Does secure wipe work?

There has been a lot of debate over whether secure wipe tools can truly erase all traces of data from a hard drive. With concerns over identity theft and data privacy on the rise, many want to know if using these tools to wipe drives before disposal or reuse really works. In this comprehensive guide, we’ll examine if secure wipe lives up to its name.

What is secure wipe?

Secure wipe refers to software tools that overwrite a hard drive’s data in order to permanently erase it. They work by writing meaningless dummy data over a drive’s existing data, thereby obscuring the original information. The goal is to render previously stored data unrecoverable, even using advanced forensic tools.

Some key things to know about secure wipe tools:

  • They permanently delete data by overwriting it multiple times, using algorithms to generate random data strings.
  • Many claim to meet Department of Defense standards for drive sanitization.
  • They often offer different levels of wiping, from a quick single pass to more secure multi-pass overwrites.
  • Popular options include Darik’s Boot and Nuke (DBAN), Active@ KillDisk, and Parted Magic.
  • Many can create a bootable disk or USB so you can wipe drives even if the OS won’t load.

The main question around secure wiping is whether it truly makes data unrecoverable against all attempts. We’ll dig into that next.

Can wiped data be recovered?

There has been debate over this question for years. Initially it was believed that overwriting data just a few times was sufficient. But with advanced forensic technology, some argued that even wiped data could be partially recovered.

Here are the main considerations around data recovery:

  • Undelete utilities: Simple undelete tools are ineffective on wiped drives. Secure overwriting thwarts basic attempts to recover deleted files.
  • Advanced forensics: It is possible that skilled specialists with lab equipment could recover some overwritten data through magnetic force microscopy or scanning tunneling microscopy.
  • Partial recovery: Even if fragments can be recovered forensically, secure wiping still makes complete data reconstruction unlikely.
  • File system traces: Secure wipe may not erase file system structures like partition tables and journaling metadata.

So while there is some possibility of recovering traces of wiped data, the consensus is secure erase does make complete data recovery extremely difficult, if not impossible.

How many overwriting passes are needed?

Earlier thinking held that overwriting three or seven times was sufficient to thwart all data recovery attempts. But with magnetic storage able to retain traces of previous writes, views shifted to recommend more passes.

Here’s a quick history of recommended overwrite passes:

Year | Recommended Passes
1990s | 3-7 passes
2001 | 35 passes
2006 | Gutmann method (35 passes)
2014 | 1 pass sufficient for ATA drives
2022 | 3 passes typically used

Today, 3-pass overwrites are generally considered sufficient for most use cases. However, overwrites of up to 35 passes can provide extra assurance for highly sensitive data.

Is a single overwrite pass enough?

For a long time it was thought that multiple overwrite passes (up to 35 passes) were required to securely erase all data remnants. However, more recent research has challenged this view.

In 2014, the US National Institute of Standards and Technology (NIST) published guidelines stating a single pass is sufficient to sanitize storage media. This was based on new evidence that current drives don’t retain data traces from past writes.

Key findings leading to this updated guidance:

  • Previous concerns applied mainly to older magneto-optical drives.
  • Modern perpendicular recording HDDs are more effectively sanitized with 1 pass.
  • Even if some remnant data persisted, the error rate would be too high for recovery.
  • No studies have demonstrated retrieval of data from sanitized HDDs.

NIST thus concluded there is negligible risk from a single overwrite pass for modern HDDs. However, for maximum security on sensitive data, more passes are still recommended.

Secure wiping SSDs vs HDDs

When evaluating secure wipe tools, it’s important to consider Solid State Drives (SSDs) versus traditional Hard Disk Drives (HDDs).

There are a few key differences between sanitizing these two media types:

Factor | SSDs | HDDs
Overwrite effectiveness | More passes recommended due to wear leveling algorithms. | Fewer passes sufficient as data remnants are less likely.
Built-in erase commands | ATA SECURE ERASE may have advantage over software tools. | No special built-in advantage.
Degaussing effectiveness | No benefit as SSDs have no magnetic media. | Can effectively sanitize magnetic platters.

The key takeaway is that SSDs may require more overwrite passes than HDDs to properly sanitize. Built-in SSD erase commands may also have an advantage over software tools. Degaussing is not applicable for erasing SSDs.

Can tools truly wipe SSDs?

There is some debate around whether software tools can fully sanitize SSDs due to the way these drives handle writes:

  • Wear leveling algorithms distribute writes across many NAND flash cells.
  • Old data versions can get trapped in cells no longer in use.
  • Overprovisioning keeps spare cells in reserve, preserving data traces.

These behaviors make it theoretically possible for data remnants to persist after a wipe. However, the likelihood of forensic recovery is still very low. Some helpful context:

  • No published studies have demonstrated SSD data recovery after an ATA SECURE ERASE.
  • Such recovery would require specialist skills, sophisticated tools, and access to drive internals.
  • Remnants would be fragmented and unusable for practical purposes.

So while software wiping SSDs has some limitations, in practice remnants left behind pose minimal risk. The more realistic threat is from file system artifacts that tools can’t erase.
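The wear-leveling and overprovisioning behavior described above can be seen in a small model. This is an added example, not code from any wiping tool or SSD firmware: `ToySSD`, its page counts and its garbage-collection policy are simplified assumptions chosen only to show why a host-level overwrite and a controller-level erase differ.

```python
class ToySSD:
    """Simplified flash translation layer (assumed model, not vendor firmware)."""

    def __init__(self, logical_pages, spare_pages):
        self.logical_pages = logical_pages
        # Physical flash is larger than what the host can address (overprovisioning).
        self.flash = [None] * (logical_pages + spare_pages)
        self.mapping = {}                          # logical page -> physical page
        self.free = list(range(len(self.flash)))

    def write(self, lpn, data):
        # NAND is not rewritten in place: new data goes to a fresh page and
        # the old physical page is left behind, stale but still populated.
        if not self.free:
            self._garbage_collect()
        ppn = self.free.pop(0)
        self.flash[ppn] = data
        self.mapping[lpn] = ppn

    def _garbage_collect(self):
        # Erase only pages that no logical address points to any more.
        live = set(self.mapping.values())
        for ppn in range(len(self.flash)):
            if ppn not in live:
                self.flash[ppn] = None
                self.free.append(ppn)

    def read(self, lpn):
        return self.flash[self.mapping[lpn]]

    def controller_erase(self):
        # Stand-in for a built-in erase command: every physical page is reset.
        self.flash = [None] * len(self.flash)
        self.mapping.clear()
        self.free = list(range(len(self.flash)))

    def stale_remnants(self, marker):
        # Pages holding `marker` at the flash level, whether or not the host can see them.
        return sum(1 for page in self.flash if page and marker in page)


def wipe_experiment(logical_pages=8, spare_pages=4):
    ssd = ToySSD(logical_pages, spare_pages)
    for lpn in range(logical_pages):               # constructed "sensitive" data
        ssd.write(lpn, b"SECRET-%d" % lpn)
    for lpn in range(logical_pages):               # one host overwrite pass
        ssd.write(lpn, bytes(16))
    host_sees = sum(b"SECRET" in ssd.read(l) for l in range(logical_pages))
    after_overwrite = ssd.stale_remnants(b"SECRET")
    ssd.controller_erase()
    return host_sees, after_overwrite, ssd.stale_remnants(b"SECRET")
```

In this model the host reads back only zeros after the overwrite pass, yet stale physical pages still hold the old contents until the controller erases them. How many remain on a real drive depends on firmware behavior the host cannot observe.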

Can wiping tools clear file system traces?

One limitation of software-based secure wiping is that it can’t necessarily remove all file system structures and metadata traces from the drive.

Examples of file system artifacts that may persist include:

  • Partition tables describing disk layouts.
  • Master file tables tracking used and vacant clusters.
  • Journaling metadata of recent file operations.
  • Unallocated space containing file fragments.

Such artifacts could provide clues to recovering past file names, timestamps, and even file contents. Wiping tools have limited ability to address these structures.

The only sure way to erase all file system evidence is to overwrite the entire raw disk at a low level. This requires bypassing the operating system.
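One way to check a wipe for the artifacts listed above is to scan the raw image for well-known on-disk signatures. The following is an added example, not part of any tool named in this article. The 64-sector image, its layout and the file name in it are constructed, and the MFT record is a simplified stand-in for a real one.

```python
SECTOR = 512
# (offset within sector, magic bytes, description), checked at every sector
SIGNATURES = [
    (510, b"\x55\xaa", "boot sector / partition table signature"),
    (0, b"EFI PART", "GPT header"),
    (0, b"FILE", "NTFS MFT record"),
    (0, b"\xc0\x3b\x39\x98", "ext3/4 journal (JBD2) block"),
]

def scan_image(image):
    """Return (findings, nonzero_sectors) for a raw disk image."""
    findings, nonzero = [], 0
    for lba in range(len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(sector):
            nonzero += 1
        for off, magic, name in SIGNATURES:
            if sector[off:off + len(magic)] == magic:
                findings.append((lba, name))
    return findings, nonzero

def build_sample_image():
    """Constructed image: partition structures, one MFT record, a journal block, one file."""
    img = bytearray(64 * SECTOR)
    def put(lba, off, data):
        start = lba * SECTOR + off
        img[start:start + len(data)] = data
    put(0, 510, b"\x55\xaa")
    put(1, 0, b"EFI PART")
    put(16, 0, b"FILE" + b"payroll.xlsx")      # simplified record with a file name
    put(32, 0, b"\xc0\x3b\x39\x98")
    put(40, 0, b"salary data " * 100)          # file contents, sectors 40-42
    return img

def file_level_wipe(img):
    """Models a tool that overwrites only the file's own data sectors."""
    img[40 * SECTOR:43 * SECTOR] = bytes(3 * SECTOR)

def raw_wipe(img):
    """Models a single zero pass over the entire raw device."""
    img[:] = bytes(len(img))

if __name__ == "__main__":
    img = build_sample_image()
    file_level_wipe(img)
    print("after file-level wipe:", scan_image(img))
    raw_wipe(img)
    print("after raw wipe:", scan_image(img))
```

After the file-level wipe the scan still reports the partition structures, the MFT record (with the file name) and the journal block; after the raw pass it reports nothing. If the final pass writes random data, judge the result by signature hits rather than by the non-zero sector count.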

Best practices for effective wiping

Given the nuances of trying to sanitize drives, what are some best practices to maximize the effectiveness of secure wiping?

  • Use a tool that wipes entire drive sectors, not just high-level files.
  • For HDDs, at least 1 pass is reasonable but 3+ passes add extra security.
  • For SSDs, more passes (7+) help account for wear leveling algorithms.
  • Verify the tool uses random data patterns for each pass.
  • Degaussing can supplement software wiping for HDDs but not SSDs.
  • Physically destroy drives storing highly sensitive data if feasible.

Following these tips will provide strong assurance that secure wipe has minimized recoverability of deleted data. But expect that it can’t necessarily erase all forensic traces on storage media.

Should you rely on SSD built-in erase commands?

Most SSDs support a built-in ATA SECURE ERASE command designed to cryptographically sanitize all internal storage. This leverages intimate knowledge of the SSD architecture to effectively reset it to factory state.

Potential benefits of using SECURE ERASE instead of software wiping tools:

  • Directly addresses issues like wear leveling and overprovisioning.
  • Can access all internal cells, including spare areas.
  • Simpler process with less risk of errors.
  • Permanent erase happens quickly.
  • Meets NIST guidelines for sanitization.

The downside is that SECURE ERASE still can’t erase file system structures and metadata outside the SSD’s internal storage. So for highest security on SSDs, it’s best to combine built-in erase with software wiping of the full drive.

Challenges of trying to recover wiped data

While traces of overwritten data may technically be recoverable in niche scenarios, there are many practical barriers to actually retrieving meaningful data from wiped drives.

Some key challenges faced by anyone trying to recover deleted data include:

  • Requires highly specialized forensic skills and equipment.
  • Very expensive process with low chance of meaningful data recovery.
  • Reconstructed data is fragmented and disconnected.
  • Advanced techniques like MRI have very narrow scope of success.
  • No guarantee sufficient traces still exist on the disk.
  • Error checking needed to distinguish traces from noise.

Given these constraints, data recovery from a wiped drive remains hypothetical. The resources required mean few could actually pull off such a challenging task.

Are there risks from remnants in disk slack space?

One concern with secure wiping is that it generally only overwrites the portions of a drive that have been logically formatted. Unallocated areas may retain so-called “disk slack space” that could contain remnants of old data.

This is a valid consideration, but slack space poses minimal security risks in practice:

  • Slack space is fragmented and discontinuous, complicating recovery.
  • It comprises only a small percentage of total drive space.
  • It may get automatically erased by the OS or drive reallocation.
  • Data remnants are likely just indecipherable fragments rather than coherent files.

Forensically parsing slack space is also challenging and not guaranteed to yield conclusive data. So while it’s a limitation, slack space is unlikely to undermine secure wiping in a meaningful way.

Can wiped data be recovered after a drive is reused?

Another question that sometimes arises is whether data could remain recoverable from a wiped drive even after it gets reused for new files.

In theory, traces of old data sectors could persist beneath the new data being written. But this scenario is impractical for several reasons:

  • Any remnants would be extremely fragmented and disjointed.
  • Noise from the new data would obscure traces from old data.
  • Reconstructing anything usable would be prohibitively difficult.
  • At most, scattered strings or patterns might surface.
  • Secure wiping seeks to prevent meaningful reconstruction, not detectability.

So while remnants may linger, they are effectively meaningless digital fossils rather than anything identifying or incriminating.

Do software wipers work on encrypted drives?

Many devices today use full disk encryption to protect their data. This introduces challenges for secure wipe tools trying to overwrite encrypted drives.

Issues that can arise trying to wipe encrypted storage:

  • The encryption key is needed to decrypt data before wiping.
  • Wiping tools often can’t bypass full disk encryption.
  • Deleting the key renders data unreadable but doesn’t overwrite it.
  • Remnant data could become readable again if the key is recovered.

Ideally, encrypted storage should be decrypted first before being wiped by software tools. Destroying the encryption key also provides protection against future data recovery.

Will degaussing reliably sanitize hard drives?

Degaussing is an alternative sanitization method that exposes magnetic media to a strong alternating field. This disrupts the magnetic domains to randomize any stored data.

Benefits of degaussing hard disk drives:

  • Completely resets all tracks and sectors.
  • Very fast, erasing an entire drive in under a minute.
  • No chance of remnant data fragments persisting.
  • Bypasses any disk locking mechanisms.
  • Renders drive immediately unusable.

Drawbacks of degaussing include destroying the HDD hardware itself and not working on non-magnetic media like SSDs. Overall it is an effective sanitization option, but drives must then be physically destroyed.

Do government agencies recommend secure wipe?

Government guidelines provide useful perspective on recommended practices for drive sanitization. Agencies like NIST and GCHQ have studied this issue closely.

Here are some key takeaways from official government guidance:

  • A single pass is approved for wiping most HDDs, but 3+ passes are still encouraged.
  • More overwrite passes (7+) should be used to wipe SSDs.
  • Degaussing can effectively complement software wiping for HDDs.
  • Physical destruction is warranted for drives with highly classified data.
  • Built-in SSD erase commands are approved and encouraged.
  • Verification passes should utilize changing data patterns.

Government recommendations demonstrate that secure wipe remains an approved solution. But multiple passes and physical destruction provide higher security for highly-sensitive data.

Conclusions

To summarize key findings on the efficacy of secure wipe tools:

  • They are generally effective at obscuring deleted files beyond recovery.
  • Traces of overwritten data may persist, but are fragmented and unreadable.
  • 3+ passes provide strong assurance, though 1 pass is often sufficient.
  • Wiping SSDs presents greater challenges than HDDs.
  • Some file system structures can’t be erased by software alone.
  • Forensically recovering anything usable from wiped drives is difficult in practice.
  • Degaussing and physical destruction offer supplemental security for HDDs.

Secure wipe remains a reasonable method for sanitizing sensitive data from storage media. While no technique is perfect, overwrite tools combined with physical destruction provide excellent risk mitigation.