0

I wanted to wipe free disk space of my PC, as I had accidentally deleted confidential data permanently without securely deleting them. So wiping the entire free disk seems to be the only option now.

I know that generally 1 overwrite is enough and no better than the 35 overwrites proposed by Peter Gutman. However, because I am a bit paranoid, and CCleaner names the 35 pass method as a very complex overwrite, I personally want to go for that. I understand it might be useless, but still, I hope you understand the paranoia.

So I was wondering whether 35 overwrites of the entire free space will cause any damage to the free disk space? How many overwrites generally make a hard drive unusable or inefficient or undesirable/problematic?

PS: Sorry, was unable to find a relevant tag. Help is appreciated.

Jay Shah
  • 339
  • 2
  • 4
  • 10
  • Are you using a SSD or HDD? – A. Hersean Jan 08 '21 at 16:47
  • @A.Hersean I use HDD – Jay Shah Jan 08 '21 at 16:48
  • And I also just wiped a flash drive but I am not sure it is HDD or SSD. – Jay Shah Jan 08 '21 at 16:52
  • If it's a USB key or SD card, it's flash and not SSD. The difference matters. In this case "secure erasing" works and one pass is enough. Secure erasing does not work on SSDs, so you should encrypt them before use. – A. Hersean Jan 08 '21 at 16:58
  • See: https://security.stackexchange.com/questions/10464/why-is-writing-zeros-or-random-data-over-a-hard-drive-multiple-times-better-th – Polynomial Jan 08 '21 at 22:59
  • @Polynomial Saw that, didn't help. This is a different question. – Jay Shah Jan 09 '21 at 07:46
  • @JayShah On SSDs you'll run into serious cell wear issues if you use a technique like this. But it's not really a security question, it's a hardware question. – Polynomial Jan 09 '21 at 08:53
  • @Polynomial Are Sandisk USB Flash drives an issue? – Jay Shah Jan 09 '21 at 08:55
  • @JayShah Yes, and they're a type of flash that will be particularly hard-hit by overwriting. Overwriting is also not effective due to overprovisioning and wear-levelling. USB flash drives are tricky to fully wipe, which is why you should encrypt data on them with FDE from the very beginning. [NIST SP 800-88 rev1 (2014)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf) has some excellent guidance on this matter. – Polynomial Jan 09 '21 at 09:00
  • @Polynomial Okay so it will hit the USB drive hard. Assuming that I don't save anything on it from now, will my already saved data be affected by this? – Jay Shah Jan 09 '21 at 09:54
  • (2) Is overwriting an effective measure to securely erase a data on a Sandisk USB Flash drive? Can it be recovered with a software? Not asking about sophisticated physical equipment, just recovery software. Thanks – Jay Shah Jan 09 '21 at 09:56
  • @JayShah There's no way to know for sure, so you should just presume that any data that is already on there (or was ever written on there) may have been copied to overprovisioned space, and that the recovery space *may* be read by someone who has physical access to the drive. Whether or not the attacker can access the data on the slack space using just software is completely implementation dependent, so it's best to just presume that it would be accessible. Slack space is always accessible using physical recovery techniques. – Polynomial Jan 09 '21 at 16:59

3 Answers3

3

As A. Hersean said, if it's an HDD, as in spinning magnetic rust, multiple overwrites are not an issue.

"... 35 overwrites proposed by Peter Gutman {sic}. ..."

This is a holdover from the MFM drives used decades ago. Even Peter Gutmann has said that this is no longer useful.

"... because I am a bit paranoid ..."

I can appreciate that but you are putting your concern in the wrong place. I'm guessing you are probably using Windows as people who aren't generally specify. The more significant concern lies in a different place than pointless multiple overwrites.

In Windows, small files (up to 1.4KB but typically less than 900 bytes) are not written to their own file block on the HDD. Instead they are written directly to the Master File Table (MFT). Normally the MFT points to where a file resides on the file system, however each MFT entry has enough space to handle small file content directly, so it's written there instead of to a separate disk file block. When the small file is deleted, the MFT entry is marked as available but the actual MFT is never deallocated to become free space.

The other big concern with Windows is Shadow Volumes. This consists of back versions of your files. This is how Windows provides the capability to rollback. Deleting a file does not necessarily delete the older versions of the file in Shadow Volumes.

The most effective thing you can do is encrypt your drive. Bitlocker can encrypt a currently in use drive, so too can Veracrypt for Windows.

user10216038
  • 7,552
  • 2
  • 16
  • 19
1

Since you are using an HDD and this is a one (or few) time event, the only drawback you will obtain from doing a 35 pass overwrite is a huge waste of time. It will not be detrimental for your drive in the long run. For more details on the supported number of writes, you must read the datasheet provided the constructor of the drive. If you cannot find such a datasheet, find a similar model from another constructor and lower the bounds by 50% as a security margin.

If you still want to be very extremely paranoid but waste less time, you can use a 3-pass overwrite with one pass only zeros, one pass with only ones (in whatever order) followed at last by a pass of random data.

Do not forget to overwrite the metadata of NTFS if you are using it and some of your confidential files used less than 900 bytes.

A. Hersean
  • 10,046
  • 3
  • 28
  • 42
  • Thank you for answering, but my question is different. I am asking whether 35 passes will be bad for the drive **in the long run**? How many overwrites can make a drive unusable/inefficient/undesirable to use? 10 overwrites? 50? 60? Is there a general figure? What if I perform two 35 pass overwrites so that the total is 70 overwrites? Will my drive be ruined that way? – Jay Shah Jan 08 '21 at 16:58
  • @JayShah I completed my 1st paragraph. – A. Hersean Jan 08 '21 at 17:03
  • I had tried to find about it on the internet before posting this question but was confused by the terminology, can you help me find it? Can you give me a specific number? I use Windows PC with HDDs. – Jay Shah Jan 08 '21 at 17:06
  • @JayShah Please provide the exact brand and model number of your drive. Maybe the serial number too, if the model number is too generic. – A. Hersean Jan 08 '21 at 17:07
  • @JayShah I do not need to know what operating system you use. I also do not need to know the brand of your computer. I need the brand and serial number of your hard disk drive. You might need to open your computer and read it on the drive itself. – A. Hersean Jan 08 '21 at 17:16
  • Also, the information you provided is not that confidential. It's extremely common. – A. Hersean Jan 08 '21 at 17:17
  • Oh, I can't open the computer right now, I don't know how to do that and there is no technician near me... – Jay Shah Jan 08 '21 at 17:18
  • Then I cannot help you further for now. Please come back when you have this information. – A. Hersean Jan 08 '21 at 17:20
  • I understand, that's okay...can you do me a last favor then? If I would have told you the information you needed, you'd have checked it for me. Can you check it for your own PC or for any random brand for example? I just wanted to know the general number, not a specific one. Thanks! – Jay Shah Jan 08 '21 at 17:22
  • 1
    @JayShah [Here's](https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/product/internal-drives/wd-black-hdd/data-sheet-wd-black-pc-hard-drives-2879-771434.pdf) a PDF of a WD hard drive series. As you can see, there's no indication of how many writes you can do on it. This is because, unlike SSDs, hard drives don't really have a hard limit on how many times they can be rewritten. – At0mic Jan 09 '21 at 23:19
1

Devices such as USB sticks and SSDs use a type of technology called flash. A limitation of this type of technology is that flash cells (the individual elements that store data) can only undergo a limited number of write cycles, after which they wear out and cannot reliably store data. Put simply: every time you write data to the drive, you wear it out a little. There's another problem with this limitation, too - filesystems don't evenly write data across the whole disk, but instead write to certain locations (e.g. the file table) a whole bunch. This means that certain areas of the disk would be prone to premature wear, because of repeated writes.

Drives use a number of techniques in order to compensate for this aging limitation.

The first is overprovisioning, where the disk actually contains more flash cells than the advertised capacity of the disk. The idea is that worn-out flash cells can be detected and transparently replaced with others from the overprovisioned area, in order to improve the lifetime of the disk.

The second technique is wear-levelling, in which the logical disk blocks presented to the host system are randomly mapped to the actual physical cells in the device, and each new write goes to a random free cell. This causes the writes to be distributed across the cells, so they don't wear out so quickly. The actual implementation of this is a bit more complicated, but I'm keeping it simple for the sake of keeping this answer short.

Multi-pass wiping is never useful - all it does is waste time and wear out your devices. This is explained in detail in NIST SP 800-88 rev.1 (2014). The developer of the 35-pass method, Peter Gutmann, has stated many times that the technique was never intended to be used in practice - he goes as far as describing its use as a "voodoo incantation to banish evil spirits". The original justification for multi-pass wiping came from DoD 5220.22-M and other unclassified documents from the mid 2000s, which were largely based on paranoia rather than practicality. The newer NIST guidelines clarify this - you only ever need a single wipe pass.

Multi-pass wiping is particularly damaging to flash-based storage devices, because it causes multiple writes that wear out the disk. Even more importantly, simply overwriting the data from the OS does not overwrite any data in the overprovisioned slack space. This means any data you've written may have been copied to the overprovisioned cells, and will not be wiped.

Recovering data from overprovisioned (also known as "slack") space on the drive may be possible using only software, by sending certain commands to the drive. This is dependent on the specific make and model of drive. Hardware recovery should always be possible, by disassembling the device, desoldering the flash chips, and connecting them to a device that can read them directly. You should assume that this can be done.

Modern SSDs have a feature called Secure Erase to help work around these challenges. The storage controller on the drive contains a randomly selected key, which is used to transparently encrypt all data that gets written to the cells. When you send the drive a secure erase command, it discards the key and randomly picks a new one. This causes all of the data that was already written - even the data in the slack space - to become unreadable, because it is encrypted and the key is lost.

The Secure Erase feature is not usually available on USB sticks or other storage devices. In this case you should use full-disk encryption (FDE), such as BitLocker or VeraCrypt, from the moment you get the drive. This ensures that it is infeasible to recover data from the drive if you wipe it, because even if the attacker knows the disk unlock password it's unlikely that the disk encryption header (which contains values needed to decrypt any part of the disk) would be recoverable.

Polynomial
  • 132,208
  • 43
  • 298
  • 379