Altirium UK

 
Data Erasure

Celebrity's-bank-details-found-on-computer type stories crop up every so often, and with them a renewed debate about data erasure and whether data can ever be completely eradicated from a hard drive.

Whether it is your own banking details, or a sensitive client database, you don’t want data getting into the wrong hands.

Erasure Scare Stories

The eradication of data is an area where scare stories have evolved, and remained in existence, over the time that data has been stored on hard drives.

Statements such as “you cannot remove all of the data from a hard disk” have been bandied about by some quite renowned figures in the world of data recovery and computer forensics.

Is it true that you cannot rid a hard drive of your sensitive data? Can forensic experts get the data back, no matter what steps you have taken?

Hard Drive Erasure?

What is hard drive erasure? To start with it is important to understand the subject matter. Technically there is no such thing as erasure, except where devices using dedicated magnetic erase mechanisms are concerned. Erasure, where you run software to remove data, is a process of overwriting and replacing data.

When a file is deleted from a hard drive the actual file contents are not usually touched at all. Hit the delete key in Explorer and the file is marked as deleted, but it can be restored from the Recycle Bin. Select "shift-delete" and the story is a little better in that no entry is made in the Recycle Bin, but the data is still exactly where it was.

Under normal circumstances the data stays in place until the space it occupied is re-used to store data from another file.

In addition, data from files is often stored in transient memory. Most operating systems use caches, areas where data being accessed is temporarily stored, the Windows swap-file being a good example of this.

If sections of data are present in temporary files then this data remains until the temporary space is re-used.

Degaussing of Hard Drives

Degaussing involves placing the drive in a moving magnetic field that is strong enough to realign the molecules and eradicate any data. It does work if done properly, but there is no way to check: the hard drive will not work afterwards, so how do you know the process has actually removed the data rather than just blown some part of the drive circuitry and stopped it working?

You don't. You cannot read the disk back to check, so there could still be data on it.

Disk Erasure Software

Disk erasure software is often used to get rid of data by writing over it with other data, and by accessing and overwriting space used for temporary storage.

In its most extreme operation erasure software will write data to every available sector on a hard drive. This is as comprehensive an eradication process as you can have via software. None of the original file system will remain and the hard drive will have to be re-partitioned and formatted before further use can be made of it.

Some hard drive erasure applications have options for a more selective erasure process. Deleted files whose allocation entries still exist can be overwritten so that the data can never be un-deleted, and slack space and unused space can be overwritten so that any data from files deleted long ago is eradicated. Additional options for processing the swap file may be included.
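As an added illustration (not code from the article), the toy file system below models the behaviour described above: deleting a file only marks its directory entry and frees its cluster, an undelete reads the data back intact, a new file that reuses the cluster leaves the old contents behind as slack, and a selective wipe overwrites deleted, unused and slack sectors while leaving live files alone. The cluster size, file names and client records are constructed assumptions.

```python
SECTOR = 512
CLUSTER = 4          # sectors per cluster; the allocation unit (assumed)
class ToyFS:
    """Toy file system: flat directory plus cluster-granular allocation."""
    def __init__(self, clusters):
        self.sectors = [bytes(SECTOR)] * (clusters * CLUSTER)
        self.free = list(range(clusters))     # free clusters, used as a stack
        self.dir = {}                         # name -> (cluster, size, deleted)
    def create(self, name, data):
        c = self.free.pop()                   # most recently freed cluster first
        for i in range(0, len(data), SECTOR):
            chunk = data[i:i + SECTOR].ljust(SECTOR, b"\0")
            self.sectors[c * CLUSTER + i // SECTOR] = chunk
        self.dir[name] = (c, len(data), False)
    def delete(self, name):
        c, size, _ = self.dir[name]
        self.dir[name] = (c, size, True)      # entry marked deleted, that is all
        self.free.append(c)                   # cluster back in the pool; no sector touched
    def raw(self, name):
        """What an undelete tool sees: the entry's cluster as it stands now."""
        c, size, _ = self.dir[name]
        return b"".join(self.sectors[c * CLUSTER:(c + 1) * CLUSTER])[:size]
    def wipe_unused(self, pattern):
        """Selective erase: deleted files, free clusters and slack behind live files."""
        keep = set()
        for c, size, deleted in self.dir.values():
            if not deleted:
                needed = (size + SECTOR - 1) // SECTOR
                keep.update(range(c * CLUSTER, c * CLUSTER + needed))
        for s in range(len(self.sectors)):
            if s not in keep:
                self.sectors[s] = pattern

RECORD = b"CLIENT 0001 Jane Doe acct 11223344 " * 40   # constructed, 1400 bytes

def undelete_works():
    fs = ToyFS(clusters=8)
    fs.create("clients.db", RECORD)
    fs.delete("clients.db")
    return fs.raw("clients.db") == RECORD     # deleted, yet fully recoverable

def slack_then_wipe():
    fs = ToyFS(clusters=8)
    fs.create("clients.db", RECORD)
    fs.delete("clients.db")
    fs.create("notes.txt", b"lunch at 12")    # reuses the freed cluster
    leaks_before = b"acct 11223344" in fs.raw("clients.db")   # slack leaks
    fs.wipe_unused(bytes(SECTOR))
    leaks_after = b"acct 11223344" in fs.raw("clients.db")
    return leaks_before, leaks_after, fs.raw("notes.txt")
```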

Risks – What can be left behind

Data deletion, erasure or eradication (whatever you want to call it) is a process that should begin with a policy decision: what result are you trying to achieve?

Periodic wiping of unused hard drive areas and deleted files might be considered a beneficial precaution, but a precaution against what? If the system is still being used for sensitive data then that data still exists within the operational file system. It comes down to policy: if you want to make your best endeavours to ensure that no data exists that should no longer exist, then add a selective deletion and wiping policy to your operational strategy. Make certain it is well documented and that every "erasure" operation is comprehensively logged; otherwise, if it goes wrong and data does "escape", your "word" that such a policy exists will not help in court or in the newspapers.

It is probably worth following a total "erasure" procedure if a disk is to be retired or moved within your organisation. Again this is a matter of policy and the risks should be understood and judged against the data that has been stored. If a disk has contained highly sensitive material then is it worth saving a few pounds by re-using it elsewhere rather than destroying it and getting a replacement?

There might always be some data left on the disk drive…

No software operation will entirely wipe the data from a hard drive. Data is stored on a hard drive in sections, usually of 512 bytes each, known as "sectors". The capacity of a disk drive as far as the operating system is concerned is the number of sectors multiplied by the sector size.

This is not strictly the case in reality. The drive has more sectors than you are told about; it keeps some in reserve. The reason is that during normal operation a hard drive will develop the occasional surface failure causing a write error to a sector, and to prevent this causing a problem it will stop using the failed sector and use one from its reserve set. So that this process is invisible, the drive "remaps" the failed sector by adding an entry for it to its defect list, together with an entry for the replacement. Henceforth any attempt to access the failed sector will actually use the one reallocated from the reserve set.

A sector that fails in this way might still be readable, even if only by performing a read that ignores errors, and data could be returned from it. This is especially true if the failure was more down to drive wear and marginal write-head quality. If the defect list were to be reset, one of these re-allocated sectors could find its way back into the accessible data space.

Is this likely? Not very likely, but it could happen.

Is it likely that the sector or sectors concerned contain some critical confidential material? It is possible, but think about how many sectors exist on a disk and how many of them contain critical data, and the maths make this seem unlikely.

Factor into the equation that some file types store data in a way that would not be easily read even if 512 bytes of it were to turn up (e.g. Exchange uses data compression, so most email data would not be easily recognised from a single sector), and the chances are very small.

Process rules, not technology

In our experience the biggest risk of data escaping to the outside world relates not to technology but to process. We have checked "erased" hard drives from a number of institutions, and what we found was not that the application being used failed to eradicate data when run correctly. Rather, a problem during overwriting went unnoticed, or someone in a hurry to get home erased only the first part of each drive so that it looked like the job had been done, and because there were no checks in place to trap this type of behaviour, data was left on the drives.
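Added example, not the article's own code: a simulated drive with a hidden reserve pool models the remapping described in the previous section, and a sampled verification models the kind of check this section says was missing. After every logical sector has been overwritten the verification passes, yet the retired sector still holds its old contents for a read that ignores errors; the same verification, because it samples across the whole drive rather than just the start, catches a job that only wiped the first half. Sector counts and the account record are constructed.

```python
SECTOR = 512
ZERO = bytes(SECTOR)

class SimDrive:
    """Toy drive: logical sectors map onto a physical pool with a hidden reserve."""
    def __init__(self, logical, reserve):
        self.physical = [ZERO] * (logical + reserve)
        self.lmap = list(range(logical))      # logical sector -> physical slot
        self.next_spare = logical             # first unused reserve slot
        self.defect_list = {}                 # retired physical slot -> spare
    def write(self, lba, data):
        self.physical[self.lmap[lba]] = data.ljust(SECTOR, b"\0")[:SECTOR]
    def read(self, lba):
        return self.physical[self.lmap[lba]]
    def fail_and_remap(self, lba):
        """Write error: a spare silently takes over; old platter data is untouched."""
        old = self.lmap[lba]
        self.defect_list[old] = self.next_spare
        self.lmap[lba] = self.next_spare
        self.next_spare += 1
    def raw_residue(self, pattern):
        """What a read-ignoring-errors of the retired sectors would still return."""
        return [self.physical[p] for p in self.defect_list
                if self.physical[p] != pattern]

def wipe(drive, first_lba, end_lba, pattern):
    for lba in range(first_lba, end_lba):
        drive.write(lba, pattern)

def verify_wipe(drive, pattern, samples):
    """Sample sectors across the WHOLE logical range, not just the start,
    so a job that only wiped the first part is caught. Returns bad LBAs."""
    step = max(1, len(drive.lmap) // samples)
    return [lba for lba in range(0, len(drive.lmap), step)
            if drive.read(lba) != pattern]

def residue_after_full_wipe():
    d = SimDrive(logical=1000, reserve=8)
    d.write(700, b"ACCOUNT 12345678 sort 00-00-00")  # constructed sample record
    d.fail_and_remap(700)          # sector 700 retired before the wipe runs
    wipe(d, 0, 1000, ZERO)         # every *logical* sector is overwritten
    return verify_wipe(d, ZERO, 100), d.raw_residue(ZERO)

def partial_wipe_check():
    d = SimDrive(logical=1000, reserve=8)
    for lba in range(1000):
        d.write(lba, b"live data %d" % lba)
    wipe(d, 0, 500, ZERO)          # "in a hurry": only the first half wiped
    return verify_wipe(d, ZERO, 100)
```

The first function shows the verification passing while the retired sector still carries the record; the second shows the same check flagging the half-done job.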

Recovery of overwritten data from disks?

What about the boffins, those working for the security services or those warped genius types that turn up in James Bond movies with their lasers and electron microscopes? Could they not work on the infinitesimal differences in recording strengths caused by the influence of the old data on the new data being recorded and find out what was once there?

Hummmmmmmm, No.

It might work in Hollywood, but real life is, well, real. It is science fiction.

There were methods with older disks for identifying parts of data tracks that had not been entirely overwritten because of alignment variances between the old and new data, but even these never truly returned anything particularly useful. Modern hard drives are very high density so even this technique is out of the question and, even if you could find data this way, what use could it be?

Data on a drive platter is not the data written by the computer; it is that data encoded by a set of highly confidential algorithms proprietary to the disk manufacturer. By the time the budding spy or mad scientist had infiltrated the development laboratories of Seagate, or whoever, become a key part of the design team, and learned enough to be useful, the algorithm in question would long since have changed and the data would be several years out of date.

Even electron microscopes are not going to help: Methuselah would not live long enough for the reading process to finish, and then we are back to the problem of understanding the data.

The moral of the story?

Probably that we should worry less about science fiction and more about method and process. Be cautious, assess risks in a balanced manner, and don’t believe everything from the world of scaremongering.

 



