If you need to sanitize (or, in less technical terms, wipe all data from) a hard drive, you can’t just delete it: You need to overwrite the file on a block level.
And if the file is especially sensitive, the National Institute of Standards and Technology (NIST) recommends multiple passes. That means overwriting the data several times. Many data sanitization programs have settings that allow for multiple passes, though the methods those applications use can vary.
That prompts an obvious question: Is data recoverable after a full overwrite?
Realistically, a single pass with data sanitization software is enough.
Hard drives read and write data using magnetic charges. Data sanitization software overwrites the area of a target file, using the magnetic equivalent of binary 1s, 0s, or random 1s and 0s.
In theory, data may still be recoverable after a single pass if engineers could accurately measure the precise magnetic qualities of the target area. In perfect conditions, the engineers could find “traces” of the material’s previous state. That would allow them to reconstruct the file, bit by bit.
This theoretical method was proposed by Peter Gutmann of the University of Auckland in a 1996 research paper. Here’s an excerpt:
In conventional terms, when a one is written to disk the media records a one, and when a zero is written the media records a zero. However the actual effect is closer to obtaining a 0.95 when a zero is overwritten with a one, and a 1.05 when a one is overwritten with a one.
Normal disk circuitry is set up so that both these values are read as ones, but using specialised circuitry it is possible to work out what previous “layers” contained. The recovery of at least one or two layers of overwritten data isn’t too hard to perform by reading the signal from the analog head electronics with a high-quality digital sampling oscilloscope, downloading the sampled waveform to a PC, and analysing it in software to recover the previously recorded signal.
But in practice, data recovery simply isn’t possible after a single, random pass.
Gutmann proposed that overwritten sectors — not blocks — could be recovered with appropriate equipment. He also proposed that it isn’t “too hard.”
Unfortunately for data recovery specialists, that’s not true. In our laboratories, we tested this hypothesis a long, long time ago using floppy disks (yes, those floppy disks). When data density was extremely low, some portion of overwritten data could be recovered with extremely powerful microscopes. The process was time consuming and not particularly realistic, even for a small portion of the paltry 1.4 megabytes of storage. Additionally, it was only possible when the data was overwritten with a consistent value (1s or 0s), not with random values.
For modern hard drives, this method is effectively impossible. While microscope technology has improved, hard drive data density has increased exponentially. Daniel Feenberg, writing for the National Bureau of Economic Research (NBER), goes into great detail about this in his response to Gutmann’s research:
The requirements of military forces and intelligence agencies that disk drives with confidential information be destroyed rather than erased is sometimes offered as evidence that these agencies can read overwritten data. I expect the real explanation is far more prosaic.
The technician tasked with discarding a hard drive may or may not have enough computer knowledge to know if running the command “urandom >/dev/sda2c1” has covered an entire disk with random data, or only one partition, nor is it easy to confirm that it was done. How would you confirm that the overwrite was not pseudo-random? Smashing the drive with a sledgehammer is easy to do, easy to confirm, and very hard to get wrong.
Even with unlimited time and resources, we’re confident that sanitized hard drive data is truly unrecoverable, provided that the initial pass was completed correctly.
So, are multiple passes necessary for secure sanitization?
Not really, but when data absolutely must remain within an organization, it’s still a good practice.
When security is paramount, it’s a good idea to exercise an overabundance of caution. Overwriting data multiple times — ideally, with suitably random values — simply removes the potential for human error.
And if the media is leaving an organization, other methods of sanitization should be employed. That means degaussing, incinerating, or shredding the media. We would discourage “smashing the drive with a sledgehammer,” however; if the drive’s platters are at all intact, there’s some potential for a successful data recovery.
Datarecovery.com provides secure media sanitization solutions, along with data recovery, ransomware recovery, and related services. To learn more, submit a case online or call 1-800-237-4200 to speak with an expert.