Data Removal and Erasure from Hard Disk Drives
copyright (c) 1992 -1998
Nicholas Majors & ActionFront Data Recovery Labs Inc.
“Is there a method of erasing existing data or files from a disk drive – that is secure enough to make it impossible for anyone to recover previously stored information from the device?”
Methods commonly used to remove files from a hard disk drive include:
- Delete Commands or Emptying the Recycle Bin
- Re-Formatting or Re-Initializing the drive
- Degaussing of the Media
- Physical Destruction or Physically Damaging the Media
- Overwriting of the Data
Deleting files is the quickest and most convenient method of “erasing” data. All operating systems have some form of DELETE/ERASE/REMOVE command. Most of these commands never even touch the actual data that is recorded on the disk drive. They merely remove the index entry and pointers to the data file so that it appears the file is no longer there, and the space allocated to that file is made available for future write commands.
This is a very insecure practice and offers protection only against a computer neophyte. Commonly available utilities allow any knowledgeable technician to move beyond the operating system’s file indexing scheme and examine or rebuild previously deleted information.
Some advanced DELETE programs go out of their way to actually overwrite the sectors used by a file to store data. These are an improvement, but still pose a security threat.
There are usually bits and pieces of data not associated or indexed with the actual file that can be missed. For example, most application programs (and many operating systems) will open temporary or swap/cache files while working on the data from a file. When the program is closed or exited, the application “deletes” these temp files. So even if the original file has been overwritten, multiple copies of the raw data may still exist in various unused parts of the disk drive.
Re-Formatting or Re-Initializing
The word FORMAT has come to describe several different processes in the set-up and initialization of a hard disk drive. There are physical or low level formats, operating system formats, quick formats, partitioning formats, etc…
Depending on the technology of the disk drive and the format utility that is used, each of these may perform a different function. In many cases, previously written data is unaffected. The format merely creates a new blank indexing scheme for the operating system, making all the sectors available for the writing of new files and making it appear that there are no files on the drive.
Unless you are fully aware of the exact reaction of each particular disk drive’s interface to a format command and are fully aware of the operations performed by the format utility, this method is also very insecure.
Degaussing of the Media
Degaussing is the use of an external de-magnetizer designed to reduce any magnetic flux recorded on the media. It is accomplished by producing alternating currents to create an electromagnetic field that will reverse magnetize all fields on the surface.
Degaussing is an acceptable and effective method – however, it is far more appropriate for tape, diskettes, or removable media than it is for fixed hard disk drives.
Hard disk drive platters are mounted within a housing that in itself provides some amount of shielding to prevent a degaussing process from being effective. In our shop, we have exposed fully intact hard disk drives to very high levels of magnetic fields and have seen much or most of the data still intact on the device. The strength of any degaussing unit required to penetrate the Head Disk Assembly (H.D.A.) housing would probably cause considerable damage to any other diskette or magnetic media within several yards, perhaps even in the next room.
For conventional degaussing to be successful with a hard disk, you would have to disassemble the drive and remove the platters. Once physically removed, it’s questionable whether the degaussing process would be required.
Also, most of today’s hard disk drives rely on magnetically recorded servo-patterns to allow control and movement of the read/write head assembly and the rotation speed of the platters. Any degaussing powerful enough to remove the data would most certainly destroy the servo, effectively rendering the drive non-functional.
Physical Destruction or Physically Damaging the Media
Physically disassembling a disk drive and “randomly” removing the platters from the spindle is a highly effective form of protection. Despite claims to the contrary, technology does not exist to remove the platters (without extensive control measures) from one device and read them back with another machine.
At the time of manufacture, control signals (servo information) are written to every drive after it has been assembled. Any attempt to recreate or read back these signals once the exact alignment and relative positioning of the platters and the head stack have been altered is virtually impossible.
Commercial data recovery companies (including ourselves) have invested heavily into research to overcome some of these problems. At Data Recovery Labs, we have been successful in many forms of platter transplants – but in every case – the removal of the disks must be done with exacting measurements to maintain the positioning in relation to the spindle that they are mounted on. If the platters are removed – without strict engineering methodologies – the surfaces are useless for data recovery purposes.
Industry sales reps routinely boast of removing platters and reading them in another drive and often allude to mysterious capabilities, but when specifically questioned on their success with physically removed platters they claim that each case is different and must be handled on a one by one basis. If pressed for examples of successful platter removal and recovery, they will usually claim it’s a matter of not wanting to violate company confidentiality or reveal trade secrets.
Of course, once a platter has been physically removed, there is no reason not to have it simply scored with a single line to scrape the magnetic coating right off the platter. This would eliminate the one in a million miracle chance that alignment in a new assembly is the exact same as the original.
Overwriting of the Data
Overwriting of the data means replacing previously stored data on a drive or disk with a predetermined pattern of meaningless information. This is an accepted and effective means of rendering data unrecoverable but the process must be correctly understood and carefully implemented.
If data is “successfully” overwritten, even a single time, it can be considered as unrecoverable for all practical purposes.
Data is recorded onto magnetic media by writing a pattern of fluxes (or pole changes) that represent binary ones (1) and zeros (0). These patterns can then be read back and interpreted as individual bits, 8 of which are used to represent a byte or character. For example, the letter “A” is written in a binary pattern as “01000001”, the letter “B” is “01000010”, the letter “C” as “01000011”, etc… If the data is overwritten with a random pattern (let’s say “11111111” followed by “00000000”), the magnetic fluxes have been physically changed and the drive’s read/write heads will only detect the new pattern. For all intents, the data has been effectively “erased”.
CAN OVERWRITTEN DATA BE RECOVERED?
During the past few years I have been questioned on numerous occasions (by technicians from Revenue Canada, the R.C.M.P., the Department of National Defense and several Universities) about the availability of technologies to read trace magnetic signals that have been overwritten. It is commonly quoted that data can be recovered if it has been only overwritten once or twice and that it actually takes up to ten overwrites to securely protect previous data.
If a head positioning system is not exact enough, new data written to a drive may indeed not be written back to the precise location of the original data. Due to this track misalignment, it is possible to identify traces of data from earlier magnetic patterns alongside the current track. (At least that was the case with high capacity floppy diskette drives, which have a rudimentary position mechanism. Due to the embedded positioning systems and extremely high densities of new drive technologies, it has yet to be proven if the same can be said for the latest high speed, high capacity disk drives.)
It has been suggested that an electron microscope could be used to read and interpret any patterns that were not fully overwritten by the process. Theoretically this can be done – but in practice it is little more than a myth.
Electron microscopes have been used to detect and identify magnetic regions smaller than the fluxes used to represent data on a 200 megabyte disk drive. Unfortunately, at best, this type of process could be accomplished at a rate of perhaps 1 bit per second. Furthermore, since virtually every drive in production today records two or more magnetic fluxes (due to R.L.L. recording) to represent each bit, the actual rate could be considerably slower.
The number of bits in a single 512 byte (character) sector is 4096 and there are over 200,000 sectors on a one hundred megabyte hard drive. This represents almost 820 million bits to be read back.
If data could be recovered at the rate of 1 bit per second – this process would take 9,259 days (or over 25 years) to recover 100 MB of information. This is assuming that you could read back and interpret each bit correctly, for example on data that has never been overwritten. If you are trying to read “traces” of data that were previously written there, in the most likely scenario you may be able to correctly recover, interpret and identify 30-40 percent of the signals.
THAT DOES NOT MEAN YOU WOULD RECOVER 30-40% OF THE DATA – BUT ONLY 30-40% OF THE INDIVIDUAL BITS IN EVERY CHARACTER.
A “10101011” pattern may come back as “?010?01?” and every single character on the drive would be scrambled in a similar manner. The mathematical probability of decrypting such a puzzle into usable data is infinitesimal.
It could be claimed that data can be recovered from any drive in the world with a guaranteed success rate of 50% “at the bit level”. This sounds interesting until you consider what happens if you overwrite the entire surface of the drive with either all “0” or all “1”: since the original drive contained nothing but patterns of binary ones and zeros, half the bits would be correct, but obviously no data could be recovered.
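The bit-level argument above can be reproduced numerically. The following Python simulation is an added example, not part of the original article; it assumes each bit is recovered independently with a fixed probability, uses constructed random bytes as the "original" data, and all function names are hypothetical.

```python
import random

def partial_read(data, p_recover, rng):
    """One 8-character string per byte: recovered bits as 0/1, lost bits as '?'."""
    patterns = []
    for byte in data:
        bits = format(byte, "08b")
        patterns.append("".join(b if rng.random() < p_recover else "?" for b in bits))
    return patterns

def recovery_stats(data, p_recover, seed=1):
    """Return (fraction of bits recovered, fraction of bytes recovered whole)."""
    patterns = partial_read(data, p_recover, random.Random(seed))
    known_bits = sum(8 - p.count("?") for p in patterns)
    whole_bytes = sum("?" not in p for p in patterns)
    return known_bits / (8 * len(data)), whole_bytes / len(data)

def agreement_with_constant(data, fill_bit):
    """Fraction of the original bits that a drive wiped to all-0 or all-1 'gets right'."""
    ones = sum(bin(b).count("1") for b in data)
    total = 8 * len(data)
    return (ones if fill_bit else total - ones) / total

def sample_data(n=4096, seed=7):
    """Constructed sample: n uniformly random bytes standing in for stored data."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))

if __name__ == "__main__":
    data = sample_data()
    bit_frac, byte_frac = recovery_stats(data, 0.35)
    print(f"bits recovered:  {bit_frac:.1%}")
    print(f"bytes recovered: {byte_frac:.3%}  (0.35**8 = {0.35 ** 8:.3%})")
    print(f"bit agreement with an all-zero wipe: {agreement_with_constant(data, 0):.1%}")
    print("first bytes as read:", " ".join(partial_read(data[:4], 0.35, random.Random(1))))
```

With a 35 percent per-bit recovery rate, the chance of getting all eight bits of one byte is 0.35 to the eighth power, so whole characters essentially never come back even though a third of the bits do.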
In conclusion, overwritten data cannot be read back or recovered by any current disk drive technology or laboratory technique.
Problems with Overwriting Data
Even if successfully overwritten data is not recoverable in the real world, there are still a number of complicating factors that may prevent successful erasure of the information:
- Identifying and using the correct physical parameters of a drive to ensure that every sector on the surface is in fact overwritten.
- Dealing with write errors on the surface. If for some reason the write command is rejected, any previous data in that sector or track is still available and accessible by low level techniques.
- Selection of appropriate software that will work at a hardware level, independent of the operating system and overwrite data on the entire surface, not just for a single partition.
Notwithstanding any of these concerns, the process of overwriting data, if correctly implemented, is by far the most secure and economical method of erasing data from a hard disk drive.
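The write-error and whole-surface concerns listed above can be checked by reading the media back after the wipe. The following Python code is an added example, not from the original article: it runs against a constructed image file instead of a raw drive, the function names and the `reject` hook are hypothetical, and it does not address the first point (confirming the drive's true physical parameters).

```python
import os
import tempfile

SECTOR = 512  # bytes per sector, as in the article's arithmetic

def overwrite_image(path, fill_byte=0x00, reject=frozenset()):
    """Overwrite every sector; return the sector numbers whose write failed.
    `reject` is a hypothetical hook that simulates rejected write commands."""
    block = bytes([fill_byte]) * SECTOR
    failed = []
    with open(path, "r+b") as dev:
        for lba in range(os.path.getsize(path) // SECTOR):
            try:
                if lba in reject:
                    raise OSError("simulated write error")
                dev.seek(lba * SECTOR)
                dev.write(block)
            except OSError:
                failed.append(lba)  # the previous data is still in this sector
        dev.flush()
        os.fsync(dev.fileno())
    return failed

def verify_image(path, fill_byte=0x00):
    """Read the whole image back; return sectors that hold anything but the fill."""
    stale = []
    with open(path, "rb") as dev:
        lba = 0
        while block := dev.read(SECTOR):
            if any(b != fill_byte for b in block):
                stale.append(lba)
            lba += 1
    return stale

def wipe_and_verify(reject=frozenset()):
    """Build a constructed 8-sector image, wipe it, return (failed, stale)."""
    record = b"CONSTRUCTED SAMPLE RECORD ".ljust(SECTOR, b".")
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(record * 8)
    try:
        return overwrite_image(img.name, reject=reject), verify_image(img.name)
    finally:
        os.remove(img.name)

if __name__ == "__main__":
    print(wipe_and_verify(reject={5}))
```

A wipe should only be reported as complete when both lists are empty; any sector in either list still holds the earlier data.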
The preceding article is copyright (c) 1992 -1998 Nicholas Majors & ActionFront Data Recovery Labs Inc. and is no longer available at the original location http://www.actionfront.com/ts_dataremoval.aspx. Mirrored from: https://web.archive.org/web/20111002050553/http://www.actionfront.com/ts_dataremoval.aspx.