17

Possible Duplicate:
Why is writing zeros (or random data) over a hard drive multiple times better than just doing it once?

Multiple overwrites have often been discussed as a secure way of erasing data. Some people say that the only way to securely erase a magnetic HDD is to physically destroy the device, grinding each platter to powder, incineration etc.

If I ask the question whether a single overwrite makes data permanently irretrievable, I get different answers. Some people say that it was an issue on older hardware, others that it still is. I have not come across a case where a single overwrite of zeros has been recovered, despite many people theorising that this could be done using techniques such as magnetic force microscopy.

It seems that in general people err on the side of caution under the assumption that one of the mysterious government entities has some crazy electron-microscope equipment capable of recovering data after single, or even multiple overwrites.

While this is clearly the sensible option as it doesn't take a great deal of time to shred a disk this way, the question remains; is it necessary?

lynks
  • I can't provide any insight on the feasibility of examining the magnetic residues, but: The thing I'd be worried about is remapped sectors. Those are inaccessible to you when overwriting the drive with zeros but may still retain sensitive data. This data is definitely recoverable to a certain extent without spending millions of US$ and using secret military research labs. – us2012 Dec 28 '12 at 18:46
  • @us2012 a good point to raise, journalling/similar file systems move things around in mysterious ways making overwriting individual files very difficult. – lynks Dec 28 '12 at 18:48
  • Nowadays techniques like wear leveling (particularly on SSDs) cause much bigger problems, because it's hard to ensure that the data was actually overwritten once. Even with HDDs remapping defect sectors can cause issues. – CodesInChaos Dec 28 '12 at 19:28
  • I don't think this is about securely overwriting individual files. Yes that could pose problems if that was the goal. It's best to consider overwriting the entire device for the purpose of this discussion. File system issues and SSD wear leveling don't matter then. I could see remapped sectors being a possible concern but one sector doesn't have much data. – Datarecovery.com MK Apr 06 '16 at 13:39

2 Answers

17

The best citation I can give is from Overwriting Hard Drive Data: The Great Wiping Controversy, which was published as part of the 4th International Conference on Information Systems Security, ICISS 2008. You can view the full text of the paper by viewing the book on Google Books, and jumping to page 243.

The following excerpt is from their conclusion:

> The purpose of this paper was a categorical settlement to the controversy surrounding the misconceptions involving the belief that data can be recovered following a wipe procedure. This study has demonstrated that correctly wiped data cannot reasonably retrieved even if it of a small size or found only over small parts of the hard drive. Not even with the use of a MFM or other known methods. The belief that a tool can be developed to retrieve gigabytes or terabytes of data of information from a wiped drive is in error.
>
> Although there is a good chance of recovery for any individual bit from a drive, the chance of recovery of any amount of data from a drive using an electron microscope are negligible. Even speculating on the possible recovery of an old drive, there is no likelihood that any data would be recoverable from the drive. The forensic recovery of data using electron microscopy is infeasible. This was true both on old drives and has become more difficult over time. Further, there is a need for the data to have been written and then wiped on a raw unused drive for there to be any hope of any level of recovery even at the bit level, which does not reflect real situations. It is unlikely that a recovered drive will have not been used for a period of time and the interaction of defragmentation, file copies and general use that overwrites data areas negates any chance of data recovery. The fallacy that data can be forensically recovered using an electron microscope or related means needs to be put to rest.

NIST also seem to agree. In NIST SP 800-88, they state the following:

> Studies have shown that most of today’s media can be effectively cleared by one overwrite.
>
> Purging information is a media sanitization process that protects the confidentiality of information against a laboratory attack. For some media, clearing media would not suffice for purging. However, for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged.

As such, I'd say that data remanence on modern hard drives is a complete myth, and it's likely to be infeasible for old drives too.

So, as a quick set of bullet points:

  • You might be able to extract individual bits after a single overwrite, but not any useful amount of data.
  • It is entirely infeasible to recover any data, even at the bit level, from a wiped disk area outside lab conditions, due to the effects of day-to-day use (file copies, etc).
  • A single overwrite, for all intents and purposes, provides complete protection against useful data recovery.
Polynomial
  • Agree. Here is my related comment on this as well with a reference to Revision 1 of the same NIST document - http://security.stackexchange.com/questions/89994/why-is-writing-zeros-or-random-data-over-a-hard-drive-used-when-writing-all-on/92402#92402 – Datarecovery.com MK Apr 06 '16 at 13:34
  • Link to [Overwriting Hard Drive Data: The Great Wiping Controversy](https://www.vidarholen.net/~vidar/overwriting_hard_drive_data.pdf) (full PDF) – David Balažic Jan 07 '20 at 20:15
4

As usual, the Wikipedia page contains useful links (Wikipedia is not "The Truth" but it is a great starting point for investigating technical issues and making up one's own mind). In particular, it says that:

> As of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not as a sanitization method. Only degaussing or physical destruction is acceptable for the latter.
>
> On the other hand, according to the 2006 NIST Special Publication 800-88 (p. 7): "Studies have shown that most of today’s media can be effectively cleared by one overwrite" and "for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged." An analysis by Wright et al. of recovery techniques, including magnetic force microscopy, also concludes that a single wipe is all that is required for modern drives. They point out that the long time required for multiple wipes "has created a situation where many organisations ignore the issue all together – resulting in data leaks and loss."

So the generic conclusion seems to be that a simple overwrite will most probably erase all the data, but if you need some kind of compliance with regards to some bureaucratic regulations, then old-style physical obliteration may still be required. Note that, with regards to data cleansing, you have two needs:

  • you want to wipe the data out;
  • you want to be sure that the data has been thoroughly wiped out.

A sledgehammer or an acid cauldron will go a long way towards fulfilling the latter goal.

Thomas Pornin
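The two needs listed in the answer above (wipe the data, then be sure it was wiped) can be shown as a single zero pass followed by a read-back check. This is an added example, not code from either answer; the function names and the temporary image file are assumptions, and the check only covers addressable space, so the remapped sectors raised in the comments remain outside its reach.

```python
import os
import tempfile

CHUNK = 1 << 20  # read/write 1 MiB at a time


def overwrite_zeros(path):
    """Single pass of zeros over the whole target; returns bytes written."""
    zeros = bytes(CHUNK)
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        f.seek(0)
        left = size
        while left:
            n = min(CHUNK, left)
            f.write(zeros[:n])
            left -= n
        f.flush()
        os.fsync(f.fileno())  # push the pass to the device before verifying
    return size


def residual_extents(path, sector=512):
    """Read the target back; return [(offset, length)] of non-zero sector runs."""
    extents, offset, blank = [], 0, bytes(sector)
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            if chunk.count(0) != len(chunk):  # skip chunks that are all zero
                for i in range(0, len(chunk), sector):
                    piece = chunk[i:i + sector]
                    if piece == blank[:len(piece)]:
                        continue
                    start = offset + i
                    if extents and sum(extents[-1]) == start:  # extend the run
                        extents[-1] = (extents[-1][0], extents[-1][1] + len(piece))
                    else:
                        extents.append((start, len(piece)))
            offset += len(chunk)
    return extents


def make_sample_image(size=3 * CHUNK + 700):
    """Constructed test image: random bytes standing in for old data."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path
```

An empty list from `residual_extents` means every addressable sector read back as zeros; any entry gives the byte offset and length of a region the pass did not clear.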