How many times do you have to write zeros or random data to a drive to securely delete data?

Conventional wisdom says that you need to do many passes of zeros, ones, combination of zeros/ones, and then random numbers in order to securely erase a drive so that its data cannot be recovered. But is this true?

The folks at HowToGeek make a good case for one pass of zeros being enough:
HTG Explains: Why You Only Have to Wipe a Disk Once to Erase It

From StackExchange, here is a shorter sum-up of the situation, though:
StackExchange answer to "Why is writing zeros (or random data) over a hard drive multiple times better than just doing it once?"

And an even shorter tl;dr version:
Summary: it was marginally better on older drives, but doesn't matter now. Multiple passes erase a tree with overkill but miss the rest of the forest. Use encryption.

The bottom line seems to be that there are some misinterpretations or misapplications of the Gutmann method, but more importantly that it's all about what can be done in theory. When it comes to practice, a single wipe of zeros is pretty much enough to take care of any basic data recovery methods.

If you're dealing with highly sensitive data, it probably still won't be recovered in any meaningful way after a single wipe of zeros, but you may not want to chance it, and end up doing several passes of zeros, ones, and then randoms, in addition to physically incinerating the drive.

DBAN's "autonuke" setting does three passes, and the nice thing about DBAN is that you can use it on pretty much any computer (it's a live CD or USB—so good for Windows, Mac, or Linux).

Mac OS X's Disk Utility has several built-in options.

securityoptions01
If you launch up Disk Utility, select the drive you want to delete, and then click Erase, and then Security Options..., you'll see a pop-up window with a slider.

securityoptions02
The first option doesn't do a secure wipe at all. It just "deletes" the data by marking it available for use.

securityoptions03
The next option will be secure enough in 99% of use cases (e.g., you have a personal computer with family photos and other personal documents that will not financially benefit any criminals or politically benefit any governments).

securityoptions04
This third option is about the same as the "autonuke" setting for DBAN.

securityoptions05
And this last option—according to Gutmann himself, to HowToGeek, and to a bunch of other folks who've examined the issue closely lately—is just overkill.

A lot of the discussion you'll read in the links I posted above have to do with theory (could someone with limitless time and really expensive equipment possibly recover some tiny scrap of data from your hard drive) and a lot less to do with practicality. More importantly, it's difficult to track down actually successful (and verifiable) experiments of the theory [that traces of previous data exist even when you zero out everything or write random data over the previously existing data].

Practical security focuses a lot more on how badly criminal elements want your data and how difficult you make it for them to get to the data. If all a criminal gets is unusable scraps of what might have been a text file, and all that's really on the drive to begin with is some music, family photos, and Word documents, who is really going to spend hours trying to get that stuff back?

If, however, I have a computer with millions of people's financial data or with highly classified military documents... I'm probably going to do at least three passes before totally incinerating (Terminator 2–style) the drive. And that drive would have been fully encrypted to begin with.

As a simple, practical test, though, I did the second Disk Utility setting (one pass of zeros over the entire disk) on a 500 GB drive. Then I did data recovery on it using both Photorec and Recuva.

Here are the results...

photorec01
Photorec took about 10 hours to scan the 500 GB drive, and it came up with 3 files—three .plist files and one .xml. I'm not 100% certain, but I believe those might be created by OS X itself when formatting the drive to HFS+

recuva01
Recuva took a little over 2 hours to scan the 500 GB drive, and it came up with 3 files. Again, not 100% certain on this, but I believe those may be hidden files created by Windows when formatting the drive to NTFS (Recuva wouldn't recognize an HFS+ drive, so I had to use Windows' disk management to reformat the drive as NTFS before scanning).

If you're inclined to say 3 passes isn't enough...

  1. Make sure you know what you're disagreeing with. I am not (nor is the StackExchange response or the HowToGeek post) saying that a drive with highly sensitive documents should be disposed of after a single pass of zeros. Those should have been encrypted to begin with, have three passes, and then be incinerated. But doing the full 35 is overkill and, worse yet, doesn't offer any additional security over the three passes. So if you're going to disagree, disagree with the correct assertion. Don't engage in any of this business.
  2. I am, however, saying that for a basic home user with no extremely sensitive information (maybe some family photos and a handful of documents with no financial information), you can safely dispose of a drive after doing a three-pass on it (and, most likely, even a one-pass).
  3. Don't say "I have software that can easily recover one-pass deletions" without saying what software you use. I used Photorec and Recuva. If you believe another piece of software can actually recover data that's been wiped, say what software it is, and then prove that using it you were able to recover usable data after a one-pass or a three-pass.
  4. If you can recover fragments of data that are totally useless, who cares? If it's a text file, it has to have readable text. If it's an image file, it has to be a viewable image. You can't just prove that there used to be "in theory" data there previously, but it's data you can't recover.

I'd love to hear that I (and the wise StackExchange user, and Gutmann, and HowToGeek) are all wrong, but if that's the case... prove it.

Further reading:
Securely disposing data on hard drives and other storage media
The urban legend of multipass hard disk overwrite and DoD 5220-22-M
Overwriting Hard Drive Data: The Great Wiping Controversy

1 thought on “How many times do you have to write zeros or random data to a drive to securely delete data?”

Leave a Reply

Your email address will not be published. Required fields are marked *