Data Recovery after a Dell Factory Restore

MyLowBandwidth

In a related post from me relating to the theft of data off my external hard disk by my previous employer (http://mybroadband.co.za/vb/showthr...-email-backup-off-external-personal-hard-disk)
I have since come to learn that the employer is claiming to have recovered the data from my company laptop after I had performed a Dell Factory Restore. They are claiming that they were able to retrieve an 8GB file which was a PST backup of my Gmail history. I would occasionally connect Gmail to Outlook and then make a backup and archive this backup on my external hard drive. It makes no difference to the case, it's still data theft and unauthorised access to data, but this claim from them would have mammoth implications for Dell.

If you sell your Dell laptop after you have performed a Dell factory restore, the new buyer can access all your data, is essentially what they are saying.

I researched the Dell system and factory restore process thoroughly and it appeared, from forums on Tom's Hardware (will add link as soon as I find it), that it was impossible because the Dell process includes a full disk write process as well as a disk format and finally, it writes an image to disk.

Does anyone know anyone with serious expertise in the field of data recovery, more specifically in the field of Dell system restore processes?

I may need you as a witness in a civil and criminal matter that is currently ongoing.
 
It is unlikely, but not impossible. Though it would cost a fortune..

If that is what they claim, they either need to provide the invoice or describe the work done. If they followed the correct steps, it can be verified.

Have a chat to south bit here and he will be able to enlighten you regarding all the fine detail...
 
Doable but not exactly worth the effort and expense - usually

While a Full Wipe does cover you somewhat (as opposed to a quick format/delete), zeroing out the drives repeatedly is the only way to more permanently remove data traces.

If memory serves, the DoD standards doc for securely wiping data says you have to zero out a drive 7 times for it to be up to scratch and irrecoverable.
 
Hi Mylowbandwidth,
I read this and the other post. Putting aside the legal issue for now.
If you just deleted the files then recovering them is pretty easy to do and I am sure that at the end of the day Dell will have covered that in their license agreement.
So you may be in a situation where your previous employer has access to your personal mail. I think the link you put up had enough comments on that and I trust that you have seen a lawyer. I would recommend anyone reading this who has not read the other link do so.
So let us look at the challenge. I want to make sure that if I have had files on my computer that I can make data recovery extremely difficult.
I did some research on erasing data and came up with this article. Basically it is saying you may only need to do a one-pass format to erase the data. For older disks you may need to do more.
Now zeroing out without doing a format is not easily done but maybe someone would like to comment on the effect that defragmenting a disk would have. In going through a defrag it does move and re-write data all over the disk, and that should make data recovery when you have just deleted a file more difficult as the sectors will no longer be in the same location.
Another simple suggestion would be to fill up the drive. Create a directory and start to copy files into it even from the same disk. This is going to overwrite the free sectors and you keep doing it until the disk is full. Make sure though that the data you copy in there is not of a sensitive nature or against your company policy. Once the disk is full delete the folder.

regards

Tim
 
Now zeroing out without doing a format is not easily done but maybe someone would like to comment on the effect that defragmenting a disk would have. In going through a defrag it does move and re-write data all over the disk, and that should make data recovery when you have just deleted a file more difficult as the sectors will no longer be in the same location.

Another simple suggestion would be to fill up the drive. Create a directory and start to copy files into it even from the same disk. This is going to overwrite the free sectors and you keep doing it until the disk is full. Make sure though that the data you copy in there is not of a sensitive nature or against your company policy. Once the disk is full delete the folder.

Defragging is not a sure bet as it might not overwrite all areas of the disk. What you deleted could have been sitting at the 'end' of the disk and when you defragged stuff at the beginning was overwritten leaving the deleted 'space' towards the end untouched.

Filling up the drive with arb data would overwrite the sectors where the deleted data was stored but this takes long.

The fastest way to zero a drive is by using its built-in 'secure erase' ATA command function. Most modern drives have this function and it's done by the drive's onboard controller and not your OS; while you do this you will be completely locked out of the drive.

There is a DOS utility called HDDErase that essentially gives you access to the drive's onboard ATA secure erase facility; you can download it here: http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

You can also do this from Linux using the hdparm command, so if you have a Linux live CD then you can follow these instructions,
https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

There is no faster way of erasing a drive than the above method except hitting it with a 10lb hammer or using a stick of dynamite on it.

When you do the above use a simple password like 1234 and REMOVE it afterwards!!!

Those stories of having to do 4 passes etc. are BS, no one has recovered data from a single pass erase before and even if it were possible (rumoured electron scanning microscope) it will take a lifetime and cost more money than the budget of a 3rd world country.

If you only want to zero unused space (deleted space) that's also possible using dd in Linux; you can overwrite unused space with zeros in a currently used partition or you can zero an entire partition leaving just the recovery partition untouched. Personally I think it's easier just to image the recovery partition to external drive or USB stick, secure erase the entire drive and afterwards image the recovery partition back to the drive.

EDIT: You can also run the latest hdparm under Cygwin in Windows; the 6.9 Windows binary is buggy so don't use that one.
 
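An added example for the hdparm route described in the post above (not code from the thread or from the hdparm project): it reads the Security section of `hdparm -I` output and prints the set-password and erase commands only when the drive reports supported, not enabled, not locked and not frozen. The function names, the sample identify output and /dev/sdX are constructed for illustration; the password 1234 is the one suggested in the post.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for ATA Secure Erase.

# Classify the "Security:" section of `hdparm -I` output read from stdin.
erase_readiness() {
    awk '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }        # a new top-level section ends it
        insec {
            neg  = ($1 == "not")                # flags are negated by a leading "not"
            flag = neg ? $2 : $1
            if (flag == "supported") supported = !neg
            if (flag == "enabled")   enabled   = !neg
            if (flag == "locked")    locked    = !neg
            if (flag == "frozen")    frozen    = !neg
        }
        END {
            if (!supported)   print "unsupported"
            else if (frozen)  print "frozen"
            else if (locked)  print "locked"
            else if (enabled) print "password-set"
            else              print "ready"
        }'
}

# Dry run: print the commands for device $1, or refuse. Identify output on stdin.
erase_plan() {
    dev=$1 pass=${2:-1234}
    state=$(erase_readiness)
    if [ "$state" != ready ]; then
        echo "refuse: $dev is $state"
        return 1
    fi
    echo "hdparm --user-master u --security-set-pass $pass $dev"
    echo "hdparm --user-master u --security-erase $pass $dev"
    echo "hdparm -I $dev   # expect 'not enabled'; else: hdparm --user-master u --security-disable $pass $dev"
}

# Constructed sample of `hdparm -I` output; $1 is "frozen" or "not frozen".
sample_identify() {
    printf 'ATA device, with non-removable media\nSecurity:\n'
    printf '\tMaster password revision code = 65534\n\t\tsupported\n'
    printf '\tnot\tenabled\n\tnot\tlocked\n\t%s\n' "$1"
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf 'Logical Unit WWN Device Identifier: (constructed)\n'
}

sample_identify "not frozen" | erase_plan /dev/sdX
sample_identify "frozen" | erase_plan /dev/sdX || true
```

On a real system the input would be `hdparm -I /dev/sdX | erase_plan /dev/sdX`, with the device name checked carefully since the erase is irreversible.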
Thanks guys. Much appreciated.

This matter is still going to get a lot more interesting. Hawks are investigating. It's a criminal case now.
 
Ponder, I agree with you if you want to zero the drive but MyLowBandwidth wanted to keep his personal data on the external.

MyLowBandwidth I wish you well with the case.

Regards

Tim
 
Restore disks use the quick format and erase function as opposed to a low-level format, which takes ages. I can easily recover data off a HDD reformatted once or even twice with freely available software. If they were able to retrieve an 8GB PST file, it's bound to be fragmented and buggered up anyway following the first format and a few defrags. You'd still be able to get e-mails out of there, but some will have missing headers while others might lack attachments. Either way, factory restores don't erase data properly - for that, I use Recuva's secure format option, which erases and formats the drive 27 different times in different ways to make full recovery almost impossible.
 
Ponder, I agree with you if you want to zero the drive but MyLowBandwidth wanted to keep his personal data on the external.

This post is related to the company laptop and NOT his external hard drive.
I have since come to learn that the employer is claiming to have recovered the data from my company laptop after I had performed a Dell Factory Restore.

You could also just zero the unused space using dd without wiping the rest of your data even though it lives on the same partition/drive.
 
May I ask what type of company this was, bank or law firm maybe? Can't imagine many would go through all this trouble...
 
May I ask what type of company this was, bank or law firm maybe? Can't imagine many would go through all this trouble...

What trouble? Sending a drive off for data recovery in this scenario (where it's not damaged & just formatted) is cheap, you're looking at a 2-3 day turnaround time if using couriers.
 