March 11, 2009

Multi-Pass Erasure Myth Debunked

In his latest LTN column, Ball in Your Court, Craig Ball debunks the long-held hard drive multi-pass erasure myth, that goes like this:

"Top notch computer forensic examiners have special tools and techniques enabling them to recover overwritten data from a wiped hard drive so long as the drive was wiped less than 3 or 7 or 35 times."  The myth also goes that someone using a magnetic force electron microscope would be able to discern the trace magnetic signal left behind on a drive that wasn't wiped enough times, and somehow piece together the underlying wiped data.  Which is a leading reason why common file and disk wiping tools have included all kinds of multi-pass wiping options, ranging from the DOD-specified wipes to the massive 35 times Gutmann wipe.

One part of the myth also says that one can recover trace magnetic data from the spaces between the tracks as the drive heads don't track exactly the same on each pass when writing data.  (Think of this as the space between the grooves on a vinyl record, for those of us who fondly remember them.)

To which Craig says, "Nonsense!" and "[i]t's all a lot of hogwash, at least with respect to any drive made this century."  He explains how the vastly increased "areal density" of modern hard drives leaves little room for wiped data to be resurrected, even if it's only wiped with a single pass.  Areal density simply refers to how closely packed together all the data bits are, which allows manufacturers to place hundreds of GB on a single hard drive platter these days.

Like him, I've heard the myth for years and questioned the ability to use a magnetic force electron microscope to resurrect wiped data.  First, it would be incredibly expensive to do (but that factor only makes it impracticable).  So it was interesting to hear the results, as Craig related from several professionals performing such an experiment, was that it was less successful than a simple coin toss.

Thus he concludes:

"You only need one complete pass to eviscerate the data (unless your work requires slavish compliance with obsolete parts of Department of Defense Directive 5220.22-M and you make two more passes for good measure).

No tool and no technique extant today can recover overwritten data on 21st century hard drives. Nada. Zip. Zilch."

While fascinating from a technical perspective, the real take-away from Craig's article is the reminder that:

"The most egregious is the assumption that formatting a hard drive is the same as wiping its contents. In fact, formatting obliterates almost none of a drive's contents. Any eBay purchaser of a formatted drive can easily restore its contents."

If only I had a Google share for every time I advised someone about this danger and resulting risk.  If you are disposing of a hard drive or giving it to someone else to use, use a proper drive wiping tool first, not a simple format command.

Another good take-away is Craig's discussion of the "G List" sectors on a hard drive, and why conventional wiping cannot touch that data.  So what are those?

In essence, modern hard drives have the ability to sense when a sector is going bad (i.e., not able to store information reliably).  When that is detected, the hard drive automatically copies the contents of the ailing sector to another unused sector on the hard drive, and remaps (points) to its new location on the drive.  This map is kept in the G List on the drive, which stands for Growth List or Growing Defect List.  This is a good thing so you don't lose data to bad spots on the hard drive.  However, when you use wiping software to wipe the drive's data, it can only wipe data in the accessible areas of the drive (which include the second copies of the bad sectors).  However, the original "bad" sectors cannot be wiped by conventional software as they are not accessible to it.

But as Craig points out, for the industrious there's a cure for that as well:

"Remarkably, nearly all hard drives manufactured after 2001 incorporate the ability to rapidly and securely self-erase everything, including the G List; but, drive and computer manufacturers are so petrified you'll mess that up, they don't offer an easy way to initiate a self-destruct sequence.

For those at ease with command line interfaces, the Secure Erase commands can be run using free tools developed for the NSA and available at But be careful with these as there's no road back."

It's a good read for anyone curious (and paranoid) about securely deleting data.

Topic(s):   Electronic Discovery  |  Privacy & Security
Posted by Jeff Beard