Are overwritten files really, truly gone? Or could some snoop, given enough money and resources, get that data back?
In my story last week, Surviving a home data disaster: How Shirley got her files back, several readers questioned a statement made by Ontrack's Sean Barry that it's no longer possible to recover data from an overwritten area of a disk.
“There is no chance of recovery with overwritten clusters. The bit density on hard disk drives is so great now that when the magnetics are rewritten, the data is gone,” he said. Barry is Ontrack's Remote Data Recovery Manager and has 10 years of experience recovering files for private business as well as government agencies.
Thomas Feher was one reader who challenged that statement. He writes: "Even if the files are overwritten with new data on the hard disk drive, such as the DDL case you mentioned in the article, it is still possible to recover the images," he says, if you send it into a recovery lab that uses special equipment that can read the residual magnetism that exists around the edge of the track where the new data was written. "They will physically dismantle the hard drive in a clean room environment and use special probes to read the magnetism. They will detect the traces of previous signals and rebuild the HDD's contents, even if deliberately overwritten several times." Feher says Kuert Information Management is one firm capable of such a recovery.
True? Or legend? Here is Barry's response:
Back in 1996, Peter Gutman, computer science professor at Auckland University in New Zealand, published a paper proposing how data could be recovered from hard disk or floppy disk sectors that had been overwritten. The idea behind this is based on the fact that the read/write heads are never precisely positioned over the same exact area twice and that by using electron-microscopes (Scanning Tunneling Microscopy) it would be possible to find a 'shadow' of the previously written sector.
The hard drives mentioned in this 1996 paper are MFM and RLL drives, which were the first generation of hard drives used for personal computers (IBM called them the Winchester drives). The largest MFM and RLL drives made got up to about 130MB in size and were quickly replaced by IDE/ATA hard drives. At the time Professor Gutman's paper was published, the MFM/RLL hard disk technology was already 10 years old. [See the time lines of hard driver here and here].
Technology has continued to advance for hard drives and the most important advances have been in the form of higher bit density per square inch. Getting the data that small has required evolutionary changes in magnetic storage and head design. When Professor Gutman did his research, the track spacing between groups of sectors was very wide and the bit density was low, thereby providing a valid means of recovering a shadow of the previous sector. Of course if you could only read just the top level of bits per sector that had not been overwritten, you would only be able to recover an extremely small percentage of the original sector--at best you would only be able to recover just a small sliver of the original sector.
Today's hard disks have a bit density far greater and the track sizes are extremely small--down to the nano scale in size. Notice the advances in the past 10 years:
For a detailed overview of today's technology, read of the feature, Hard disk-drive technology revolutionizes processing.
Daniel Feenberg highlights some other interesting points about this topic.
The notion that overwritten sectors can be recovered by searching for 'shadow' copies on today's hard drives is false.