Altirium logo
Home Resources Articles Data Storage Data Erasure

Data Erasure

Celebrity's bank details found on computer stories crop up periodically, and with them a renewed debate about data erasure and whether data can ever be completely eradicated from a hard disk.

Whether it is your personal banking details, or sensitive client database, you don’t want data getting into the wrong hands.

Scare Stories

The eradication of data is an area where scare stories have developed, and remained in existence, over the years that people have been storing data on hard disks.

Statements such as "you cannot destroy all of the data on a hard disk" have been bandied about by some pretty authoritative figures in the data recovery and computer forensics arena.

Is it true that you cannot rid a hard disk of your sensitive data? Can experts get the data back, no matter what steps you have taken?

Erasure?

What is hard disk erasure? To start with it is important to understand the subject matter. Technically there is no such thing as erasure, except where devices using magnetic fields are concerned. Erasure, where you run software to remove data, is a process of overwriting.

When a file is deleted from a disk the actual file contents is not usually touched at all. Hit the delete key in Explorer and all that happens is that the file is marked as deleted, it can be restored from the Recycle Bin. Select "shift-delete" and the story is a little better in that no entry is put in the Recycle Bin, but the data is still exactly where it was.

Under normal circumstance the data stays exactly where it was until the space it occupied is re-used by something else.

In addition to this, data from files is often stored in transient memory. Most operating systems employ caches, areas where data being accessed is temporarily stored, the Windows swap-file being a good example of this.

If sections of data are held in temporary files then this data is present until the temporary space is re-used.

Degaussing

Degaussing involves the placing of the disk into a moving magnetic field that is strong enough to realign the molecules and removed any data. It does work if done properly, but there is not a way to check as the disk will not operated afterwards so how to you know the process has actually removed the data, or just blown some part of the disk circuitry?

You don’t, you cannot read the disk back and check it but there could still be data on it.

Erasure Software

Erasure software employed to get rid of data by writing over it with other data, and by accessing and overwriting space used for temporary storage.

In its most extreme operation erasure software will write data to every available sector on a hard disk. This is as comprehensive an eradication process as you can have via software. None of the original file system will remain and the disk will have to be re-partitioned and formatted before further use can be made of it.

Some erasure applications have options for a more selective erasure process. Deleted files, where the file allocation still exists, can be overwritten so that no un-deletion of the data can ever be done, slack space and unused space can be wiped, so any data that formed part of files now long deleted will be eradicated. Additional options for processing the swap file may be included.

Risks - What can be left behind

Data deletion, erasure or eradication (whatever you want to call it) is a process that should begin with a policy decision. What are you trying to achieve.

Periodic wiping of unused disk areas and deleted files might be considered beneficial as a precaution, but against what? If the system is still being used for sensitive data then this still exists within the operational file system. It is down to policy, if you want to make your best endeavours to ensure that no data exists that should no longer exist then add a selective deletion and wiping policy to your operational strategy. Make certain it is well documented and any wiping operations comprehensively logged, otherwise if it goes wrong and data does "escape" then your "word" that such a policy exists will not help in court.

It is well worth following a total wiping procedure if a disk is to be retired or moved within your organisation. Again this is a matter of policy and the risks should be understood and judged against the data that has been stored. If a disk has contained highly sensitive material then is it worth saving a few pounds by re-using it elsewhere rather than destroying it and buying a replacement?

There might always be some data left...

No software operation will entirely wipe the data from a hard disk. Let me explain. Data is stored on a hard disk in sections, each of 512 bytes (usually) known as "sectors". The capacity of a disk as far as the operating system is concerned is the number of sectors multiplied by the sector size.

This is not strictly the case in reality. The disk has more sectors that you are told about, it keeps some in reserve. The reason for this is that during normal operation a disk will develop the occasional surface failure causing a write error to a sector, and to prevent this causing a problem it will stop using the failed disk sector and use one from its spare set. So that this process is invisible, the disk "remaps" the failed sector by adding an entry for it to its defect list, and then adding an entry for the replacement. Henceforth any attempt to access the failed sector will actually use the one reallocated from the spare set.

A sector that fails in this way might still be readable, even if only by performing a read-ignoring-errors, and data could be returned from it. This is especially true if the failure was more down to drive wear and marginal quality of write heads. If the defect list was to be reset, then one of these re-allocated sectors could find its way back into the available data space.

Is this likely? Not very, put it could happen.

Is it likely that the sector, or sectors, concerned might be those that contain some critical confidential material? It is possible, but think about how many sectors exist on a disk, and how many contain critical data and the maths make this seem unlikely.

Factor in that some file types contain data stored in a way that would not be easily be read even if 512 bytes of it were to turn up (e.g. Exchange uses data compression so most email data would not be easily recognised from a single sector), and the chances are very small.

Process not technology

Our experience has been that the biggest risk of data escaping to the outside world related not to technology but to process. We have dealt with the checking of "erased" disks from a range of institutions and found not that the application being used failed to remove data if run correctly, but that if there was a problem during overwriting that went unnoticed, or someone in a hurry to get home decided to erase the fist bit of each disk so it looked like the job had been done, and if there were no checks in place to trap this type of behaviour, then data was left on disks.

Recovery of overwritten data from disks?

What about the boffins, those working for the security services or those warped genius type in the employment of Spectre. With their lasers and electron microscopes could they not work on the infinitesimal differences in recording strengths caused by the influence of the old data on the new data being recorded and find out what used to be there?

Er, No.

It might work in Hollywood but real life is well...real. It is science fiction.

There were techniques with older disks for identifying parts of data tracks that had not been entirely overwritten because of alignment variances between the original and new data, but even these never truly returned anything particularly useful. Modern disks are incredibly high density so even this technique is out of the question and, even if you could find data this way what use could it be?

Data on a disk is not the data written by the computer, it is the data from the computer encoded by a set of proprietary and highly confidential algorithms, property of the disk manufacturer. By the time the budding spy had infiltrated the development laboratories of Seagate, or whoever, become a trusted part of the design team and learned enough to be useful the algorithm in question would have long changed and the data would be several years out of date.

Even electron microscopes are out of the question, Methuselah would not live long enough for the reading process to finish, and then we are back to the problem of the data.

The moral of the story?

Probably to worry less about science fiction and more about method and process. Err on the side of caution, but don’t believe everything from the world of scaremongery.

Last Updated (Thursday, 18 June 2009 15:31)

 
contact-infoemail-buttonenquiry-buttonhelp-buttonchoose-altirium-button
QMD 9001 logo
ISO9001:2008 Certified