altered in the imaging process a write blocker is used; these can be software or hardware depending on the case, and both can be successful, but the hardware option guarantees the data will not be changed. It is important not to write to the disk as this will make it harder or even impossible to recover the data. Commercial write blockers are either IDE to IDE or Firewire/USB to IDE.
Images of hardware write blockers (http://www.dataduplication.co.uk/details/Tableau.html)
The main advantage of commercial software write blockers over hardware ones is ease of use, since they can be run from a removable device and therefore do not require the computer forensics expert to dismantle the case; another advantage is that they do not create a bottleneck. SAFE Block XP is accepted by NIST, making it a tool with which a device can be safely imaged.
The main features of a write blocker:
(http://en.wikipedia.org/wiki/Data_recovery)
All of these features ensure the data is not corrupted and that a high percentage of it is recovered.
After imaging a disk there are two predominant methods for recovering data which has not been overwritten or degaussed: consistency checking and data carving. Neither method guarantees that all the data will be recovered.
Consistency checking involves scanning the logical structure of the drive to ensure it matches the file system specification. CHKDSK provides this service by ensuring the file system directory is correct; this is done by reading each directory and ensuring that its entries point to the correct places.
Data carving is the recovery of data without any file system information: the raw data is searched for known file signatures, and when the desired data is found the forensics expert attempts to carve the file out of the raw data. In recent years this method has progressed to algorithms that can recover files which have been fragmented. The method is time and resource intensive, and if used incorrectly can lead to data being overwritten and lost.
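The deletion behaviour described under data remanence above and the signature-based carving described in this section, shown together in an added example (my own illustration, not code from any tool or paper named here): a hypothetical ToyDisk whose delete and quick_format only touch the directory, a carver that finds files purely by header/footer signatures, and a wipe of unallocated space showing what actually removes the remanent data. The ToyDisk class and its methods are invented for the example; the JPEG and PNG magic bytes are the real ones.

```python
# Real header/footer magic bytes for the two file types the toy carver knows.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


class ToyDisk:
    """Hypothetical medium: raw bytes plus a directory of name -> (offset, length)."""

    def __init__(self, size):
        self.raw = bytearray(size)
        self.directory = {}
        self.next_free = 0

    def write(self, name, content):
        off = self.next_free
        self.raw[off:off + len(content)] = content
        self.directory[name] = (off, len(content))
        self.next_free += len(content)

    def delete(self, name):
        del self.directory[name]   # entry unlinked; the bytes stay on the medium

    def quick_format(self):
        self.directory.clear()     # every entry gone; the bytes still stay

    def wipe_unallocated(self, pattern=b"\x00"):
        """Overwrite every byte no directory entry points at: the 'clearing'
        step that actually removes remanent data from free space."""
        allocated = set()
        for off, length in self.directory.values():
            allocated.update(range(off, off + length))
        for i in range(len(self.raw)):
            if i not in allocated:
                self.raw[i] = pattern[i % len(pattern)]


def carve(raw):
    """Return (type, offset, bytes) for each header..footer pair found in raw,
    ignoring the directory entirely, just as a carver ignores the file system."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = raw.find(head)
        while start != -1:
            end = raw.find(tail, start + len(head))
            if end == -1:
                break              # header with no footer: truncated, skip it
            found.append((kind, start, bytes(raw[start:end + len(tail)])))
            start = raw.find(head, end + len(tail))
    return sorted(found, key=lambda hit: hit[1])
```

Running carve over a disk that has been quick-formatted recovers every file intact, while running it after wipe_unallocated recovers only the files still referenced by the directory.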
Recovering overwritten data
Recovering overwritten data has lower success rates the more times the data has been overwritten. The only way in which it can be achieved is with transmission electron microscopy, which was first presented in a paper by Peter Gutmann in 1996, although this has attracted major criticism due to the lack of evidence backing up his theory.
The future of data recovery
"200 million disk drives will ship to consumers and businesses this year. Nearly 97% of those drives are sold to computer and consumer electronics makers for use inside PCs, TiVos and other gadgets. This year we will see hard disk drives going into automobiles"
(http://datarecoveryspecialist.com/data_recovery_article_4.htm)
With the increasing need for storage there are more and more places in which to hide sensitive or illegal data, meaning that computer forensics experts need constant up-to-date training. Also, with the increasing use of storage, the investigator needs to ensure nothing is left behind at the scene of the crime.
Technology is also advancing, and more solid state drives are now being shipped with guarantees of fewer read and write errors and increased speeds. Although this is an advantage to the end user, for a computer forensics expert it makes data harder to recover from these devices because, unlike a disk drive, which has a physical location where the data is written, a solid state drive has no moving parts.
The two most common causes of data loss in flash media and solid-state drives are:
(www.ontrackdatarecovery.co.uk/flash-ssd/)
Conclusion
Although there are new technological advances in ways of storing data, disk drives will continue to be used, meaning that computer forensics experts will always need to know the methods of recovering data. Also, as criminals come up with new ways of hiding evidence, it is a priority for experts to ensure everything is recovered.