It seems that there are still many people who do not understand what happens when storage media such as a hard drive or flash based thumb drive is wiped with a single pass. There were many comments left about my last article on other websites where people were still spreading the myth that a single pass is insufficient. So I’ve created yet another article, this time with screenshots.
I’ve outlined the entire process in the steps below. Basically what I’ve done is wiped a thumb drive with a single pass and then reformatted the thumb drive with the FAT32 file system. I then created a text document, documenting the sectors it was located in. I then re-wiped the thumb drive with a single pass and documented the results.
This was all done with EnCase Forensic, WinHex and the Hard Disk Wipe Tool.
Step 1
Using the Hard Disk Wipe Tool 2.35.1178 I have wiped my 1GB thumb drive.
Thumb Drive Being Wiped
Essentially what this software is doing is “writing zeros” to the storage media. This is done with one single pass, not multiple passes. Meaning it goes from start to end, zeroing every sector on the media.
Step 2
I then verified that the thumb drive was wiped. See the screenshot.
Sector 0 After Wipe - WinHex
This first screenshot is a view of the start of the thumb drive with WinHex. You can see that this portion is entirely zero’d out. No filesystem, no files, no data period exists on this thumb drive any longer. The rest of the drive (every sector) is completely zero’d as well.
Step 3
I then formatted the thumb drive with the FAT32 file system using Windows XP.
After clicking yes I then filled out the options to do a normal format of the media with FAT32.
After formatting the media I then proceeded to view the first sector of the disk with EnCase Forensic software as seen in the next screenshot. Notice that it has been formatted with the FAT32 filesystem.
Sector 0 After Formatting
Step 4
I then proceeded to create a text document on the media using Windows Explorer. The text document is named “JUSTATEXTDOCUMENT.txt” and you can see the title and file entry on the disk in this next screenshot.
Sector 4032 After Text File Creation
Notice the “name” of the thumb drive is “ANTIFOR” and you can also see the 8.3 file naming standard format of the file as well.
Step 5
A few sectors more and you can see the start of the text document which consists of the phrase, “I am just a text document.” copypasta’d quite a few times.
Sector 4040 After Text File Creation
You are seeing screenshots of all of this from actual professional computer forensics software. One of the most used computer forensics software in the world which carries a hefty price tag of right around $3,000 USD per license/dongle.
Step 6
I then re-ran the Hard Disk Wipe Tool 2.35.1178 and have re-wiped my 1GB thumb drive.
This first screenshot shows the first sector of the thumb drive where you previously saw data for the FAT32 file system.
Sector 0 After Wiping
Notice that there is now no data at this sector.
In this next screenshot you will see sector 4032 which previously had the file entry where you could see the filename for the document.
Sector 4032 After Wiping
Notice that there is nothing there anymore. The single pass has completely wiped out file information for the text document.
Let’s look at the contents of the text document now in sector 4040.
Sector 4040 After Wiping
Need I say more about this screenshot?
The fact is, nothing exists on this thumb drive anymore that can be recovered with any data recovery software or computer forensics software.
What about magnetic force microscopy?
There has been some confusion about magnetic force microscopy and what I’ve done (probably because my writing skills are a bit lacking). Magnetic force microscopes move across magnetic based storage mediums such as a modern hard disk drive. It then creates images based off of the previous values of bits in these sections. I of course have not used one and instead will base my information off of the sources at the end of this article.
Previous comments suggested that by using magnetic force microscopy data could be retrieved. To summarize and use plain english, this method determines the state a bit was in before it was changed. So if a bit were a 1 and now it is a zero, this method is supposed to be able to detect that previous state. It is said that in older disk media it is easier to do this and harder with newer media.
It will take many months to actually image a small hard drive using this method.
Lets try and understand this process though. First, human readable data is made up of many bits. A single human readable ASCII character is equal to 8 bits or a single byte. If even one of these bits is recovered incorrectly, then the byte is a completely different value and our human readable ASCII representation of those groups of bits is completely different.
For example, take the ASCII word “anti.” The binary equivelant of this word is: 01100001011011100111010001101001
Lets say using a MFM the last bit was read incorrectly as a zero when it used to be a 1, what do we have now?
The word: anth
This word is completely different. Now apply this to compound files such as databases, archives, or other files like encrypted containers. If one bit is recovered incorrectly it can negate all of the results and provide corrupted data.
I think I’m making it sound like magnetic force microscopy is only sometimes incorrect when imaging platters. This method is very unreliable, costly and time consuming. Right now, don’t count on this method really being utilized on modern hard drives.
Read More! Other sources for information on this.
Sans Computer Forensics on Magnetic Force Microscopy
“The basis of this belief that data can be recovered from a wiped drive is based on a presupposition that when a one (1) is written to disk the actual effect is closer to obtaining a 0.95 when a zero (0) is overwritten with one (1), and a 1.05 when one (1) is overwritten with one (1).
This can be demonstrated to be false.”
“In many instances, using a MFM (magnetic force microscope) to determine the prior value written to the hard drive was less successful than a simple coin toss.”
Secure Deletion of Data from Magnetic and Solid-State Memory by Peter Gutmann (35 pass wipe originated from Mr. Gutmann)
“Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don’t see how MFM would even get a usable image, and then the use of EPRML will mean that even if you could magically transfer some sort of image into a file, the ability to decode that to recover the original data would be quite challenging.”
Excellent article! Thank you for sharing.
hot article.
[...] Disk Wiping – One Pass is Enough – Part 2 (this time with screenshots) [...]
Yup.
That’s what dd if=/dev/zero of=/dev/hda does to a hard drive.
Provided you work in a shell in UNIX or Linux.
Or you could use,
for (( i = 0;i<10;i++ )); do
dd if=/dev/urandom of=/dev/hda
done
dd if=/dev/zero of=/dev/hda
Or
Shred -n 5 -z -v /dev/hda
Or just take a large sledge hammer to it and pretend it's a rail road spike.
Just saw this, and thought I’d comment on: “In many instances, using a MFM (magnetic force microscope) to determine the prior value written to the hard drive was less successful than a simple coin toss.”
If this is actually true, then whoever was doing the analysis was interpreting the results backwards. (IE, if the results were intepreted the opposite way, MFM would outperform the coin flip)
Sorry for the… pedant-ness, but when you’re talking about bits… that one should be obvious.
Thank you very much for this article you sure saved a lot of us a lot of hours just giving us this great piece of information!
Im no IT in fact Im just a nurse who knows enough about computers and this really helped me have a little peace of mind and a lot more hours of sleep… thanks!
Good article mate!
I’ve used wiping programs and encryption for years! Typically, I’d set the disks for a three-pass wipe, zeros,ones,zeros and then a file-slack wipe using the same pattern.
BCwipe for Linux is a fantastic product – I’ve a cron than wipes every disk, every night on my main file servers as it saves much hassle…
I’ll re-adjust my schedules now, save some wear and tear on my drives…
Yeah you’ll save a lot of wear and tear on your disks. BCWipe for Windows is really great as well. They make an excellent product.
If you’re using the bourne-again shell (bash) on those servers remember to wipe the .bash_history file under each user profile as well. Especially if it resides on an unencrypted partition. I think it can be disabled as well. I came across a warez server at one point which had encrypted partitions for file storage and log files had been moved to the encrypted partitions. Unallocated filespace was being wiped as well. The only thing is, the operators were not cleaning up their bash history and it wasn’t much of a secret what the server was being used for at that point.
I dont know if its truth, if it is then why top secret data has to be phisically destroyed?
I think it’s a combination of paranoia and ignorance mainly. I bet there’s also that fear of the unknown. What if someone somewhere has a working method or what if in the future a working method is found that is more reliable than MFM. You know it’s quicker and easier for the feds to just destroy the physical media and use their unlimited purchasing power to buy new hard drives as well.
Ok, so the test was done on a jump drive. Would the results from a HDD with platters have the same result? I’d love to see that test.
Hey Tim,
Yep, the exact same results. What it comes down to is that the data is all just bits or “1′s and 0′s”, a binary value. When you modify these 1′s and 0′s you change all data that is interpreted from those strings of 1′s and 0′s.
Take the ASCII character “A” for example. Maybe you have a text document that starts with the letter “A”. This ASCII character is made up of 8 bits in this order: 01000001
This is how the data will be interpreted from the HDD with platters or flash drive or whatever digital media you’re talking about. Now if you change those two bits with the binary value “1″ to “0″, then you’ve no more letter “A”. It is gone. If you do this to your entire digital media (HDD, Floppy Drive, flash drive, etc.), then you’ve effectively “wiped” all data.
There are advanced techniques for attempting to determine the previous state of the actual magnetized material on the platters of a hard drive but the success rate with modern hard drives and restoring just one bit successfully was less successful than flipping a coin. That reference is at the end of the article. Just think, you’d need 8 successful bit recoveries in a row to even recover the letter “A”. Now how about recovering more complex data stored in a complex structure such as a database or even just an image?
This all is very good and I have no doubts, that it works on either flash or HDD. But the problem is, that it is more often necessary to wipe only free space of a working HDD so, that in case if it comes into hands of a specialist, 1)no old (deleted) data can be restored from space marked as free and 2)no log files and different temp files are found. And I’m not sure if entire encripted HDD can help for 100%…
Yes you’re right, there are plenty other articles on here about deleting various logs and other active data on a Windows system and more often than not you’ll just need to wipe free space and logs.
Max, thanks for your efforts on this. Excellent!
maybe you’re right that one pass is impossible to recover erased data.
but then… why are there many data wipe software that do this in multiple passes? they lie to us?
the most recent example are the options that were added recently in the latest versions of CCleaner.
I use a combination of TrueCrypt, CCleaner, Active@ Zdelete, Active@ Eraser and some reg files to delete Flashget and other softwares history folder.