Recover sdelete'd files?

[thorin]

Just curious if anyone out there has ever tried Helix, Encase, or whatever against a file (or files) which have been removed with sdelete?
Microsoft/SysInternals SDelete

[lupin]

Just curious if anyone out there has ever tried Helix, Encase, or whatever against a file (or files) which have been removed with sdelete?
Microsoft/SysInternals SDelete

Haven't tried it, but theoretically I would think that this wouldn't be possible. Assuming that the disk sectors containing the file are correctly zeroed out by sdelete, you shouldn't be able to recover the old contents of those files via any software interface to the drive, as any software interface should only be able to return the current 1s and 0s that are represented on the drive itself.

Concerning whether recovery is possible, I guess some of the questions are:

• How well does sdelete zero out the appropriate disk sectors? Does it ever miss something?
• Is there another copy of the file written somewhere else on disk, by either the OS or the application? Microsoft Office for example, writes temporary copies of files you are working on to the drive, and deletes (but doesn't overwrite) them once you finish your session.
• Is it possible to use a hardware interface to the drive, to read the data that has bled out between tracks on the disk. The ability to do this may relate to how many overwrite passes are made (which seems to be configurable with the -p switch in sdelete). There's a post about reading disk contents in this way on the sansforensic blog by Dr Craig Wright from a few months back if you're interested.

Post back if you give this a try, Id be interested in the result.

[Gitsnik]

Have tried it, didn't work (years ago now). Did manage to hex edit a partial file from the filesystem though - turns out that windows doesn't always keep fragments on disk where they belong when you edit them in place. Might be something to think about.

To answer some of lupin's points, the sectors that were used seemed to be well zeroed out (you can check sectors with your hexeditor, then zero them and look again), but if the OS has paged them to different area's, it seems rather useless (which is why it should start out encrypted I think).

Did I hear lately that there is no chance of electron/magnetic recovery anymore because we pack sectors too tightly these days?

[lupin]

but if the OS has paged them to different area's, it seems rather useless (which is why it should start out encrypted I think).

Yes, paging to disk, another good point.

Did I hear lately that there is no chance of electron/magnetic recovery anymore because we pack sectors too tightly these days?

That was my recollection. For modern disks anyway. If the disks are older (and smaller) this may still work however.

[thorin]

Thanks guys.

I know some out there are probably thinking, "why not just try it" ... it was simply an issue of time. I do ultimately plan to try it at some point but I was looking for a quick'ish answer for a colleague.

Did I hear lately that there is no chance of electron/magnetic recovery anymore because we pack sectors too tightly these days?

I've heard this argument but I haven't seen any actual research on the topic.

[lupin]

Thanks guys.

I know some out there are probably thinking, "why not just try it" ... it was simply an issue of time. I do ultimately plan to try it at some point but I was looking for a quick'ish answer for a colleague.

I've heard this argument but I haven't seen any actual research on the topic.

Here the blog post from Craig Wright that I was referring to before - I decided to look it up to remind myself what the conclusion was about retrieving data via access to the platters. The gist of the whole thing is that properly erased data can't be recovered, even from older disks.

Overwriting Hard Drive Data « SANS Computer Forensics, Investigation, and Response

[thorin]

Thanks Lupin.