4

How secure do you consider this process?

  1. A drive has data from a previous OS installation.
  2. A new OS installation is made on the drive, and Heidi Eraser is run on free space.

What are the chances of data being recovered from the original install?

5 Answers

5

As far as I can see from the documentation, Heidi Eraser makes a serious attempt at erasing all the unused space on the disk where old data may linger. Make sure to select “erase cluster tips”, as otherwise some hard-to-exploit data fragments could be left in blocks that are only partially used by a file (because the size of this file is not a whole number of blocks) (this is explained in the “cluster tips” entry in the glossary in the manual). Heidi Eraser also takes care of erasing the filesystem table to wipe the names of old files. I have not seen any reference to erasing areas reserved for filesystem metadata which may not have been initialized (I don't know if NTFS has such areas).

Nonetheless, I strongly recommend wiping data before installing the new operating system, because it's simpler. Heidi Eraser has to whitelist areas to wipe, because it must make sure not to erase live data. Wiping a blank disk is straightforward. Do this, then install the new operating system.

Note that overwriting once with zeroes is practically as good as overwriting with random data multiple times (there was a difference with 1980s technology, but not with today's denser disks). Also, note that against an attacker with physical access and some electronic equipment, wiping is not enough, especially with SSD, because the disks reallocate defective or worn sectors but you can still read them with the right equipment. See How can I reliably erase all information on a hard drive? and other [deletion] questions on this site.

Gilles 'SO- stop being evil'
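A way to check the "overwrite once with zeroes" step from the answer above before reinstalling, as an added example that is not part of the original answers: it scans a wiped partition or raw image and reports which blocks still hold non-zero bytes. The function names, the 4096-byte block size and the sample image are assumptions made for illustration, and the scan only sees logically addressable blocks, not reallocated sectors.

```python
import os
import tempfile

BLOCK = 4096  # assumed scan granularity; not tied to any tool on this page


def nonzero_ranges(path, block=BLOCK, chunk_blocks=256):
    """Return (total_blocks, [(first, last), ...]) for blocks holding any non-zero byte."""
    ranges, index = [], 0
    zero = bytes(block)
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(block * chunk_blocks)
            if not chunk:
                break
            for off in range(0, len(chunk), block):
                piece = chunk[off:off + block]
                # A short final block is compared against a zero run of equal length.
                if piece != zero[:len(piece)]:
                    if ranges and ranges[-1][1] == index - 1:
                        ranges[-1] = (ranges[-1][0], index)  # extend the current run
                    else:
                        ranges.append((index, index))
                index += 1
    return index, ranges


def make_sample_image(blocks=64,
                      leftovers=((10, b"old-install residue"), (11, b"x"), (40, b"tail"))):
    """Constructed test image: all zeroes except a few blocks of stale data."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as img:
        img.write(bytes(blocks * BLOCK))
        for blk, data in leftovers:
            img.seek(blk * BLOCK + 100)
            img.write(data)
    return path


if __name__ == "__main__":
    sample = make_sample_image()
    total, dirty = nonzero_ranges(sample)
    os.remove(sample)
    print(f"{total} blocks scanned, non-zero ranges: {dirty}")
```

An empty range list means every readable block is zero; any reported range is a region the wipe did not cover.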
1

Any drive eraser app which overwrites every block on the partition even once will make your chances of data retrieval effectively nil. Check to see if Heidi was set to do this. Don't worry about the number of passes - it was useful when hard disks were not as well developed, as you could retrieve a lot of information by moving the read head slightly off the correct track, but this isn't the case any more.

If it wasn't a full erase, you may get some data back, but not from the areas the new OS was installed to as it will have overwritten it.

Have a look at this question on securely deleting files for more information.

Rory Alsop
0

It depends on the algorithm used to overwrite the data. The most successful (probably an overkill but...) algorithm that Heidi Eraser uses is Gutmann (35 passes).

There are two methods of data recovery. One is just reading the deleted data from the hard disk. If that is the case, just overwriting the deleted data is enough. But the other recovery method is magnetic force microscopy (MFM), in which the number of overwrites and even how you overwrite the data is very important.

  • 4
    The number of overwrites doesn't matter much, the main issue is making sure that you overwrite every physical bit you want gone at least once. It's very hard to do this, especially on SSDs. – CodesInChaos Jan 30 '12 at 14:08
  • @CodesInChaos - The only real way to do it with SSD is to encrypt the entire drive before any data is placed on it. This is of course because Solid State Drives have technology to prevent wear, so it will on its own, move data all the time. As with both mechanical drives and SSD deleted data is not actually deleted, it's just marked as deleted, and overwritten when the drive decides to do so. – Ramhound Jan 30 '12 at 15:08
  • One overwrite is enough with modern drives - except SSDs. – Rory Alsop Jan 30 '12 at 19:13
  • Even rotating disks have "spare sectors", and many disks with wear leveling are not called "SSD". – Ben Voigt Jan 31 '12 at 01:31
  • Well, there are two methods of data recovery. One is just reading the deleted data from the hard disk. If that is the case, just overwriting the deleted data is enough. But the other recovery method is magnetic force microscopy (MFM), in which the number of overwrites and even how you overwrite the data is very important. – Ömer Mert Ekşioğlu Jan 31 '12 at 07:39
  • The most successful method of sanitizing or destroying media is degaussing multiple times, followed by shredding of the medium. – DTK Dec 03 '14 at 04:54
  • @BenVoigt, the spare sectors on a rotating disk are used only when a sector is confirmed as bad, because accessing data in a spare sector requires moving the drive head, which greatly reduces linear read speed. Solid-state drives don't have this problem, so spare sectors are used all the time for wear leveling. – Mark Dec 03 '14 at 05:04
  • @Mark: While you are correct, that changes nothing. A "bad" sector may still be 99% readable, so forensics can recover that data. And *all* flash disks (and most other NVRAM technologies as well) do wear leveling, not only those classified as SSDs, so they also are subject to having data left in spare sectors even after overwriting every address. – Ben Voigt Dec 03 '14 at 07:31
0

Please download something like Parted Magic or Hiren's Boot CD. There are tools on these disks to secure erase your hard drive or SSD. I personally use Parted Magic just because I find it easy to work with. Just start an ATA secure erase. The normal command will overwrite all user data with zeros, the enhanced version of the command will overwrite all bad sectors on hard disks with predetermined random data. On SSDs the normal command should delete the encryption keys (for self-encrypting drives) or delete all data accessible to the user. The enhanced version should mark all blocks as invalid and garbage collection/TRIM would then clear the cells.

schroeder
0

@JohnCharles117 Your media destruction policy should directly support your data destruction policy, and your data destruction policy should be based upon your threat model and the value of your data assets.

NISPOM (DoD 5220.22-M, section 8, table 1), as recently as 1997, allowed for media destruction via securely overwriting the medium via a special procedure (this procedure can be executed using tools like DBAN). Post-1997, this procedure has been removed and the remaining acceptable media destruction techniques are degaussing, shredding or incineration.

Presuming your data does not have confidentiality requirements comparable to the data processed by personnel contributing to a SAP, you may accept the overwriting as sufficient. Fundamentally, this business decision can only be made by the person accountable for the confidentiality of the data that you process at your facility.

DTK