Thursday, 24 June 2010

Secure erase a.k.a. data wiping

If you need to delete a file irreversibly, it is not enough to just delete it and then empty the Recycle Bin. Data recovery software is quite capable of restoring data that was deleted in such a way.

In earlier days, when the FAT filesystem was widely used, it was sufficient to write some garbage data to the file. To overwrite the file data completely, the garbage data size should be no less than the original file size. This worked because FAT is rather simple filesystem.

With the filesystem complexity increasing, a number of filesystem features which should be taken into account is increased as well. Nowadays, it is no longer enough just to write other content to the file to delete it irreversibly.

For example, if a file is stored on the NTFS filesystem in compressed form, then depending on the compressibility of the data in the original file (to be secure erased) and a new content, most likely a new set of clusters would be allocated for the new file data. Therefore, the original file data would not be overwritten at all.

It is particularly useless to write zeros - if the NTFS compression is turned on, zeros would not be written at all (so called sparse file); and therefore original data would not be overwritten.

The next obvious step is to delete the file and write some incompressible garbage to all the free space. Sounds good, but unfortunately does not work because the original file may be “resident” and so its content would not be overwritten. Thus, you should not just write the free space, but also overwrite all the free MFT records.

In short, the secure erase is complicated and difficult to do properly. If you ever need it, use SDelete. SDelete is free, created by Mark Russinovich, and it was tested to work many times. Additionally, they have a good explanation of how does it work and what was taken into consideration.

No comments:

Post a Comment