It has been known for some time that you can recover data from hard drives utilizing specialized equipment that can:
- Use magnetic underscanning techniques that scan the undersides of a drive, picking up the "ghost" image
- Using specialized machines that can sidestep normal tracks on a drive & read slightly to the left or right of a track & pick up residual data there
- Electron Scanning Microscopes & other methods may involve being able to calculate the overwritten data content by analyzing the current 0 & 1 state, then applying filters to see what the percent of 0 or percent of 1 currently is, ie, is it 95% of a 1? or is it 90%? etc, then reconstruct various levels based on this tech.
Interesting article on data carving --> http://www.cgsecurity.org/wiki/PhotoRec_Data_Carving Though this is yet another type of data reconstruction, I found the way that it reconstructs it intelligently from existing file fragments to be interesting.
Now, what I would love to know, is while I understand that CCleaner can write or overwrite data onto a drive, I would love to know if it can totally destroy data?
Does it include a way to:
- Eliminate "ghost" images left when reading slightly to the right or the left of a track instead of dead center?
- Eliminate "ghost" images left on the undersides of magnetic media?
- Use specialized patterns that are sufficiently randomized as to prevent attempts at intelligent patterning decoder (IE, decipher the previous 0 or 1 based on the strength of the current 0 or 1 that "overwrites" the data) images?
I do believe the CCleaner people are great people that are very good at what they do, but I would like to know how it stacks up compared to the claims of something like Robinhood Evidence Eliminator?
I do not like that software. It is more confusing to use than CCleaner, + options have to be very explicit. Additionally, I have heard that if it detects you using a key it doesn't think is licensed to you, that it will go into a pretend mode of removing junk, giving you a false sense of security! This is bad for a number of reasons including over time that their key system may become compromised, which will compromise your machine, or if they update & "lose" your old key, then it no longer "works" etc.
I am not as interested, however, in that part, as I am in the forensics that this software mentions in their scareware website. So, if CCleaner does not include any magnetic underwriting, & if the data patterns are not carefully selected & sufficiently randomized as to be reverse decompiled under the hands of a skilled expert, then could this feature be added to a future release of CCleaner?
Basically, I would love to know that if I connect an external drive to CCleaner, someone can't "sidestep" the CCleaner overwrites, making the attempts to delete the data rather useless since they did not try to pull it from the deleted track, but rather from the sides or bottom of the magnetic track instead. Think of it like a highway. Normally, you go straight. But you can also go slightly left or right of the "track" you are on when driving to pass other people in many instances.
I guess the question I have here, is "Can a drive scrubbed with CCleaner be recovered if using specialized government computers/methods that us normal people don't have access to?"
I want to ask for secure data destruction, IE TOTAL data destruction in CCleaner if that doesn't exist. I am not 100% certain on all the methods CCleaner uses, however, but I don't remember reading that they scrub the sides or undersides of magnetic tracks. Perhaps I am wrong, however.
But assuming I am not, I am requesting this capability so I can know that a drive is scrubbed clean.
Additionally, I am not certain that I know that CCleaner can secure wipe an SSD (Solid State Drive) yet. I believe it does/should, although I am not 100% certain at this time... As you know, "Wiping an individual file on a solid-state drive may not succeed in destroying the contents of the file, due to the wear-leveling mechanism that dynamically maps logical to physical disk clusters. However, if you simply delete a file and then wipe all of the free space on the drive, then the file's contents should be destroyed." There is TRIM, but as far as I am aware, only Windows 7, the newest version of Linux kernel, or Windows Server 2008 RC 2 support the TRIM command. Hopefully, XP/Vista users won't be left out when you get this sorted out? Of course, consideration also needs to be taken for SSD drives that don't support TRIM, as this has to be supported by the drive as well. In a non-TRIM SSD, wear leveling simply writes to the pages until it's full, at which time, when new data needs to be written, the OS tells the controller "hey, I need to write new data", and the controller finds previously full pages of no longer needed data, zaps it empty, then writes the new data to the page.
--> Interesting read I discovered "Contrary to popular myth, TRIM does NOT immediately erase the data. It just sets a flag in the logical->physical cluster map to say that the cluster doesn't need to be read and rewritten when the block goes through the next read/modify/write cycle. If the drive correctly follows the spec, this flag will also make reads of that logical cluster return all zeros, but I am thinking that maybe there is an alternative read command that doesn't do this... If the drive doesn't follow this rule, it will make the TRIM implementation incompatible with RAID3, RAID5, & RAID6.
Also, in order to facilitate wear leveling, SSD drives and even most USB sticks have more storage than they make visible to Windows, and it is possible that multiple historical versions of a logical cluster exist on the drive, but the map of logical to physical clusters points to only the latest one.
Using http://www.diskinternals.com/flash-recovery/ I recovered almost 200MB of photos from a 128MB CF Card that had been reformatted. Don't know how it is able to get at the physical clusters that are no longer pointed to in the map but it apparently does. Don't know if this is possible on an SATA SSD."
If this were true, wouldn't this also complicate erasing the data blocks if duplicate "spares" exist that are written to from time to time? Would this present any form of data breach/leak/undelete problem?
regards,
Don
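
Added example (not part of the post above, and not CCleaner or drive-firmware code): a toy Python model of the logical-to-physical cluster map the post quotes, showing how an overwrite issued through the logical interface can leave the old physical copy in place. The class, page counts and garbage-collection policy are assumptions chosen for illustration; real controllers differ.

```python
# Toy flash translation layer (FTL): a constructed model, not real firmware.
class ToyFTL:
    def __init__(self, physical_pages=8, logical_clusters=6):
        self.pages = [None] * physical_pages  # raw flash; None = erased
        self.stale = set()                    # pages holding superseded data
        self.l2p = {}                         # logical cluster -> physical page
        self.logical_clusters = logical_clusters

    def _alloc(self):
        # Use an erased page if one exists; garbage-collect only when none is left.
        for i, page in enumerate(self.pages):
            if page is None:
                return i
        victim = min(self.stale)              # assumed policy: lowest stale page
        self.stale.discard(victim)
        self.pages[victim] = None             # erase before reuse
        return victim

    def write(self, lba, data):
        new = self._alloc()
        if lba in self.l2p:
            self.stale.add(self.l2p[lba])     # old copy is unmapped, not erased
        self.pages[new] = data
        self.l2p[lba] = new

    def trim(self, lba):
        # TRIM as the quoted text describes it: flag the cluster, erase nothing yet.
        if lba in self.l2p:
            self.stale.add(self.l2p.pop(lba))

    def read(self, lba):
        page = self.l2p.get(lba)
        return b"\x00" if page is None else self.pages[page]

    def raw_contains(self, data):
        return data in self.pages             # what a chip-level read would see

def scenario():
    ftl, secret = ToyFTL(), b"SECRET"         # constructed sample data
    ftl.write(0, secret)                      # file saved
    ftl.write(0, b"\x00")                     # single-file "secure delete"
    results = [ftl.raw_contains(secret)]
    for _ in range(2):                        # two passes over every visible cluster
        for lba in range(ftl.logical_clusters):
            ftl.write(lba, b"\x00")
        results.append(ftl.raw_contains(secret))
    return ftl.read(0), results

if __name__ == "__main__":
    print(scenario())
```

In this model the old copy survives both the single-file overwrite and one full pass over the visible clusters, and is gone only once the controller runs out of erased pages and has to erase stale ones.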