This could be important in determining the timeline of events; to see if the physical state of the drives match up with the data on the machines. Hard drives degrade over time naturally. They lose their charge or otherwise break down over time. I'm thinking if you looked really closely (like down to the molecular level) you could tell if the data was written on election night or if it was written over with falsified data.
You can not do this with an image copy of the original drives.
Technically, if you're looking for data, the original drives will be evidence. If you just dig through them you're altering the evidence and a defense attorney will have a field day. The correct way to do it is to make a forensic image of the drive and use that. This way your evidence doesn't get messed up (time stamps, etc). If it's imaged properly it is fine. I used to work with forensic computers.
An image can't copy magnetic hysteresis though, which is what I think OP is referring to.
In layman's terms, if you overwrite a hard drive's data in order to "erase" it, you can still measure traces of the old data. At the very least, you can show that the data was altered, but in some cases you can recover the old data.
What I'm saying though is the accepted method for examining a hard drive, forensically, is to create a forensic image of the drive and examine that. You never examine the actual drive directly as it alters the evidence. It's quite easy to obtain deleted data off of a forensic image of a drive. I've done it a lot. Maybe I'm not understanding what he was saying though.
Yeah, this person clearly didn't do forensics or eDiscovery themselves.
Why do people think they know more than people that did or do this for a living?
When data is typically deleted, those sectors on the hard drive are marked as being available and able to be written to. You can recover as much deleted data as you want as long as it hasn't be written over yet.
If a bad actor wanted to change/modify data to hide their bad acting, they would use bleach bit or some similar program that would flip all the bits on the hard drive 7+ times, making your highly experimental and not court-submissable method of checking for magnetic hysteresis rendered useless
but but but electron microscopes
I saw on TV...
You think they're going to bleach bit 30,000 machines? Is magnetic hysteresis data recovery just not feasible? I figure if there were even a slim chance of it being helpful, it would be worth doing to a few hard drives.
I guess it's a moot point if they use SSD or flash storage.
No, I don't, nor did I say that.
Not likely feasible at all and it's not admissable in court. Some random poster mentioned it just to sound smart.
Disagree. It's not worth it at all. Why would someone go out of their way to delete data in a way that MIGHT be ONLY recoverable using magnetic hysteresis but not use a bit flipping software like bleach bit? Makes zero sense.