
WriteFile <-> HardDrive <-> Data Recovery

Started by TNick, July 01, 2006, 11:25:36 AM


TNick

Ok, question time ..  ::)


I know that writing 4 bytes with WriteFile at - let's say - offset 34 will replace bytes 34, 35, 36 and 37 in the file with the new value. My question is: will those bytes be written at the same offset on the drive? What I mean is: if you open a file and write to it, is the writing operation done by physically overwriting or not? Is the physical position influenced by the FILE_FLAG_WRITE_THROUGH or FILE_FLAG_NO_BUFFERING flags of the CreateFile function?

And a second question:

There are many legends about data recovery; I even heard one that says that one can recover data that you deleted years ago.
Now I understand that, when a file is deleted, its physical content isn't set to 0 or any other value, but only the reference to that file in the allocation table is removed. But once you write on top of that data, can we talk about recovering that data, or is all this b*** s***?

MichaelW

I think, in theory, if you don't change the size of the file then it will not move. But in practice, working through the API, under a complex OS, with disk caching, paging, etc, I doubt that you could depend on this to always be so. If nothing else, the automatic defect management on the drive could change the physical location of the file data.

For someone with the necessary knowledge, working in a properly equipped laboratory, and with an unlimited budget, I have little doubt that data overwritten once could be recovered. But for me, sitting at home in front of my computer, if the data was actually overwritten, then I'm going to consider it irretrievably lost.

eschew obfuscation

BogdanOntanu

When data is stored on the HDD this is done magnetically.

The magnetic field expands a little to the nearby particles in time.
It expands more in time, esp. if the file is not changed too often.

So, in a modest laboratory one can instruct the read heads to read a little "biased" from the center of the track...and voila all your DATA is there :D ready to be "recovered". A simple "overwrite" with a zero will NOT erase this "foot print"

That is why government agencies state as a standard policy that you MUST overwrite a file multiple times and with a specific sequence of patterns in order to reduce this "ghost image" of the original data. Only after that you can erase the file...

So it is NOT bullshit... and it has a valid technological explanation.

YES it is not easy to do by everybody without proper equipment ...

However a specialist or police or government agency CAN DO IT very easy ;)

Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro

TNick

Thank you for your reply, domnule Ontanu. But, if I understand correctly, any sequence of patterns will not remove a file that stood long enough on disc, because the writing is always done on the center of the track, isn't it so?

BogdanOntanu

YES, but the pattern is changed in such a way as to perturbate the ghost image as much as reasonably possible.
And that is why you must do it many times ...so there is TIME for the magnetic fields to interact...

Heads do have a natural oscillation and they will read/write a little "offset" from the track center each time you do it.

But of course IF the data did sit in there for a very long time then --> the only solution is also TIME and/or the physical destruction of the HDD and/or a powerful magnetic field.

Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro

Mark Jones

Quote from: BogdanOntanu on July 01, 2006, 05:26:57 PM
However a specialist or police or government agency CAN DO IT very easy ;)

Well, they can recover SECTORS. If the file in question was stored in one contiguous block, then yes it is possible to recover most files even after overwriting once or maybe even a few times. But most files are fragmented and strewn across the disk, so when the FAT table has been overwritten to the point where it is not recoverable, and the file's sectors are not known, then all you have is a lot of data with no way to piece it back together... :dazzled:

The low cost of HDDs today + most new motherboards support 2+0 RAID arrays = no need to recover data. :)
Or use an external USB/FireWire HDD to backup.
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

Mark_Larson

  I've recovered deleted files a number of times over the years.  My biggest deletion was a multi-megabyte email file for Windows Outlook.  I recovered the entire file.  The utility I use is Norton Diskeditor.  However you have to be familiar with how things work at that level to be good at recovery.  It's non-trivial.

EDIT:

Quote from: Mark Jones on July 01, 2006, 08:31:15 PM

Well, they can recover SECTORS. If the file in question was stored in one contiguous block, then yes it is possible to recover most files even after overwriting once or maybe even a few times. But most files are fragmented and strewn across the disk, so when the FAT table has been overwritten to the point where it is not recoverable, and the file's sectors are not known, then all you have is a lot of data with no way to piece it back together... :dazzled:

  The Outlook file was non-contiguous and I recovered it.  It's not much harder doing this kind of recovery with non-contiguous files, because you use the FAT to figure out where the sectors are on the drive.  If the FAT no longer has the information, you can still hunt around for the data.  For instance, a lot of people send short emails.  So it would be easy to write a program that goes through the HDD looking for email headers even if the FAT had already been deleted.

BIOS programmers do it fastest, hehe.  ;)

My Optimization webpage
http://www.website.masmforum.com/mark/index.htm
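The signature search described in the post above (looking for email headers in raw sectors without the FAT), as an added example that is not part of the thread or any poster's code. The function names, the required-field rule, the size cap and the sample image are all constructed assumptions; it recovers only messages stored contiguously.

```python
import re

SECTOR = 512                      # classic sector size, used only to lay out the sample
MAX_BODY = 64 * 1024              # assumption: carve only short messages
REQUIRED = {b"from", b"date"}     # assumption: fields a hit must contain to be accepted
# One or more "Name: value" lines followed by the blank line that ends the headers.
HEADER_BLOCK = re.compile(rb"(?:[A-Za-z][A-Za-z0-9-]*:[ \t][^\r\n\x00]*\r?\n)+\r?\n")

def carve_emails(image: bytes):
    """Return [(offset, raw_message)] for header blocks that look like email."""
    hits, pos = [], 0
    while (m := HEADER_BLOCK.search(image, pos)) is not None:
        names = {ln.split(b":", 1)[0].lower()
                 for ln in m.group().splitlines() if b":" in ln}
        if REQUIRED <= names:
            # Body ends at the first NUL (zero fill after the text) or at the cap.
            limit = min(len(image), m.end() + MAX_BODY)
            end = image.find(b"\x00", m.end(), limit)
            end = limit if end == -1 else end
            hits.append((m.start(), image[m.start():end]))
            pos = end
        else:
            pos = m.end()         # header-like text that is not mail: skip it
    return hits

def build_sample_image() -> bytes:
    """Constructed image: 8 zeroed sectors with remnants placed at raw offsets."""
    img = bytearray(8 * SECTOR)
    mail1 = (b"From: alice@example.test\r\nDate: Sat, 1 Jul 2006 11:25:36 +0000\r\n"
             b"Subject: hi\r\n\r\nshort note\r\n")
    mail2 = (b"Received: by mx.example.test\nFrom: bob@example.test\n"
             b"Date: Sun, 2 Jul 2006 09:00:00 +0000\n\nsecond body\n")
    decoy = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nnot mail"
    for off, blob in ((3 * SECTOR, mail1),
                      (5 * SECTOR - 40, mail2),   # straddles a sector boundary
                      (7 * SECTOR, decoy)):       # header-shaped, but not email
        img[off:off + len(blob)] = blob
    return bytes(img)

if __name__ == "__main__":
    for offset, msg in carve_emails(build_sample_image()):
        print(f"offset {offset} (sector {offset // SECTOR}): {len(msg)} bytes")
```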

Ian_B

Quote from: Mark Jones on July 01, 2006, 08:31:15 PM
Or use an external USB/FireWire HDD to backup.

Yes, perhaps to backup, but NOT as a primary data archive. I have always had my suspicions about the quality of the hardware involved in external drives (and USB connections in general), and a friend's losing one recently in what sounds like a head crash has done nothing to persuade me otherwise. I'd never ever trust data to one myself.

Mark Jones

Well, this is one good reason to defragment your disks. :bdg

Or, one could always hire a black-hat cracker to recover the data. Lock him in some dark, dank mother's basement, toss in a couple of TV's, some duct tape, all the Metallica albums, a pencil lead, soldering iron, couple of PlayBoys, and slide a tray of Twinkies under the door every evening (or use "Nitro Pumpkin Seed Pie Horchata Foam" for those in a real hurry), and you'll get your data in under a week guaranteed! :U

Side: Once in 1995 a customer brought in a Packard Bell P1 which wouldn't boot. He needed the files off it but he said the disk wasn't partitioned. I checked it out and found a MBR virus that had deleted the partition table. I used Norton DiskEdit to manually build a partition table based off the drive parameters... and it actually worked, I saved his data without the $2500 OnTrack data recovery fee! :bg  (The point of the story is, don't make things any more difficult than necessary.)

Quote from: Ian_B on July 01, 2006, 11:51:37 PM
...a friend's losing one recently in what sounds like a head crash has done nothing to persuade me otherwise. I'd never ever trust data to one myself...

This sounds like more an issue with the drive, rather than the USB topology.

Check out NewEgg's line of disk-less USB drive shells and other external enclosures - add your own disk. :U
http://www.newegg.com/ProductSort/SubCategory.asp?SubCategory=92
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

Ian_B

Quote from: Mark Jones on July 01, 2006, 11:54:22 PM
This sounds like more an issue with the drive, rather than the USB topology.

Well, obviously!  :eek  But I've never trusted USB drivers either, and hate having to rely on them to connect things, avoiding them whenever possible.

TNick

Mr. Mark Jones, straight to the point, as always!    :lol  But how do those two flags ( FILE_FLAG_WRITE_THROUGH or FILE_FLAG_NO_BUFFERING ) affect the writing process?

hutch--

For cheap bulk storage that is removable, try rewritable DVD disks. The NERO software I use has a gadget called InCD where you can treat a formatted DVD as a normal writable drive and it's very simple to use. I rarely ever bother because I have enough machines to use hard disks to do backups but a writable DVD is reasonably fast and you can just take it out and put it into a DVD case and the media I have so far has never failed.