Forensics: Deleting and Wiping Data

The subject of hard drive destruction, data wiping, and data deletion is the topic of numerous forums, websites, and blogs. Sadly, the vast majority of the information being published is rubbish, and is based on urban myth.

In Yahoo! Answers one commentator described deletion of files as “compression”: the more a file is deleted the “more it is compressed”, and it just gets “smaller and smaller”, until “only the police can recover it”. Bizarrely this was voted “best answer”, hopefully “best surreal answer”.

A lot of the debate about data deletion and hard drive destruction is due to a combination of urban myth, misinformation, old technology, misunderstanding, exaggeration, blaggers and trolls.

This article attempts to resolve some of these issues, and possibly explain why these myths came into existence.

File Deletion: Does this destroy data?

When a file is deleted, what happens depends on a variety of factors: how the user deletes the file, what operating system they are using, where the file exists, etc. However, in the most common file system on PCs (the Windows-based NTFS), deletion does not destroy a file but merely prevents the user from accessing the file. Then, using “specialist tools”, deleted files can sometimes be recovered.

Over a period of time the deleted file, if it is not recovered, will become destroyed/overwritten by the computer. This is not a deliberate action, rather a by-product of computer use.

[Specialist tools are not rare any more, and many can be picked up for free; however, they will not always work due to issues such as file fragmentation and user error]

It is possible that a user, in a Windows PC, can hit delete, and then moments later be unable to recover the contents of that file, even with the help of a professional data recovery company. But, this is not common and can not be guaranteed. For this reason deletion of data can not be considered “destruction”.

Hard Drive Wiping: Does this destroy data?

This is the most common myth on the internet. The term “to wipe a drive” means to overwrite every single sector on a modern hard drive with another character, often FF, or it can be a random character sequence. If this is done correctly the data cannot be recovered.

For the purposes of clarity, this will be repeated: If every single sector of a modern hard drive is overwritten, then NO DATA can be recovered, and especially not by the police. In fact companies such as Ontrack, who spend millions of dollars on research into data recovery, are not able to do this. This wiping does not need to be done 33, 12, or even 3 times. Just once.

The caveats here are “modern hard drive” and “every single sector”.

If every single sector is not overwritten then data can be recovered. Even a fragment of a file stating “The super secret account number is XXX-XXX-XXX and the password is YYYYYY” takes up just a few characters and would easily fit into a single sector; for example, the file slack of an active file can store 100s of bytes of data.

Therefore if the wiping tool does not work correctly, then a sector could be left unwiped, and that sector could contain a fragment of useful text. But with over 1,000,000,000 sectors on a 500 GB hard drive, the chance of one of them not being wiped and containing data that can be understood is minimal. In fact if 1 sector is not overwritten the chance is just 1 in a billion.

This probability of recovery is reduced when the data type is taken into account. File types such as pictures, PDFs, emails, etc., are not stored in plain text and therefore are even harder to recover. E.g. a fragment of an email with the above statement would look like total garbage when recovered from the hard drive, therefore even recovering a fragment, if that did occur, may be pointless.
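Whether a wiping tool really reached every sector can be checked rather than assumed. The following is an added example, not part of the original article: it scans a disk image sector by sector and lists every sector that is not entirely the wipe byte. It assumes a fixed-byte wipe such as FF and 512-byte sectors, and the sample image is constructed for the illustration.

```python
import io

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors


def find_unwiped_sectors(stream, fill=0xFF, sector_size=SECTOR_SIZE,
                         chunk_sectors=2048):
    """Scan a binary stream; return (unwiped sector indices, sectors scanned).

    A sector counts as wiped only if every byte equals `fill`. This verifies
    fixed-byte wipes; a random-pattern wipe cannot be checked this way.
    """
    expected = bytes([fill]) * sector_size
    unwiped, index = [], 0
    while True:
        # Buffered files and BytesIO return full chunks until end of data.
        chunk = stream.read(sector_size * chunk_sectors)
        if not chunk:
            break
        for off in range(0, len(chunk), sector_size):
            sector = chunk[off:off + sector_size]
            # A short final sector is compared against an equally short pattern.
            if sector != expected[:len(sector)]:
                unwiped.append(index)
            index += 1
    return unwiped, index


def scan_bytes(data, fill=0xFF, sector_size=SECTOR_SIZE):
    """Convenience wrapper for in-memory images."""
    return find_unwiped_sectors(io.BytesIO(data), fill, sector_size)


def build_sample_image():
    """Constructed 8-sector image wiped with FF, with a remnant in sector 5."""
    image = bytearray(b"\xff" * (8 * SECTOR_SIZE))
    remnant = b"The super secret account number is XXX-XXX-XXX"
    start = 5 * SECTOR_SIZE + 100
    image[start:start + len(remnant)] = remnant
    return bytes(image)


if __name__ == "__main__":
    unwiped, total = scan_bytes(build_sample_image())
    print(f"scanned {total} sectors, {len(unwiped)} not wiped: {unwiped}")
    # For a real image file: open(path, "rb") and pass the file object to
    # find_unwiped_sectors().
```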

The second caveat is “modern hard drives”.

Old hard drives, the old 10 MB physically large style hard drives, were not very efficient or accurate at writing the data to the platters.

For this reason, each time data was written onto a hard drive it was feasible that data would be written onto a different place on the physical hard drive, i.e. the actual location of data on the platters would change slightly, as the heads did not write the data correctly. Therefore, the theory goes, by using electron microscopes, it was possible to pull out the previous “shadow” data. I.e. DataTrack 1 is written onto a hard drive, then DataTrack 2 is used to “overwrite” DataTrack 1; however, due to poor alignment of heads and low quality hard drives, it is possible to read/recover DataTrack 1, and then piece together this information.

This technology makes several assumptions. 1) The hard drive is old. 2) The hard drive is not working very well. 3) The data can be recovered. 4) Enough data can be recovered, de-coded, and re-constructed to produce any information. 5) The data being recovered is so hugely valuable that it is cheaper to do this than to gain the data any other way.

Having been invited to a tour of a facility in the US which claims to do exactly this type of recovery, it is fair to say that recovery attempts of this nature did, at some point, exist. However, technology has long since moved on.

Modern hard drives are far more compressed, with smaller hard drives containing 1,000 times more data. This alone makes the old method redundant. In addition to this, modern hard drives have multiple heads, with data on both sides. This means that piecing together data on different sides of multiple platters is an almost impossible task.

For this reason no commercial company is able to recover data from a wiped drive. It should be emphasized that US and UK government agencies use commercial companies for even the most sensitive data recoveries, as the corporate sector is far more advanced in this arena. The Columbia NASA disaster, parts of the 7/7 investigations, and the Madrid bombing investigations all required data recovery and all were passed out to commercial companies.

Therefore the idea that GCHQ or MI5 has a super secret lab that can recover data from a wiped drive belongs to the world of fantasy.

With that said, the government still has some pretty old technology in existence, and tools (and users) cannot be guaranteed to work properly first time. For this reason government-approved wiping tools are always required to wipe data using multiple attempts. This is the most likely reason why the myth about multiple wipes, and electron microscopes, still persists.

But, in the real/modern world any data wiped once is destroyed, and unrecoverable.

How to destroy a hard drive?

Due to stories in the media, which are carefully placed by the PR companies for data recovery companies, it is often believed that anything can happen to a hard drive and the “experts in clean rooms” can recover this data.

Sadly, this is simply not true. The deliberate damage being forced on the innocent hard drives, by the PR controlled media, is almost as controlled as the reporting, with predictable outcomes. This gives the data recovery company the best chance of recovering the data.

Firstly it must be understood how a hard drive works. A hard drive, in brief, has: Platters which contain the data, heads which read the data on the platters, a motor which spins the platters, and a circuit board which controls the heads and motors, and talks to the computer.

Out of all of these parts the platters are the only parts which cannot be replaced in a data recovery process.

Data Recovery Myth 1: Fire

Hard drives are often set on fire to test the ability of a company to recover them. Fire will not touch the platters, which are well protected in the casing, though it may damage the circuit board, which is the easiest part of the hard drive to replace.

Data Recovery Myth 2: Water

Water is more of a risk to hard drives than fire, as the water and dirt can get in through the hard drive casing and onto the platters. This can be resolved by washing the platters with clean water, drying them out, polishing them, and replacing them into a working hard drive.

Data Recovery Myth 3: Electric Shock

Electric shocks are sometimes put through hard drives. This will only damage the electronics, all of which can be replaced, and not the data.

Data Recovery Myth 4: Drop/Hit

Hard drives are often subjected to a variety of impacts: being dropped out of a window, driven over by a tank, or thrown out of a car. Most of these tests have little effect on the hard drive, as it has been powered down first and therefore the heads will not “crash” into the platter. The tests are also not as bad as some may seem: the tank does not put all its weight onto the hard drive, only some of it, and being dropped from a car is only being dropped a few feet, and the computer/laptop will act as much of the crumple zone. Dropping the drive out of a window is likely to damage the hard drive circuit board, but this can be replaced.

The results would be very different, i.e. from 100% recovery to 0%, if the hard drive was hit while it was spinning. Simply placing a scratch along the length of a platter would prevent recovery of data.


13 Responses to “Forensics: Deleting and Wiping Data”

  1. Forensics: Wiping a Drive « Data - Where is it? Says:

    […] by Rob There is a lot of misleading information on the internet in relation to the deletion and destruction of data. Some of this is due to confusion in language, e.g. the difference between wiping and deletion and […]

  2. Forensics: NTFS Deleted Entry « Data - Where is it? Says:

    […] NTFS Deleted Entry Posted on April 28, 2009 by Rob When a file is deleted in NTFS, it is marked as deleted within the MFT entry for that […]

  3. How do you get a job in computer forensics? « Data - Where is it? Says:

    […] a couple of days), strange terminology (MFT, resident data, imaging, cloners, etc), urban myths of recovering data from fried hard drives, and an almost mythical elite of counter terrorism specialists with  ninja skills picking their […]

  4. Forensics: Can data forensic companies retrieve overwritten data? « Data – Where is it? Says:

    […] Though its a common fallacy that data be recovered once overwritten […]

  5. How do you destroy a hard drive? « Data – Where is it? Says:

    […] wiping data is not formatting or deleting data. It is wiping every single sector on a hard […]

  6. Bill Bartmann Says:

    Cool site, love the info.

  7. Brian Says:

    Yea, well. I am in construction and due to the economy and rainy weather we are not working much.. Because of this I am going to take 3 of my 4 hard drives “about 3.5 TB” in all and put them in old computers I have stored away, rebuild the computers and try to sell them for extra cash.

    I run/ran a side business of computer repair, consulting and business logo/graphics design. So therefore I do a lot of financial and related business on my computer. I have account information and my CC transactions on file on my computer. Thanks for the information on wiping my hard drives properly. I will likely sell the computers at a large flea market for $150 to $200 each. I REALLY do not want some no-name “or anyone” getting my financial information. Thanks again everyone.

  8. Strokerace Says:

    Too bad any data can be recovered from your hard drive, even after it's been wiped. Where this person came up with this info is beyond me. I wrote a paper on this in 2005 and was posted on a securities site. I have used simple free software for my test, and they can all recover data that has been WIPED. I have been doing it for years. Can even recover data after a Gutmann wipe has been performed on a hard drive. I have recovered data after it's been 33 layers deep.

    • 585 Says:

      I am quite convinced you can’t, though would be very happy/pleased if you were right. I can send you a blanked device and see if you can recover the data, if you like.

    • PD Says:

      Would it be possible to direct me towards your paper? I’m carrying out an Investigation on data wiping and recovery and if I’m honest, I’m at a loss. I’m really at the end of my tether and would be really grateful for some help and a point in the right direction.

    • Kevin Egelston Says:

      I have performed the same tests unsuccessfully. No data was recoverable after a single wipe. I used multiple tools. I think you may be confusing format/delete with wiping or the wipe tools you tested with are subpar.

  9. secret.rar – jan huijben Says:

    […] another 64 character string  for the password. I wiped (35 passes) the notepad file containing both passwords and deleted it. […]
