How many passes do you need to wipe/shred your files to make them unrecoverable?

If you have private data on a recent, normal hard drive, how many passes do you need to delete the data to make it unrecoverable?

Not in the sense of a forensic team of 20 experts with a budget of 100 million euros or dollars and 10 years of time to restore a couple of bytes from a known address with 80% accuracy, but a few people with a budget of a few thousand €/$, who wouldn't spend more than two weeks on the job, and who don't know where on the drive to search.

Linux/GNU shred says in the manual:

   -n, --iterations=N
          overwrite N times instead of the default (3)

but on the one hand I heard about an NSA suggestion to overwrite 27 times, and on the other hand professional data recovery firms could not recover data from a drive that was wiped just once.

Evidence, papers, proof?

Note: What this question is not:

  • It's not about bad sectors, where data might slip through
  • It's not about old MFM/RLL drives from the early '90s
  • It's not about different tools
  • It's not so much about the method (random numbers, 0s, 0xFF and fancy patterns).
  • It's not about different techniques to wipe it securely (magnetic power, melting, filling with sand and turning).
  • It's not about special problems of flash drives

Solution 1:

Once.

Modern magnetic media are quite efficient, and leave behind very little evidence of former bit positions. What is left behind requires electron microscopes and/or high-tech magnetometric (or whatever they're called) scanners. All such devices are horrendously expensive, and even with the best equipment and most-skilled experts, it takes a monumental amount of time (think years for a single platter; all hard disks have multiple platters) and has a very high failure rate.

If you're dealing with government secrets (as the NSA is) then write-once probably isn't good enough, because China has no problem obtaining and using these devices, nor employing teams of hundreds of specialized experts to use them.

If, on the other hand, you're merely dealing with personal banking passwords and your secret pr0n stash, a single pass is plenty sufficient to render the data completely unrecoverable from any practical means.

That said, modern disks are quite fast, and unless you're wiping the entirety of a hard drive, multiple passes take so little time that there's really no reason not to do them. Thus, while the fallacy that you have to overwrite multiple times with complex patterns of passes is widespread enough that all "secure deletion" software defaults to multiple passes, there's really very little point in overriding those defaults. When I used shred (default number of passes: 3) I let it do its 3 passes; when I use Eraser on Windows (default number of passes on a file: 35), I let it do its 35 passes. (Eraser defaults to only a single pass when deleting free space on a hard drive; this, too, I let run at the default.)

So the answer to your question (How many passes are needed?) is: "One." The answer to your implied question (Should I override shred's default 3 passes?) is: "Nah."

On the other hand, if you are a secret government agent, well, one pass really isn't enough because you do have China after your data. If this is the case, though, you should be asking your superior/handler what your agency's regulations are regarding secure deletion of sensitive data, not SU. ;-)

Caveat: Flash-based media employ a system called "wear leveling" to extend the life of the device. Without going into the details of what the term means or the reasons behind it, it means that you really can't securely delete files on flash-based media unless you securely wipe the entire media, and even that can't always guarantee that the wear-leveling algorithms didn't leave behind un-wiped data that you couldn't write to. In the case of flash-based media, your best bet is to simply encrypt any and all sensitive data that goes onto it, using a strong password.

TrueCrypt's documentation includes an excellent discussion of this problem, and ways to solve it.
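As an added illustration of the single overwrite pass that the answer above recommends (this is not code from the question, the answer, shred, Eraser or TrueCrypt), the following Python overwrites a file in place and then checks the file's own bytes for a known marker. It assumes a file system that writes in place on magnetic media; on copy-on-write file systems, journals, snapshots or flash media with wear levelling the old bytes can survive at another physical location, which is exactly the caveat above. The marker string and function names are made up for the example.

```python
"""Single-pass in-place overwrite of a file, with a verification step.

Added example for this thread; it is not code from shred, Eraser or
TrueCrypt.  Assumption: the file system writes in place and the device
stores the new bytes at the same physical location.  That holds for a
plain ext4/NTFS file on a magnetic disk, but NOT for copy-on-write file
systems, journaled data, snapshots or flash media with wear levelling.
"""
import os
import tempfile

CHUNK = 1 << 16  # overwrite in 64 KiB chunks so large files are not loaded into RAM


def overwrite_in_place(path: str, passes: int = 1, final_zero: bool = False) -> int:
    """Overwrite every byte of `path` `passes` times with random data, then
    optionally once more with zeros (like `shred -z`), syncing each pass to
    the device.  Returns the number of passes actually written."""
    size = os.path.getsize(path)
    written = 0
    patterns = [None] * passes + ([b"\x00"] if final_zero else [])
    with open(path, "r+b") as fh:
        for pattern in patterns:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # make the OS push this pass to the device
            written += 1
    return written


def contains_marker(path: str, marker: bytes) -> bool:
    """Scan the raw bytes of `path` for `marker`, chunked, keeping an overlap
    so a marker straddling a chunk boundary is still found."""
    carry = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return False
            if marker in carry + chunk:
                return True
            carry = chunk[-(len(marker) - 1):] if len(marker) > 1 else b""


def demo(passes: int = 1) -> dict:
    """Write a temp file containing a recognisable marker (constructed sample
    data), overwrite it, and report whether the marker survives."""
    marker = b"SECRET-ACCOUNT-PASSWORD"  # constructed sample data
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(os.urandom(100_000) + marker + os.urandom(100_000))
        before = contains_marker(path, marker)
        size_before = os.path.getsize(path)
        done = overwrite_in_place(path, passes=passes, final_zero=True)
        after = contains_marker(path, marker)
        size_after = os.path.getsize(path)
    finally:
        os.unlink(path)  # shred would also rename and unlink; here we just delete
    return {"passes_written": done, "marker_before": before,
            "marker_after": after, "size_unchanged": size_before == size_after}


if __name__ == "__main__":
    print(demo(passes=1))
```

The fsync after each pass matters: without it the overwrite may sit in the page cache while the old bytes are still on the platter. The check only reads through the file system, so it can confirm that the logical file no longer holds the marker; it cannot see physical remnants, which is the subject of the next answer.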

Solution 2:

This is an old question but I felt compelled to throw in my two cents given that I have forensic data recovery experience.

The question being asked is purely academic, so this answer is also purely academic. Practically speaking, the accepted answer is correct; one pass is sufficient to make the data on a drive unrecoverable. However, there is a reason that governments mandate multiple passes.

People think of a hard drive as a digital device; that magnetic bits are arranged in a tight pattern and get "flipped" on or off by the drive heads. But in reality, a hard drive is an analog device as far as the physics of magnetic media is concerned. The surfaces of the platters are coated with a substrate full of magnetic dipoles that are smaller than the digital 'bit' they're encoding. Sufficient numbers of these dipoles in one orientation vs. the other constitutes a net electrical resistance at the individual bit level. It's the threshold of resistance that determines whether a bit is interpreted as a 1 or a 0, not a digital 'on' or 'off' polarity.

As far as the drive's electronics are concerned, the electrical signal coming from the heads is a modulated sine wave, not a bit stream of 1's and 0's. This is exactly the way magnetic tapes recorded audio signals decades ago -- only now the substrate is far more dense and we're using math to extract a digital signal out of the analog 'noise'.

Now, physically it's impossible to manufacture a 100% perfect platter, and even if you could, the operating environment is never 100% perfect either. At the physical scale at which modern hard drives operate, there are literally hundreds of factors that conspire to create microscopic imperfections in the signal, and they pose a problem significant enough that up to 1-2% of the space on a typical drive is "wasted" on error correction to deal with them. Your hard drive is literally recovering from errors all the time. Normal hard drive operation is actually a probability game wherein a "good" sector is merely an n% probability that the data encoded there is accurate.


Now let's look at the case of bad sectors, and you can see how the same technique can be applied to good ones.

If a sector is marked as "bad" (by the controller, not by the OS), that means that the probability of ALL of the data bits within a particular sector, when taken as a whole, has dropped below the threshold of mathematical recoverability by the drive's error correction algorithms. That does not mean the bits are actually dead; only that the controller can't be sure that they're correct.

You can, however, recover a bad sector by reading it hundreds, or possibly thousands of times depending on how bad the damage is. With each pass of the head over the "bad" sector, the sector reads in a slightly different way. The platter wobble, the temperature, the vibrations, the clock skew, etc. all may be slightly different. But if you compare each pass to the thousands of passes before it enough times, you can recover (with slightly less than absolute certainty) what data the bad sector contained before it went sour on you. This is exactly how data recovery software like SpinRite works.

Now let's apply that logic to a "good" sector. When you wiped the drive with a single pass, the controller is 100% certain that each sector contains whatever bit pattern you filled the drive with. But there are still errors in those reads, and the controller is still correcting them. Some of those errors are environmental, but there is a good chance that many of them are also remnants of whatever data was there before the sector was overwritten.

Remember that we're talking about the same technology we've used on audio tapes for decades here. Not all of those magnetic dipoles got flipped in that single pass, so there is still a "ghost" signal in the noise.

To quote Adam Savage (of the Mythbusters): "I reject your reality and substitute my own." If you take the drive's controller (with its mathematical certainty of the wiped data pattern) out of the equation and just look at the sine wave coming off the drive's electronics, it might be possible in theory to reconstruct the data that was present on the drive before it was wiped -- just like we used to do with audio tapes that had been "erased".

Or maybe not. It didn't help with the missing 18 minutes of the Nixon Watergate tapes... Or did it? ;-)


Now, is this practical? Does a device capable of doing this actually exist? Maybe. Maybe not. If it did, it would most certainly be a state secret. But since it's theoretically possible, you have to theoretically guard against it. That means doing multiple passes with multiple bit patterns to scramble that ghost signal as much as possible.

If you're a government trying to wipe classified data it's important to consider. If it's your secret pr0n stash it's probably not (unless your wife works for the NSA).
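The argument in the answer above (average many noisy reads, subtract the pattern the controller is certain of, threshold the residue, and note that extra random passes bury the original data's residue) can be made concrete with a toy simulation. This is an added example, not code from the answer or from any recovery tool, and the model is entirely invented for illustration: each overwrite is assumed to leave a fixed fraction GHOST of the previous analog level behind, and every head pass is assumed to add independent Gaussian noise of standard deviation NOISE. Real magnetic media do not behave this simply; the numbers only show the shape of the argument, not what any real drive leaks.

```python
"""Toy model of the "ghost signal" argument: averaging reads beats random
noise but not a systematic residue; more random passes shrink the residue
of the original data below what averaging can dig out.

Added example for this thread, not code from the answer or any recovery
tool.  All constants and the linear "ghost" model are assumptions.
"""
import random

GHOST = 0.10        # assumed fraction of the previous level left after one overwrite
NOISE = 0.50        # assumed per-read noise std dev; 5x the ghost, so one read shows nothing
SECTOR_BITS = 256   # toy sector size


def to_level(bit: int) -> float:
    """Analog level the controller means to write for a bit."""
    return 1.0 if bit else -1.0


def write_passes(old_bits, patterns):
    """Analog level per bit after overwriting `old_bits` with each pattern in
    turn.  Each pass keeps a GHOST fraction of whatever was there before."""
    level = [to_level(b) for b in old_bits]
    for pattern in patterns:
        level = [GHOST * prev + to_level(p) for prev, p in zip(level, pattern)]
    return level


def read_sector(level, rng):
    """One pass of the head: the stored level plus fresh noise."""
    return [v + rng.gauss(0.0, NOISE) for v in level]


def controller_decode(read):
    """What the drive electronics report from a single read: threshold at zero."""
    return [1 if v > 0 else 0 for v in read]


def recover_previous(level, known_pattern, reads, rng):
    """Average `reads` head passes, subtract the pattern the controller is
    certain of, and threshold what is left.  Returns the guessed old bits."""
    n = len(level)
    acc = [0.0] * n
    for _ in range(reads):
        for i, v in enumerate(read_sector(level, rng)):
            acc[i] += v
    residual = [acc[i] / reads - to_level(known_pattern[i]) for i in range(n)]
    return [1 if r > 0 else 0 for r in residual]


def _setup(passes: int, seed: int):
    rng = random.Random(seed)
    old = [rng.randint(0, 1) for _ in range(SECTOR_BITS)]
    patterns = [[rng.randint(0, 1) for _ in range(SECTOR_BITS)] for _ in range(passes)]
    return rng, old, patterns, write_passes(old, patterns)


def controller_bit_errors(passes: int = 1, seed: int = 1) -> int:
    """How many bits a single raw read gets wrong versus the last pattern
    written: the 'errors the controller corrects all the time'."""
    rng, _, patterns, level = _setup(passes, seed)
    decoded = controller_decode(read_sector(level, rng))
    return sum(d != p for d, p in zip(decoded, patterns[-1]))


def recovery_rate(passes: int, reads: int = 1000, seed: int = 1) -> float:
    """Fraction of the ORIGINAL bits recovered after `passes` random-pattern
    overwrites, when the attacker knows only the last pattern written."""
    rng, old, patterns, level = _setup(passes, seed)
    guess = recover_previous(level, patterns[-1], reads, rng)
    return sum(g == o for g, o in zip(guess, old)) / SECTOR_BITS


if __name__ == "__main__":
    print("raw single-read bit errors after 1 pass:", controller_bit_errors(1))
    for p in (1, 2, 3):
        print(f"{p} pass(es): {recovery_rate(p):.1%} of original bits recovered")
```

In this toy, a single read is noisy enough that the controller gets a handful of bits wrong, yet a thousand averaged reads minus the known wipe pattern return the original data almost perfectly after one pass; after three random passes the residue of the original data is a thousandth of the signal and the "recovered" bits are no better than a coin toss (what comes out instead is the second-to-last random pattern). That is the whole reason for multiple passes with different patterns in the answer above, stated as arithmetic rather than physics.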