Overwriting Properly
A hard disk consists of one or several disk platters that are plated with a very thin layer (a few millionths of an inch thick) of magnetic substance. One read/write head is used both to read data from the platter and to write data to it. The head is positioned very close to the platter, only a few millionths of an inch away. The surface of the disk platter can be regarded as consisting of magnetic domains that act like small magnets, each having a positive and a negative pole. Data is saved to the disk in binary form, as ones and zeros, and millions of magnetic domains are used to save one bit. When writing new data to the disk, the read/write head reverses the magnetic pole direction where necessary.
When the read/write head reverses the polarity of a region of domains (representing one bit of data), the polarity of most domains reverses, but small portions remain in their original state. The drive electronics ignore these small inaccuracies, but when the platter surface is studied with a sophisticated electronic microscope, it may be possible to recover data even after it has been overwritten.
The main purpose of overwriting is to alter the magnetic polarity of each domain on the disk platter as much as possible, so that it is extremely hard to determine its previous state.
If data were written directly to the disk, files could simply be overwritten with patterns consisting only of ones or zeros. However, hard disks use various run-length limited encoding algorithms to prevent the read/write head from losing its position, and therefore only a limited number of adjacent ones or zeros will be written to the disk. This is why the different encoding schemes must be taken into account when selecting overwriting patterns.
In his paper "Secure Deletion of Data from Magnetic and Solid-State Memory", Peter Gutmann discusses the subject further. In the chapter "Erasure of Data stored on Magnetic Media", he suggests a 35-pass overwriting method that should erase the data regardless of the drive encoding; this method is the default overwriting method in Eraser.
After the proper pattern has been determined, the question of where to write the data remains. When the objective is to overwrite all data stored in a file, the obvious destination would be from the beginning of the file to the end. However, it is not widely known that, because of file system design, the space allocated to a file can be larger than the file itself.
To keep a record of the drive contents, the file system divides each partition on the drive into small blocks called clusters. A cluster is the smallest data block that can be allocated from a partition. The size and number of clusters on a partition depend on the file system and the size of the partition.
It is relatively rare for the size of a file to be divisible by the partition cluster size, i.e., for the file to completely use all the clusters allocated to it. Therefore, usually only part of the last allocated cluster is used, and the unused part of the last cluster (the cluster tip, or slack space) contains old and possibly secret data, which cannot be overwritten before the file that allocated the cluster has been removed.
This problem is present not only when overwriting single files; it also creates a potential security problem when overwriting unused disk space. If one overwrites only the free space available on a drive, the cluster tip area remains untouched. This is why Eraser also overwrites cluster tips when overwriting unused disk space or single files.
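
The cluster tip problem described above, shown as an added example (it is not Eraser's code): a constructed in-memory "disk" with an assumed 4096-byte cluster size shows old data surviving when only the file's own length is overwritten, and disappearing when the overwrite runs to the end of the last cluster. All function names are hypothetical, and a single zero pass stands in for whatever overwriting pattern is selected.

```python
CLUSTER = 4096  # assumed cluster size; real values depend on file system and partition size

def cluster_tip(file_size, cluster=CLUSTER):
    """Return (allocated_bytes, tip_bytes) for a file of file_size bytes."""
    clusters = -(-file_size // cluster)          # ceiling division
    allocated = clusters * cluster
    return allocated, allocated - file_size

def write_file(disk, start, data):
    """Store data at a cluster-aligned offset; bytes past len(data) keep their old contents."""
    disk[start:start + len(data)] = data

def overwrite(disk, start, file_size, include_tip, pattern=b"\x00"):
    """Overwrite the file in place, optionally continuing to the end of its last cluster."""
    allocated, _ = cluster_tip(file_size)
    length = allocated if include_tip else file_size
    disk[start:start + length] = pattern * length

def residue(disk, start, file_size, marker):
    """Count bytes of old 'marker' data still present in the file's allocated clusters."""
    allocated, _ = cluster_tip(file_size)
    return bytes(disk[start:start + allocated]).count(marker)

def demo(include_tip):
    disk = bytearray(4 * CLUSTER)                # constructed 16 KiB "partition"
    write_file(disk, 0, b"S" * (2 * CLUSTER))    # constructed old secret file, two full clusters
    new_size = CLUSTER + 1000                    # a later file reuses both clusters, ends mid-cluster
    write_file(disk, 0, b"n" * new_size)
    overwrite(disk, 0, new_size, include_tip)    # erase the new file
    return residue(disk, 0, new_size, b"S")      # old secret bytes left behind

if __name__ == "__main__":
    print("allocated, tip:", cluster_tip(CLUSTER + 1000))
    print("old bytes left, file length only:", demo(include_tip=False))
    print("old bytes left, cluster tip included:", demo(include_tip=True))
```
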
One more thing you can do to improve security is to close as many applications as possible before erasing unused disk space. This reduces the number of locked files, so that as much of the unused space as possible can be overwritten.
When a file is opened with exclusive access (e.g. when a program file is loaded into memory by the operating system), it is locked to prevent other applications and the user from touching it. Because the file is locked, its cluster tip cannot be overwritten. Therefore, by closing applications you ensure that all possible unused space can be accessed, but remember that even then the files locked by the operating system cannot be accessed.