2

Mentioned here: https://discussions.apple.com/docs/DOC-5521

I was just curious if this would really work. It makes sense to me. As long as they don't do reverse forensics on the bits on the hard drive... But does that happen often?

  • Theoretically, yes, but why go to that trouble when you can use the TRIM command to securely erase? – timuzhti Sep 19 '15 at 06:24
  • 2
    what happens if the drive implements deduplication... ? – Richie Frame Sep 19 '15 at 07:27
  • 2
    First, a **theory** won't wipe anything. Second, this method is not guaranteed to work. Ergo, it is snake oil waiting to happen. – Deer Hunter Sep 19 '15 at 07:42
  • @Alpha3031 Are you sure that the [TRIM command](https://en.wikipedia.org/wiki/Trim_(computing)) securely deletes data? I think it just manages free space and not secure erasing. – Neil Smithline Sep 19 '15 at 22:38
  • 1
    The author doesn't even seem convinced it will work: `don't bet your life on it.` and `I haven't tested this method`. It seems more a pipe dream than a strategy. – Neil Smithline Sep 19 '15 at 22:42
  • @NeilSmithline It's rather confusing, but that's what the TRIM command does, from Wikipedia: "Trim irreversibly deletes from the SSD the data Trim affects." There's also the ATA Secure Erase, but I'm not sure what it does, exactly. – timuzhti Sep 20 '15 at 00:17
  • Yes @Alpha3031. You're right per http://techgage.com/article/too_trim_when_ssd_data_recovery_is_impossible/ – Neil Smithline Sep 20 '15 at 00:34
  • possible duplicate of [Is it enough to only wipe a flash drive once?](http://security.stackexchange.com/questions/5662/is-it-enough-to-only-wipe-a-flash-drive-once) – timuzhti Sep 20 '15 at 00:36
  • 3
    possible duplicate of [How can I reliably erase all information on a hard drive?](http://security.stackexchange.com/questions/5749/how-can-i-reliably-erase-all-information-on-a-hard-drive); the answers provided there seem to answer this question as well (i.e. why the method described by the OP shouldn't be trusted), and the question itself links to [another thread](http://security.stackexchange.com/q/5662/32746) discussing how rewriting disk content could negatively impact SSD drives (i.e. why the method described by the OP should actually harm the disk). – WhiteWinterWolf Sep 20 '15 at 08:56

1 Answer

1

Not necessarily.

  1. If there is some data deduplication mechanism in the disk - even if it is only a side effect of its wear leveling mechanism - then your data multiplication will result in the low-level overwrite of only a small part of the disk, and not the whole of it.
  2. If your file size is smaller than, or isn't an exact multiple of, the page size of your CPU architecture or the physical sector size of your disk, then the last part of the files may be left without being overwritten.
  3. Even if you fill all of the allocatable space in your filesystem with files, there may be blocks in the filesystem - directory entry tables, i-node tables, MFT, file metadata, cache/index data, any reserved data area - which won't be overwritten.
  4. Also, the wear leveling mechanism can have a hidden reserved area for free / unused blocks.
  5. Simply trimming (de-allocating the block on the hardware level) doesn't necessarily destroy all of its data. In many cases it only tells the wear leveling mechanism that it can re-use the block, and doesn't overwrite anything. Thus, blocks that were not overwritten may still remain intact, even after a block-level rewrite with random data (the idea they suggest is much weaker than this).

In the case of the Apple site, the probable reason they suggest a lot of small files is that they are afraid of filling the disk with a single large one. But if you want to make sure without a block-level overwrite, this is what you have to do. On any Unix system, incl. OS X, there is the dd command for that, but there are also a lot of disk wiping tools for that.

In the case of an SSD: the disk sectors of an SSD can be overwritten only 10000 - 100000 times; after that they will die. The SSD's controlling electronics have an internal reindexing mechanism to balance this load (some sectors are overwritten many times, and these are re-mapped across the disk sectors). This is wear leveling, and it will be overloaded if you overwrite the whole disk with random data at the sector level. Essentially, all of your data blocks get a single hit of overwriting. But whole-drive wiping is not an everyday thing in the life of an SSD; doing this once does negligible harm, but it is better to know.

You can find some relatively sure ways to wipe the disk here.

In my opinion, a common "mortal" never meets technologies or organizations capable of and willing to use such low-level data recovery techniques. Thus, the many questions circulating about this are grounded mainly in a serious overestimation of the real threats.

For example, if you are a commoner trying to wipe a hard disk before selling it, a simple reformat will be enough. If it contains very sensitive data of yours, then wipe it with a specific tool. Even forensics won't (be able to) go deeper.

peterh
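Points 4 and 5 of the answer above (hidden spare area, TRIM only marking pages reusable) can be seen in a toy model of a flash translation layer. This is an added example, not part of the original answer or the Apple document; the `ToyFTL` class, its oldest-stale-first erase policy and the sample secret are assumptions made for illustration, and real controllers differ.

```python
SECRET = b"ACCT-4417 (constructed sample secret)"

class ToyFTL:
    """Toy flash translation layer: out-of-place writes plus spare pages."""
    def __init__(self, logical_pages, spare_pages):
        self.logical_pages = logical_pages
        self.flash = [None] * (logical_pages + spare_pages)  # raw NAND pages
        self.l2p = {}    # logical block address -> physical page
        self.stale = []  # superseded pages awaiting erase, oldest first

    def _allocate(self):
        if None in self.flash:              # an erased page is available
            return self.flash.index(None)
        victim = self.stale.pop(0)          # assumed policy: erase oldest stale page
        self.flash[victim] = None
        return victim

    def write(self, lba, data):
        page = self._allocate()
        self.flash[page] = data
        if lba in self.l2p:
            self.stale.append(self.l2p[lba])  # old copy is unmapped, not erased
        self.l2p[lba] = page

    def trim(self, lba):
        if lba in self.l2p:
            self.stale.append(self.l2p.pop(lba))  # only marks the page reusable

    def host_scan(self, needle):            # what the OS can read back
        return [l for l, p in self.l2p.items() if needle in self.flash[p]]
    def raw_scan(self, needle):             # what reading the chips directly shows
        return [p for p, d in enumerate(self.flash) if d and needle in d]

def fill_whole_drive(logical_pages=8, spare_pages=4):
    ftl = ToyFTL(logical_pages, spare_pages)
    for lba in range(logical_pages):        # secret lives in the last three LBAs
        ftl.write(lba, SECRET if lba >= logical_pages - 3 else b"ordinary data")
    for lba in range(logical_pages):        # "fill the disk" via the host interface
        ftl.write(lba, b"\x00" * 16)
    return ftl.host_scan(SECRET), ftl.raw_scan(SECRET)

def trim_only():
    ftl = ToyFTL(8, 4)
    ftl.write(0, SECRET)
    ftl.trim(0)
    return ftl.host_scan(SECRET), ftl.raw_scan(SECRET)

if __name__ == "__main__":
    print("after fill:", fill_whole_drive(), "after trim:", trim_only())
```

In both cases the host-visible scan is empty while the raw scan still finds the secret, because every logical overwrite landed on a different physical page than the data it replaced.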