PPRuNe Forums - View Single Post - Malaysian Airlines MH370 contact lost
Old 25th Mar 2014, 22:58
#8080
lynw
Join Date: Mar 2007
Location: Kent
Posts: 10
@nupogodi

As a forensics professional, you are aware that magnetic force microscopy has never been used to recover data off once-overwritten magnetic media. I assume you are also aware of the 2006 NIST Special Publication which stated that using magnetic force microscopy to recover data from magnetic media of any considerable density is impossible. Since you would know all this, I wonder why you would make such a statement.

It is also irrelevant since the CVR/FDR would not be recording to magnetic tape on the accident aircraft.
There is a world of difference between being technically possible and realistically achievable, hence my rather tongue-in-cheek comment about not coming to a PC World near you anytime soon.

Without wishing to don a tin foil hat (the world must be running short of tinfoil by now if this thread is anything to go by), consider this. The DSS sanitisation processes for hard disks require the devices to be either degaussed (complete magnetic wipe to the point the drive becomes effectively unusable) or destroyed. One wipe cleans the drive but does not sanitise the drive, which is interesting if NIST insist this recovery is impossible and one wipe sufficient... suggests to me that not everyone is buying into that being an absolute fact.

Although, even if you did get a mapping of the magnetic patterns, you are a long, long way from reconstructing that to meaningful data. While it may be possible, the reality is that it's very unlikely anyone actually will do this. In my experience the biggest things to worry about in computer forensic examinations are encryption and dealing with what you do find and making sure you do interpret that properly.

@Coastalpilot:
Since the FBI has had the Capt's computers almost a week, I wonder if the lack of information relative to them is meaningful. Seems to me that if they had found anything of consequence we would have heard of it by now. Further, it seems to me that they would have found anything incriminating by now if it were there. Does that make sense? I'm not a computer guy.
I did read this on CNN about their examination of the data:
Indications files deleted closer to final Malaysian Airline flight - CNN.com

The article suggests that on the 22nd the FBI examiners were just days into the examination of what they call a large volume of data. Depending on how much data they have, it can take a while to investigate all of it. It is not uncommon for forensic investigations to take weeks if there is a considerable amount of data, so no response so far is not really conclusive of anything, and examiners will generally want to examine in full before drawing any conclusions.

What I would be prioritising is retrieving deleted files and seeing if I could run those files in the simulator. This does also assume nothing's encrypted and password protected... if there are passwords/encryption, then this data could take many months to restore and examine.

Interestingly, there is a suggestion that the Malaysians may have messed up this part of the investigation. Firstly, they waited 6 days before searching the pilot's home, which would have allowed someone time to amend data on that. While they have strict laws on probable cause, the time delay would be of concern about tampering.

Also there seems to be some question about how they searched and seized - the whole CSI/Hollywood scenario of walk in, switch computer on, start typing on the keyboard looking for things springs to mind. If someone has hinted to CNN that they have concerns that the evidence wasn't secured immediately, there will be concerns about the integrity of the evidence, and that not securing it could have altered, deleted or added data, which taints the whole process and casts doubt on any results they find.

What becomes more confusing is that 3 days ago, when CNN were stating FBI experts were just days into the examination, this was stating with certainty there was no evidence on the computers:
Malaysia Airlines flight: investigators find nothing suspicious in pilot's flight simulator

The question then becomes the sources of these - is one based on an examination by Malaysian forensic examiners or from the FBI? Even this becomes a mess to determine reliable sources. It would seem rather odd for the Malaysian examiners to state that there was nothing suspicious if they hadn't examined all the data and then send the drive off to the FBI for retrieval of the deleted data. But I doubt the FBI would issue such a conclusive statement this early on in the examination if they haven't examined all the data yet.