Thursday, February 15, 2007

How Secure is a Secure Erase in Disk Utility?

I've been reading about the Secure Erase options in Disk Utility, the 7-pass erase and the 35-pass erase in particular.

This article gives an overview of the differences between the 7-pass erase and the 35-pass erase. I've decided to ignore the write-zeros-to-disk option, since it should be clear to most people that it is pretty ineffective at real data scrubbing.

The 7-pass erase is based on the DoD 5220.22-M specification, which demands 3 passes to scrub data to a military standard. The Google Cache for the document describing this specification is available if you search for 5200.28-STD.

The 35-pass erase is a totally different beast. The implementation is based on research at the University of Auckland in New Zealand. The method uses information about how data is originally written to a magnetic disk in order to provide the best possible scrubbing of data. The author of that report notes that nothing short of using an extremely powerful magnet can guarantee the removal of data, and he cites a powerful navy magnet that actually warped the disk platters as a suitable magnet.
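The passes described above are just repeated full overwrites of the same bytes with different patterns. The following is an added example, not Apple's Disk Utility code and not the Auckland paper's schedule: it overwrites a file in place once per pass with a constructed pass schedule (a 1-pass zero fill and a 3-pass character / complement / random sequence of the kind usually attributed to DoD-style wiping; the 35-pass sequence is deliberately not reproduced), fsyncs after each pass, and then reads the file back to check that the original content is gone. The file path, sample content and schedule names are all constructed for the example.

```python
import os
import secrets
import tempfile
from typing import Callable, Dict, Iterable

BLOCK = 64 * 1024  # overwrite in 64 KiB chunks so large files never sit in memory

# Pattern generators: each takes a byte count and returns that many bytes.
def fixed(byte: int) -> Callable[[int], bytes]:
    """Generator for a repeated single byte (e.g. 0x00, 0x55, 0xAA)."""
    return lambda n: bytes([byte]) * n

def random_bytes(n: int) -> bytes:
    """Generator for fresh CSPRNG bytes on every block."""
    return secrets.token_bytes(n)

# Constructed pass schedules for this example (assumption: not the page's or Apple's).
SCHEDULES: Dict[str, list] = {
    "zero_1pass": [fixed(0x00)],
    "dod_3pass": [fixed(0x55), fixed(0xAA), random_bytes],  # character, complement, random
}

def overwrite_file(path: str, passes: Iterable[Callable[[int], bytes]]) -> int:
    """Overwrite every byte of `path` in place, once per pass, fsyncing after each.
    The file length is left unchanged. Returns the number of passes completed."""
    size = os.path.getsize(path)
    done = 0
    for gen in passes:
        with open(path, "r+b") as f:
            remaining = size
            while remaining > 0:
                n = min(BLOCK, remaining)
                f.write(gen(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the pass to the device before the next one
        done += 1
    return done

def verify_fixed(path: str, byte: int) -> bool:
    """Read the file back and confirm every byte equals `byte` (verify step after a fixed pass)."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                return True
            if chunk != bytes([byte]) * len(chunk):
                return False

def contains(path: str, needle: bytes) -> bool:
    """Scan the file for `needle`, carrying a tail across chunk boundaries."""
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                return False
            buf = tail + chunk
            if needle in buf:
                return True
            tail = buf[-(len(needle) - 1):] if len(needle) > 1 else b""

def demo() -> Dict[str, object]:
    """Write a constructed secret, wipe it with both schedules, report what the read-back shows."""
    secret = b"ACCOUNT=1234-5678 " * 5000  # constructed sample content, ~90 KB
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.bin")
        with open(path, "wb") as f:
            f.write(secret)
        result: Dict[str, object] = {}
        result["passes"] = overwrite_file(path, SCHEDULES["dod_3pass"])
        result["size_unchanged"] = os.path.getsize(path) == len(secret)
        result["secret_gone"] = not contains(path, b"ACCOUNT=")
        overwrite_file(path, SCHEDULES["zero_1pass"])
        result["zeroed"] = verify_fixed(path, 0x00)
        return result

if __name__ == "__main__":
    print(demo())
```

The read-back check only proves that the filesystem now returns the new pattern for those logical blocks. On SSDs with wear levelling, on journaling or copy-on-write filesystems, and wherever the drive remaps sectors, the old content may survive in blocks this loop never touches, which is why device-level erase (the `diskutil secureErase` command mentioned in the comments below, or an ATA/NVMe secure-erase) or encrypting the volume up front is the safer defence than piling on more passes.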

You might wonder why I am blogging about this. Well, I found it interesting, I always wanted to know more about the implementation that Apple's Disk Utility uses, and maybe now you can know more too.


blasdelf said...

All the "Secure Erase" stuff is pretty much pointless. Nobody's ever demonstrated a way to recover data that's been written over by zeros in only one pass.

Peter Gutmann is the originator of most of this handwringing, and even he admits that the 35-pass was only relevant in the pre-ATA/SCSI days of MFM drives.

Desmond Elliott said...

That is an interesting comment that you make. Perhaps a more suitable time for me to take a closer look into your claim might yield some interesting reading on the subject.

I guess you make a valid point that people have an irrational fear that they believe is calmed by obsessive scrubbing of data that essentially doesn't achieve anything more than a zero pass.

steve said...

All concerns about data being recovered can be mitigated by simply inserting another layer between the disk and the data, one that obfuscates the data in such a way that reading the raw data and trying to reconstruct it doesn't get you anywhere. This has to be done as a preventative method, trying to wipe things obsessively after the fact is less likely to protect you.

If you simply use volume or even file level encryption, and then wipe the disk when necessary, you make it effectively impossible to read file system structures because the data can't be read back and reconstructed.

Even if you have a clear copy of the encrypted volume you need the key, and if someone wipes the disk even having the key won't help you read data.

Disk recovery sometimes uses the metadata from the filesystem to point to the real files for recovery, but if it's encrypted you would have to get a readable copy of the entire volume first (not easy) and then break in somehow (almost impossible at this point).

John Smith said...

There is no such thing as '7-pass erase based on DoD 5220.22-M'. DoD 5220.22-M doesn't specify any particular algorithm.

Do not read NISPOM from Google cache, take it first-hand, from the military:

What makes me sad: Snow Leopard, as of 10.6.3, continues to support the myth of the DOD 7-pass :o(

man diskutil, scroll down to the secureErase section

What can I say? Google cache rules?!