Overwriting Hard Drive Data: The Great Wiping Controversy
Okay, this is another one that annoys me: The claim, the myth that certain three letter agencies can recover data from erased or zero filled hard drives. The claim that those can magically ‘read’ and reconstruct data from ‘latent magnetic residue’ (I am not making this up, others did) using special machines and whatnot.
Idea is that the positioning from read/write heads is not exact. so new data (the zeros) may be written slightly off-track compared to the original data that can thus be recovered. My common sense tells me that IF exact head positioning is so difficult, then reading exactly those latent tracks is very difficult. And that IF head positioning is so difficult then there’s a chance that indeed some of the previous data may survive while other parts are actually overwritten. So at best you’d have partial data without the context of a for example a file system. You’d have binary blobs at best.
Now, assume a specific area was overwritten with new data several times as data was deleted or modified and rewritten by the same wobbly read/write heads. And finally the zero fill. Now results will be even more confusing as we’d have several layers of imperfectly overwritten data.
Zeros and ones
By the way, modern hard drives may depend to a degree on error correction when reading data. Data reads may be imperfect, but this imperfection is detected and corrected using ECC error correction. Each sector is ‘guarded’ by an ECC checksum that is computed as data is written, and data read at a later time is checked against that checksum and if needed corrected. Using ECC we can detect exactly which bits are off, the ones that were supposed to be zeros and vice versa. These ECC codes will not be available when we’re reading the latent magnetic data so we read (again) uncorrected fragmented tiny binary blobs at best.
Anyway I don’t have a science degree and will not claim that I know how hard drives work at that level, but these guys do and have examined the claims: https://www.researchgate.net/publication/221160815_Overwriting_Hard_Drive_Data_The_Great_Wiping_Controversy.
Let’s jump right to the conclusion:
This study has demonstrated that correctly wiped data cannot reasonablybe retrieved even if it is of a small size or found only over small parts of the harddrive. Not even with the use of a MFM or other known methods. The belief that a toolcan be developed to retrieve gigabytes or terabytes of information from a wiped driveis in error.
So, if I zero fill my drive, no data can be recovered, right? WRONG!
Hah! You didn’t see this coming I bet! What you are correct about is that data can not be recovered from zero-filled LBA space. No one can, not you, not me, not the CIA.
All zero filling tools that I know of can only write (their zeros) to LBA space. LBA space is the space on a hard drive an OS, a tool can address to write to or read from. As far as the OS is concerned, LBA space is all the space that exists on a hard drive.
But that does not necessarily mean LBA space covers all space that exists on a hard drive. You may have heard of HPA (host protected area) or DCO (device configuration overlay). These are areas on a hard drive that exist outside LBA space. Using ATA commands a ‘wiper’ could add these areas to LBA space. There’s also plenty of tools that can do that for you.
So, if taken notice of, HPA and DCO can be wiped. However, there may still be space lurking on the hard drive, that contains user data but exists outside LBA space. Modern drives may reserve space for caching purposes for example. Seagates refer to this as ‘Media Cache’. This is low level information obtained from a 8 TB Seagate drive:
Media Cache Partition
PBAs: 00007578F548-00007586BDF5 RST Available: 8000 SCT Available: EF
Spare pool (Multi-IOEDC Region)
PBAs: 00007687B32C-0000768872C1 RST Available: 400 SCT Available: 1A
The Media Cache partition is not inside LBA space. It is not a partition that will pop up in Windows Disk Management! Even if we completely zero fill the drive, potentially 60 GB of recently accessed data remains untouched in the Media Cache! This data can probably be recovered by a capable data recovery lab.
The only way to wipe this space is using the ATA Enhanced Secure Erase command.