19

As far as I know, in order to securely delete the hard drive's contents, one should fill it with zeroes or, for added security and harder recoverability, random data first and then all zeroes.

In order to get rid of all the data, wouldn't it be simpler to fill it with all ones, thus minimizing the wear of repeated writes and being sure that all bits on the drive are now uniform and old data couldn't possibly be recovered in this state?

Jens Erat
Serban Razvan
  • 17
    What's your basis for claiming that writing all ones is more beneficial? – Boann May 24 '15 at 20:44
  • 6
    I thought it was because you can do `dd if=/dev/zero` but not `dd if=/dev/one`. – Matt Nordhoff May 24 '15 at 20:52
  • Writing zeros or writing ones still entails writing the full sectors back to the disk. The operative being that you are creating a Manchester encoded ECC data stream that is being written to the hard drive surface, not just attempting to demagnetize it. – Fiasco Labs May 24 '15 at 21:03
  • 29
    As usual, an ounce of prevention is worth a pound of cure: if you encrypted the drive _before_ use, all you'd need do is throw away the key, rendering the drive unreadable. – Clockwork-Muse May 24 '15 at 22:10
  • @Clockwork-Muse I would upvote that if I could. – Steve Dodier-Lazaro May 24 '15 at 22:17
  • @SteveDL Why do you imply you can't upvote that? – Adam Jensen May 25 '15 at 06:51
  • @AdamJensen I can but no benefits attached. – Steve Dodier-Lazaro May 25 '15 at 08:44
  • @SteveDL - the reason I didn't post it as an answer was because this seemed to be more about the practice of erasure, especially for potentially historical reasons. It also wouldn't help him **now**, if his data is already written, because old sectors and scratch files wouldn't be encrypted unless done from the start. An existing answer mentioning it in an addendum on new best practice would probably be better. – Clockwork-Muse May 25 '15 at 23:21
  • I think the OP is assuming that a zero means NOTHING is written to that spot on the disk and a 1 means SOMETHING is written there. Writing all 1's would thus "fill in the holes". I have no idea how disks physically work but I'd guess this assumption is incorrect. – Rick Chatham May 28 '15 at 21:22

4 Answers

17

The reason you write '0' instead of '1' has to do with the way magnetic storage encodes the 0 and the 1. A long explanation of it can be found on Wikipedia under Run-length_limited. In short, RLL is the methodology used to store the '1' and '0', and it is more complex than just storing the bit values themselves.

On a side note to make the drive more like it was when it came out of the factory we need to have it store only 0's. (factory default state)

So to securely erase anything on a magnetic storage device you first need to change the magnetic encoded values to a 'stable' state (that means as many '0' as possible). This makes it harder for anyone to retrieve what was there, and almost impossible for the built-in magnetic reading head (only specialist equipment can still reliably retrieve it). To combat 'magnetic memory' you can then write a random pattern to the same location, followed by a zeroing pass; this makes it nigh impossible for software to retrieve the values that were there.

Finally you leave the disc in a state that closely resembles the factory state.

Most of this does not apply to CMOS or SSD technology as long as they do not use magnetism to store the values. There are other techniques to securely erase a CMOS / SSD but that involves overpowering the 'memory' cell to erase all values inside it. (also known as a reset).

Most of the time you do not care about the wear and tear when 'securely' erasing the disk because you simply do not do it that often, and the benefits of the erase outweigh the cost of having to replace your drive a little sooner.

Deer Hunter
LvB
  • 4
    Your claim about combating "magnetic memory" would seem to go counter to the (cited) claims on Wikipedia (and in e.g. NIST 800-88) that with modern magnetic media, more than a single overwrite pass provides no additional protection against data recovery. Can you back up your claim with some sort of authoritative reference? – user May 25 '15 at 07:59
  • I base that claim on research like https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html – LvB May 25 '15 at 08:29
  • 3
    Ah, the 1996 *Secure Deletion of Data from Magnetic and Solid-State Memory* paper by Peter Gutmann. Did you take [the epilogues](https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html#Epilogue) into account as well? Notice that "at the time the Usenix article was written MFM and RLL was the standard hard drive encoding technique for the installed technology base" and "emergence of PRML and EPRML drives was why ... the rules for the older drives didn't apply any more for the newer technology". – user May 25 '15 at 08:41
  • 1
    Yes, but not from this source. I got that from talking to a HDD Data recovery Expert so I have no link to share of that. The guy told me that when you use a hyper sensitive Magnetic Electron head you can read the individual magnetic state of the atoms in the area. As long as not all of them change when a new write happens, the data can be recoverable (especially true for data that has been stored for a longer time). It is the type of equipment they use to measure quantum magnetism effects, so it's in the range of universities and big corporations and governments. I never claimed it is easy. – LvB May 25 '15 at 08:54
  • 1
    Not to mention how hard it is to figure out if the data you read out makes sense - one thing is knowing what you're looking for in advance and interpreting the results of the scans in light of that, another to do a blind study. How would you know which anomalies correspond to older data, which are just random noise, and which are there from 3 erases ago? – Luaan May 25 '15 at 12:38
  • You're absolutely right @Luaan, but that is out of scope for the question. For that, all that matters is "could it be done?"; the answer is yes. That it is hard I agree, and I only added it to the answer as background information. – LvB May 25 '15 at 14:07
  • 1
    @LvB Please see the references in the answer quoted by DataRecovery.com MK below. Your answer appears to be quite a bit out of date, and needs to be corrected. In addition, answers backed by "I was told by an expert" aren't verifiable, and don't really belong here. – Steve Sether Jun 25 '15 at 20:53
  • I know my source is old; I discovered there are no recent public materials about this subject due to in-house development (same source). I am afraid you cannot check this with a link because I simply do not have one I am allowed to share. I can say that while MK has valid points, it's not the whole story. Yes, the redundant track parts are 'gone' so that risk is lessened, but as I understand the expert you can still recover data from 'deeper' layers of the material. This obviously destroys the platter and is non-repeatable. For all intents and purposes, – LvB Jun 25 '15 at 21:18
  • a single wipe is nowadays enough to destroy the data. It can, however, be recovered if someone has sufficient resources and will to do so. The people that can are obviously the type of technicians that are working in the lithographic and adjacent nano-technology fields (so not your average scientist / engineer but highly specialist and outside of the field of security expert). – LvB Jun 25 '15 at 21:22
9

If you're talking about modern hard disks (spinning platters, magnetic data), then it doesn't matter what is written as long as something is written. The NIST Special Publication 800-88 Rev 1 contains the relevant guidelines. It's updated and talks about different types of media. Now they do say that the overwrite should be verified (because maybe something didn't work and the overwrite didn't actually completely occur so data recovery is still possible).

"2.4 Trends in Sanitization For storage devices containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data..." http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf

From the 2006 version:
"Advancing technology has created a situation that has altered previously held best practices regarding magnetic disk type storage media. Basically the change in track density and the related changes in the storage medium have created a situation where the acts of clearing and purging the media have converged. That is, for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack." In the revision this whole section was rewritten, but the background hasn't changed.

Here is more reasoning behind it-
"Older disk drives left some space between tracks; data written to a track could occasionally be recovered from this inter-track region using special instruments. Today’s disk drives have a write head that is significantly larger than the read head: tracks are thus overlapping, and there is no longer any recoverable data ‘between’ the tracks."
"Remembrance of Data Passed: A Study of Disk Sanitization Practices" Simson Garfinkel, Abhi Shelat of MIT http://www.scribd.com/doc/7156294/Disk-Sanitization-Practices
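
Added example, not part of the answer above or of NIST SP 800-88: a single fixed-pattern pass (zeros or, as the question asks, all ones) followed by the read-back verification the answer mentions. It assumes GNU coreutils; the function names are hypothetical and the demo runs on a constructed image file rather than a drive.

```bash
#!/usr/bin/env bash
# Added example: one fixed-pattern overwrite pass plus read-back verification.
# Assumes GNU coreutils (dd status=none, conv=fsync). Function names are made up.
export LC_ALL=C   # make tr operate on raw bytes

# Size in bytes of a block device or regular file.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1"; fi
}

# overwrite_fixed TARGET OCTAL: fill TARGET with one byte value,
# e.g. 000 for all zeros or 377 (0xFF) for all ones.
overwrite_fixed() {
    local target=$1 octal=$2 size
    size=$(target_size "$target") || return 1
    # /dev/zero only yields 0x00, so tr maps it to the requested byte.
    head -c "$size" /dev/zero | tr '\000' "\\$octal" |
        dd of="$target" bs=1M conv=notrunc,fsync status=none
}

# residual_bytes TARGET OCTAL: print how many bytes differ from the pattern.
# 0 means every addressable byte now holds the pattern.
residual_bytes() {
    tr -d "\\$2" < "$1" | wc -c
}

# Demo on a constructed 4 MiB image file instead of a real drive.
demo() {
    local img
    img=$(mktemp) || return 1
    head -c 4194304 /dev/urandom > "$img"      # stand-in for old data
    overwrite_fixed "$img" 377
    echo "after 0xFF pass: $(residual_bytes "$img" 377) residual bytes"
    # Simulate a region the pass missed: 512 non-0xFF bytes at offset 1 MiB.
    head -c 512 /dev/urandom | tr '\377' 'A' |
        dd of="$img" bs=512 seek=2048 conv=notrunc status=none
    echo "after simulated miss: $(residual_bytes "$img" 377) residual bytes"
    rm -f "$img"
}

demo
```

The read-back only covers what the host can address, so it says nothing about flash blocks hidden by wear leveling.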

3

Due to the microscopic nature of current HDD internals this may no longer be possible...

I once witnessed an 8" 12MB HDD having most of its data recovered after being "security wiped" with several passes of 0's, then 1's bit patterns. This may have been pre-RLL or RLE.

I do not remember if the method employed had a name, which makes it difficult for me to quote a source until the "major search engine HQ'd in Mountain View, CA" has a direct connection to my failing memory! They are probably working on that, just don't tell the tin-foil hat people that they were right all along OK?... shhhhh lol. [*]

"data recovery by adjusting head alignment" found seven million results, the first few were ads for Data Recovery services. The next few pages I looked at did not match what I had witnessed all those years ago.

As I understood it, the physical track on the cylinder surface was not fully covered by the recording head. This left a residual magnetic trace of 0's and 1's at the 'edges' of each track. So after the "erasure", the engineer slightly changed the head alignment until signals could be viewed on an oscilloscope. At that point a good percentage of the "security erased" data was recovered.

The date was not April 1st, and the engineer, a colleague, had nothing to gain, so if it was a hoax then it was a fairly elaborate one with zero payback.

I am not a hardware 'engineer' so I hope that describes the principle well enough. I am guessing that by using a more random pattern during the erase cycles, that would sufficiently 'garble' the edge of track data to make the method unviable.

I'm afraid the best tool for HDD or SSD data destruction does not run on Windoze, or any OS, not even Linux (gasp!) - First take a 20lb hammer, apply protective goggles and other safety equipment to yourself... then beat the living daylights out of it until it is dust. Then burn the dust. That method also has a side effect; it is said to be great stress reliever!

Just my two cents (two old British 'Pennies' even)

M.

[*] MartinRH's first law of security:-

"A diagnosis of Paranoia is an essential asset... for a security Professional".

MartinRH
  • 8" 12MB HDD? That dates this to at least before 1980 or so, possibly earlier, and makes it comparable to the [IBM 353](https://en.wikipedia.org/wiki/History_of_IBM_magnetic_disk_drives#IBM_353) (2^21 64-bit words = 16 MiB). – user May 24 '15 at 20:22
  • 2
    I would add one further part: use a large magnet or electromagnet (even homemade) to properly wipe it; once the whole HDD is magnetised you can probably discount anyone from being able to extract data. I have in the past seen data retrieved from physically smashed drives by reassembling platters like a jigsaw in a cleanroom and then reading data from the reconstructed disk, so mag-wiping is always a safe bet. Belt, braces and then dynamite... just to be sure. – GMasucci May 24 '15 at 20:56
  • 2
    `...this may no longer be possible...` In general, it isn't. HDD tolerances in the past 15 years or so have become too fine. – user2338816 May 25 '15 at 05:02
  • 1
    @GMasucci I'd add dissolving the whole thing in acid, just to be sure. I'd like to see someone solving *that* jigsaw puzzle :)) – Luaan May 25 '15 at 12:41
  • Now that I would like to see as well. I have seen all sorts of partial recoveries from drives which have been crushed, burned, military-grade wiped etc.; however, acid I would probably rank alongside a full mag-wipe. – GMasucci May 25 '15 at 13:24
  • 2
    Please stop spreading this myth. A 12 MB HD from the 1980s is a completely different animal than a modern HD. – Steve Sether Jun 25 '15 at 20:47
2

Drives, especially flash-based ones like SSDs, thumb drives and flash cards, don't write single bits; they write whole blocks of a larger number of bytes. You'd have to rewrite all blocks not containing only zeros anyway, or might end up rewriting a block multiple times, once for each "one" in there.

Worse, because of wear leveling techniques you can't even be sure a block actually was overwritten, writing everything at least increases chances. Read "Is it enough to only wipe a flash drive once?" for a more detailed discussion.

Jens Erat