ARTICLES

LATEST RELEASE

More information ...

Registered Office:
NotsoSoftware Ltd.
Westfield House
Bratton Road
Westbury
Wiltshire
BA13 3EP
United Kingdom
+44 (0)117 907 7037

File destruction - How many times to wipe?

One of the questions we're often asked about file destruction is about how many wipes it takes to destroy a file. Computer users create and delete files all the time, and quite apart from those files the user deliberately creates, many applications will also write temporary files while they're being worked on, viewed or modified. Left to its own devices, a typical hard drive will eventually contain many thousands of recoverable files, including temporary working copies. Deleting a file will not remove it from the drive. Deletion simply marks the space as re-usable, and the file will remain fully (or partially) recoverable until such time as the space it occupied becomes overwritten in turn by new files.

Use a utility to wipe a specific file and any temporary copies that may have been created and deleted by the system will likely still be in recoverable, initially at least. Even wiping the free space on a drive will still leave a record of deleted files in the file table, so any utility worthy of the name needs to be able to clean these records as well. Lastly, one thing lacking from the vast majority of free space cleaning utilities is the ability to self-verify, probably because these products would have to develop beyond free space cleaners into full-blown drive analyzers which could recover files as well as eradicate their traces.

Many people are aware of Peter Guttman's seminal work on hard drive wiping which describes the theory behind recovering residual data traces from historically overwritten data. Some people are aware the US military recommends seven wipe passes. Others may be aware that the US military standard isn't good enough for the British military, which advocates melting hard drives down completely. Some may even be aware that many hard drive cleaning utilities seem determined to offer ever more wipe pass capability in their product than in their competitors, using it as a selling point.

Most of the time, it may be true that 'more-is-better'. It's certainly an easy argument to make because it can sound convincing, but this time? How many times should we wipe file data to be sure of total eradication?

The truth is that the error correction technology necessary to recover files from underneath wiped data is highly technical, very demanding, not necessarily capable of accuracy (depending on the make and capacity of the drive) and has its limitations.

When a file is written to the drive, millions of magnetic molecular domains are created for each 'bit' of data that is written. To prevent the corruption of adjacent 'bits', the write current is held to the minimum necessary to perform a write operation. Conversely, if we wanted a stronger charge to apply to the polarity of the magnetic media we're writing to, we would need to increase the space between the 'bits' in order to prevent corruption, but then the drive capacity would drop commensurately.

As a result, modern magnetic coatings allow much greater data densities, but the price paid is that they're more difficult to magnetize. Because the magnetizing charge is held as low as practicable, when the same area of the disk is re-written to, many of these molecular domains stay in their original orientation. Every additional time a write operation occurs to that area, fewer of these residual domains remain in their original polarized state.

Error canceling technology works by creating a copy of the data written to the surface of the disk, cleaning it up to make a perfectly representative copy as if no magnetic domains remained unaligned at all, then comparing that to the data on the disk. Subtract one from the other by canceling out the top surface data and all we have left are the magnetic resonance traces from previously written data which can then be amplified. In theory, it’s possible to repeat the process a number of times, canceling out successive traces in turn to reveal what was written to the disk prior to the previous deleted (and overwritten) write operation.

There is a limitation to error canceling methodology, and that’s seven read / write operations. After seven writes, all residual magnetic resonance traces are so degraded they’re simply impossible to analyze. That’s why seven is the absolute maximum writes necessary to degrade trace data and why a variation of the wipe standard specified by Guttman is the one recommended by the U.S. Department of Defense.

Because the complexity of analyzing residual data traces is extremely technically demanding and expensive, the average computer user doesn’t need to be concerned with the theoretical possibility that their disk drive might be examined in this way. For them, one wipe pass is perfectly adequate. Zeroing the free space on the drive, i.e. resetting all the unmapped data ‘bits’ to null values (or randomized data) is perfectly adequate. For those working with highly sensitive data, perhaps the top levels of commerce or government, seven wipe passes is the maximum necessary to totally degrade trace data and so defeat magnetic resonance trace analysis using error correction technology.

There are though practical problems for those seeking to thoroughly clean hard drive free space of historical data traces which could, in theory, be analyzed. If we imagine a computer user has one of the new high capacity drives with perhaps 500gb of free space on it, this will typically take around twelve hours to clean with one wipe pass. Depending on how carefully (or not) the wipe software has been constructed, seven wipe passes could take up to seven times longer, or around three and a half days! This isn’t the fault of the software developers; it’s simply down to drive technology limitations on read / write speeds coupled with our desire as consumers to have ever increasing amounts of storage available to us.

For those working with highly sensitive data, the solution is perhaps obvious. Keep all such data on small capacity drives (or virtual drives) which can be realistically cleaned with multiple wipe passes and set paths for the creation of any temporary working files to the same media. For the average user, one wipe pass is perfectly adequate. There are no software based recovery utilities (such as our own Discovery Recovery) which can read data which has been wiped even once. Don't forget pluggable memory devices, such as USB memory sticks only ever require one wipe pass. For these devices, magnetic resonance isn't an issue.

If you want to know what’s on your drive, then download a copy of Discovery Recovery (or similar file recovery utility). Ours is capable of performing a forensic scan which uses pattern matching algorithms as well as signature analysis. And that means it’s capable of doing the one thing a free space wiping tool can’t do – telling you whether you should even bother with any file destruction!

For those interested in checking for themselves whether high volume data re-writes have any effective value, Peter Guttmann's own communication to the University of Stuttgart is perhaps worth reading. http://archive.cert.uni-stuttgart.de/archive/bugtraq/2005/07/msg00466.html. For your information, Peter Guttmann himself now considers anything more than two or three wipe passes to be superfluous with modern drives. When it comes to file destruction, any more than this isn't necessary.