The Good News for Newtown Investigators: Destroying Hard Drives is Harder than You Think

Posted by: Paul Roberts   December 18, 2012 18:03   1 comment

Adam Lanza knew what he was doing. The 20-year-old man, who has been named as the killer of 27 people, including 20 children, six elementary school staff members and his own mother, deliberately destroyed the hard drives to personal computers he used before leaving his home to launch his attack on the Sandy Hook Elementary School in Newtown, Connecticut. The hard drives are believed to contain valuable clues to Lanza’s online activities and could help establish a motive for the otherwise senseless crime.

Opened hard drive disk

According to reports from various news outlets, Lanza removed the hard drives and “smashed” them using what’s described as a hammer or possibly a screw driver. The drives are described as “broken into pieces.” A report on CBS quoted an unnamed source that was “working with the drives” as saying that they were “so badly damaged that authorities face a significant challenge in retrieving any data from them about Adam Lanza.” The drives have been turned over from the Connecticut State Police to the FBI to see if any data can be recovered from them.

But experts in data recovery said that data can be recovered even from grievously damaged drives, depending on how they were damaged. Even smashing the drive with a hammer or other heavy object could leave the data intact, said Alfred Demirjian, the CEO of data recovery firm Techfusion in Cambridge, Massachusetts.

“Even if he took a hammer to it, but didn’t open the case up, it’s most likely that the plates aren’t damaged, but not shattered, and that the data is recoverable,” he said.

Hard disk drives store information on a thin layer of magnetic recording material that coats hard disks – or “platters” – located within the drive, Demirjian explained. Those drives are usually made of ceramic or an aluminum alloy. Smashing the drive itself typically only dents or scratches the platters, rendering the drive inoperable but leaving the data mostly intact.

To really erase data, you have to remove that chemical coating from the platters, which requires the assailant to take the drive case apart. Even then, most hard drives contain multiple platters, and data is written across them. That means that data destroyed on one platter may be reconstructed by looking at the adjacent data stored on other platters. Asked about drives that have had nails driven through them, Demirjian said that his company – which has worked with the U.S. military and law enforcement on data recovery – can usually get data off of them.

The challenge, he said, is when the platters have been methodically scraped, removing the magnetic coating from the disk. “Those chemicals are what hold the charges that translate into data. If that chemical is gone, your data is gone,” he said.

How successful Lanza was might depend on how much time he took to destroy the drives prior to carrying out the massacre that ended with his suicide. Trying to hastily destroy a hard disk drive inevitably results in incomplete destruction of the data. As proof, a presentation at DEFCON 19 in 2011 on “Emergency Data Destruction” had three security researchers trying to destroy a hard disk drive in less than a minute using power tools, acids and other means available to average consumers.

Most of what they tried didn’t fare well. Most hard disk drives are aluminum – but it’s hard to know what kind of platters any specific drive uses. “Hard drive manufacturers aren’t really transparent in telling you what is in hard drives,” said researcher Bruce Potter. Even then, drive cases are “extraordinarily resilient” while “woodworking tools don’t fare well on metal,” Potter said.

The best approach, said researcher Bruce Potter, was to physically remove the platters and heat them using a propane blowtorch. That means heating the drive up to the “Curie point” for the plating on the drives (around 800 C for the plating used in the drives in the demonstration). At that point, magnetic material becomes non-magnetic, and the data is gone.

None of which means that Lanza – by all reports an intelligent and tech-savvy young man – wasn’t able to damage his drives sufficiently to make their data unrecoverable. Investigators also have a cell phone and video game consoles to work with. They’re also reaching out to the ISPs and carriers that Lanza and his mother used to try to recover any data trail lurking in the cloud.

And, of course, recovering the data won’t bring back the lives of the children who were murdered or their brave teachers and guardians. Still – there’s some hope that forensics experts will be able to wrest the reclusive killer’s story from the technology he lived for and maybe help the devastated parents and the Newtown community understand the killer’s thinking and motives.

Everyone’s up for that challenge, it seems. Demirjian of Tech Fusion said his firm has reached out to Connecticut’s governor to offer their support and would happily work for free to help recover data from Lanza’s drives, if asked.

  • DME

    Tech Fusion is not a reputable company.
