160
IamA computer forensics specialist. AMA about the Ashley Madison stuff or anything else!
My short bio: I work at datarecovery.com. A few of our engineers already did an AMA a few months ago -- I'm using their account, in fact -- but I'm in a different field. I specialize in computer forensics and electronic discovery.
That means I look for digital evidence, some of which is used in court. Recently, I've been helping people verify whether or not their data was compromised in high-profile leaks such as the Ashley Madison breach.
If you've got data recovery questions, though, you can feel free to ask them; there will be a few of us on this account if this blows up.
My Proof: We'll have a Twitter link up in just a sec.
Ah, here it is.
https://twitter.com/essdata/status/637350172326957056
EDIT: This is fun! Taking a break, but we'll be answering questions all day Saturday, so feel free to keep them coming.
EDIT2: We're back, keep the questions coming.
EDIT3: It's Monday, we're still here!
datarecoveryengineer25 karma
I'd talk it over with my employer, but we do offer secure deletion services.
If it wasn't illegal and you owned the data, we'd probably do it.
flashvenom14 karma
But what if I gave you a list of certain emails I found to be... super not at all important or of interest to anyone, and just wanted those deleted... forever. And some that were A-OK. Would you question my intentions?
datarecoveryengineer17 karma
No, it's not our job to question intentions. We wouldn't do anything that breaks the law or our privacy ethics, but we believe people have the right to destroy the data that they legally own.
x7x_2 karma
So you would not have done what Hillary did with her emails?
Since you know, she technically didn't own anything in that email account and all, being a public servant.
datarecoveryengineer14 karma
I haven't researched that case. However, just being a public servant doesn't mean that you're not the legal owner of your emails. We've wiped stuff for government agencies before and it's all above the board.
But again, I'd have to get all up in the guts of that case to say whether it was legal/ethical/yadda yadda, I hate to make assumptions.
datarecoveryengineer15 karma
One thing you learn in a job like this: nearly everybody looks at porn.
EDIT: But in case I misunderstood the question, I don't know why people download porn -- but even if you never download it, we can still show what you did and when you looked at it.
Dangld13 karma
I don't know if I'm joking or if this is a serious question, but what if I use google incognito?
datarecoveryengineer17 karma
You're more secure than browsing...uh, bareback. But there's still ways to figure out what you were doing, at least partially, if we get to the drive quickly enough.
arddit14 karma
How hard is it to destroy a local hard drive so even you can't recover anything? Do the old tools that run a 7-pass or a 20-pass erasing still work?
datarecoveryengineer17 karma
Yeah, if you do a complete overwrite, we're not getting it back, although we could show pretty conclusively that the drive was intentionally wiped (not really much of a smoking gun).
The question is whether your software completely overwrites 100 percent of the drive, though.
porcinepolynomial10 karma
I've heard this line many times and it's got me curious.
If I do a total wipe let's say with DBAN. What's the likelihood you're going to find something useful in the odd sectors that may have been taken out of service by SMART or in the case of an SSD by trim? It seems like you might get bits and pieces, but finding "myfraudevidence.doc" complete enough to bring as evidence would be unlikely?
datarecoveryengineer5 karma
If you use DBAN, you're completely safe. My point is that some programs are less thorough, and user error can also make something less secure.
In any case, if someone tries to delete something and we successfully recover it, it's almost always a partial recovery -- so you're correct, you're not going to get complete documents. You still might be able to use it as evidence, though.
mettle8 karma
How much do morals and ethics serve as motivating factors in the industry versus people either doing what they can to make a buck or doing what they can for the challenge? This goes both directions, i.e., black and white hat hackers.
datarecoveryengineer21 karma
Well, there's two questions here, ethics in computer forensics and ethics in hacking. I'm more qualified for the first half of the question.
In the computer forensics industry, ethics is really important, and we've got a really good reason to stay ethical -- we won't make money in the long term otherwise (same deal for our data recovery division).
If we're called in to investigate a leak, for instance, we'll do our due diligence to make sure that we're working with the victims of the leak and not their spouses or employers or anyone else who doesn't have a right to the information.
With that said, personal morals and professional ethics don't always agree. We might be asked to present evidence that will help a guilty person get a non-guilty verdict, and ethically we're compelled to do it -- everyone has a right to a fair trial, and we don't spin the evidence, we just discover it.
For hackers, I think there are far more white hat than black hat and I think most of them are really dedicated to making the Internet a safer and more secure place.
In the case of the Ashley Madison leak, I don't see how you could seriously argue that they did it for anything other than the challenge and the excitement -- there's nothing ethical about releasing that much personal info.
And for the people that say "well, they were cheaters," please realize that many of them weren't cheating at all. We've had a bunch of inquiries from people that were browsing the site with their partners, or people who just set up a profile once during a rocky time and never went back to it, and now they're facing some pretty awful consequences. It's pretty unfair.
Artavius7 karma
What was one of the craziest jobs that you were called in on to investigate?
datarecoveryengineer14 karma
Well, most interesting/high-profile was probably when we worked with the parents of JonBenét Ramsey on a civil matter related to the death of JonBenét.
Craziest, though? There's a lot of divorce proceedings that get pretty crazy. Not sure how specific I can get, but we have to take precautions to prevent people from trying to break into one of our labs to destroy evidence Breaking Bad style.
TheAddiction26 karma
So, wait. You specifically have your labs designed in such a way so that I can't park a giant ass magnet outside?
ONLY-YELLS-ANUS6 karma
What kind of education do I need to get into a job like this? I find cyber-security and data-loss prevention fascinating.
datarecoveryengineer13 karma
The reality is that a lot of computer forensic work or data recovery work is done by fairly small companies. Education options often aren't specialized on this kind of thing, but that is beginning to change as information security is definitely hot. Data recovery particularly is really a niche occupation where ideally it's best to learn from experienced engineers. However, choosing your education can help immensely. I'm a big believer in having a strong technical and computer science base because it helps you learn how to learn, learn how to think, and problem-solve.
With data recovery, you can get into the field with the (usually small) companies that are out there. With computer forensics, you have options with some small companies, and huge companies because the big companies have staff that do forensics work solely for their own company.
The two do work hand in hand though. You can really be a lot better at forensics if you are good at data recovery, and a solid computer background helps for both. See my answer above for Link4455 for a little more.
JasonUdan5 karma
if i wanted to hide something or encrypt it how or what would you recommend?
datarecoveryengineer12 karma
The security audit of TrueCrypt was completed, and I'd probably trust that just fine for my personal data despite the fact that the original anonymous developer has left. It has an option for a hidden drive, so if you're coerced to provide the encryption key, you provide the first which gives access to some data, and there is no way to know that you have a second hidden volume protected by another key.
Bruce Schneier chose to move to Symantec's Drive Encryption though.
Otherwise Bitlocker for Windows and FileVault for OS X are other options.
But make sure you don't lose your key/password because data recovery is not possible if the encryption is done correctly!
https://en.wikipedia.org/wiki/TrueCrypt https://www.grc.com/misc/truecrypt/truecrypt.htm
https://en.wikipedia.org/wiki/BitLocker https://en.wikipedia.org/wiki/FileVault
http://buy.symantec.com/estore/clp/productdetails/pk/drive-encryption
G_Maharis5 karma
Does age have an effect on hard drive recovery?
For example, if I dug up a hard drive that failed when I was a teenager and I wanted to recover the stolen mp3's, would that be possible?
datarecoveryengineer7 karma
Hard drives can become demagnetized over time, and when the magnetic charge is lost, so is the data. With that being said, we've recovered older drives before, so it depends on when you were a teenager.
weuttele5 karma
Is it stupid to think that using incognito mode will cover up all my traces?
datarecoveryengineer5 karma
It's more secure than not using incognito, but definitely not 100 percent secure. If someone really wanted to see what you were up to, they could probably figure some stuff out.
uselubewithcondoms4 karma
Perhaps irrelevant, but can you provide evidence that tinder is using fake profiles of women that really aren't in your radius? I'm sitting here thinking, are this many hotties really nearby? I'm thinking fake profiles, but no way to prove it. Can you prove it?
datarecoveryengineer10 karma
With access to their database, we could establish an accurate count of hotties. But no, we couldn't really do it without the database.
VoilaVoilaWashington5 karma
Not having a Tinder account, I don't know, but I have used a service that was similarly skewed. What I did is fire it up on a camping trip and see what happens.
3 hours from the nearest town over 100k, range set to 20 miles, and I still got hundreds of results. Uh huh.
porcinepolynomial4 karma
How often in your position are you called into court to explain your evidence to a jury? If so have you had any interesting questions thrown at you regarding the validity of the data?
I ask because having sat on a jury, the lawyers asked more questions about the credentials of the lab tech and the organization than they did about the evidence itself.
rickeywinsagain2 karma
I've done ediscovery and had to testify a few times. In my experience, lawyers do not want to get too technical. It can get way over most of their heads very quickly. So they rely on expert witnesses and whatever credentials you have.
datarecoveryengineer1 karma
This is true, good answer. Our credibility is arguably more important than our methods, but with that being said, we obviously try to make sure our methods are bulletproof.
datarecoveryengineer4 karma
Somewhat effective. If you're still logged into Google, we might still be able to pick up your web searches. We could also check the pagefile.sys to see what you were up to recently.
datarecoveryengineer5 karma
Very secure. I'm not aware of any significant issues.
I don't use Mac at the office so I can't say how good it is performance wise.
Saemika3 karma
If my wife calls you, should I just put my phone in the microwave on potato?
delta83693 karma
Thanks for doing this AMA, a lot of the replies have been pretty interesting and informative. Not sure if this is the right question for this AMA, but:
I have some questions on torrenting/pirating:
How dangerous is torrenting? Is it common for the average torrent user to face legal action for torrenting? Shouldn't the people that first create the file be held accountable, not the torrent user?
How are websites like this: http://www.watchepisode.tv not shut down? Can you face legal action for watching tv shows using these sites like you can for torrenting?
datarecoveryengineer3 karma
We haven't been called in on that type of case before. If we wanted to prove that you'd been torrenting, though, we wouldn't have any issue doing so -- the thing is, we probably wouldn't have access to your original machine, so if you anonymize your connection you'd probably be fine. I'm sure someone else here would be happy to tell you how to do that.
In all likelihood, you'd be warned numerous times by your ISP before legal action was taken, but I'm not a lawyer. I would think the media companies would prefer going after sites like you mentioned, but many aren't based in the U.S. and are therefore difficult to shut down.
I feel like that wasn't a great answer. I'll ask around my company and see if I can get a better one for you.
datarecoveryengineer5 karma
Fun! We've got a good office. Most of the work is handled at the laboratory, although we do expert testimony from time to time. The work changes every day and you've got to think on your feet a lot.
datarecoveryengineer3 karma
Encase is the industry standard, and it holds more water with legal professionals (mostly because they're more familiar with it). We have all of those, but Encase gets the most mileage.
SmartAlice3 karma
This guy got fired for making a video on the technical implications of Hillary's email situation for Youtube. Did he really do anything wrong???? Here's a link to the video and his thread.
here is the video: https://youtu.be/xJFf6OEgWlw
https://www.reddit.com/r/tifu/comments/3h9vp8/tifu_by_getting_fired_for_pissing_off_hillary/
datarecoveryengineer5 karma
I can't really say -- where did he work? Why did they tell him he was fired?
SmartAlice6 karma
Here's what he posted on the thread: TIFU by getting fired for pissing off Hillary Clinton's campaign manager
So I won't name names but I work for a company that manages the back-end infrastructure for individual campaign donations (we process credit card transactions essentially). Anyway being the IT guru (and genius) that I am I made a sort of decent video on the technical implications of Hillary's email situation for Youtube. Well forgetting what was in my clipboard I ended up linking a few videos to my boss's boss on another unrelated topic and accidentally sent him the link to the video that I made (from my company email no less). Once the email was sent I immediately realized the problem and tried to change the name on my google account that had the video thinking I'd be fine and would have deniability. Well after hours of crossing my fingers and eventually moving on I got quite the call. I was ultimately told that the email ended up getting forwarded due to an out of the office forwarding setup to multiple people including Hillary's CAMPAIGN MANAGER. Anyways she called the company I work for and complained which led to my firing today so if anyone needs an IT guy fluent in MySQL, DB2, and TP systems I am available.
datarecoveryengineer3 karma
Well, without watching the entire 20-minute video, I don't think he did anything wrong, per se, but it definitely wasn't a wise move considering his position. I don't blame Clinton's campaign manager for complaining.
datarecoveryengineer2 karma
No problem. I'll add that the company should re-think their email forwarding policies.
datarecoveryengineer1 karma
My degree is in electronics engineering with a specialization in Biomedical technology. I rely mostly on experience. Other forensics people here have actual degrees in computer forensics.
ScottSEA2 karma
Doesn't McGee just piss you right the fuck off? I hate that guy. I mean, I get that it's a TV show, but come on...
cweber5132 karma
What is the future of computer forensics in your opinion? Will it get easier or harder for people in your field?
datarecoveryengineer3 karma
I'd say harder with new encryption tools and security technologies. However, we're constantly researching and looking for new tools, so it's a give and take.
Helpful to note that a lot of our job involves showing what a user did rather than recovering individual files. If we can't access or recover a file, we still might be able to provide something useful.
SirHobo941 karma
Computer Forensics and Security Masters Student here, I second this, with the advancements within encryption and all round either improvements to security or methods of actions. Forensics can sometimes hit road blocks but dependent on the case, proving what someone was "doing" rather than show what files there are can be more useful.
However I do thoroughly believe that until we change the way the data is interpreted, Forensics is becoming a field which is slowing down and not growing. Whereas when you look into security and the forensics which can be done within security, that's where things are growing and expanding rapidly.
EDIT: Spelling mistakes.
Link44552 karma
What made you want to get into this line of work and what kind of schooling have you had?
datarecoveryengineer4 karma
This comes up a lot actually, good question. Some of us have computer science backgrounds, information security, forensics training, but others have very unrelated backgrounds. It is a small field and can be strange like that, but if you put in the work and know your stuff (maybe with training on the job also), that's what matters. Normally it is a technical background though. I have a CS degree.
The problem solving and reverse engineering aspects were great reasons for me. Figuring something out through a lot of hard work can be very rewarding, especially through a team effort. And especially because you are helping people, to the benefit of both you and your client. That goes for tough data recovery cases and computer forensics.
degoba2 karma
Do you have a Private Investigator License? I also studied computer forensics. I went into Sysadmin though. Most of the forensics folks I have talked to in the field were cops in a former life or are required by the state to be a certified Private Investigator.
datarecoveryengineer3 karma
I don't, but in the U.S. it's not necessary, at least for the types of cases we handle. I'm sure it'd be helpful to have if you were job searching in the field, though.
NotARugDealer2 karma
How could the hackers get the info at Ashley Madison website? Did someone on the inside give leeway to the servermajigs?
datarecoveryengineer3 karma
That's a good question. I wish I could give you a really good answer, but I don't want to make any assumptions on what Ashley Madison was/wasn't doing. It could be as simple as a bad password (doubtful, but possible). I'll think for a while and get back to you.
You might read up on Krebs on Security, it's run by a guy who really knows his stuff. He's had several incredible leads on this story. Unfortunately, it looks like the site's down right now, but it's http://krebsonsecurity.com/
datarecoveryengineer5 karma
Interesting, but also kind of crazy at this point:
As to gender of the perpetrator, there were a number of telling signs in the manifestos. The most telling was a statement calling men "scumbags" (for those readers that don't speak American/Canadian English, this is a word that only a woman would ever use to describe men). In a separate section, the perpetrator describes men as cheating dirtbags. I think in any language this would suggest that a woman is speaking.
If that fails to convince you, then this must: In the first manifesto two names of male members were released. In describing one of them the perpetrator states that he "spitefully" joined Ashley Madison the day after Valentine's Day. Anyone who ever had a significant other knows that women rate Valentine's Day higher than Christmas, and men think so little of it that they have to remind each other the day is nearing. To call an act the day after Valentine's Day "spiteful", is a thought that would enter few men's minds. If this does not convince you then you need to get out of the house more often.
That's a big leap of logic. If he jumps to conclusions that easily, I question the rest of his research.
datarecoveryengineer7 karma
No clue. I'd have to work directly with the data, and I wouldn't want to guess based on reportage.
beingmrcrfl2 karma
What is the typical cost to get the information available on a person who is the victim of the Ashley Madison hack/leak? And how do you verify the person is the victim?
datarecoveryengineer2 karma
We verify details in the account and cross check them with phone numbers, other social media accounts, credit card numbers, etc. Multiple methods, we're very thorough.
We charge $200/hr and this usually doesn't take very long at all. Don't hold me to this, but every case has been $200 so far.
The obvious followup that I would ask is why pay, so I'll just ask that myself.
The fact is that people can also look up some of this stuff online, and there are a few sites that let you enter in an email address and see whether your info leaked. That's fine for most people.
However, our service is intended to be more thorough, and their database wasn't the cleanest, so we might find some info that you couldn't locate on one of those other sites. We also provide the benefit of third party verification, which could be useful in a number of situations.
Finally, some people might prefer to use a service like ours rather than enter their email address into a potentially sketchy website. And yeah, you could always download the entire database and check yourself, but most people don't know how to do that.
datarecoveryengineer3 karma
Ethically we couldn't search his personal data for you (although if you own a computer he uses, we could take a look at that).
I'd recommend talking to him -- sorry if that sounds like a cop-out answer, but a solid number of the divorce/cheating-related cases we receive could be solved by a good open conversation.
datarecoveryengineer3 karma
Yeah, I understand where you're coming from.
We price forensics services by the hour. You could give us a call on Monday and we'll try to determine whether we could legally/ethically help you, and get you an estimate (or you can also call any other reputable computer forensics firm, I don't want this post to be too promotional).
laststance2 karma
What are your views on SSDs? From my understanding most SSDs on the market have limited data recovery abilities. Such as locking in read only until it is in use again, then wiping the drives if you try to access the SSD.
For HDDs do you use a Linux sector by sector copy of the original drive as a work bench or do you use the original drive? Is there a special rule set due to the nature of how easy it is to tamper with digital evidence?
I've heard that people who trade in CP are surprisingly technically adept and use several "wtf this type of technology exists?" type of software/hardware in their networks. Is that true? What are the developments in the digital forensic field? Is it a constant arms race?
datarecoveryengineer1 karma
What are your views on SSDs?
The big issue is that you need a different data recovery method / tool for every manufacturer / drive family. I'm oversimplifying a little there, but it's not as straightforward as hard drive data recovery. With that being said, our data recovery rates for solid-state drives have improved pretty dramatically over the last five years and I definitely wouldn't say that they're the most difficult type of device to recover.
For HDDs do you use a Linux sector by sector copy of the original drive as a work bench or do you use the original drive? Is there a special rule set due to the nature of how easy it is to tamper with digital evidence?
We would certainly make clones of every drive, and yes, there's a pretty well-defined set of rules, which is integrated into the software we use. We need to be able to repeat our results and make sure that we don't do anything to tamper with the evidence.
I've heard that people who trade in CP are surprisingly technically adept and use several "wtf this type of technology exists?" type of software/hardware in their networks.
That has not been my experience. I've seen them attempt to hide what they're doing but they're rarely successful.
What are the developments in the digital forensic field? Is it a constant arms race?
Yes and no. We've got a full research division, but on a case-by-case basis, it's more important to be able to think critically than to have the latest hardware tools. But obviously we've got to keep up with our competitors and be prepared for anything that might come in.
In the data recovery field (closely related), it's more of an arms race. However, the technology is becoming less secretive.
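The clone-and-verify idea from the answer above, as an added example (not the answerer's tooling or any vendor's method): the source is read once, hashed as a whole and per block, and every later working copy is checked against that record so a change can be detected and located. The file names, the 64 KiB block size and the sample data are assumptions constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

BLOCK = 64 * 1024  # assumed block size for the piecewise hashes


def acquire(source_path, image_path, block_size=BLOCK):
    """Clone source to image in a single pass and return an acquisition record."""
    whole = hashlib.sha256()
    block_hashes = []
    size = 0
    # "rb" never writes to the source; "xb" refuses to overwrite an existing image.
    with open(source_path, "rb") as src, open(image_path, "xb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            whole.update(block)
            block_hashes.append(hashlib.sha256(block).hexdigest())
            dst.write(block)
            size += len(block)
    return {"size": size, "sha256": whole.hexdigest(),
            "block_size": block_size, "block_hashes": block_hashes}


def verify(path, record):
    """Re-hash path against the record; return (ok, indexes of mismatching blocks)."""
    whole = hashlib.sha256()
    expected = record["block_hashes"]
    bad = []
    index = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(record["block_size"])
            if not block:
                break
            whole.update(block)
            if index >= len(expected) or hashlib.sha256(block).hexdigest() != expected[index]:
                bad.append(index)
            index += 1
    # Blocks missing from a truncated copy count as mismatches too.
    bad.extend(range(index, len(expected)))
    return (not bad and whole.hexdigest() == record["sha256"]), bad


def make_sample_source(path):
    """Constructed stand-in for a source drive: five full blocks plus a 100-byte tail."""
    with open(path, "wb") as f:
        f.write(bytes(range(256)) * 1280 + b"tail" * 25)


def flip_byte(path, offset):
    """Simulate an accidental or deliberate one-byte change to a copy."""
    with open(path, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0xFF]))


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "source.bin")
        evidence = os.path.join(workdir, "evidence.img")
        working = os.path.join(workdir, "working.img")
        make_sample_source(source)
        record = acquire(source, evidence)
        print("acquired", record["size"], "bytes, sha256", record["sha256"])
        shutil.copyfile(evidence, working)      # analysis happens on this copy only
        print("working copy before change:", verify(working, record))
        flip_byte(working, 130000)              # lands in block 1 (130000 // 65536)
        print("working copy after change: ", verify(working, record))
        print("evidence image still intact:", verify(evidence, record))
    finally:
        shutil.rmtree(workdir)
```

In practice the source would sit behind a hardware write blocker and the record would be stored with the case notes, so anyone repeating the analysis can confirm they started from the same bytes.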
mitunakaptor2 karma
How likely is recovery of data when say for example a hard drive is smashed against a wall rather than securely erased?
Is a raid 0 array a secure non redundant way of encrypting my data so for example I take a hard drive with me wherever I go and keep 2 or 3 at a computer? (and obviously encrypt the array)
How secure is Tor by default, and with no script enabled? Sure you could find evidence that Tor may be on a person's computer but is the local OS free of trace evidence?
Is defragging an SSD (yes I know it's terrible for drive health) likely to do anything to prevent recovery?
Also you may find these videos interesting https://www.youtube.com/watch?v=zUyxIG0xsBg
datarecoveryengineer2 karma
Our data recovery division is really good, but if you physically destroyed the platters of a hard drive, they couldn't really do anything. However, you'd have to really target the platters, so I'd recommend opening the thing up and going at them with a magnet, a chisel, and whatever else you've got.
If you've got a high-quality program to perform multiple overwrite passes, though, that's really just as secure. I'd recommend two or three complete passes, but the Department of Defense would recommend seven. That's really overkill, but it's overkill by design.
With that said, if I had the choice to attempt recovery on a drive that had been overwritten and a drive that had been physically destroyed with a hammer, I'd probably take the overwritten drive on the off chance that the user didn't know what he/she was doing. But I'm a software guy, the hardware guys might answer differently.
The RAID 0 idea is novel, I'll give you that! My concern would be that you're putting yourself at a really high risk of data loss, since you're running a non-redundant array and you're physically moving one of the drives every time you leave the house. But I can't think of a way that we could completely reconstruct the data without coercing you.
Externally (and without Javascript, etc.), Tor is very secure. If we had access to your machine, though, we could probably discover what you'd been doing.
As for the SSD, defragging would make recovery harder but not necessarily impossible. Overwrite everything if you want it to be gone for good.
alittle2hi2 karma
I live in a house of 15 people. 1 router/modem. Can people (nsa) distinguish each computer from the outside?
datarecoveryengineer2 karma
I'm sure the NSA could. You share a public IP but each machine has a separate MAC address.
praxish422 karma
If I wanted to eliminate my browsing record from my Android phone, which is linked to more than one Google account, how could I go about doing that? I assume I couldn't do anything about the information that Google has, but are there traces on my phone?
datarecoveryengineer2 karma
Yes there are traces of everything you do. Reset the phone to factory defaults, fill it up with funny cat videos, and then reset it again and you should be good to go. But if you were using the phone to access your Ashley Madison account, you may want to check the news headlines ;)
9voltWolfXX2 karma
Is it really terribly difficult to cough cough recover a wiped email server? cough cough
datarecoveryengineer2 karma
No but from experience, it is terribly difficult to set up your own personal email server in your house. This was not done for sake of convenience.
9voltWolfXX1 karma
And as a random second question, do you frequently work on data recovery for science-related projects?
datarecoveryengineer2 karma
I'm not sure what you mean by science projects, but our services are used by NASA, Brookhaven Labs, SpaceX, etc.
datarecoveryengineer1 karma
I sort of skimmed through it for lack of time, but it sounds like this guy is right on. If the HDD or SD isn't totally destroyed, there is a chance of recovery. Good find.
Zonus_2 karma
Has there been a notable difference as to what drives are easier to recover? Eg. a Seagate drive is harder to recover than a WD drive
Does the OS and distro/version have a notable impact on how hard it is for you to break into the drive, and recover or wipe the data?
datarecoveryengineer2 karma
Ease-of-recovery varies with time and depends on the type of problems. Over the last several years, it's my opinion that WD and Hitachi drives have a higher level of quality than, for instance, Seagate. Seagate drives tend to "crash and burn" and can be expensive to recover.
kiwiandapple1 karma
Bleh, poor Seagate. I suggest PC builds for people all around the world. I personally use Seagate, Toshiba and WD HDDs. The only issue I currently have is on my WD black that's starting to sound like a dolphin.
But especially the Backblaze report of HDD failure rates where the ST3000 (3TB mainstream drive) from Seagate got destroyed is something that comes up time and time again when I suggest that drive.
I made a call to Seagate themselves to ask about it.
Of course they weren't able to give me exact numbers, but they did mention that Backblaze used those HDDs in an environment where they are not designed for. RAID arrays, high vibration, etc. So the actual RMA request offers those HDDs is not even remotely close to that number.
But I was hoping to hear some good news for Seagate here. Damnit! :)
datarecoveryengineer2 karma
We're planning a big analysis of the Backblaze report (a couple years late, but better late than never).
Overall, I'm glad Backblaze did that and I think it's awesome that the information is now out there, but I do have a few issues with the veracity of their approach.
Ghost_Church2 karma
If one wanted to investigate the pervasive problem of abusive internet trolls and how to track them down online, how would one go about learning how to do that? Or is that beyond your expertise?
datarecoveryengineer1 karma
I'm afraid this is beyond our expertise. What's an abusive internet troll?
Ghost_Church1 karma
An individual who intentionally posts inflammatory comments in order to get a negative response, however those comments can quickly get out of hand and turn into death and rape threats which can be compounded exponentially when a mob is constantly harassing and threatening an individual e.g. on twitter, etc. I want to get into cyber security and cyber crime investigations with some focus on catching such perpetrators.
datarecoveryengineer2 karma
This sounds like an interesting field, but yes, certainly out of my expertise. It will be good having you out there killing the trolls :)
QuestionsAre2 karma
And the definite last question: How much does secure deletion wear out the hard drive, making it fail earlier... Do you recommend overwriting once or twice (Probably not more?) Does e.g. securely overwriting a whole hard drive wear it out the same as filling it up with files (or does overwriting it securely once put MORE stress on it?)
datarecoveryengineer1 karma
A single overwrite of 0's is enough to completely wipe that data. You raise an interesting question, I have heard that it's possible that some hard drives could be damaged by this prolonged write operation, but I believe this is due to manufacturer defect.
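An earlier answer in this thread noted that the real question is whether the wiping software overwrote 100 percent of the drive, and the answer above describes a single pass of zeros. The following added example (not the answerer's tooling) checks an image of a zero-wiped drive sector by sector and reports any ranges that still hold data; the 512-byte sector size, the zero-fill final pass and the sample image are assumptions constructed for illustration.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size of the imaged drive


def find_unwiped_ranges(image_path, sector_size=SECTOR, chunk_sectors=2048):
    """Return ([(first_sector, last_sector), ...], total_sectors) for an image.

    Each range is a run of consecutive sectors that still contains non-zero bytes.
    """
    zero_sector = bytes(sector_size)
    ranges = []
    run_start = None
    sector_no = 0
    with open(image_path, "rb") as img:
        while True:
            chunk = img.read(sector_size * chunk_sectors)
            if not chunk:
                break
            if not any(chunk):
                # Fast path: the whole chunk is zeros, so close any open run.
                if run_start is not None:
                    ranges.append((run_start, sector_no - 1))
                    run_start = None
                sector_no += -(-len(chunk) // sector_size)
                continue
            for off in range(0, len(chunk), sector_size):
                sector = chunk[off:off + sector_size]
                # A short final sector is compared against zeros of its own length.
                dirty = sector != zero_sector[:len(sector)]
                if dirty and run_start is None:
                    run_start = sector_no
                elif not dirty and run_start is not None:
                    ranges.append((run_start, sector_no - 1))
                    run_start = None
                sector_no += 1
    if run_start is not None:
        ranges.append((run_start, sector_no - 1))
    return ranges, sector_no


def wipe_report(image_path):
    """Summarise how much of the image the zero pass actually covered."""
    ranges, total = find_unwiped_ranges(image_path)
    dirty = sum(last - first + 1 for first, last in ranges)
    return {
        "total_sectors": total,
        "dirty_sectors": dirty,
        "dirty_ranges": ranges,
        "fully_wiped": total > 0 and dirty == 0,
    }


def build_sample_image(total_sectors=4096, leftovers=True):
    """Constructed test image: zero-filled, optionally with two missed regions."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(total_sectors * SECTOR))
        if leftovers:
            # Three sectors a wipe skipped in the middle of the device.
            f.seek(100 * SECTOR)
            f.write(b"leftover file fragment".ljust(3 * SECTOR, b"\x01"))
            # A wipe that stopped eight sectors short of the end of the device.
            f.seek((total_sectors - 8) * SECTOR)
            f.write(b"\xAA" * (8 * SECTOR))
    return path


if __name__ == "__main__":
    path = build_sample_image()
    try:
        report = wipe_report(path)
        print("sectors checked:", report["total_sectors"])
        print("sectors still holding data:", report["dirty_sectors"])
        for first, last in report["dirty_ranges"]:
            print(f"  sectors {first}-{last} (byte offset {first * SECTOR})")
        print("fully wiped:", report["fully_wiped"])
    finally:
        os.remove(path)
```

This only covers sectors that can be read through the drive's normal interface; sectors the drive has remapped or taken out of service do not appear in such an image.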
Sbprogramming2 karma
Could the drives in 9/11 really be recovered as suggested here? https://www.youtube.com/watch?v=2R3QgmWstJA
datarecoveryengineer1 karma
It's my opinion that there was absolutely no data ever recovered from hard drives that were in the towers on 9/11. The degree of obliteration was almost incomprehensible. We were one of about a dozen data recovery companies at that time and we did not receive a single case. We did, however, recover data for the NYFD and the Mayo Clinic, but it was from a laptop being used to keep data about the health of the workers. I'll post a scan of the letter we received from them after we donated our time in that case. Note it says "ESS Data Recovery". Our company name changed in 2010 to Datarecovery.com, Inc. So to answer your question, I believe the video is a load of crap. If you look closely toward the end of the video, it appears that someone is using a high-powered stereo microscope and an old oscilloscope to view the platters. I can't imagine what on earth they are doing that would relate to data recovery.
datarecoveryengineer1 karma
Here is a link to the letter we received representing FDNY, NYPD, and Mayo Clinic. http://datarecovery.com/clients/the-mayo-clinic/
Sbprogramming2 karma
They look pretty legit though https://datenretter.de/default.htm?language=1
datarecoveryengineer1 karma
I remember seeing this, but I still don't believe it at all. This is just my opinion. I've talked with many experts in the data recovery circle and have yet to hear about a WTC 9/11 recovery from a credible source.
throwawaywayfar1 karma
How can you detect if digital images have been digitally altered (photoshopped)?
By the content of the image, metadata, levels of compression?
As far as I know -which is very little- all of them can be edited.
datarecoveryengineer2 karma
You can check all of that stuff, but standard forensic software would be most useful for proving whether or not an image was edited using a specific machine.
If you're just working from an image and trying to determine whether it was manipulated, you can look at metadata, but that can also be changed. There are some software tools that would give you a more definitive answer by actually analyzing the photo. One cool free one (which we wouldn't use, but it's functional for private use) is FotoForensics. Their white paper is here if you want to read about how it works: http://blackhat.com/presentations/bh-dc-08/Krawetz/Whitepaper/bh-dc-08-krawetz-WP.pdf
I haven't finished this whitepaper but it looks legit. It will give you a fairly thorough overview of the methods used to detect image manipulation.
datarecoveryengineer2 karma
It's a dating website for married people looking to have affairs. Their database was hacked and a bunch of personal information for their users was released to torrent websites.
datarecoveryengineer1 karma
I like the reverse engineering, and how every case is very different. I don't think I could handle a job that was exactly the same every day (no offense to those who do, it's just a different preference). I like storage media technology, so it's cool to have a reason to stay on top of developments in that field.
Also, I think we do some good work, and I like that the company does free work occasionally for worthy causes.
libertus71 karma
Considering doing a computer science degree next year. Would you recommend? How much work outside of an office is there? thanks for the ama!
datarecoveryengineer1 karma
I almost exclusively work from the office, but there are out-of-office cases and court appearances and such. Some forensics specialists spend more time out of office.
A CS degree worked out fine for me, I'd recommend it. Whatever path you take, just be willing to start at a pretty basic/unrelated position and look for opportunities to show off your abilities.
datarecoveryengineer2 karma
Not my department, but I'll ask a mobile recovery engineer and let you know.
decentlyconfused1 karma
In terms of school and work experience, how did you get to the job you were at now?
datarecoveryengineer3 karma
I've been big on computers since my family first got a Macintosh SE. My high school didn't have any real computer stuff (kids have lots more now!), then college with a degree in Computer Science. After that I worked at an unrelated job in the financial industry for a while (the tech bust was a bad time to graduate in CS), but also had independent projects. That's what helped me get my current job where I've had an evolving role building some of our internal systems and tools, helping with tougher data recovery cases, and of course doing computer forensics work. I've been able to learn a lot while working here, both on the job myself and from coworkers.
decentlyconfused1 karma
So a lot of what helped you get the job was more the independent projects than the degree? I've always worried with my CS degree and job choices that I'd be pigeonholing myself.
datarecoveryengineer3 karma
Yes. We wouldn't rule a candidate out just based on his/her degree if we saw decent experience, even at a non-professional level. We've got data recovery engineers with almost completely unrelated degrees (nuclear engineering, for instance).
If you work hard and show an aptitude for this type of stuff, you'll eventually get opportunities.
VoilaVoilaWashington2 karma
We've got data recovery engineers with almost completely unrelated degrees (nuclear engineering, for instance).
"Give us the data or get nuked."
DATA RECOVERED!
datarecoveryengineer8 karma
I asked him once if he could build a nuclear bomb if he had the materials (picture a Russian accent, he's Russian).
"I am thinking yes. Is not difficult."
datarecoveryengineer2 karma
We do sometimes, but I just don't prefer it for my home machine.
datarecoveryengineer3 karma
Depends; for what?
12 characters should probably do it. Make it unpredictable, with a mix of upper and lowercase letters, symbols, and numbers. I'd actually use a random password generator and then memorize the resulting password, because people are awful at making passwords truly random.
Programs like LastPass are really secure and good if you want to have random passwords for individual sites. After all, it's bad form to use the same password for every site, since sites can get hacked (see: Yahoo, Ashley Madison, etc).
Oh, and two-factor authentication is really important. Make sure you enable it whenever/wherever you get the chance.
Edited to make the advice better.
SirHobo941 karma
LastPass = a big No No, putting your passwords on a website that isn't hosted by you. Secure or not is a bad move.
I disagree with the 8-12 characters.
I use KeePass, you can choose how long you want it (always use the maximum chars allowed) and then use the random generator, for example a game I play allows 92 characters with no restrictions on special characters so it has Upper Case, Lower Case, Numbers, Special Chars, Spaces, Standard Symbols etc, it's a 550+ bit password.
It is also unique, therefore if the game I play gets breached then my password isn't used anywhere else, therefore keeping the rest of my accounts secure.
Also if the place you're signing up for allows two/triple factor authentication then set that up immediately.
datarecoveryengineer2 karma
LastPass actually doesn't store your passwords, your passwords are stored locally. With multifactor authentication enabled, I have no problem recommending that service for people who use multiple computers.
However, I agree that KeePass is fundamentally more secure.
ManInAmsterdam1 karma
Thanks for doing this AMA. I have 2 questions:
I have 2 broken portable hard drives from a couple years ago. They both broke and I have very important files on there, but I'm also a poor student. Is there anything I can try to recover the data myself without risking further destruction?
What's the educational background of most computer forensics specialists? What qualifications are important for such a career?
datarecoveryengineer1 karma
Define "broken." What's wrong with them?
I answered this earlier in the thread, but experience/projects are more important than degree choice. Check the other answer for more info!
ManInAmsterdam1 karma
Thank you for your reply :)
With broken I mean, the computer doesn't recognize the hard drives at all. Both of them are portable external hard drives without an external power supply, just mini USB to USB. They are from different manufacturers as well and broke roughly around the same time. They are not damaged from the outside.
datarecoveryengineer2 karma
Hmm.
Most of those externals have internal hard drives that you can remove and read with a standard SATA connection. You could remove them from the enclosures and see if you can get them to read -- be sure to ground yourself before you touch them -- but I'd have to see it to say for sure.
Past that point, it would likely require professional treatment, but I'd need detailed information about the drives (model number, including model/serial of the internal drives, full description of what happens when you plug them in -- do they spin? make sounds? etc.)
Many data recovery companies (including mine) offer free evaluations, so that might be your best bet. If it's something simple it'd be really affordable.
I don't want to be too promotional, but make sure you choose a company with a clean room and free evaluations. You might get lucky, though, it could be a power issue that you can get around by accessing the drives directly.
Fipilele1 karma
Remove them from their caddies and get the hard drive out. Find another hard drive caddy such as an Icy Box one. See if the drive is then seen, when it is not in its original caddy.
datarecoveryengineer1 karma
Honestly, I'd just skip the caddy altogether and hook the drive up directly to the computer. That removes the possibility that the computer's USB port could be the problem.
hmmpepsi1 karma
So why haven't the feds contacted you to help them with Hillary Clinton's and the IRS servers?
datarecoveryengineer2 karma
We'd certainly help if they'd want it. The FBI has their own forensics team, though, so they probably wouldn't want to outsource. We do have a GSA number, though, so we can work with the government.
ZZZlist1 karma
Did you have an Ashley Madison account? If yes, did you ever score with any sexy adulterers?
QuestionsAre1 karma
Say someone took a screenshot of an important password. Then he securely wants to delete that screenshot (for example a .jpg or .PNG file). That person thinks he is extra clever and careful and before running a "secure deletion" program (overwriting the file multiple times with random data) he does the following: Open the .jpg with a text editor (then you see all the seemingly random letters, numbers and symbols that "make the jpg"). He deletes all that (or part of it) and writes in some random letters and saves the file. Afterwards the .jpg can't be read any more by an image viewer. Only THEN does he run the secure deletion program. Is that more secure or less secure? Does the computer write the changed .jpg file on a completely different position on the hard drive or on the same? Hope you know what I mean?
QuestionsAre2 karma
(Also before running the secure deletion program he sometimes changes the .jpg to a .txt or some other extension. I guess this very action doesn't actually make the whole process any more secure or less secure, since you are not actually changing the file, just the extension/association?)
P.S.: What are the most trustworthy secure deletion programs recommended by experts (Sorted by trustworthiness, no backdoors etc... e.g. sending every to be deleted file to the NSA or some sketchy developer first.) Probably most American secure deletion software have some required backdoor by the NSA?! Probably the same for Britain, Australia, Russia, China and of course N-Korea?! Thank you very much for this AmA!!
datarecoveryengineer1 karma
I wish I could recommend one, but we focus on wiping a drive after it's been used. Relying on file deletion is risky, since multiple copies could be hiding on your HDD somewhere.
datarecoveryengineer1 karma
I think I know what you mean. He is probably not affecting the image itself, and the content of the jpg might be viewed in another program, or by repairing the header of the jpg file. There is too much compressed data within a jpg picture to manually erase it, unless you have a good hex editor and a lot of time to waste. Hopefully I understood that question correctly.
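As an added illustration of the header-repair point in the answer above (not code from the AMA or from datarecovery.com): this Python sketch builds a constructed JPEG-structured byte string, overwrites its first 20 bytes in place as a stand-in for the text-editor edit, then shows that the table and scan segments are still found and that a generic JFIF header makes the file whole again. All function names, the in-place edit model and the sample bytes are assumptions made for the example.

```python
import struct

# Constructed sample data throughout; names here are illustrative, not from any tool.
MARKERS = {0xDB: "DQT", 0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS"}

def segment(marker, payload):
    """FF, marker byte, 2-byte big-endian length (counts itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# SOI plus a typical APP0/JFIF segment: 20 bytes in total.
GENERIC_HEADER = b"\xFF\xD8" + segment(
    0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")

def build_sample_jpeg():
    """JPEG-structured bytes (constructed; not a decodable picture)."""
    scan_data = bytes(range(1, 201))  # stand-in for entropy-coded pixel data
    return (GENERIC_HEADER
            + segment(0xDB, bytes(65))                                # quantization table
            + segment(0xC0, bytes([8, 0, 16, 0, 16, 1, 1, 0x11, 0]))  # frame header
            + segment(0xC4, bytes(20))                                # Huffman table
            + segment(0xDA, bytes([1, 1, 0, 0, 63, 0]))               # start of scan
            + scan_data + b"\xFF\xD9")                                # EOI

def scribble_header(data, text=b"asdf random letters!"):
    """Assumed model of the text-editor edit: first bytes replaced in place."""
    return text + data[len(text):]

def looks_like_jpeg(data):
    """The magic-number check a viewer makes; the file extension plays no part."""
    return data[:2] == b"\xFF\xD8"

def surviving_segments(data):
    """Scan the whole buffer for known markers with a plausible length field."""
    found, i = [], 0
    while i + 4 <= len(data):
        if data[i] == 0xFF and data[i + 1] in MARKERS:
            (length,) = struct.unpack(">H", data[i + 2:i + 4])
            if length >= 2 and i + 2 + length <= len(data):
                found.append((MARKERS[data[i + 1]], i))
                i += 2 + length
                continue
        i += 1
    return found

def repair_header(data):
    """Put a generic header in front of the first surviving segment, if any."""
    segs = surviving_segments(data)
    return GENERIC_HEADER + data[segs[0][1]:] if segs else None
```

Renaming the file to .txt changes none of these results, because nothing in the checks reads the file name.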
SmartAlice0 karma
Question??? This guy got fired because he made a video on the technical implications of Hillary's email situation for YouTube. Did he really do anything wrong? Here's the link to the video (and link to his thread)
https://www.reddit.com/r/tifu/comments/3h9vp8/tifu_by_getting_fired_for_pissing_off_hillary/
datarecoveryengineer1 karma
I can't really say -- where did he work? Why did they tell him he was fired?
venmpwr32 karma
Let's say I was the secretary of state and I wanted you to drop by the house to dest..wipe my personal server (not with a cloth). Would you put your neck out for that?