"Is there a method of erasing existing data or files from a disk drive - that is
secure enough to make it impossible for anyone to recover previously stored information
from the device?"
Methods commonly used to remove files from a hard disk drive include:
Delete Command
Deleting files is the quickest and most convenient method of "erasing" data. All
operating systems have some form of DELETE/ERASE/REMOVE command. Most of these
commands never even touch the actual data that is recorded on the disk drive. They
merely remove the index entry and pointers to the data file so that it appears the
file is no longer there, and the space allocated to that file is made available
for future write commands.
This is a very insecure practice and offers protection only against a computer neophyte.
Commonly available utilities allow any knowledgeable technician to move beyond the
operating system's file indexing scheme and examine or rebuild previously deleted
information.
Some advanced DELETE programs are available that go out of their way to actually
overwrite the sectors used by a file to store data. These are an improvement, but
still pose a security threat.
There are usually bits and pieces of data not associated or indexed with the actual
file that can be missed. For example, most application programs (and many operating
systems) will open temporary or swap/cache files while working on the data from
a file. When the program is closed or exited, the application "deletes" these temp
files. So even if the original file has been overwritten, multiple copies of the
raw data may still exist in various unused parts of the disk drive.
Re-Formatting or Re-Initializing
The word FORMAT has come to describe several different processes in the set-up and
initialization of a hard disk drive. There are physical or low level formats, operating
system formats, quick formats, partitioning formats, etc...
Depending on the technology of the disk drive and the format utility that is used,
each of these may perform a different function. In many cases, previously written
data is unaffected. The format merely creates a new blank indexing scheme for the
operating system, making all the sectors available for the writing of new files,
so that it appears that there are no files on the drive.
Unless you are fully aware of the exact reaction of each particular disk drive's
interface to a format command and are fully aware of the operations performed by
the format utility, this method is also very insecure.
Degaussing of the Media
Degaussing is the use of an external de-magnetizer designed to reduce any magnetic
flux recorded on the media. It is accomplished by producing alternating currents
to create an electromagnetic field that will reverse magnetize all fields on the
surface.
Degaussing is an acceptable and effective method - however, it is far more appropriate
for tape, diskettes, or removable media than it is for fixed hard disk drives.
Hard disk drive platters are mounted within a housing that in itself provides some
amount of shielding to prevent a degaussing process from being effective. In our
shop, we have exposed fully intact hard disk drives to very high levels of magnetic
fields and have seen much or most of the data still intact on the device. The strength
of any degaussing unit required to penetrate the Head Disk Assembly (H.D.A.) housing
would probably cause considerable damage to any other diskette or magnetic media
within several yards, perhaps even in the next room.
For conventional degaussing to be successful with a hard disk, you would have to
disassemble the drive and remove the platters. Once physically removed, it's questionable
whether the degaussing process would be required.
Also, most of today's hard disk drives rely on magnetically recorded servo-patterns
to allow control and movement of the read/write head assembly and the rotation speed
of the platters. Any degaussing powerful enough to remove the data would most certainly
destroy the servo, effectively rendering the drive non-functional.
Physical Destruction or Physically Damaging the Media
Physically disassembling a disk drive and "randomly" removing the platters from
the spindle is a highly effective form of protection. Despite claims to the contrary,
technology does not exist to remove the platters (without extensive control measures)
from one device and read them back with another machine.
At the time of manufacture, control signals (servo information) are written to every
drive after it has been assembled. Any attempt to recreate or read back these
signals once the exact alignment and relative positioning of the platters
and the head stack have been altered is virtually impossible.
Commercial data recovery companies (including ourselves) have invested heavily in
research to overcome some of these problems. At Data Recovery Labs, we have been
successful in many forms of platter transplants - but in every case - the removal
of the disks must be done with exacting measurements to maintain the positioning
in relation to the spindle that they are mounted on. If the platters are removed
- without strict engineering methodologies - the surfaces are useless for data recovery
purposes.
Industry sales reps routinely boast of removing platters and reading them in another
drive and often allude to mysterious capabilities, but when specifically questioned
on their success with physically removed platters they claim that each case is different
and must be handled on a one by one basis. If pressed for examples of successful
platter removal and recovery, they will usually claim it's a matter of not wanting
to violate company confidentiality or reveal trade secrets.
Of course, once the platters have been physically removed, there is no reason not to
have them simply scored with a single line to scrape the magnetic coating right
off the platter. This would eliminate the one in a million miracle chance that alignment
in a new assembly is the exact same as the original.
Overwriting of the Data
Overwriting of the data means replacing previously stored data on a drive or disk
with a predetermined pattern of meaningless information. This is an accepted and
effective means of rendering data unrecoverable but the process must be correctly
understood and carefully implemented.
If data is "successfully" overwritten, even a single time, it can be considered
as unrecoverable for all practical purposes.
Data is recorded onto magnetic media by writing a pattern of fluxes (or pole changes)
that represent binary ones (1) and zeros (0). These patterns can then be read back
and interpreted as individual bits, 8 of which are used to represent a byte or character.
For example, the letter "A" is written in a binary pattern as "01000001", the letter
"B" is "01000010", the letter "C" is "01000011", etc. If the data is overwritten
with a random pattern (let's say "11111111" followed by "00000000"), the magnetic
fluxes have been physically changed and the drive's read/write heads will only detect
the new pattern; for all intents the data has been effectively "erased".
CAN OVERWRITTEN DATA BE RECOVERED?
Good Question!
During the past few years I have been questioned on numerous occasions (by technicians
from Revenue Canada, the R.C.M.P., the Department of National Defense and several
Universities) about the availability of technologies to read trace magnetic signals
that have been overwritten. It is commonly quoted that data can be recovered if
it has been only overwritten once or twice and that it actually takes up to ten
overwrites to securely protect previous data.
If a head positioning system is not exact enough, new data written to a drive may
indeed not be written back to the precise location of the original data. Due to
this track misalignment, it is possible to identify traces of data from earlier
magnetic patterns alongside the current track. (At least that was the case with
high capacity floppy diskette drives, which have a rudimentary position mechanism.
Due to the embedded positioning systems and extreme high densities of new drive
technologies, it has yet to be proven if the same can be said for the latest high
speed, high capacity disk drives.)
It has been suggested that an electron microscope could be used to read and interpret
any patterns that were not fully overwritten by the process. Theoretically this can
be done - but in practice it is little more than a myth.
Electron microscopes have been used to detect and identify magnetic regions smaller
than the fluxes used to represent data on a 200 megabyte disk drive. Unfortunately,
at best, this type of process could be accomplished at a rate of perhaps 1 bit per
second. Furthermore, since virtually every drive in production today records two
or more magnetic fluxes (due to R.L.L. recording) to represent each bit the actual
rate could be considerably slower.
The number of bits in a single 512 byte (character) sector is 4096 and there are
over 200,000 sectors on a one hundred megabyte hard drive. This represents almost
820 million bits to be read back.
If data could be recovered at the rate of 1 bit per second - this process would
take 9,259 days (or over 25 years) to recover 100 MB of information. This is assuming
that you could read back and interpret each bit correctly, for example on data that
has never been overwritten. If you are trying to read "traces" of data that
were previously written there, in the most likely scenario you may be able to correctly
recover, interpret and identify 30-40 percent of the signals.
THAT DOES NOT MEAN YOU WOULD RECOVER 30-40% OF THE DATA - BUT ONLY 30-40% OF THE
INDIVIDUAL BITS IN EVERY CHARACTER.
A "10101011" pattern may come back as "?010?01?" and every single character on the
drive would be scrambled in a similar manner. The mathematical probability of decrypting
such a puzzle into usable data is infinitesimal.
It could be claimed that data can be recovered from any drive in the world with
a guaranteed success rate of 50% "at the bit level". This sounds interesting
until you consider that if you overwrote the entire surface of the drive with either
all "0" or all "1" and since the original drive contained nothing but patterns of
binary ones and zeros - half the bits would be correct - but obviously no data could
be recovered.
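
The bit-level argument above can be checked numerically. The following Python code is an added example, not part of the original article; it assumes each bit of a trace read is recovered independently with probability 0.35 (the midpoint of the 30-40 percent quoted) and uses constructed random sample data.

```python
import random

def degrade(data, p, rng):
    """Model a trace read: each bit is recovered with probability p, else '?'."""
    return ["".join(b if rng.random() < p else "?" for b in format(x, "08b"))
            for x in data]

def fully_known_fraction(masked):
    """Share of bytes in which all 8 bits were recovered."""
    return sum("?" not in m for m in masked) / len(masked)

def candidates(masked_byte):
    """Byte values consistent with a partially read byte such as '?010?01?'."""
    return [v for v in range(256)
            if all(m in ("?", b) for m, b in zip(masked_byte, format(v, "08b")))]

def bit_agreement(a, b):
    """Fraction of bit positions in which two equal-length buffers agree."""
    same = sum(8 - bin(x ^ y).count("1") for x, y in zip(a, b))
    return same / (8 * len(a))

def demo(n=20000, p=0.35, seed=1):
    rng = random.Random(seed)
    # Constructed sample: n random bytes standing in for the original data.
    original = bytes(rng.getrandbits(8) for _ in range(n))
    masked = degrade(original, p, rng)
    return {
        # Assumption: bits are recovered independently, so a whole byte
        # survives with probability p**8.
        "expected_full_bytes": p ** 8,
        "observed_full_bytes": fully_known_fraction(masked),
        # "50% at the bit level": compare the original with an all-zero surface.
        "agreement_with_all_zero": bit_agreement(original, bytes(n)),
    }

if __name__ == "__main__":
    print(candidates("?010?01?"))
    print(demo())
```

Under this model only about 2 bytes in 10,000 come back complete, and an all-zero surface agrees with roughly half the original bits while containing none of the data.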
In conclusion, overwritten data cannot be read back or recovered by any current
disk drive technology or laboratory technique.
Problems with Overwriting Data
Even if successfully overwritten data is not recoverable in the real world, there
are still a number of complicating factors that may prevent successful erasure of
the information:
- Identifying and using the correct physical parameters of a drive to ensure that
every sector on the surface is in fact overwritten.
- Dealing with write errors on the surface. If for some reason the write command is
rejected, any previous data in that sector or track is still available and accessible
by low level techniques.
- Selection of appropriate software that will work at a hardware level, independent
of the operating system and overwrite data on the entire surface, not just for a
single partition.
Notwithstanding any of these concerns, the process of overwriting data, if correctly
implemented, is by far the most secure and economical method of erasing data from
a hard disk drive.
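
One way to address the first two factors listed above is to overwrite sector by sector, record every rejected write, and then read the whole target back. This Python code is an added example, not from the original article; the 512-byte sector size, the function names, and the use of a whole-device path or disk image (rather than a partition) as the target are assumptions.

```python
import os

SECTOR = 512  # assumed sector size; a real drive reports its own

def _fill(pattern, length):
    """Repeat `pattern` to exactly `length` bytes."""
    return (pattern * (length // len(pattern) + 1))[:length]

def _extent(fd, sector):
    """Yield (sector_number, offset, length) covering the whole target."""
    size = os.lseek(fd, 0, os.SEEK_END)  # valid for image files and block devices
    for n in range(-(-size // sector)):
        yield n, n * sector, min(sector, size - n * sector)

def overwrite(path, pattern=b"\x00", sector=SECTOR):
    """Write `pattern` over every sector; return sectors whose write was rejected."""
    rejected = []
    fd = os.open(path, os.O_RDWR)
    try:
        for n, off, length in _extent(fd, sector):
            try:
                if os.pwrite(fd, _fill(pattern, length), off) != length:
                    rejected.append(n)
            except OSError:
                rejected.append(n)  # previous data is still in this sector
        os.fsync(fd)  # push the writes out of the OS cache to the device
    finally:
        os.close(fd)
    return rejected

def verify(path, pattern=b"\x00", sector=SECTOR):
    """Read back every sector; return those unreadable or not holding `pattern`.
    On real hardware the read can be served from the OS cache, so direct I/O
    is needed to test the media itself."""
    residual = []
    fd = os.open(path, os.O_RDONLY)
    try:
        for n, off, length in _extent(fd, sector):
            try:
                if os.pread(fd, length, off) != _fill(pattern, length):
                    residual.append(n)
            except OSError:
                residual.append(n)
    finally:
        os.close(fd)
    return residual
```

An erase is only complete when both functions return an empty list; any sector number returned still needs attention.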