It seems that there are still many people who do not understand what happens when storage media such as a hard drive or a flash-based thumb drive is wiped with a single pass. Many of the comments left about my last article on other websites were still spreading the myth that a single pass is insufficient. So I’ve written yet another article, this time with screenshots.
I’ve outlined the entire process in the steps below. In short: I wiped a thumb drive with a single pass, reformatted it with the FAT32 file system, created a text document and recorded the sectors it occupied, then re-wiped the thumb drive with a single pass and documented what was left at those sectors.
This was all done with EnCase Forensic, WinHex and the Hard Disk Wipe Tool.
Step 1
Using the Hard Disk Wipe Tool 2.35.1178 I wiped my 1GB thumb drive.
Essentially the software is “writing zeros” to the storage media: it goes from the first sector to the last and writes a zero to every byte, in one single pass, not multiple passes.
Step 2
I then verified that the thumb drive was wiped. See the screenshot.
This first screenshot is a view of the start of the thumb drive in WinHex. You can see that this portion is entirely zeroed out: no file system, no files, no data of any kind exists on this thumb drive any longer. The rest of the drive (every sector) is completely zeroed as well.
Step 3
I then formatted the thumb drive with the FAT32 file system using Windows XP.
After clicking yes I then filled out the options to do a normal format of the media with FAT32.
After formatting the media I then proceeded to view the first sector of the disk with EnCase Forensic software as seen in the next screenshot. Notice that it has been formatted with the FAT32 filesystem.
Step 4
I then created a text document on the media using Windows Explorer. The text document is named “JUSTATEXTDOCUMENT.txt”, and you can see the name and the directory entry on the disk in this next screenshot.
Notice that the volume label of the thumb drive is “ANTIFOR”, and you can also see the 8.3 short name the file system generated for the file.
Step 5
A few sectors further on you can see the start of the text document, which consists of the phrase “I am just a text document.” copied and pasted quite a few times.
All of these screenshots come from actual professional computer forensics software, one of the most widely used forensics packages in the world, which carries a hefty price tag of right around $3,000 USD per license/dongle.
Step 6
I then re-ran the Hard Disk Wipe Tool 2.35.1178 and have re-wiped my 1GB thumb drive.
This first screenshot shows the first sector of the thumb drive where you previously saw data for the FAT32 file system.
Notice that there is now no data at this sector.
In this next screenshot you will see sector 4032 which previously had the file entry where you could see the filename for the document.
Notice that there is nothing there anymore. The single pass has completely wiped out file information for the text document.
Let’s look at the contents of the text document now in sector 4040.
Need I say more about this screenshot?
The fact is, nothing exists on this thumb drive anymore that can be recovered with any data recovery software or computer forensics software: every sector the drive presents has been overwritten, and those tools can only read what the drive presents. (One caveat that does not change this result: a flash drive’s controller remaps physical blocks for wear leveling, so an overwrite issued through the drive’s logical block interface is not guaranteed to reach every physical NAND block. That is a property of the hardware, not an argument for extra passes; additional passes through the same interface reach the same blocks.)
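The six steps above can be replayed on a disk image without a thumb drive or EnCase. The script below is an added example, not part of the original article or the Hard Disk Wipe Tool: it builds a small constructed image that mimics the article’s layout (a FAT32-style boot sector at sector 0, a volume label and 8.3 directory entry at sector 4032, the text at sector 4040), performs one sequential zero pass over it, and then does the Step 2 verification programmatically by scanning every sector for non-zero bytes. The sector size (512), the image size and the exact bytes written are assumptions for illustration. The same functions work on a block device such as /dev/sdX when run with sufficient privileges.

```python
"""Single-pass zero wipe plus sector-level verification (added example).

Assumptions (mine, not the article's): 512-byte sectors, a 2 MiB constructed
image in place of the 1GB thumb drive, and the article's sector numbers for
the directory entry (4032) and the file contents (4040).
"""
import os
import tempfile

SECTOR = 512


def _size(f):
    """Size in bytes of an open file or block device (os.path.getsize reports 0 for devices)."""
    end = os.lseek(f.fileno(), 0, os.SEEK_END)
    os.lseek(f.fileno(), 0, os.SEEK_SET)
    return end


def wipe_single_pass(path, chunk_size=4 * 1024 * 1024):
    """Overwrite every byte of `path` with zeros in one sequential pass.

    This is what the Hard Disk Wipe Tool or `dd if=/dev/zero` does: a single
    write from the first sector to the last.  Returns the number of bytes written.
    """
    zeros = bytes(chunk_size)
    with open(path, "r+b", buffering=0) as f:
        size = _size(f)
        written = 0
        while written < size:
            n = min(chunk_size, size - written)
            written += f.write(zeros[:n])
        os.fsync(f.fileno())  # make sure the zeros reach the media, not just the cache
    return written


def scan_nonzero_sectors(path, sector_size=SECTOR, limit=10):
    """Return [(sector_index, offset_of_first_nonzero_byte)] for up to `limit`
    sectors that are not all zeros.  An empty list means the whole media is
    zeroed, which is the check the article does by eye in WinHex (Step 2)."""
    found = []
    with open(path, "rb", buffering=0) as f:
        idx = 0
        while True:
            sec = f.read(sector_size)
            if not sec:
                break
            if sec.count(0) != len(sec):  # cheap all-zero test
                found.append((idx, next(i for i, b in enumerate(sec) if b)))
                if len(found) >= limit:
                    break
            idx += 1
    return found


def find_sectors_containing(path, needle, sector_size=SECTOR):
    """Sector indexes whose contents include `needle` (a bytes pattern that fits in one sector)."""
    hits = []
    with open(path, "rb", buffering=0) as f:
        idx = 0
        while True:
            sec = f.read(sector_size)
            if not sec:
                break
            if needle in sec:
                hits.append(idx)
            idx += 1
    return hits


def run_demo(path=None):
    """Build the constructed image, record what is visible, wipe it once, record again."""
    cleanup = path is None
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".img")
        os.close(fd)
    phrase = b"I am just a text document. " * 18      # Step 5 contents (constructed)
    entry = b"JUSTAT~1TXT"                            # 8.3 name field of the directory entry (assumed)
    label = b"ANTIFOR    "                            # 11-byte volume label field
    with open(path, "wb") as f:
        f.write(bytes(4096 * SECTOR))                 # blank 2 MiB image
    with open(path, "r+b") as f:
        f.seek(0); f.write(b"\xEB\x58\x90MSWIN4.1")   # FAT32 boot sector jump + OEM name
        f.seek(510); f.write(b"\x55\xAA")             # boot signature
        f.seek(4032 * SECTOR); f.write(label + b"\x08" + bytes(20) + entry)
        f.seek(4040 * SECTOR); f.write(phrase)
    look = lambda: {
        "nonzero": scan_nonzero_sectors(path),
        "entry_sectors": find_sectors_containing(path, entry),
        "text_sectors": find_sectors_containing(path, phrase[:26]),
    }
    before = look()
    written = wipe_single_pass(path)
    after = look()
    if cleanup:
        os.remove(path)
    return {"bytes_written": written, "before": before, "after": after}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Before the pass the scan reports exactly three non-zero sectors (0, 4032 and 4040), and the directory entry and the phrase are found where they were written; after the pass every list is empty. Note that `find_sectors_containing` only matches a pattern that lies within one sector, so when searching a real image for a long file, search for a short distinctive prefix as the demo does.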
What about magnetic force microscopy?
There has been some confusion about magnetic force microscopy and what I’ve done (probably because my writing skills are a bit lacking). A magnetic force microscope scans the surface of magnetic storage media such as a hard disk platter and produces an image of the magnetization, from which an analyst tries to infer the values the bits held before they were overwritten. I have not used one, and base the following on the sources at the end of this article.
Previous comments suggested that data could be retrieved from a wiped drive using magnetic force microscopy. In plain English, the claim is that this method can determine the state a bit was in before it was changed: if a bit was a 1 and is now a 0, the residual magnetization is supposed to reveal the earlier 1. It is said to be easier on older, low-density media and harder on newer media.
It would take many months to image even a small hard drive this way.
Let’s try to understand what that would mean in practice. Human-readable data is made up of many bits; a single ASCII character is one byte, 8 bits. If even one of those bits is recovered incorrectly, the byte has a completely different value, and so does the character it represents.
For example, take the ASCII word “anti”. Its binary equivalent, one byte per character, is: 01100001 01101110 01110100 01101001
Let’s say that using an MFM the last bit was read incorrectly as a 0 when it used to be a 1. What do we have now?
The word: anth
This word is completely different, and only one bit out of 32 was wrong. Now apply this to structured files such as databases, archives or encrypted containers, where the rest of the data is interpreted relative to earlier bytes. A single incorrectly recovered bit can corrupt everything that depends on it.
I may be making it sound as if magnetic force microscopy is only sometimes wrong when imaging platters. The method is very unreliable, costly and time consuming. Right now, don’t count on it being used against modern hard drives.
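The “anti” to “anth” illustration above generalises: if each bit is recovered independently with probability p, a byte comes back intact with probability p^8 and an n-byte run with probability p^(8n). The script below is an added example, not part of the original article or of any cited paper; it encodes a string as bits, flips a chosen bit, computes those probabilities, and simulates a read in which every bit is recovered with an assumed accuracy. The accuracy values used in the demo are assumptions for illustration, not measurements from the sources listed below.

```python
"""Bit-error arithmetic behind the "anti" -> "anth" example (added example).

The per-bit accuracies passed to the demo are assumed values, not figures
from the SANS or Gutmann sources cited in the article.
"""
import random


def to_bits(data: bytes) -> str:
    """Binary string of `data`, most significant bit first, 8 bits per byte."""
    return "".join(f"{b:08b}" for b in data)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return `data` with one bit inverted; bit 0 is the MSB of the first byte."""
    buf = bytearray(data)
    byte_i, bit_in_byte = divmod(bit_index, 8)
    buf[byte_i] ^= 0x80 >> bit_in_byte
    return bytes(buf)


def p_byte_correct(p_bit: float) -> float:
    """Probability all 8 bits of one byte are recovered correctly (bits assumed independent)."""
    return p_bit ** 8


def p_all_correct(p_bit: float, n_bytes: int) -> float:
    """Probability an n-byte run (a sector, a record, a key) comes back intact."""
    return p_bit ** (8 * n_bytes)


def simulate_recovery(data: bytes, p_bit: float, seed: int = 1):
    """Model a read in which each bit is recovered correctly with probability p_bit.

    Returns (recovered_bytes, number_of_bytes_that_match_the_original).
    A seeded RNG keeps the run reproducible.
    """
    rng = random.Random(seed)
    out = bytearray(data)
    for bit in range(len(data) * 8):
        if rng.random() >= p_bit:          # this bit was read wrong
            out[bit // 8] ^= 0x80 >> (bit % 8)
    matches = sum(1 for a, b in zip(out, data) if a == b)
    return bytes(out), matches


if __name__ == "__main__":
    word = b"anti"
    print(word, to_bits(word))
    print("last bit flipped:", flip_bit(word, 31))        # b'anth'
    phrase = b"I am just a text document."
    for p in (0.5, 0.9, 0.99):                            # assumed per-bit accuracies
        rec, ok = simulate_recovery(phrase, p)
        print(f"p_bit={p}: P(byte)={p_byte_correct(p):.4g} "
              f"P(512-byte sector)={p_all_correct(p, 512):.3g} "
              f"recovered {ok}/{len(phrase)} bytes: {rec!r}")
```

At the coin-toss accuracy the SANS quote below describes (p = 0.5), a single byte is recovered correctly one time in 256 and a 512-byte sector with probability 2^-4096; even at 99% per-bit accuracy a whole sector survives with probability below 10^-22.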
Read more: other sources of information on this.
SANS Computer Forensics blog on magnetic force microscopy:
“The basis of this belief that data can be recovered from a wiped drive is based on a presupposition that when a one (1) is written to disk the actual effect is closer to obtaining a 0.95 when a zero (0) is overwritten with one (1), and a 1.05 when one (1) is overwritten with one (1).
This can be demonstrated to be false.”
“In many instances, using a MFM (magnetic force microscope) to determine the prior value written to the hard drive was less successful than a simple coin toss.”
Secure Deletion of Data from Magnetic and Solid-State Memory, by Peter Gutmann (the 35-pass wipe originated with this paper):
“Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don’t see how MFM would even get a usable image, and then the use of EPRML will mean that even if you could magically transfer some sort of image into a file, the ability to decode that to recover the original data would be quite challenging.”
Excellent article! Thank you for sharing.
hot article.
Yup.
That’s what dd if=/dev/zero of=/dev/hda does to a hard drive.
Provided you work in a shell in UNIX or Linux.
Or you could use,
for (( i = 0; i < 10; i++ )); do
    dd if=/dev/urandom of=/dev/hda bs=4M
done
dd if=/dev/zero of=/dev/hda bs=4M
Or
shred -n 5 -z -v /dev/hda
Or just take a large sledgehammer to it and pretend it’s a railroad spike.
Just saw this, and thought I’d comment on: “In many instances, using a MFM (magnetic force microscope) to determine the prior value written to the hard drive was less successful than a simple coin toss.”
If this is actually true, then whoever was doing the analysis was interpreting the results backwards. (I.e., if the results were interpreted the opposite way, MFM would outperform the coin flip.)
Sorry for the… pedant-ness, but when you’re talking about bits… that one should be obvious.
Thank you very much for this article you sure saved a lot of us a lot of hours just giving us this great piece of information!
I’m no IT; in fact I’m just a nurse who knows enough about computers, and this really helped me have a little peace of mind and a lot more hours of sleep… thanks!
Good article mate!
I’ve used wiping programs and encryption for years! Typically, I’d set the disks for a three-pass wipe, zeros, ones, zeros, and then a file-slack wipe using the same pattern.
BCWipe for Linux is a fantastic product – I’ve a cron that wipes every disk, every night on my main file servers, as it saves much hassle…
I’ll re-adjust my schedules now, save some wear and tear on my drives…
Yeah you’ll save a lot of wear and tear on your disks. BCWipe for Windows is really great as well. They make an excellent product.
If you’re using the bourne-again shell (bash) on those servers remember to wipe the .bash_history file under each user profile as well. Especially if it resides on an unencrypted partition. I think it can be disabled as well. I came across a warez server at one point which had encrypted partitions for file storage and log files had been moved to the encrypted partitions. Unallocated filespace was being wiped as well. The only thing is, the operators were not cleaning up their bash history and it wasn’t much of a secret what the server was being used for at that point.
I don’t know if it’s true; if it is, then why does top secret data have to be physically destroyed?
I think it’s a combination of paranoia and ignorance mainly. I bet there’s also that fear of the unknown. What if someone somewhere has a working method or what if in the future a working method is found that is more reliable than MFM. You know it’s quicker and easier for the feds to just destroy the physical media and use their unlimited purchasing power to buy new hard drives as well.
Ok, so the test was done on a jump drive. Would the results from a HDD with platters have the same result? I’d love to see that test.
Hey Tim,
Yep, the exact same results. What it comes down to is that the data is all just bits or “1s and 0s”, a binary value. When you modify these 1s and 0s you change all data that is interpreted from those strings of 1s and 0s.
Take the ASCII character “A” for example. Maybe you have a text document that starts with the letter “A”. This ASCII character is made up of 8 bits in this order: 01000001
This is how the data will be interpreted from the HDD with platters or flash drive or whatever digital media you’re talking about. Now if you change those two bits with the binary value “1” to “0”, then you’ve no more letter “A”. It is gone. If you do this to your entire digital media (HDD, floppy drive, flash drive, etc.), then you’ve effectively “wiped” all data.
There are advanced techniques for attempting to determine the previous state of the actual magnetized material on the platters of a hard drive but the success rate with modern hard drives and restoring just one bit successfully was less successful than flipping a coin. That reference is at the end of the article. Just think, you’d need 8 successful bit recoveries in a row to even recover the letter “A”. Now how about recovering more complex data stored in a complex structure such as a database or even just an image?
This is all very good and I have no doubts that it works on either flash or HDD. But the problem is that it is more often necessary to wipe only the free space of a working HDD so that, in case it comes into the hands of a specialist, 1) no old (deleted) data can be restored from space marked as free and 2) no log files and different temp files are found. And I’m not sure if an entirely encrypted HDD can help 100%…
Yes you’re right, there are plenty other articles on here about deleting various logs and other active data on a Windows system and more often than not you’ll just need to wipe free space and logs.
Max, thanks for your efforts on this. Excellent!
Maybe you’re right that after one pass it is impossible to recover erased data.
But then… why are there many data wipe programs that do this in multiple passes? Do they lie to us?
The most recent example is the options that were added recently in the latest versions of CCleaner.
I use a combination of TrueCrypt, CCleaner, Active@ ZDelete, Active@ Eraser and some reg files to delete the history folders of Flashget and other software.
I have just read this :
“the most recent example are the options that were added recently in the latest versions of CCleaner.”
CCleaner is shit software: I have repaired so many configs in Spain damaged by this shit.
“why are there many data wipe software that do this in multiple passes? they lie to us?”
Exactly, they lie:
A hard disk drive with RLL encoding: 512 bits of data + 160 bits for the integrity data check.
When you fill up the hard drive with the hex value 00, you change the 512-bit sector and the 160-bit integrity check; the only thing that you don’t check is the bits left to physically locate the sector (this is not true for Hitachi/IBM drives, for example).
I have known for a while that multiple-pass erasing is a bad joke.
The worst thing:
when you use multiple-pass wiping, you reduce your hard drive’s lifetime, and this is … true at 1 000 000 %!!
So don’t listen to the “stupid security guys” about multiple passes…
I have 15 years of experience in this: when I told these “guys”, OK, I give you a fully wiped drive, prove to me that you can recover the data, they didn’t try to prove what they say about multiple passes: they lie, that’s all.
Thanks for the article. I’m in the data recovery business and have been telling people this for years. Most people just don’t want to listen. The next time I get a customer requesting data be recovered from an overwritten drive I’m sending them to this article for an education.
I recently did a free space wipe on my Mac with Disk Utility. The problem is that now when I start the computer the hard drives don’t show up on my desktop, and the last time I had to perform a complete re-imaging of the drive because no OS would boot up… Does the free space wipe sometimes write over boot sector data or ???
In ’05 I regularly used Window Washer with Gutmann passes. It didn’t stop EnCase finding stuff on my PC.
I’m now using CCleaner, but I don’t have faith it can defeat EnCase. Window Washer made the same claims CCleaner does, and look where that got me.
I found out the hard way that EnCase can get around so-called file deleters and HDD wipers.
CCleaner and Window Washer are really just part of the package of file destroying tools you should be using. There are so many artifacts that Windows creates that it boggles the mind.
Now had you wiped a hard drive fully, every sector, there would have been little to nothing found. An examiner would view the disk with EnCase and not discover anything.
Feel free to share more about your situation if you would like. Such as what artifacts got you convicted.
Use a LIVE Linux CD or DVD.
Learn how to use a Live Linux CD. It already has Firefox and all the web utils, plus you can add packages and REMASTER IT to suit your needs.
It requires NO, yes I said NO, hard drive.
You can remove that hard drive from the computer and it still works. You just have to run the internet setup (or connection), which should be on the virtual desktop, to get on the web.
Save all your stuff you get off the web in your documents folder, but before shutting down put your thumb drive in and save to it, because once you shut it all off everything you did in that session is HISTORY!
Learn puppy–it’s the smallest and friendliest Linux OS .
If they cannot unerase it they have NOTHING.
And what about the space between tracks? A write should affect the neighborhood of the block.
This used to be a problem and is the reason for the old wives (geeks) tale of wiping a bazillion times, just to be sure. HDDs have come a long way and where they use to have tracks about 3 inches wide (not really, but you get the point), the tracks are so small that this is a non-issue with “modern” drives.
What about “Eraser” from SourceForge.net? It offers 1-pass, 7-pass (DoD) and 35-pass (Gutmann) options. At work we use that for sensitive files (financials, clients, etc.), but is it just providing a false sense of security or is it really doing the job?
I use eraser as well and it does as advertised. You only need to perform a single pass in the end but if you are using Windows, there are a lot of areas that data can be cached to. Best thing to do is take your most common file type that you wipe that is client related, and see where it is cached across the drive, besides the active file itself. Then you can use something like CCleaner with custom rules to erase/wipe the various locations and perform a wipe of unallocated or free filespace with eraser after.
Another thing to look into obviously is full disk encryption on your systems.
It doesn’t offer a false sense of security; there’s no way anyone will recover any files after you do that Gutmann wipe, but the same would be true if you did a 1-pass wipe. You’re just wasting time and shortening the lifespan of your HDD by doing so many passes. I can assure you no one will be able to restore anything that has been wiped with a single pass. So I recommend you stop wiping those sensitive files with 35 passes and just do a simple overwrite (1 pass).
Has anyone ever heard of QUINCY? It’s supposedly a CIA computer forensics tool that has been used by DCFL (Defense Computer Forensics Laboratory) in at least two military child pornography cases. In one case, it was supposedly used to “find” deleted and overwritten data that ENCASE and iLook and several other forensic tools couldn’t “find”. When the defense asked to have access to QUINCY, they were denied and told that QUINCY was actually never used except to “verify” what ENCASE supposedly found after two years of searching! One of the agents who conducted the forensic examinations and who later testified at trial had actually lied on the stand during another high profile case (U.S. v Al Halabi). The agent’s name is Eric O’Keefe. Does anyone know anything about QUINCY or O’Keefe?