How To Wipe A Hard Drive

Wiping a hard drive is not a trivial task. The fact is that a simple delete function does not delete files. For some people this is hard to understand, but this is how digital systems, including computers, operate.

Why Deleted Files Are Not Removed

The delete function only marks a file as deleted. In fact, it is not possible to delete data. You can only overwrite it with other data. This means that when you press the delete button, the operating system (Windows, Mac OS, Linux, etc.) only marks the file as deleted so that it is no longer visible to users, and updates the allocation tables to signal that the space once used by this file is now available for writing. But the actual data is still there, and with proper data recovery tools it would be possible to get the file back.

Of course, it would be possible to overwrite the file with some random data. This would prevent simple file undelete operations, but it presents many undesired side effects. If the operating system had to actually overwrite every deleted file, this would significantly slow down all operations. For smaller files this would probably not cause any major problem, but for larger files it would take some time. On the other hand, this proper deletion is usually not needed. Users don’t care what has happened to their deleted file. They don’t need it anymore. However, the situation changes if the file contained confidential data. In such a case we would like to prevent any data recovery. Therefore, there are many methods for wiping a file or even the whole hard drive. Let’s first take a look at what actually happens in the operating system when we delete a file.

FAT32 Data Deletion

When you delete a file from a FAT32 partition, the file allocation table is updated to reflect that the clusters allocated to the deleted file are now available, and the first character of the file name is set to 0xE5. This is enough to indicate that the file is no longer available and that the space it occupied can be used for other purposes.
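The following added example (not part of the original article) models this behaviour on a constructed in-memory image: it shows that a FAT-style delete leaves the file content readable, while overwriting the data first does not. The image layout (one directory sector followed by data clusters), the sample file and all function names are assumptions made for illustration; the allocation table itself is not modelled and the file is assumed to occupy contiguous clusters.

```python
import struct

SECTOR = 512            # constructed layout: 1 directory sector, then data clusters
DELETED_MARK = 0xE5     # first name byte of a deleted FAT directory entry
ENTRY = struct.Struct("<11sB8xH4xHI")  # name, attr, cluster hi, cluster lo, size

def cluster_offset(n):
    """Byte offset of data cluster n (FAT numbers data clusters from 2)."""
    return SECTOR + (n - 2) * SECTOR

def build_image():
    """Constructed sample: one file, SECRET.TXT, stored in cluster 2."""
    content = b"account=4711 pin=0000"
    image = bytearray(SECTOR * 3)
    image[0:32] = ENTRY.pack(b"SECRET  TXT", 0x20, 0, 2, len(content))
    off = cluster_offset(2)
    image[off:off + len(content)] = content
    return image

def delete_file(image, index=0):
    """What a delete does to the directory entry: only byte 0 changes."""
    image[index * 32] = DELETED_MARK

def wipe_file(image, index=0):
    """Overwrite the file's data (single zero pass), then delete the entry."""
    _, _, hi, lo, size = ENTRY.unpack_from(image, index * 32)
    off = cluster_offset((hi << 16) | lo)
    image[off:off + size] = bytes(size)
    delete_file(image, index)

def recover_deleted(image):
    """Return (name, data) for each deleted entry in the directory sector."""
    found = []
    for pos in range(0, SECTOR, 32):
        name, attr, hi, lo, size = ENTRY.unpack_from(image, pos)
        if name[0] == 0x00:                          # end of directory
            break
        if name[0] != DELETED_MARK or attr == 0x0F:  # live entry or long-name slot
            continue
        off = cluster_offset((hi << 16) | lo)
        label = "?" + name[1:8].decode("ascii").rstrip() + "." + name[8:].decode("ascii")
        found.append((label, bytes(image[off:off + size])))
    return found

if __name__ == "__main__":
    img = build_image()
    delete_file(img)
    print(recover_deleted(img))   # the content survives the delete
```

The first character of the name is lost on deletion, which is why the recovered label starts with a placeholder.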

NTFS Data Deletion

When you delete a file from an NTFS partition, a flag in the File Record Header in the Master File Table is changed to zero to indicate that the file is deleted. The locations used by the file are returned to the pool of available disk space.

Deleted Files and Forensic Data Recovery

Forensic data examiners use properties of deleted files, disks and file systems to recover hidden data. Their goal is to recover any data that may provide evidence of criminal activities. Even if you securely delete a file, there may still be partial copies of it. MS Word and similar software create many temporary files, which are automatically deleted after you save and close the file. If you wipe the file, the deleted temporary files are still on the disk, and they include content from your original file. These files can be used to recover the file that was securely wiped.

And forensic methods may go beyond recovering deleted files. Forensic laboratories use state-of-the-art methods to recover data where ordinary data recovery experts would stop.

Disk Wiping and Deletion Tools

Disk wiping means erasing all data from the disk. But because “normal” erasing is not possible, disk wiping means overwriting the disk data with random or predefined patterns. There are many methods for wiping a hard drive. Some are even required by various administrations that deal with sensitive data. Each method specifies a pattern sequence and the number of times the disk must be overwritten. Many passes are needed because there are some exotic methods that can recover data from disks even when the files were overwritten.

There are many free and commercial wiping tools. One free tool is called Eraser, which works on Windows XP, Vista, Windows 7 and Windows Server systems. It can be used to effectively erase (overwrite) all sensitive data. Eraser supports scheduled wiping, single pass, US DoD 5220.22-M (8-306 /E, C and E), Pseudo-random Data, First and Last 2kb, Schneier’s 7 Pass, and Gutmann wiping methods.