Topic: Eraser

Offline Mayhoff

Eraser
« on: December 24, 2009, 07:43:24 PM »
I have been using Eraser http://eraser.heidi.ie/ for a while now but have yet to find a lot of test data proving it works. Do you guys trust this software to do the job when put up against EnCase and other professional tools?

Offline Maxxx

Re: Eraser
« Reply #1 on: December 30, 2009, 03:11:26 AM »
From my testing Eraser works great. I actually did some testing with it in this article:
http://www.anti-forensics.com/how-to-delete-google-history-google-chrome-artifacts-and-google-chrome-history

It cleaned up what CCleaner missed, which I was really surprised about.

Offline dataeliminator

Re: Eraser
« Reply #2 on: December 30, 2009, 07:19:41 PM »
I would be very concerned with any software wipe. If you have secrets that are important to you or your company, don't trust commercial software. The key word is software. SecureErase, the most comprehensive wipe system, is not approved by NSA for disposal of top secret data. You may wipe data from certain parts of the hard drive but there may be other back-up areas triggered by cache or other memory attached to the operation of the hard drive (Do you have the ability to own and operate an MFM and verify every cluster?). There are bad clusters with info on them that won't be over-written but can be analyzed. With wiping, I think that people make themselves feel better because they can verify the wipe with commercially available software, but there could be data saved somewhere that will light them up. Encryption makes things difficult but not impossible. Even if you take out the read/write head and scratch or drill holes in the disk, they will still get your info. We have the Chinese and Russians to thank for that.

The best way to get rid of unwanted data is to degauss and then destroy. Buy hard drives like you buy stacks of DVDs and just consume them. If you're paranoid, run a 1 TB hard drive inside a small pulse degausser and hit the button if you feel insecure. Complete unrecoverable elimination in a few seconds. Degaussers are not as expensive as they were. Do a search on the internet. There are companies that degauss on site. Never trust software.

Offline Maxxx

Re: Eraser
« Reply #3 on: January 08, 2010, 09:04:56 AM »
While a lot of that is true dataeliminator, the testing which has recently been done with MFM on modern hard drives has shown that the chances of successfully determining the previous value of a bit that has been changed because of disk wiping or simple overwriting were worse than guessing heads or tails on a coin toss.

I wish I had the equipment to actually do the testing to back this up but at the end of this article I did add reputable sources for MFM and even ol' Gutmann (35 pass guy) and his new comments on modern hard drives: http://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots

You do bring up some extremely important information that I did not even address though. Mainly on what other areas of the drive may be hiding evidence. Such as cache files created by Windows. Now if you're just wiping unallocated or free space on a hard drive after browsing for porn on the Internet and not bothering to wipe these file caches (index.dat files and temporary Internet directory with IE) then the evidence will still remain as it is sitting in active files which were not part of the unallocated or free space wipe.

Also, your point on bad sectors. I believe that on modern hard drives, the determination for whether or not a sector is bad is stored somewhere in memory on the circuit board.

So for example if you've Internet cache/history that happened to be located in sectors that were later marked bad, someone may be able to swap the printed circuit board with a new working one and now read and extract data from these bad sectors. There may be other devices or software that can circumvent that as well without having to swap the board, I don't know.

The point is though, like you said, that there may be data that a software wipe will miss because it did not bother writing to these "bad sectors". Still, a sector usually consists of 512 bytes, which is really not a lot. So unless you've a lot of bad sectors and they just happen to store incriminating evidence (or your top secret files =P), then a forensic examiner will most likely end up finding meaningless and random data from these sectors anyways.

I should have mentioned that in the article where I performed the testing, CCleaner was set to do a single pass wipe over Internet cache and many other caches and logs. Now this should have deleted my search history entirely. However, CCleaner neglected to actually perform the 1 pass overwrite. It merely deleted the file. I also set CCleaner to perform a full single pass wipe of unallocated file space and it still did not overwrite this data again. This means that the software is not operating as advertised or there was some fluke or bug that occurred during the wiping process. I don't think it was a user configuration error on my end as I actually took screenshots of everything and the software was set to do a single pass wipe. If it had performed the single pass wipe, I would not have found the history of those searches again.

Now, afterwards I ran a task with the Eraser software to do a single pass wipe over unallocated (free space) file space which did eliminate the deleted cache entirely because it had been deleted by CCleaner, but not overwritten as it should have been.

If you are extremely paranoid and have the cash to throw around, you should do what dataeliminator is suggesting, by completely destroying the physical media entirely. I personally think it is overkill as I work with hundreds, maybe even thousands of hard drives every year that have been wiped or are going to be wiped, with a simple single pass wipe from software. The fancy forensic software that the FBI and all the other alphabet agencies are using is the same as all the private forensic firms. Most of the time it is either FTK by AccessData or EnCase by Guidance Software.

These federal labs at this point barely have time to wipe their ass. I apologize if any feds are reading this, but many times they do a real half-ass job on forensic examinations because they've so much work piled up they can't afford to spend too much time on a single case. I notice that if a federal lab is under a lot of stress and work load they are usually using FTK. Then there are usually 2 or 3 people who handle the work-load. Maybe one guy or more is acquiring the digital media (hard drives, cameras, Xboxes, you name it) and a guy back at the lab indexes the media and writes down all of the case facts and catalogs everything (the real exciting job). Then the next guy examines all of the file sharing software, Internet history, etc. (all depends on the type of case and the type of digital media) and then a third may generate a report with notes from the others. I mean it's scary in a way at how things are rushed through the system sometimes. It makes me wonder how many innocent people are in federal prisons around the US.

I'm not saying that's how it always is, there are agents out there who know what they're doing of course and ones who care about their job and whether the person they're investigating may be innocent.

Anyways, if you perform a simple, single pass write over every bit on every sector of every cluster of a hard disk or other physical and writable media, the data that was previously there is destroyed. All of those 1's and 0's will be changed as they are overwritten depending on your wipe pattern. A random single pass wipe will randomly write 1's and 0's over previous 1's and 0's and then the most popular is to just write bit value zero to the drive.

This is a great test that can easily be performed if you have a spare hard drive:

1. Use wiping software to perform a full disk wipe (single pass - all zeros) over a hard drive.
http://hddguru.com/content/en/software/2006.04.13-HDD-Wipe-Tool/

2. Use a hex editor that can view a physical disk to access the drive and see what data is left. If the software you used did actually perform a full disk wipe (single pass - all zeros) you will see that every bit on the drive is now a "0". All of the previous data is now destroyed.
http://mh-nexus.de/en/hxd/
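The two-step test above (one pass of zeros, then a byte-by-byte check that nothing but 0x00 reads back) as an added example; this is not code from the thread or from any tool it names. It runs against a constructed image file standing in for the spare drive, and the planted "SEARCH HISTORY" marker is made up.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB blocks, like a hex editor paging through a raw disk

def zero_wipe(path: str) -> int:
    """Step 1: single pass, overwrite every byte of the image with 0x00 in place.
    Returns the byte count written; the file size is unchanged."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(b"\x00" * n)
            written += n
        f.flush()
        os.fsync(f.fileno())  # make sure the zeros actually reach the media
    return written

def first_nonzero_offset(path: str):
    """Step 2: scan the whole image and return the offset of the first byte
    that is not 0x00, or None if the wipe really covered everything."""
    offset = 0
    with open(path, "rb") as f:
        while block := f.read(CHUNK):
            if block.count(0) != len(block):  # skip all-zero blocks quickly
                return offset + next(i for i, b in enumerate(block) if b)
            offset += len(block)
    return None

def make_sample_image(size: int = 3 * CHUNK + 123) -> str:
    """Constructed stand-in for a spare drive: random 'old data' plus a
    recognisable marker in the last 512-byte sector. Returns the path."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size - 512))
        f.write(b"SEARCH HISTORY: example.invalid".ljust(512, b"\x00"))
    return path

def run_test() -> dict:
    """Wipe the sample image and verify; returns what each step observed."""
    path = make_sample_image()
    try:
        before = first_nonzero_offset(path)
        written = zero_wipe(path)
        after = first_nonzero_offset(path)
    finally:
        os.remove(path)
    return {"before": before, "written": written, "after": after}
```

Pointing `zero_wipe` at a real device path would overwrite that device, so the example only ever touches the temporary image it creates itself.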

Offline Mayhoff

Re: Eraser
« Reply #4 on: January 15, 2010, 02:48:49 AM »
Wow- Thanks guys for the great responses. I am still having trouble believing in Eraser. I run free space wipes and after they complete I am able to use just a quick scan with freeware Recuva and 100's of files show up as recoverable. I don't understand what might be causing this. I will keep working with it and let you know how things go. I am however using the beta stable release 6 which might not be up to speed yet.

Yar- Can't wait till the next post. I have read all your topics on security and found them to be very informative. Thanks again for taking the time to maintain the site.  :D


Offline Maxxx

Re: Eraser
« Reply #5 on: January 16, 2010, 08:10:09 AM »
Thank you for the support Mayhoff.

That's not cool with Eraser though. I've tested it successfully but maybe there is another element in your setup which is causing this. Can you give some more info on your setup? Maybe multiple partitions on multiple hard drives or something? I'd like to try and replicate the issue if possible since Eraser is fairly popular.

Offline Mayhoff

Re: Eraser
« Reply #6 on: January 17, 2010, 10:31:53 PM »
Sure-

I am using a single 1 TB WD drive with only a single partition. I am running Eraser 6.06.1376 (Built Dec 15, 2009) with Windows 7 64 bit as my only operating system. I did notice that Eraser installed as the 64 bit version automatically. The only tool I have been using to verify that the drive is wiped is Recuva (kinda new to all of this so not sure if there are other tools to use).

Eraser Settings

Single Pass Pseudorandom Data

Randomness data source- RNGCryptoServiceProvider

Force locked files to be unlocked for erasure is checked.

Steps I use to Wipe Unused Drive Space

1. Run Eraser as Admin (It fails if I just run it standard)

2. Select my main drive (C:)

3. Wait.....it usually runs three or four hours on my current drive.

4. Open Recuva to scan drive in normal mode- and I always see files that are listed as recoverable.

Any advice you have is appreciated. Thanks!

Offline Mayhoff

Re: Eraser
« Reply #7 on: January 17, 2010, 10:36:28 PM »
Here is a screenshot of my Eraser settings:


Offline Puff

Re: Eraser
« Reply #8 on: May 14, 2010, 03:23:31 AM »
I use software wipers when I want to wipe a particular file or free space. When clearing the entire drive, I use Wiebetech's eRazer.

Offline Mayhoff

Re: Eraser
« Reply #9 on: June 15, 2010, 01:18:33 AM »
Thanks for the tip I will check out the software.