Anatomy of Disk Recovery Evasion

~ Dade Murphy

InfoSec Write-ups – Medium–

Disclaimer: Do not attempt to violate the law with anything contained here. If you planned to use the content for illegal purpose. Neither administration of this website, the authors of this material, or anyone else affiliated in any way, is going to accept responsibility for your action. We do not own any copyrights on the images and videos shared in this post, it has been delivered here just for educational purposes and thus is considered as fair use.

All types of storage media aim at storing the ever-changing digital information in a relatively permanent form. Nearly every type of computerised device uses some form of storage medium to read and write information.

As aspiring penetration testers and cybersecurity professionals, we must need to understand the methods used by hackers to clear their physical tracks (clearing digital information stored on hardware devices and storage mediums) so that it is easier of us to understand their minds and way of execution a little deeper. Now lets dive into various methods they use and I will post some examples (funny and effective) on how they make data irrecoverable.

Introduction:

When you delete a file on your computer it goes to the recycle bin/trash depending on the Operating System, but what happens exactly happens after we delete it from there too?

You will understand is more as you go through the post, but still, in a nutshell, the data doesn’t just vanish as most users think. It still remains in the storage media.

https://medium.com/media/03455bbf9ce02199bb3cca840e2cfe62/href

https://youtu.be/tNUsoangGFs use in case of failure

All the 1’s and 0's in the files are still present in the sectors of the drive until or unless it is overwritten by other files/programs in the computer, but the larger the size of the drive lesser the chance at it would get overwritten, maybe never in many cases. Data Recovery software use this to locate the files that are deleted but still have the data written to the storage media. It simply reorganises the 1 and 0’s like it was before (not always perfectly) and gives us the output. Here we are going to go through some methods hackers use to delete files permanently and by doing so successfully evading the detection from disk recovery softwares.

Hard Disks:

The disk-like structure is called as Platter, and data can be written, rewritten and retrieved as much as thousands of times per second (differs depending of the RPM of the drive, SATA version and many such aspects). This platter is made of aluminium, glass, ceramic substrate or similar materials with little magnetic properties. Data is just stored on the platters but for the read and write function of it uses the Read & Write Head, Actuator Arm, Actuators Axis and many more.

* There are many components of the hard disk, but I haven’t explained to them as it is beyond our requirement *

These are the basic bare bones of the hard drive that you need to understand in order to do through the post. These “Magnetic Mediums” (platters) can be easily erased and rewritten several hundreds of thousands of times throughout its life (The amount and read and write depends on various aspects are well).

Finally, there is a Controller Electronics attached to one side of the hard disk and it is responsible for controlling the read & write mechanism and the motor/spindle that spins the platter. And it also converts the magnetic domain on to platter into bytes while reading/retrieving data and converts bytes into magnetic domain while writing data to the disk.

Solid State Drive:

This is a storage device that retains data in flash memory. By definition, “Flash memory is an electronic non-volatile computer memory storage medium which can be electrically erased and reprogrammed”.

It stores data in a durable cluster of semiconductors or memory banks (SSD is just a large version of flash drive/pen drive/thumb drive which can be used internally inside a computer/server just like a hard disk). SSD’s are getting popular because of the tremendously fast data read and write speeds (low latency), and due to high durability and mobility compared to the traditional Hard Disks.

But still hard disks are widely used in places where the data integrity, redundancy and disaster recovery are in the at most importance. In theory you could store a piece of information and potentially just forget about it, come after 10 years to find the hard disk piled under dust and still the stored data would be good as new (that is if that disk still works). As data is stored as electricity inside flash memory after a certain period of time the energy will either get depleted or just won’t be sufficient enough to power the semiconducting data holding memory blanks and transistors in the flash memory chip and thus data get is ultimately lost.

Now getting into what we are here for:

Method 1: When it comes of Hard Disk the data is stored across the platter in the tracks, disk sectors, sectors and blocks as shown diagram below.

* clusters are know was blocks in Linux based systems, track sector is also called sectors *

The allocating of these tracks, sectors, blocks, etc is accomplished at the initial formatting performed by the manufacturer, this process of creating these fragments is known as Low-Level-Format and this needs to be performed before the drive is sold. What we as users do while formatting data is known as High-Level-Format through which we create portions, file systems and segments of the hard disks (partitions) as per our individual or collective requirements.

When MFM hard drives were still in usage, the LLF method was accessible to common users. They used it to permanently delete data and it was the de-facto solution to recover a computer infected by a boot sector virus. And it was also used before selling the hard drive so that the buyers would be unable to recover any personal/corporate information from the sold drives.

But today with the introduction of SATA and ATA hard drives, we can’t do an actual LLF (can be done but comes with many hazards and you could loose/corrupt the whole disk in the process). As the LLF that manufacturers created can’t be changed, hackers came up with a new method called Zero-Filling (but some still call it LLF). It is a process through which random 0 and 1’s are written to the drive sector where the data was initially stored, and to further evade disk recovery risks, hacker repeats the zero-filling process several times (some even zero-fill the entire disk several times before installing a new OS, it takes longer but is worth the wait).

Most of the major drive manufacturers have their own zero-filling tools, please use the software specific to your band of use as they may perform the formatting faster and effectively. Seagate, Western Digital, Samsung, Hitachi all have their own tools, but if you are a concern if their WebApp will keep a record of you downloading the tool, you could use the DBAN ISO to boot and do the same and thus have a little more anonymity (DBAN works with all brands of hard disks).

Note: The above-mentioned method is specific for hard disk and is 99.8% effective, don’t try them on solid-state drives.

Method 2: The best method by far I have come across to destroy any types of Flash-Memory-Chip is to literally cook it, YES COOK IT. Just not how you would imagine.

https://medium.com/media/1f226f826f5c5e7373783175a79fc8ff/href

https://www.youtube.com/watch?v=mh3AQuhQO8U use in case of failure

In short, if the memory chip inside the thumb drives or SSD’s experiences an electrical short circuit, it potentially gets fried and the data will is ultimately lost. You could use an old microwave which you don’t use anymore to do this task, just microwave the chip more than 10 but lesser than 30 seconds (am specifically telling you, folks, to use an old microwave because it’s likely going to damage the microwave as well, the last thing we wanna destroy is a $1000 microwave, trust me).

Another way to cook it is with water and a pinch of everyone’s deadly companion electricity. What I mean by the pun is using the process of electrolysis to fry the memory chip. This involves the submersion of the flash chip in a liquid and sending an electrical current through it.

There you go 2 perfect recipes to fry flash-chips, enjoy!

Method 3: The last of these might probably sound too crazy, must personally I don’t recommend these (except one am gonna start with).

Flash memory is relatively easy to destroy as mentioned above, so am gonna be specific of hard disks.

i) Use an angle grinder or a drill to cut through the platter (use zero-filling method and then cut the platter).

ii) Burn it till it turns to ash.

iii) Dissolving the disks into highly corrosive acid.

If you wanna learn more insane methods watch this video of Zoz on his speech at Def Con hacker convention:

https://medium.com/media/108d365623ba2af90209352f02d0ab84/href

https://www.youtube.com/watch?v=-bpX8YvNg6Y use in case of failure

Regards,

S. Viswajith

Anatomy of Disk Recovery Evasion was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

View original article on InfoSec Write-ups – Medium

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s