Thursday, January 22, 2009

Data Wiping Myth Put To Rest

Several computer forensic experts have tackled the legend that, in order to properly protect it from recovery, data stored on an HDD needs to be overwritten multiple times. According to their scientific study, doing it a single time is enough, despite the countless marketing campaigns that claim otherwise.

Secure data erasure has long been a controversial subject for both professionals and scientists. One of the most common claims consistent with the multiple suggested ways and techniques that can be used to destroy data is that information can be recovered if it is not overwritten multiple times. One of the reasons behind this idea is that the positioning of a hard disk drive's head is not precise enough to ensure that the data is overwritten with new information from the exact same byte.

Companies selling secure data erasure programs still market their software as being able to perform multiple passes and, according to the results of the scientific study performed by Craig Wright, Dave Kleiman and Shyaam Sundhar R.S., this is just a waste of time and offers no more than a psychological comfort.

“The controversy has caused much misconception, with persons commonly quoting that data can be recovered if it has only been overwritten once or twice. We demonstrate that the controversy surrounding this topic is unfounded,” the computer forensics experts write.

The study has been performed on both older and last-generation hard drives, of various sizes and produced by different manufacturers. The result is consistent throughout the tests, and the conclusion is that recovering more than a single byte of data after a complete overwrite is close to impossible.

Security researchers from Heise Security, who have reviewed the paper presented at last year's edition of the International Conference on Information Systems Security (ICISS), explain that a single byte of data can be recovered with a 56 percent probability, but only if the head is positioned precisely eight times, which in itself has a probability of occurring of only 0.97%. “Recovering anything beyond a single byte is even less likely,” the researchers conclude.

We recently reported the case of a respectful UK computer magazine suggesting that people should literally hammer their hard disks when disposing of them, in order to make the data unrecoverable. In response, Phil Bridge, managing director of well-known data recovery company Kroll Ontrack UK, has explained that they cannot recover data after a single zero fill (low-level format). This study comes to back up Mr. Bridge's, as well as other professionals' opinion that erasing data in a secure manner can be done for free and without much effort. We stress again that most HDD manufacturers offer their own free tools, which allow users to perform such low level formatting.

However, both corporate and end-users should keep in mind that data wiping is very important when disposing of old hardware, and not performing it is a serious security breach. There have been several incidents where second-hand storage devices bought from sites like eBay contained highly sensitive information. Doing the wiping in-house is also better than relying on third-party services to do it.

The Heise Security researchers point out another important aspect of why erasing the entire HDD, instead of just certain sectors, is important. Operating systems can create real-time backups and shadow copies or store information in swap files, depending on many settings and setups, so it is hard for someone to claim that some particular information is located just between sector X and sector Y, they explain.

No comments: