6

As one can find in the Disk Utility/Erase/Security Options section, there are two options for erasing disks securely - zero out 7 times or zero out 35 times. Where these numbers come from?

CodesInChaos
  • 11,854
  • 2
  • 40
  • 50

3 Answers3

11

The 7 and 35 passes very probably come from the paper "Secure Deletion of Data from Magnetic and Solid-State Memory" by Peter Gutmann. There, he described various overwrite patterns targeted at specific hard drive write encodings.

However, the paper, and the 35 passes, are now obsolete, as they were for old hard drive technology, as even the author readily admits. Nowadays, to delete a disk, a single pass with zeroes is enough. Even better, use the SECURE ERASE feature of all modern drives.

For more discussion see the Wikipedia article on the Gutmann method.

sleske
  • 1,622
  • 12
  • 22
  • 1
    Just a quick note for future readers: For more info on the ATA Secure Erase command, and why it's the preferred choice for magnetic disks today, see http://security.stackexchange.com/a/5784/2122 . Also, don't wipe SSDs by overwriting, and be cautious with ATA Secure Erase, see http://security.stackexchange.com/q/5662/ –  May 12 '13 at 14:20
  • Use secure erase, but verify. I've seen drives out in the wild with firmware bugs that prevent secure erase from working properly. For instance, older WD Caviar Black 1TB disks would only erase about 2/3 of the disk, or would brick before completing the erase. In the latter case, physical destruction would be required. – Michael Hampton May 12 '13 at 17:12
  • Any recommendations for the verification tool? – moey Apr 03 '14 at 04:15
  • @moey: Sorry, no idea. Better ask that as a new question. – sleske Apr 03 '14 at 08:41
  • 1
    Done, here's the new question: http://security.stackexchange.com/q/54822/43367 – moey Apr 04 '14 at 03:17
0

Writing information to a hard drive once will thoroughly replace all data that's under the drive head with the new data, but requests to write a particular track won't always cause the head to pass over exactly the same spot. Especially with older drives, various factors like aging and temperature are likely cause the head to pass slightly to the left or right of its "ideal" location. If e.g. information was written when the drive was cold, causing the head to be to the left of its ideal position, and it was later overwritten when it was warmer causing the head to be to the right of ideal, it's possible that enough residue of old information might remain on the left edge of the track to be readable with suitable equipment. Note that overwriting the track dozens of times may not help; depending upon the design of the drive, it might be possible to influence the heat position other ways (e.g. if the information in question is on track 53, accessing track 52 and then 53 may leave the head in a different place from accessing track 54 and then 53, but there's no guarantee that would be sufficient).

Flash drives present a different challenge, because repeated requests to write the same sector will actually cause the data to be stored in different areas of memory. Flash memory can generally be written in 528-byte pages (each holding 512 bytes of data plus some bookkeeping information), but once a page of flash is written it cannot be rewritten until a bulk-erase request is used to clear all of the pages in a rather large area (hundreds or thousands of pages). Rather than erasing a sector as soon as a request is received to rewrite it, the flash chip simply stores the new version and keeps track of the fact that the old one has been superseded. When the number of completely-blank blocks reaches a certain threshold, the drive will try to find find a block with relatively few pages that are still valid, copy those to a completely-blank block, and then erase the block. When a block is erased, any information which had been on it but wasn't copied will be thoroughly destroyed, but if a page happens to reside in a block with hundreds of pages that are still in use its storage may not get recycled even other, more-recently-written pages do.

supercat
  • 2,029
  • 10
  • 10
-2

Neither of those should be considered the least bit secure. Just zero-ing out the data is not enough, no matter how many times you do it.

All so-called secure erase software should follow recommendations such as those given in Secure Deletion of Data from Magnetic and Solid-State Memory by Peter Gutmann. This paper recommends 35 write passes, some of which use random data and some of which use specific patterns, only one of which is all zeroes.

Celada
  • 656
  • 4
  • 9
  • 1
    Has there ever been a well-documented case where a significant amount of data (i.e. not some impractical value like every 1000th bit) could be recovered after overwriting it once with zeros? –  May 11 '13 at 13:10
  • @FredOverflow I don't know. I'm not an expert, I'm just citing the literature. But my view is: why take the chance? Use a secure eraser. – Celada May 11 '13 at 16:08
  • 3
    Number of passes is irrelevant. If you actually overwrite the data once it's enough. Multiple overwrites were only necessary decades ago. The real problem is that it's hard to ensure that the data is overwritten at least once. Things like wear-leveling, defect sectors, shadow copies etc. can lead to copies of the data remaining even after you tried to overwrite them. – CodesInChaos May 11 '13 at 17:24
  • 2
    -1 Just zero-ing out *is* enough. No one has *ever* demonstrated data recovery. Some agency might be able to do it and keep it secret, but that's very speculative. – sleske May 11 '13 at 18:04
  • @FredOverflow - it used to be necessary with old low density drives where the head tracking was poor enough that previous tracks were readable by deliberate head positioning. It was also possible with MFM drives were overwriting with zero didn't really do much to the recording. –  May 11 '13 at 18:45
  • Citing ancient literature for old servo motor head technology with GIANT inter-track spacing is cargo cult programming practice. Times have changed and other issues are more pertinent. – Fiasco Labs May 12 '13 at 01:24
  • The paper cited above is out of date. The 35 passes was arrived at by careful calculation based on drive technology of the 1980's. For any drive made in the last 15 years a single overwrite is enough. – Tracy Reed May 12 '13 at 01:27
  • 2
    Also even in the 1980's you never needed all 35 passes. 35 passes covers all types of drives. Given that any given hard drive uses a single physical encoding you only needed to apply the passes applicable to that encoding. – jhoyla May 12 '13 at 12:17
  • @Celada - There is one way I know how only wiping a hdd once is secure, one of many, but trying to address your false statement. You only need to zero a hdd once, encrypt the entire drive, and any data was there cannot be recovered. You could even encrypt the current data on the drive, wipe the drive once, and nonthing on the drive including the free space could be recovered. – Ramhound May 13 '13 at 11:12