Erasing hard disk drive data: How many passes are needed?

Over time, I've been repeatedly confronted with a persistent digital legend: the idea that data written to magnetic media, such as hard disk drives, can be recovered even if overwritten, due to a quirk in the way hard drives write and read data.

Some of this notion stems from the fact that when a drive's head seeks to a given spot, it does not always seek to the exact same spot. Therefore data written to the same track might exist in a number of side-by-side iterations. So if you want to guarantee the erasure of a piece of data from a hard disk drive, you need to erase it many times over.

Scrub that disk!
This notion spurred the creation of many data-erasure products that write randomly generated data to a file or a given piece of media, and use multiple iterations of the random-erase cycle to ensure the complete destruction of data. The more erase cycles, of course, the longer the process takes. The full implementation of Department of Defense's own 5220-22.M standard requires seven discrete passes. Imagine doing seven discrete full-surface formats of a hard disk drive and you'll have some idea of how tedious this is.

The idea that "erased" data wasn't really erased seemed plausible, but admittedly only because I hadn't solicited any second opinions about the matter. Is there any evidence supporting the hypothesis that to completely erase a drive, you must erase it multiple times?

The source for this primarily stems from a paper presented by Peter Gutmann at the 1996 Usenix conference. In his paper, entitled Secure Deletion of Data from Magnetic and Solid-State Memory, Gutmann claimed that it was possible to use electron microscopy to read the platters of a hard disk drive and ferret out images of data previously written and then overwritten.

Daniel Feenberg of the

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Disk Drives and Disk Arrays for Windows Case Study: Building a low-cost SATA array How to use the g4u network-based hard disk cloning utility Create a script to check integrity of your server's drives Can freezing a hard drive that's crashed restore it to life? Move from PATA to SATA could complicate data recovery Use RAID to increase write performance on three-drive arrays Stop disk drive overload to increase system performance A Windows administrator's guide to Diskpart commands Use RoboCopy to copy files from crashed hard disk drives Findpart utility locates lost partitions on disk Windows Hardware Strategies Troubleshooting your toughest Windows server crashes High-tech solutions for monitoring computer heat Server virtualization at the hardware level with Hyper-V Virtualization and 64-bit: A match made in Windows heaven How to use the g4u network-based hard disk cloning utility Multi-core processors on the desktop offer major boost When and how to migrate to a 64-bit platform 64-bit Windows – help or hype? How to install low-voltage wiring such as Ethernet or coax cable Bluetooth card reader/USB hub reads files from offbeat media

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

National Bureau of Economic Research in Cambridge, Mass., found the idea faintly fishy, and took Gutmann's premises to task in a 2003 essay entitled Can Intelligence Agencies Read Overwritten Data?. To Feenberg, the evidence that Gutmann had assembled in his paper didn't look very solid.

Feenberg pointed out that while it was possible to use scanning electron microscopy to view images of magnetic signatures on a drive platter, that was a long way from being able to decode such things, i.e., actually assembling usable copies of erased data from them.

In the essay, Feenberg also noted that if the effect Gutmann described was real, it would cut both ways. "In one section of the paper Gutmann suggests overwriting with four passes of random data," Feenberg wrote. "That is apparently because he anticipates using pseudo-random data that would be known to the investigator. A single write is sufficient if the overwrite is truly random, even given an STM microscope with far greater powers than those in the references. In fact, data written to the disk prior to the data whose recovery is sought will interfere with recovery just as much as data written after -- the [electron] microscope can't tell the order in which magnetic moments are created. It isn't like ink, where later applications are physically on top of earlier markings." [Emphasis mine.]

Can data be recovered from erased hard disk drives?

What do data recovery experts have to say? I asked Jim Reinert, senior director of software and services for Ontrack Data Recovery whether any of this was possible. His answer was a blunt "No."

Reinert admitted that it is possible to read traces of previously written or overwritten bits, but reconstructing any usable data from them was a horse of a different color. All that's possible, he said, is to infer that something was recorded there, but not to figure out what that something was. (I concluded that since most any spot on a hard disk drive has been written to at least once during its lifetime, that doesn't tell us anything we don't already know.)

What about the disk-seeking issue, where writes to the same track might end up being in parallel? "This was more true in older hard disk drive technology when track widths were wider and aerial densities were lower," Reinert said. "In modern disk drives, the tolerances have become much smaller, so this is becoming less of an effect."

To this end, the objections about this clandestine recovery technique seem to boil down to three things:

Data recovery is possible: Special circumstances
There are some circumstances where pieces of data that belong to an erased file can be recovered due to the way file systems handle data. One common example of this is the cluster tip phenomenon. A file can be written to a series of clusters on a disk, then overwritten by a slightly shorter file—one which uses the same clusters, but falls shorter of filling out to the end of the last cluster than the previous file did.

In such a case, it's possible—if you are diligent, and know where and how to look—to discover the tail end of a previous file. Not much data may be recovered from the cluster tip, but it might be enough to hint at the contents of the rest of the file. The freeware Eraser utility can clean up unallocated sectors and cluster tips as part of its erasure methodology.

So what are some of the practical ways to deal with protecting confidential data without going into total overkill? Here are a few:

About the author:
Serdar Yegulalp is editor of the Windows Insight, (formerly the Windows Power Users Newsletter), a blog site devoted to hints, tips, tricks and news for users and administrators of Windows NT, Windows 2000, Windows XP, Windows Server 2003 and Vista. He has more than 12 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.

[IMAGE]
[IMAGE]Hard disk drive management technical guide
[IMAGE]
[IMAGE]  Introduction
[IMAGE]  Be wary of preformatted external hard disk drives
[IMAGE]  Hard disk drive MTBFs: The four biggest misperceptions
[IMAGE]  Hard disk drives dying: Six signs a hard drive is about to fail
[IMAGE]  Storage management software helps when hard disk drives fail
[IMAGE]  Quick-formatting hard disk drives: A shortcut, but safe
[IMAGE]  Erasing hard disk drive data: How many passes are needed?

Rate this Tip To rate tips, you must be a member of SearchWindowsServer.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.