HHD Gone in 60 seconds?

  • Deviant Ollam
    Semi-Professional Swearer
    • May 2003
    • 3417

    #61
    Originally posted by 1337h4x0r
    hdkp 4. ... from hackology.com
    as has been stated about half a dozen times already in this thread... the main focus of what most people (at least in this community) are talking about with a question of "destroying a hard drive" is destroying the data on the drive and making it unrecoverable. this application, Hard Drive Killer Pro, is of the "l33t-b0y wants to fux0r his school library machine because that would be phun ha-ha, check it out, doodz!!11!1" variety.

    The Hard Drive Killer Pro series of programs offer one the ability to fully and permanently destroy all data on any given Dos or Win3.x/9x/NT/2000 based system.
    as we will see below, it doesn't fully destroy anything... and why on earth a disk wipe tool should care about what O/S is installed is beyond me.

    The program, once executed, will start eating up the hard drive, and/or infect and reboot the hard drive within a few seconds.
    so, it is going to manage to "infect" the drive (write executable data to it that will be called at a later time) but also will "eat up" the drive (whatever the hell that means) while possibly "rebooting the hard drive" (uhm... it power cycles the hard disk? or perhaps the moron who wrote this summary was describing causing the box to reboot but speaks like the non-techy people at an office who call their tower the hard drive)

    After rebooting, all hard drives attached to the system would be formatted (in an unrecoverable manner) within only 1 to 2 seconds, irregardless of the size of the hard drive.
    drives can be formatted and all data be made unrecoverable in 1 to 2 seconds. yeah, this is absolutely and totally 100% possible.

    The program has reported to have caused physical damage to some hard drives (on many occasions). However, the program was not in any way designed to cause physical damage, only data. The outcome of the program depends on the version you download. We suggest you download the full HDKP 4.0 version. Then, once you are familiar with HDKP, you may experiment with HDKP 5.0 Beta.
    do we even need to keep commenting and analyzing this horseshit? not going to waste my time. this is clearly a tool written by a child for children. sadly, it's these children who give our community a bad name when they try to wreak havoc on the machines at their school or their friend's house because they've been raised on MTV and get bored when they're forced to go without xbox for more than a half hour.
    Last edited by Deviant Ollam; February 5, 2006, 16:01.
    "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
    - Trent Reznor


    • ilan1
      Member
      • Jan 2006
      • 3

      #62
      Originally posted by TheCotMan
      Does anybody know of a single case where USSS or FBI successfully recovered
      incriminating evidence against a suspect from a hard drive that had a single pass
      wipe done on it?

      I do not know of any such case. And on the eraser forums, there is some guy
      who has been repeatedly asking people to give one such case.

      I did ask two feds at DefCon this last year about this, and they said they did
      not know of such a case either. Usually, the suspects are so incompetent and
      unprepared that they always have incriminating evidence of their crimes sitting
      on their hard drives that LE is able to use against them.

      Ilan


      • Deviant Ollam
        Semi-Professional Swearer
        • May 2003
        • 3417

        #63
        Originally posted by ilan1
        I do not know of any such case.
        and we all know how that means it certainly hasn't happened.

        on a more descriptive and less snarky note, a parsing of your comments helps shed some light on a distinction that i feel is important... "USSS / FBI" is not the same as "LE"... most of the cases that the secret service or the feds are going to be involved in concern sensitive materials and (usually, but certainly not always) criminals who are a bit more well-established.

        law enforcement, on the other hand, works in conjunction with local D.A. offices and 9 times out of 10 doesn't even have clean-room type equipment with which to do forensic data recovery. this, coupled with the fact that they're more likely to be investigating mouth-breathers than the feds are makes your assertion possible... it is unlikely that state or local law enforcement offices have used forensic data recovery on a drive that was erased but not secure wiped. chances are they just find a txt file or an AOL email where a person kept a log of his drug sales or arranged for hookers in his hotel room.

        just so we're all straight (myself included) i'll spell out specifically how i see things, correct me if i go off the rails anywhere...

        scenario 1 - data not erased at all
        dumb-ass perpetrator leaves evidence of his or her crime all over the place. this will usually not be restricted to their hard disk... but will include an apartment littered with contaminated baggies, unlicensed firearms, cash and other profits of crime, etc. most likely a local law enforcement case. almost no special skills needed to "recover" data since it's not lost... perhaps "unformat" or some similar utility is involved. the cop or assistant D.A. who has the most computer skills in the office is tasked with poking through the hard drive.

        scenario 2 - data erased but not secure-wiped
        could be a person with some brain cells that is the target of an investigation here. could be a high-profile state case or something at the federal level. most local departments (except for major cities) will not have the ability, i would think, to do forensic recovery. case is either made based on other evidence (remember, most crimes are solved and criminals convicted with physical or otherwise traditional evidence... phone logs, bank records, etc. these are not things that a person can erase on their home computer) or -- if the case is really stalled -- the computer can be sent away for some professional help from the feds. i would suppose this involves a waiting queue.

        scenario 3 - data secure-wiped
        i would bet there's a good chance this is a federal matter or a national-security concern if evidence collection is being attempted on a drive that has been secure-wiped. chances are also good that you won't be reading about this matter in the newspaper. this is the stuff of FISA activity, counter-intel programs, and so forth.

        so i can see how what you're talking about -- the unlikeliness of people hearing about scenario #2 -- makes sense. i'd bet over 90% of "computer evidence" at a trial is relegated to scenario #1. of the remaining 10%, most of that little bit falls into scenario #3 and we don't hear about it. so, yeah, chances are if a person wanted to plan their criminal venture and use a computer in the process, a simple format wipe or one-pass might be sufficient... but if a person is planning to cover their ass, i'm willing to bet they'll go the extra mile and use a proper wipe tool.

        then there's most of us here on these boards... we're not criminals, but we're fans of hardcore security and data wipe products. why? i would say most of us just like to put up huge "leave me the fuck alone" billboards as we walk the path of life and it's one more way of doing that... at least in our own minds. (covering one's ass in the case of potential fascism or totalitarianism in the future also never hurt, either.)


        • TheCotMan
          *****Retired *****
          • May 2004
          • 8857

          #64
          Originally posted by ilan1
          Does anybody know of a single case where USSS or FBI successfully recovered
          incriminating evidence against a suspect from a hard drive that had a single pass wipe done on it?
          Behold: The power of google:
          Interview with someone who claims they have worked with the FBI on cases with data recovery. Interesting to note the limits of the FBI labs, and choice to hire specialists for data recovery. (Could be part of a marketing thing, where they work specialized hardware, or legacy systems that the FBI does not service.)

          Claims: United States v. Upham covers use of recovered, deleted files in court cases:
          Originally posted by URL
          the court held that the recovery of deleted files pursuant to a search warrant authorizing the seizure of “any and all computer software and hardware, … computer disks, disk drives … visual depictions, in any format or media, of minors engaging in sexually explicit conduct [as defined by the statute]” was valid and did not exceed the scope of the warrant. The court noted that from a legal standpoint, the recovery of deleted files is “no different than decoding a coded message lawfully seized or pasting together scraps of a torn-up ransom note.”
          US v UPHAM

          According to this:
          Originally posted by url
          the hard disk had been reformatted by Upham on March 8, 1997, a process that erases some of the indexing code that allows undeleting to be done quickly. But until the deleted information is actually overwritten by new information, the old information can often be recovered by a specialized utility program, which is what the government did in this case.
          From the description, "formatting" in this case would be a high-level (quick) format, not a "low level" or "zeroing out" of disk space.

          Information Systems Security, Summer 97, Vol. 6 Issue 2, p56, 25p. mentions inclusion of reformatted media in a procedure for evidence gathering.


          I do not know of any such case. And on the eraser forums, there is some guy
          who has been repeatedly asking people to give one such case.

          I did ask two feds at DefCon this last year about this, and they said they did
          not know of such a case either. Usually, the suspects are so incompetent and
          unprepared that they always have incriminating evidence of their crimes sitting
          on their hard drives that LE is able to use against them.
          There was a presentation on PBS or perhaps "Court TV" where a tech for a data recovery company was describing what he was doing to get evidence off of a formatted disk.

          TV Program story:
          For this program, there was a disgruntled employee who wrote a program that deleted files from a server and perhaps workstations. Before he left, he took the backup tapes, but this theft was not recognized at the time. After he was no longer with the company, files on a company server were destroyed, seemingly removing "opportunity" from his "means opportunity and motive."
          They could not find any malicious programs on the drive(s.)
          At this point they handed the drive to the data recovery company, and their tech gave the simple presentation about lack of repeatability of the head traversing track space allowed for uncovering data previously overwritten. He explained the amount of data was often several times larger than the original disk's stated capacity.

          After analysis, they were able to uncover several copies and versions/revisions to the program he used to delete critical company files.

          Later they found, or he surrendered the tape backups to the company so they could restore some of their missing data.

          Hopefully, you have enough information in the above to find the program or a web page about that case. (I tried a few google searches for this, but had no luck.)
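
The distinction drawn in post #64 between a high-level format and actually overwriting the data, as an added example that is not part of the original thread: a constructed toy disk image (the layout, the `DOC1` signature and all function names are made up for illustration) where a signature scan still recovers files after the index is cleared, but finds nothing after a single zeroing pass. It models software-level recovery only, not the analysis of residual magnetic traces described in the TV story.

```python
BLOCK = 64          # toy block size (assumption)
MAGIC = b"DOC1"     # constructed file signature used for carving

def make_disk(files, blocks=8):
    """Toy image: block 0 is the index (name + block number), the rest is data."""
    disk = bytearray(BLOCK * blocks)
    index = b""
    for n, (name, body) in enumerate(files.items(), start=1):
        payload = MAGIC + len(body).to_bytes(2, "big") + body
        disk[n * BLOCK : n * BLOCK + len(payload)] = payload
        index += name.encode().ljust(15, b"\0") + bytes([n])
    disk[0 : len(index)] = index
    return disk

def list_files(disk):
    """What the operating system shows: only entries still in the index."""
    out = {}
    for off in range(0, BLOCK, 16):
        entry = disk[off : off + 16]
        if entry[0]:
            out[entry[:15].rstrip(b"\0").decode()] = entry[15]
    return out

def quick_format(disk):
    """High-level format: clear the index block, leave data blocks untouched."""
    disk[0:BLOCK] = bytes(BLOCK)

def single_pass_wipe(disk):
    """Overwrite every block on the image once with zeros."""
    disk[:] = bytes(len(disk))

def carve(disk):
    """Recovery utility: ignore the index and scan data blocks for the signature."""
    found = []
    for off in range(BLOCK, len(disk), BLOCK):
        if disk[off : off + 4] == MAGIC:
            size = int.from_bytes(disk[off + 4 : off + 6], "big")
            found.append(bytes(disk[off + 6 : off + 6 + size]))
    return found

def demo():
    files = {"ledger.txt": b"constructed sample record A",
             "notes.txt": b"constructed sample record B"}
    disk = make_disk(files)
    quick_format(disk)
    after_format = (list_files(disk), carve(disk))
    single_pass_wipe(disk)
    after_wipe = (list_files(disk), carve(disk))
    return after_format, after_wipe
```
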


          • patsprou
            Creator Of Syntax Errors.
            • Dec 2005
            • 35

            #65
            Originally posted by skroo
            I'm also keen on .40ACP, though it's admittedly not as thorough in a single pass as thermite. Tannerite also makes a nice alternative.
            If you want to really screw it up use something from this little web site: www.ripco.com/download/text/e-texts/tbbom/. (this has gotten me in trouble several times in the past so try not to get caught with it at school.)
            Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench. (Gene Spafford)


            • Voltage Spike
              Ce n'est pas un personne
              • Jun 2004
              • 1049

              #66
              Originally posted by ilan1
              Does anybody know of a single case where USSS or FBI successfully recovered incriminating evidence against a suspect from a hard drive that had a single pass wipe done on it?
              As Deviant Ollam already stated, the cost of performing such an analysis is likely beyond the threshold of what is feasible when traditional techniques work so well most of the time.

              I'm more concerned about private parties peeking at my personals.


              • alklloyd
                Atlanta
                • Jul 2002
                • 648

                #67
                This device might come in handy...
                http://www.i4u.com/article2752.html

                Al
                "Are my pants...threatening you?"
