How To Really Delete Your Files

H

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
Hardware Secrets has put together an article that shows you how to really delete your files. We have a method that can be used on multiple drives at once. :cool:

A lot of people don’t known, but when we delete a file from a computer, it isn’t really deleted. The operating system simply remove it from the file list and makes the space the file was using available for new data to be written. In other words, the operating system doesn’t “zero” (i.e., doesn’t clean) the space the file was using.
Click to expand...
 
You'd have to be into some incredibly illegal shit to be worried about this kind of stuff. Single pass is probably more than good enough if you're paranoid enough to think that someone is going to pull your data.

I'd be more worried about the entries and file names that are left on the Master File Table. It's basically a history of everything you've ever deleted.
 
Megalith said:
You'd have to be into some incredibly illegal shit to be worried about this kind of stuff. Single pass is probably more than good enough if you're paranoid enough to think that someone is going to pull your data.

I'd be more worried about the entries and file names that are left on the Master File Table. It's basically a history of everything you've ever deleted.
Click to expand...

Unless you do financial stuff on your drive. Regardless it would be a healthy thing to do before trashing or donating or selling a used hard drive.
 
DBAN, DoD 3 long pass, degauss, shred. Been doing that for over a decade.
 
Megalith said:
You'd have to be into some incredibly illegal shit to be worried about this kind of stuff. Single pass is probably more than good enough if you're paranoid enough to think that someone is going to pull your data.
Click to expand...

I have never seen ANY evidence that single pass 0's is not good enough. I have only heard people say "The government has ways", but no actual evidence supporting that.

Can any one show me where a complete file was recovered after a single pass of 0's?
 
Unless you use a manufacturer utility to actually low level format an SSD you can't be guaranteed than anything is actually deleted anyway. These sort of software utilities rely on the drive reporting it's sector information to the OS, which SSDs totally abstract so they don't work on SSDs.

Even then the only way to make sure things are permanently unrecoverable is to use a hammer.
 
Quix said:
Unless you use a manufacturer utility to actually low level format an SSD you can't be guaranteed than anything is actually deleted anyway. These sort of software utilities rely on the drive reporting it's sector information to the OS, which SSDs totally abstract so they don't work on SSDs.

Even then the only way to make sure things are permanently unrecoverable is to use a hammer.
Click to expand...

What's funny is I recall reports from various police agencies complaining that SSDs will effectively secure delete things as soon as the OS deletes the file link as they are constantly moving things around and trimming.
 
Quix said:
Unless you use a manufacturer utility to actually low level format an SSD you can't be guaranteed than anything is actually deleted anyway. These sort of software utilities rely on the drive reporting it's sector information to the OS, which SSDs totally abstract so they don't work on SSDs.

Even then the only way to make sure things are permanently unrecoverable is to use a hammer.
Click to expand...

Couldn't you just fill the SSD with junk files after you delete any sensitive data?
 
westrock2000 said:
I have never seen ANY evidence that single pass 0's is not good enough. I have only heard people say "The government has ways", but no actual evidence supporting that.

Can any one show me where a complete file was recovered after a single pass of 0's?
Click to expand...

I have recovered files from having been partially 'zero'd' out. Its a real pain in the ass though, and if the entire drive is truly and fully zero'd out, it is extremely difficult, but not altogether impossible.

Quix said:
Unless you use a manufacturer utility to actually low level format an SSD you can't be guaranteed than anything is actually deleted anyway. These sort of software utilities rely on the drive reporting it's sector information to the OS, which SSDs totally abstract so they don't work on SSDs.

Even then the only way to make sure things are permanently unrecoverable is to use a hammer.
Click to expand...

There are utilities to secure erase SSDs, they don't rely on the OS at all, they have their own information. However, the do need to recognize the SSDs controller type, and as with most of these types of applications are not considered foolproof.
 
Fire is always preferable, but overwriting all sectors (multiple times if necessary) is a good alternative for most drives.

Well, there's always encryption with a "forgotten" password.
 
Megalith said:
I'd be more worried about the entries and file names that are left on the Master File Table. It's basically a history of everything you've ever deleted.
Click to expand...

I've long wondered if it's possible to directly access the MFT to view its contents, and subsequently modify/erase/format it, but I've never found any possible route to doing this, other than low-level access with specialized hardware. Is this the case?
 
and the article is blatantly wrong it says you need the paid version of dban to do more than a simply one pass write 00h.
thats not true the unpaid version of DBAn gives you 3 pass and 7 paas DOD standard wipe and evne the 30+ guntmann voodoo wipe as well as a custome numbers of random data wiping.
 
Hard drive zero fill is more than enough. With billions of bits per square inch, extreme precision head tracking, and PRML recording methods it is impossible to pull anything remotely useful from the surface of modern disks in any reasonable timeframe. All this 30-pass random pattern bullshit was from a time long gone, and even back then the justification for it took a research paper out of context.


As for SSDs, some, if not all, of them encrypt the contents on the fly. A secure erase essentially dumps the internally stored key making the contents of the drive unrecoverable

Besides, anything you think your hiding by destroying the drive has already been collected and stored somewhere in Utah..
 
westrock2000 said:
Can any one show me where a complete file was recovered after a single pass of 0's?
Click to expand...

Your skepticism is well founded, but I'd like to talk about it for fun.

I'd say that it's a rumour -- a rumour as residual as the zeroed-out data we are trying to recover. The days when you could reliably recover enough data from a zeroed out platter to completely satisfy any error correction algorithm in use are long gone. To produce a working demonstration we would have to do the following:
  • Go find an old drive
  • Solder in reference voltage lines to various components within the hard drive and to all MR heads.
  • Read multiple passes, and adjacent passes (tracks) to pick up residual changes in charge
  • build a very high density, multidimensional matrix of reference voltages for every potential bit change... and parse for encoding patterns used by that particular firmware and filesystem used. e.g. Modified Frequency Modulation (MFM) and Run Length Limited (RLL) and consider the particular maximum likelihood per bit dependent on the encoding algorithm used.

Pretty fucking boring. Your average "forensic" copy device or file carving software will not do anything for us here. We would need to closely analyze the relative changes from one charge of zero to the next. That's right. Not all zeroes are equal. Depending on the platter material and it's magnetic coercivity, and the magnetic direction per bit, and possible layered approaches in encoding bits (perpendicular recording, with multiple coercivities in layers on the platter surface to soften the effects of each flux point upon one another) it is in fact possible to read these slight changes with a highly sensitive ADC. Of course these small differences are well below the threshold of the drives normal operation, hence all the direct hacking to obtain them (not to say the drive doesn't analyze these numbers as well, but we are looking for patterns from minor voltage 'drift' over the lifetime of drive and possible exacerbation by applying a uniform, signature 'zero' level platter-wide in the first place.)

It would be facetious of me to say that the latest example of a hard drive upon which we could reliably harvest zeroed out data using these methods might have been a Maxtor Quantum. Anything later would likely yield unreliable results. We would have to use implicit reference data for comparison of our findings OR have intuitive knowledge of the type of data we are looking for to prove it once existed on the platters. It's likely that this exploit was rendered unreliable immediately after Maxtor stopped selling their abominations. Illuminati? The correlation between Maxtor hard drive exposure and the influx of autism in America is also no coincidence.

Ahem.

It is certainly conceivable to recover data from a "modern" disc using similar techniques, but it gets pretty slim after about 2003 to 2006. Platter surface tech, heads, and encoding has become pretty ludicrous. And I do mean ludicrous. It's silly how incredibly dense the data is AND unreliable the retrieval is these days. The chance of reliably recovering data under normal operation is getting slim (probability algorithms in firmware are starting to incorporate self diagnostics, device age, read/write cycles, and other factors), let alone read residual data that has been zeroed.

By the way, SSDs vary wildly. One may be exploited in a similar fashion, but the next brand -- not so much. There's too much variation from one to the next for me to even speculate, but I can believe that at least a few are very easily exploited.

Also, here's an article which covers this topic exactly: https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
 
ryan_975 said:
All this 30-pass random pattern bullshit was from a time long gone, and even back then the justification for it took a research paper out of context.
Click to expand...
30 passes is ridiculous*, but pulling attenuated signals from overwritten sectors has actually been demonstrated. The average person has never had to worry about that, but there have been security standards of multi-pass wipes to thwart data recovery.

I agree that with very high density platters (perpendicular in particular), overwriting once basically destroys any chance of recovery**. A secure erase initiated on the drive should be good enough.

* it was not a standard, only Gutmann's patterns intended to make data even theoretically impossible to recover.

** but that's not good enough for extreme paranoia. The NSA apparently will degauss and destroy its unneeded magnetic media.
 
Streiw said:
Talk about overkill.
Click to expand...


DocSavage said:
Yeah, sorry about that project you wanted me working on, I still have to erase these hard drives 5 times over and then shred them.
Click to expand...

Overkill? Yeah, probably more so today, but it wasn't always overkill. As for how much time it took? Didn't really take that much time out of my day, I just put the DBAN cd in and tell it to run the pass, then come back when its finished. It's not like I had to sit there and watch it.
 
SSD, secure erase. HDD, overwrite twice with random data. If you have needs beyond that, then you probably have a department that does this stuff for you, and the drive is probably already storing in encrypted format via software ... if you've been storing in the clear, oops.
 
NoOther said:
Overkill? Yeah, probably more so today, but it wasn't always overkill. As for how much time it took? Didn't really take that much time out of my day, I just put the DBAN cd in and tell it to run the pass, then come back when its finished. It's not like I had to sit there and watch it.
Click to expand...

No, you don't have to watch it, but I find it extremely hard to believe that data could be recovered after degaussing/shredding.
 
Wow, I wonder if this is the procedure that Hillary Clinton and Lois Lerner followed?
 
Streiw said:
No, you don't have to watch it, but I find it extremely hard to believe that data could be recovered after degaussing/shredding.
Click to expand...

Which is why we degauss and shred... As to why we do the DBAN prior to that, in the past it was actually possible to read some data from bits of a platter. Today it is far less likely to be able to recover anything. But I do know of a few different times I sent a a disk with a broken platter into a recovery specialist who successfully pulled data from it as late as 2008. Given that it takes many companies 5 years or more to refine some of their policies, it is not unusual to still see those requirements.
 
NoOther said:
Which is why we degauss and shred... As to why we do the DBAN prior to that, in the past it was actually possible to read some data from bits of a platter. Today it is far less likely to be able to recover anything. But I do know of a few different times I sent a a disk with a broken platter into a recovery specialist who successfully pulled data from it as late as 2008. Given that it takes many companies 5 years or more to refine some of their policies, it is not unusual to still see those requirements.
Click to expand...

A broken platter means there is still data on the other platters to recover. A far different scenario than trying to recover from overwritten data.
 
ryan_975 said:
A broken platter means there is still data on the other platters to recover. A far different scenario than trying to recover from overwritten data.
Click to expand...

I was speaking of 2 different things, both can use the same recovery method, bit by bit data copy. In the past it was easier to do bit by bit copies of the data on the platter, not just 'pieces' of the platter. Bit by bit copies allowed more options on reading the data even if some of it was overwritten. Usually it was used for drives that had mechanical problems, but was not limited to that alone.
 
For a mechanical drive

I do mulitple 00 / RND writes, Then drill a hole through the case & platter fill it will glue and salt water, then drive a screw through the hole and the patters.

If someone wants to read go to the trouble of recovering that data, they probably already have a copy.
 
You must log in or register to reply here.
Back
Top