Note that I didn't say easy, but I did say quick.
Next week, I'll be at the Computer Forensics Show in Santa Clara. Today, I learned that there's a bit of a throw-down going on between the keynote speaker and a number of industry experts, which has led to the experts offering some serious coin to the keynote speaker to back up his claims--to put up or shut up.
The keynote has been advertised as follows...
'"When No One Else Can": Data Recovery from a completely overwritten hard drives. Sample Forensic recovery from over written drive from Turkish assassination case, 2007. - Presenter - Alfred Demirjian - CEO at TechFusion' (sic the whole thing--typos are in the original text)
I've spent a reasonable amount of time recovering data off damaged disks, so I know how tough it can be. Of course, those were 3.5" disks at Northwestern in the late 80s, but who's counting? (Where'd I put my remote archival backup of MacTools, anyway?) And, to the co-ed whose disk I overwrote by transposing the source and target disks, I apologize, a couple of decades late.
If anything stuck with me from Scott Moulton's excellent talk at ShmooCon 2009, it's that a single-pass erase using a proper tool is sufficient to wipe a drive. That's it. Full stop. Scott was pretty confident in his assessment, as were a number of the...uh...ahem..."security practitioners" in the overflowing conference room.
So, I was pretty surprised to learn that the keynote at Computer Forensics was going to be about data recovery from completely overwritten hard drives. Even more surprising to me is that a couple of forensics experts have said that the keynote speaker is selling snake oil.
They're calling shenanigans.
They're calling bullshit.
And they're throwing $250,000 into the pot to get Mr. Demirjian to prove that he can do what he says. The suggested challenges are pretty simple--take a couple of files, do a single random wipe, get 'em back, prove how he did it.
And you thought forensics was dry. Stay tuned throughout the week for further updates. I don't think we're done with this story just yet.