Secure Data Deletion for the Average User
– by Rich O’Neil
There’s been a lot of talk about secure deletion of data from a hard drive. How do you ensure that no one will ever read your personal data once you’ve decided to dispose of or repurpose a hard drive? Maybe you want to hand down a hard drive to your kids but want to guard against them grabbing one of the many freely available data recovery utilities on the internet and taking a crack at your data. How do you deal with that?
Are You Sure It Has Been Deleted?
Everyone has their own idea about what level of security they need and how they should go about getting it. It’s typical to hear people talk about utilities which make multiple passes with 0’s, 1’s, and/or random data to overwrite a drive. Sounds pretty effective, but you might be surprised to learn that even that is not stringent enough for agencies like the DoD when it comes to securing data at the secret level and above. For the DoD, a degaussing or actual physical shredding of the hard drive is required. But for people like us, these methods are not practical and probably not accessible anyway. They are definitely not the way to go if you were planning to hand down a drive to one of your kids. As to why, physically shredding a hard drive to tiny little bits is fairly self-explanatory. As to degaussing, it not only wipes all user data, but every other bit of data on the drive including its firmware (its operating system) which renders the drive completely useless. So what works for us, the average user?
Some Familiar Options
Some folks think a simple partition delete, format or both is enough. That’s fine as long as they are aware that there are plenty of utilities which can easily recover data after such actions. Perhaps they truly have nothing of value on the drive though it’s unlikely. Either way, these methods only protect against someone who’s not interested in your data in the first place. Most people know better than to rely on simple measures and will choose an overwrite utility such as DBAN, CCleaner, Kill Disk, or one of a hundred others. This group of utilities all provide roughly the same functionality and level of effectiveness.
DBAN, for instance, is fairly effective and easy to use. Simply download and burn the latest .iso, then boot with it, select a hard drive, a wipe method (how many passes and what kind of data to use for the overwrite) and hit F10 to run. DBAN then runs until completion, taking your data with it. Now I kind of paraphrase here a little bit, but the DoD considers DBAN secure enough for repurposing a drive within the same organization. But it is not intended for, nor acceptable for secret levels and above. For those levels, sanitization by degaussing or shredding the actual physical hard drive is required. But we average users don’t typically have those needs, so we won’t worry about these methods.
With regard to overwrite methods – 0’s, 1’s, random data in single or multiple passes, there is considerable debate as to exactly what may be recoverable, even after a single pass. One hard drive forensics and data recovery expert, Scott Moulton, has stated (and he’s not the only one) that it is virtually impossible to read data from a hard drive even after a single over-write pass. His statement is based upon years of experience in the field of data forensics, and the fact that today’s hard drives are so much denser, with data being crammed closer and closer together which has an effect that I’ll cover in a bit. I take his statement to mean that he believes it cannot be done, and that he’s simply hedging his bets against a remote theoretical possibility when he uses the phrase ‘virtually impossible’. It’s interesting stuff, but one thing’s for certain: techs at your local big box store aren’t going to be doing any data recovery after a wipe utility has done its thing even if it was merely a single overwrite pass.
As for data itself, you may think it is nicely stored as absolute 1’s of 0’s on the surface of a spinning hard drive platter, but that isn’t the case at all. And there’s a lot more to this when you consider that the read/write head floating less than the thickness of a strand of hair above the platter surface isn’t actually reading the polarity of the tiny magnetic fields but rather the flux reversals between them. The problem that a drive head’s sense and amplification circuitry has to deal with is this: as hard drive data density increases, individual magnetic fields strength decreases making it more difficult to accurately read. In addition, there are synchronization and field separation factors to consider. But let’s keep this simple. Trying to recover data from an overwritten hard drive is an extremely complex and time-consuming process. And any chance of successfully doing so comes down to luck and some very expensive equipment.
A magnetic force microscope (MFM) is one such device, one that is far more sensitive to flux reversals than a regular hard drive head. If you work for one of those 3-letter agencies, you probably have one. So, a hard drive comes in, and you disassemble it so you can pull the platter assembly (watching the alignment between platters!) and mount it in the data recovery work station. Now all you have to do is to break out the MFM and voila!, data is recovered, right? Not exactly. Despite the advanced technology of this type of device there is still plenty of opportunity for misreads. And misreading a single bit can throw off interpretation of an entire sector. And let’s not forget other factors – encoding, interleave, etc. – that further complicate things. So where’s that critical data now? I should point out that it is generally acknowledged that the success rate in cases of overwritten data is fairly low, and even that may be talking it up some. The point is, overwriting data is a pretty darn effective way to guard against recovery. And you certainly won’t ever have to worry about your kid seeing it.
A Hidden Option?
So now perhaps we’re liking our favorite overwrite utility a bit more, right? Well before you get comfortable with that notion, you may want to familiarize yourself with Secure Erase, an ATA command set function that’s been available on all hard drives manufactured since 2001. The ATA command set specifies the set of commands which host systems (Windows, Linux, Mac, etc.) can use to access storage devices. And as it’s a part of hard drive firmware, it has advantages.
First off, Secure Erase is a higher-rated utility than those in the DBAN category because it goes beyond simply erasing all user-accessible areas. It can also wipe the normally inaccessible g-list, more commonly known as the bad blocks list. This is important because while we may think of bad blocks as areas of a disk that are unreadable, this is not always the case. More often than not, bad blocks are labeled so simply because they were taking too long for an OS to read. I believe Windows times-out a block after a period of 600ms. Regardless, the point is that there could be data on a sector that given enough time and another environment is recoverable. So that’s a +1 for Secure Erase.
Additionally, Secure Erase wipes HPA’s (Host Protected Areas) and DCO’s (Device Configuration Overlays) which are other inaccessible areas, though it’s not typical to have user data in those areas. Still…
Another plus for Secure Erase is that it performs faster that DBAN and others. That’s because while DBAN goes through the BIOS to access and control the hard drive, Secure Erase talks to the drive directly – no middleman here to slow things down. As to the actual difference in speed, I did a test pitting DBAN against SE. On a 320 GB Samsung hard drive, DBAN was able to complete a single 0’s pass in 89 minutes. SE completed its pass in 45 minutes – essentially half the time.
So that’s pretty cool. But it gets cooler still because there’s a 2nd, more advanced method of Secure Erase available. The first, which I’ve just described, is SE Normal. The second is ‘Enhanced Secure Erase’ and it claims to be faster still. Great, but what is the enhanced part?
The enhanced part involves the physical alignment of the drive head as it performs a pass. Enhanced SE makes use of an offtrack ATA command to position a drive head 5-10% to one side off the center of a track. Using offtrack positioning, Enhanced Secure Erase performs two passes – the first a little off to one side, the second a little off to the other. The end result is a wider overwritten area which assures that the edges of the track are positively overwritten. And that effectively puts an end to the idea of data recovery due to data remanance at the edges, something there’s been a lot of discussion about, mostly from days of yore. This is a beautiful thing, no? Absolutely!
So with all that going for it, why isn’t everyone using Secure Erase or Enhanced Secure Erase for data deletion? Well, mostly because it can be difficult to even begin to use. To protect against possible malware mischief or plain ol’ accidental erasure and maybe some other things, motherboard manufacturers use BIOS’s which lock out SE during boot with a Security Freeze Lock command. And this is not some user setting you might find and change, but a thing that is hard-encoded in the BIOS program itself. So if you would attempt to run SE on a drive in such a case, you’d get a message telling you that BIOS has frozen it. It can’t be done. So how does one get around this? Well you could try one of these workarounds:
1. Plug into another SATA connection on the motherboard besides SATA-0. Some BIOS’s do not send the Freeze command on all SATA channels, just to SATA-0.
2. If another computer is available, boot the drive from it. Since the freeze lock is entirely BIOS dependent, another computer’s BIOS may not freeze lock the drive.
3. If the aforementioned fail, try hot-plugging your SATA drive. Now please note before going any further that SATA cables are designed for hot-plugging, IDE cables are not. DO NOT try this with an IDE drive or you will certainly fry something. Starting with the computer off, disconnect the power cable from the drive you want to erase. Now boot up and wait until BIOS has finished the hardware detection phase. Reconnect the power cable to the drive and run the SE program. If that doesn’t work (it generally should), wait until you’ve actually booted the software, then reconnect the power cable to the drive.
One of those 3 thing should do the trick.
There are utilities out there for using Secure Erase, some of which come from SSD manufacturers, while others come from various sources including the Center for Magnetic Recording Research which provides a utility called HDDErase. My personal favorite is Parted Magic, a Linux-based utility CD which include Secure Erase. You can find Parted Magic here: http://partedmagic.com/doku.php
To run Secure Erase using Parted Magic:
- Boot with the CD to Parted Magic desktop > click the bottom left icon > System Tools > Erase Drive > and choose the last option
- Click “Continue…” > choose the drive > and click ‘OK’ to accept the empty password which is ‘NULL’
- Click ‘Yes’.
- At this point, and if your drive also supports Enhanced Secure Erase, you can select that by clicking ‘Yes’. If you choose ‘No’, you’ll simply run the normal pass. And that’s it. It’s really quite easy once you’ve bypassed the drive lockout. A word of caution here: be sure not to interrupt the process or you’ll be locked out from your drive, something you can likely recover from but not without some work.
In summary, I would say that the method you choose for data deletion will be based upon your needs. No critical data? Nothing you care really care about? Re-format and go. Personal and private data? Something from the DBAN group of utilities should cover it. If you’re a bit more paranoid, think about Secure Erase’ing the drive. It’s faster and more secure than anything out there except a shredder or big ol’ fat magnet.