Grading Secure Wipes
Most wiping software will sport a range of methods used to securely erase data. These are defined either by the number of times a file or disk is overwritten, the data that is used to overwrite, or a combination of both. At its extreme, many programs offer the option to do 35 passes, based on what's known as the Gutmann Algorithm.
Peter Gutmann and Colin Plumb first devised the sequences in 1996 to cater to the popular MFM and RLL encoding formats for magnetic media at the time. It uses a combination of random data and data patterns designed specifically to induce a magnetic signature that should guarantee no applicable recovery, even using advanced recovery equipment (which typically intercepts and analyses the analog signals on the media and compares this against the digital to determine previous data).
Ironically, Gutmann and Plumb's work is often taken out of context with software wipers offering to do the full 35 passes when, by the pair's own definition, only about 10 passes are required—depending on the media type (keeping in mind many of the passes were designed for the specific encoding mechanisms of different hard drives at the time). The sequences were designed back when 2G was a large hard drive, and advances in recording densities mean that most of the theories no longer apply (or apply to the same degree).
In fact, according to a 2006 NIST (National Institute of Standards and Technology) publication, nothing more than a single pass is required with modern drives to prevent recovery, including by magnetic force microscopy—which isn't the type of equipment many people have lying around.
Nevertheless, there are range of standards defined by various government and military agencies around the world—the type who take data security seriously—such as Australia's DSD (Defence Signals Directorate) and America's DoD (Department of Defence). Here the US DoD recommends three passes to securely erase data (presumably, to be sure, to be sure), while DSD doesn't recommend wiping at all—the correct security procedure is degaussing (see the 'Magnetic Degaussing' sidebox) or, ideally, destruction. Both of these methods, naturally, are going to be more effective (though with the obvious downsides of making the drive inoperable).
Wiping with Linux
As you'd expect, wiping under Linux can be done with free tools, and in fact, the tools are part of any mainstream distribution of Linux.
There may be other options, but these two are the easiest:
For wiping an individual file the shred command will perform a repeated wipe exactly the same as the Windows utilities mentioned here—performing any number of writes you specify, with random patterns (including some of Gutmann's sequences) in addition to both renaming the file multiple times (to purge directory tables) and finally zeroing the data. An example of the shred command is shred -zvun10 /home/CSO/testfile. This zeros the file at the end, removes it, runs for 10 iterations and reports verbosely. Incidentally, shred was written by Colin Plumb (see 'Grading Secure Wipes' sidebox).
For full disk wiping there's the venerable dd command. This tool has all sorts of uses, from mirroring drives to creating partition snapshots and raw-reading disks. It can also be used to securely wipe a disk with a very simple command: dd if=/dev/urandom of=/dev/sda bs=1M. The flags 'if' and 'of' are simply in-file and out-file (and here we specify a whole device), while 'bs' is block size. This command reads random data from /dev/urandom and outputs directly to the disk until the whole disk is filled. Alternatively, you can use /dev/zero to output all zeros.
Importantly, of course, you don't need to run these commands from Linux for a Linux system. You can boot a Linux Live CD (like the popular Ubuntu Live CDs) and run the commands on Windows drives in a machine. Again, unless you have very specific requirements, there's little need to pay for wiping software.
Magnetic Degaussing
Of course, software isn't the only option to wipe a drive. Mechanical drives rely on magnetic properties to store bits, so if you don't trust software wiping, you could wipe it with a magnet instead.
A very powerful magnet, that is. Known as degaussing, strong magnets are moved around the drive creating moving magnetic fields that scramble and effectively destroy the data stored on the media. Degaussing has an advantage in that the entire surface of the disk is affected, wiping out partition tables, boot sectors and low-level formatting information in addition to stored data. This usually renders (especially with low-level format data destroyed) the drive inoperable and recoverable only by sending it back to the manufacturer—assuming the magnetic pulse doesn't destroy the motor in the process, too. Considering commercial degaussing can cost anywhere between $30k and $140k, this is probably the type of result you're looking for.
That does leave the rest of us in a bit of a pinch, can you degauss a drive yourself with a strong magnet? Yes, mostly. Rare earth Neodymium magnets are readily available online and exhibit extremely strong fields—enough to lift a thousand times their own weight. Using them on a drive is said to be very effective, but like commercial degaussers, may leave the drive inoperable (which if you're planning to sell the cleaned drives, may not be what you want). We can't recommend this route as Neodymium magnets can be physically dangerous if not handled correctly.
How We Tested
A cleanly formatted disk was set aside for each test on the testing machine, to which example files were then copied across. For programs that could both individually wipe files, and programs that wipe whole disks, we first noted the sectors where the files reside by booting a Linux Live-CD from USB and using the hdparm command with the '-- fibmap' and '--readsector' switches. This allowed us to find and raw-read the sectors on the drive where a file resides.
The files or disk was then wiped from within Windows, after which the machine was again booted to Linux and the same sectors where the files resided were read to confirm they no longer contain the data (or more correctly, contained scrambled or zeroed data).
Wipe times weren't measured, as all products saturate and are limited by the speed of the I/O subsystem.
Adding SSDs to the Mix
SSDs (solid state drives) have rapidly gained popularity in the last few years in both business and the home. It's common knowledge they are fast, quiet, and use less power, but they come with another feature intrinsic to their design: they are also somewhat less secure. Unlike traditional spinning-platter media, the NVRAM on which SSDs are based have limited write-cycles. While in practice the shelf life of an SSD is still very decent—there are no long-term studies yet that accurately catalogue write-cycle lifetimes—they use firmware designed to extend their life by using a technique called wear levelling. This balance writes out across the media to ensure all cells get written-to evenly.
In practice this means when a file is overwritten in the operating system, the new file is actually written to a different location than the original. Hence, even though it may be 'deleted' from the drive, it's still recoverable. Securely deleting files or wiping free space is also a bit of misnomer for SSDs for the same reason. The translated sectors the operating system sees on the drive don't bear any relation to where the data is physically stored in the NAND chips.
Unfortunately, there's no real solution to this if security is paramount except to perform what's known as a secure erase. All SSDs support this and is similar to restoring the drive to factory condition (with the exception of wear on the chips), resetting all cells to 0s. While secure, it's an all-or-nothing affair, you can't selectively erase files, folders or partitions as you can with spinning-platter media.
Adding to the complexity, many SSDs keep of a pool of memory (which can be many gigs in size) to use either as scratch space for garbage collection routines or to allocate as new sectors if any cells become unusable. This pool may also contain old data that could be recovered with the right tools.
What about TRIM? Contrary to popular belief TRIM does not clear the cells, it sets a flag in the drive's cluster map to indicate these cells don't need to perform the full read/modify/write cycle which is normally required when writing to cells that already contain data. Until those cells are actually written over with new information, that data is also still present.
All up, this tends to indicate that if security is more important to you than speed, SSDs are perhaps not the best choice.
So what's the best tool for the job?
You know the inevitable answer—whatever works best for you, so you should install and play with any that take your fancy or have features you need. That said, our subjective choices are marked above with Gold, Silver and Bronze awards.
With the exception of some paid products—where commercial licensing is required or you need specific features like wiping over a network (such as withg East-Tec's Dispose Secure) or swapfile encyption (Jetico's BCWipe)—there really isn't a need to pay for wiping software. It’s basic, the methods are proven and they all execute it to the same standard.
You also don't necessarily need to slam a drive with a four-day run of 35 passes when you do want to wipe securely—Peter Gutmann, whose work on secure erasing inspired the most comprehensive 35-pass method used by most wipers today, has stated that with modern drives a single-pass with random data is usually enough.
Take some of these programs for a spin (as it were —fans of the platter drives) and happy wiping!
Follow @CSO_Australia and sign up to the CSO Australia newsletter.