Forensics: Can data forensic companies retrieve overwritten data?

Can data forensic companies retrieve overwritten data? No.

Though its a common fallacy that data be recovered once overwritten

Overwritten data cannot be recovered, it is over written. The video below shows what an overwritten drive looks like, with a forensic tool – blank, nothing can be recovered.The drive shown was overwritten just once.


12 Responses to “Forensics: Can data forensic companies retrieve overwritten data?”

  1. Nitin Kushwaha Says:


    Can this be possible using Microscopy forensics,

    changing the voltage/current levels and …some stuff.

    I guess NSA and FBI has these tools ..?

    Any idea if it is true or not?


  2. How do you destroy a hard drive? « Data – Where is it? Says:

    […] idea that overwritten data, on a modern hard drive, can be recovered is just fanciful. Nobody has ever recovered an overwritten modern drive, and nobody has said they […]

  3. rich Says:

    hi i installed windows 7 over vista home pre not once but twice in a four hour time fram did this destroy all the old data i did a clean install not a upgrade so no one can ever recover anything from it

    • 585 Says:

      No not really, but that not may be relevant.

      A couple of points:

      Firstly, Whether you did it twice in 10 minutes or 10 days will not really change anyting. Once a file is overwritten its overwritten, it doesn’t need to be done 10 or 100 times, just once.

      With that siad the question is did you overwrite the “data”, to which the a short answer is probably not.

      Example: A hard drive is 100 GB and 1 GB is it contains t he Windows install. i.e. 1% of the space is used up with Windows the rest is “blank”. If never use a computer and just resinstalled windows over the old version 99.9% of 1 GB of data would be overwritten, but not 100% because it would not be installed in the exact same place and areas like “file slack” are not overwritten by creating new files.

      For example lets say the 100 GB hard drive has 1000 different points it can store data on it (0.1 GB per location). The 1 GB of data is stored in the locations 1 to 10. When you re-install the data you are re-installing it the locations 1 to 4 and 6 to 11 leaving location 4 containing a fragment of old data. For a Windows installation this is not really important but its a key point – just installing things does not necessarily overwrite the data.

      Now, lets think about your computer. Lets again assume its a 100 GB hard drive, again with 1 GB of Windows installtion on it and 1000 different points to place the data. But, this time lets say there was 50 GB of movies and documents.

      The Windows is installed and re-installed in the areas 1 to 10 and the movies and documents did exist in the locations 500 to 1000.

      As you re-install Windows over and over again all your doing is overwritting (some) of the data from 1 to 10 and leaving the data in 500 to 1000 untouched.

      This means that the movies etc are deleted, but not overwritten.

      The locations on a hard drive are called Sectors and there are 10,000,000s of of them on a typical hard drive. They only way to overwrite them is to use a dedicated tool to do that.

      But the files that used to be on your computer be recovered? Not easily, and they could only be “carved out”. It really depends on the what else has happend to the hard drive, what type of data there was etc etc.

      • rich Says:

        i had movies some pics stuff like that and personal stuff in there ,, also i never physicaly saved the movies to a folder i just left them in the media player library so what happened to these things …. how long does it take before stuff starts to be over written

      • 585 Says:

        It sounds like the data was saved, but just to a standard/default folder rather than you chosing a location. The fact that is was saved to your hard drive is the only point of relevance – the actual folder it was in is not relevant.

        There will be, quite literaly, 100s of millions of “sectors” – i.e. locations on the hard drive only when every one of those has been overwritten can you say, definatively that data has been overwritten. You would need a tool for that. Just using your computer is not going to overwrite EVERY sector and every bit of data on the hard drive.

        But, as I mentioned previously that may not matter. For example, lets say you have a movie that is deleted and 99% of data is overwitten, that 1% of data left would not be a fragment of data that you could see or interpret it would just look like junk data.

        However, if you have a text document that is not fully overwritten somebody could, in theory, see those fragements of data.

        The probabilities of this occuring must be measured against the risks. If you are a government agency and the enemy is a nation state – then you need to make sure every part of the hard drive is 100% overwritten. If you trying to hide files from family, its a different issue.

  4. rich Says:

    what do u mean by carved out

  5. Anonymous Says:

    It is possible to change the magnetic levels to recover it with the right tools… but their are none so far. If you wanna be extra safe though there’s a gutmann method which overwrites it with encrypted codes 30 times and random data 5 times. cant crack that!

    • 585 Says:

      “It is possible to change the magnetic levels to recover it with the right tools…” this is somethign that is routinely talked about, in often hushed tones. However, nobody has (to my knowledge) ever demonstrated it working, but people have tested for it and found it could not be done. i.e. I have not seen any evidence of it, but have seen evidence to the contray.

  6. Raid 0 Data Password Recovery Macbook Pro Says:

    I read this piece of writing completely about the difference of most up-to-date and previous technologies, it’s remarkable article.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: