Some technical claims, even those emanating from self-avowed IT experts, are better left in the realm of urban...
legend. Call them "digital legends," if you will.
Over time, I've been repeatedly confronted with a persistent digital legend: the idea that data written to magnetic media, such as hard disk drives, can be recovered even if overwritten, due to a quirk in the way hard drives write and read data.
Some of this notion stems from the fact that when a drive's head seeks to a given spot, it does not always seek to the exact same spot. Therefore data written to the same track might exist in a number of side-by-side iterations. So if you want to guarantee the erasure of a piece of data from a hard disk drive, you need to erase it many times over.
Scrub that disk!
This notion spurred the creation of many data-erasure products that write randomly generated data to a file or a given piece of media, and use multiple iterations of the random-erase cycle to ensure the complete destruction of data. The more erase cycles, of course, the longer the process takes. The full implementation of Department of Defense's own 5220-22.M standard requires seven discrete passes. Imagine doing seven discrete full-surface formats of a hard disk drive and you'll have some idea of how tedious this is.
The idea that "erased" data wasn't really erased seemed plausible, but admittedly only because I hadn't solicited any second opinions about the matter. Is there any evidence supporting the hypothesis that to completely erase a drive, you must erase it multiple times?
Daniel Feenberg of the National Bureau of Economic Research in Cambridge, Mass., found the idea faintly fishy, and took Gutmann's premises to task in a 2003 essay entitled Can Intelligence Agencies Read Overwritten Data?. To Feenberg, the evidence that Gutmann had assembled in his paper didn't look very solid.
Feenberg pointed out that while it was possible to use scanning electron microscopy to view images of magnetic signatures on a drive platter, that was a long way from being able to decode such things, i.e., actually assembling usable copies of erased data from them.
In the essay, Feenberg also noted that if the effect Gutmann described was real, it would cut both ways. "In one section of the paper Gutmann suggests overwriting with four passes of random data," Feenberg wrote. "That is apparently because he anticipates using pseudo-random data that would be known to the investigator. A single write is sufficient if the overwrite is truly random, even given an STM microscope with far greater powers than those in the references. In fact, data written to the disk prior to the data whose recovery is sought will interfere with recovery just as much as data written after -- the [electron] microscope can't tell the order in which magnetic moments are created. It isn't like ink, where later applications are physically on top of earlier markings." [Emphasis mine.]
Can data be recovered from erased hard disk drives?
What do data recovery experts have to say? I asked Jim Reinert, senior director of software and services for Ontrack Data Recovery whether any of this was possible. His answer was a blunt "No."
Reinert admitted that it is possible to read traces of previously written or overwritten bits, but reconstructing any usable data from them was a horse of a different color. All that's possible, he said, is to infer that something was recorded there, but not to figure out what that something was. (I concluded that since most any spot on a hard disk drive has been written to at least once during its lifetime, that doesn't tell us anything we don't already know.)
What about the disk-seeking issue, where writes to the same track might end up being in parallel? "This was more true in older hard disk drive technology when track widths were wider and aerial densities were lower," Reinert said. "In modern disk drives, the tolerances have become much smaller, so this is becoming less of an effect."
To this end, the objections about this clandestine recovery technique seem to boil down to three things:
- Nobody has ever shown they can actually do this. (This, to me, is the most important fact: No one has ever actually taken a hard disk drive, recorded data on it, overwritten the data, then attempted to recover it—let alone demonstrated that they can do this reliably.)
- No reputable data recovery expert believes this is possible or advertises that they can do it. (Do you want to end up in the position of having taken money for a service you can't provide?)
- If it isn't possible to do it commercially, there's a strong chance no intelligence agency can do it either.
Data recovery is possible: Special circumstances
There are some circumstances where pieces of data that belong to an erased file can be recovered due to the way file systems handle data. One common example of this is the cluster tip phenomenon. A file can be written to a series of clusters on a disk, then overwritten by a slightly shorter file—one which uses the same clusters, but falls shorter of filling out to the end of the last cluster than the previous file did.
In such a case, it's possible—if you are diligent, and know where and how to look—to discover the tail end of a previous file. Not much data may be recovered from the cluster tip, but it might be enough to hint at the contents of the rest of the file. The freeware Eraser utility can clean up unallocated sectors and cluster tips as part of its erasure methodology.
So what are some of the practical ways to deal with protecting confidential data without going into total overkill? Here are a few:
- Perform a single-pass random wipe of the media with an appropriate program. I'm fond of Eraser; other folks swear by Darik's Boot and Nuke (DBAN)—for no-hassle, full-disk unattended destruction. Eraser is for erasing files and disks alike; DBAN creates bootable media that performs secure erasure on whole disks. The main problem with wiping a whole disk is that it's a very slow operation. But there are workarounds, like setting up the erase process to run overnight in a locked room.
- Use on-disk encryption. This solution is not always practical; setting up encryption software demands time and effort. However, an encrypted disk can be decommissioned very quickly, since without the encryption key, whatever's stored on it is indistinguishable from random data. I've had good results using the freeware TrueCrypt. Windows Vista's own BitLocker feature can also be used to encrypt the OS partition of a Windows Vista system.
- Degaussing the media. Hard disk drive degaussers do exist—the company Data Devices International offers devices for erasing hard disk drives—but they're expensive and probably not aimed at companies that have relatively few hard disk drives that need erasing.
- Physically destroy the media in question. This is the most cumbersome method (not to mention the most labor-intensive!), but the remnants of the destroyed media can be used as hard evidence that the data—or at least this particular copy of it—has indeed been deep-sixed.
About the author:
Serdar Yegulalp is editor of the Windows Insight, (formerly the Windows Power Users Newsletter), a blog site devoted to hints, tips, tricks and news for users and administrators of Windows NT, Windows 2000, Windows XP, Windows Server 2003 and Vista. He has more than 12 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.
Hard disk drive management technical guide
Be wary of preformatted external hard disk drives
Hard disk drive MTBFs: The four biggest misperceptions
Hard disk drives dying: Six signs a hard drive is about to fail
Storage management software helps when hard disk drives fail
Quick-formatting hard disk drives: A shortcut, but safe
Erasing hard disk drive data: How many passes are needed?