What is secure deletion?


Once upon a time, deleting a file meant it was gone for good. That was the assumption, but, in 1982, Peter Norton released the UNERASE tool, which could be used to magically restore files that had been wiped using the ERASE command in MS-DOS. Subsequently, Microsoft added its own official UNDELETE command to MS-DOS 5.

For careless users, these tools were a godsend, but for businesses that had made the early investment in storing sensitive information on computer disks, the idea of undeleting files was an alarming threat to data security. Since then, the threat has only grown: almost all of us have our own personal information stored somewhere in digital form that we wouldn’t want to fall into the wrong hands, while digital storage is now ubiquitous across businesses and governments.

Indeed, various regulations, such as the Data Protection Act 2018 and GDPR, make companies liable for ensuring certain data is kept secure and confidential, even after a computer is sold, donated or thrown into a skip. Secure deletion is more important than ever.

How does secure deletion work?

Undeleting is possible because “deleting” a file doesn’t actually remove its contents from the disk, it merely marks the space it occupied as available for reuse. Until new data is written into that space, a low-level tool can read the original bits and reconstitute the deleted file.

Deleting something securely therefore means overwriting it with fresh data, so the old bytes can no longer be read back. If you're wondering why this isn't done by default, one reason is that it adds wear to the disk and shortens its lifespan. Another is that deallocating space takes a tiny fraction of a second, whereas writing megabytes or gigabytes of data takes far longer, tying up the drive and slowing everything else down.

What's more, a single overwrite has traditionally been considered insufficient. It stops OS-based undelete tools from working, but the worry has been that a forensic laboratory could still recover the old data.

To understand why, remember that mechanical drives store data as tiny magnetic domains on the platter, with zero and one represented by opposing polarities. Overwriting a one with a zero reverses the polarity of that spot, while writing a zero on top of a zero magnetises it twice in the same direction. The concern, first set out by Peter Gutmann in 1996, is that a determined analyst could pull the platter out of the drive, inspect it with a magnetic force microscope and measure the precise strength of each field to infer what its previous value probably was. Bear in mind that this was argued for the low-density drives of that era; there is no published demonstration of recovering usable data from a modern high-density drive after even a single overwrite.

Solid-state drives (SSDs) store data differently, as electric charge held in flash cells rather than magnetic fields on a platter, and the cells can't be rewritten in place: a whole block of cells must be erased before any page in it can be programmed again. An erased-and-reprogrammed cell may also settle at a slightly different charge level from one that never held a one, so residual-charge analysis of the bare chips is, in principle, a comparable laboratory concern. In practice the bigger problem with SSDs is that the drive controller, not the operating system, decides which physical cells a write actually lands in, a point we return to below.

The traditional response has been to overwrite the deleted data not just once but several times, with varying bit patterns, so that whatever trace of the original polarities or charge levels survives is buried in noise.

How many overwrites is enough?


Almost any tool will give you a variety of overwriting patterns to choose from, probably including standards chosen by various national security agencies. It’s far from obvious which one to choose, as they use different numbers of write passes and different bit patterns.

There are also suggestions from security experts, including Bruce Schneier and Peter Gutmann. Schneier suggests overwriting deleted data with all ones, then all zeroes, then five passes of random bits. Gutmann's approach goes all the way up to a maximum of 35 passes, with a variety of bit patterns designed for the ways different types of drive encode data.

In truth, that’s overkill. As Gutmann himself has explained, “performing the full 35-pass overwrite is pointless… if you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes.”

Indeed, these standards are almost all excessive for everyday use. While bit-by-bit reconstruction of overwritten data is possible, it requires the sort of specialist equipment and expertise that’s only likely to be found in academic or government organisations. Even professional data recovery specialists won’t normally attempt it.

While it's understandable that military secrets are protected with maximum paranoia, we'd refer you to the 2014 recommendation of the US National Institute of Standards and Technology, Special Publication 800-88 Revision 1. For what it calls a "Clear", applying to both hard disks and SSDs, you merely need to overwrite the media using organisationally approved software and perform verification on the overwritten data. The pattern should be at least a single write pass with a fixed data value, such as all zeroes; multiple write passes or more complex values may optionally be used. NIST's stronger "Purge" level is a different matter: there it points to the drive's own sanitize or secure erase commands, or to cryptographic erase on a self-encrypting drive, and for SSDs it does not list overwriting among the acceptable Purge methods.

In other words, feel free to write complex bit patterns over and over, but a single pass is good enough to defeat undelete tools, and that’s really all you’re ever likely to need.

Is secure deletion guaranteed to work?

There's a reason why the NIST SP 800-88 procedure says to "perform verification". While it's not likely, a software bug, a hardware restriction or a misconfiguration could mean your data isn't really wiped. If you're worried that something might be recoverable even after you've attempted to securely delete it, the best test is to try to recover it yourself: run an undelete or file-carving tool against the disk, or read the raw sectors back and check that they hold the pattern you wrote.

Another issue arises with bad sectors. When a sector fails, the drive quietly remaps its address to a spare sector, so a software overwrite of that address lands on the spare while the original sector, possibly still holding the last chunk of data written to it, becomes unreachable from the operating system (the drive's own secure erase command is generally able to cover such areas, a software tool is not). Since bad sectors are a warning sign of a bigger failure on the way, your safest bet is to check your disk health regularly, and if any errors are detected then copy your data onto a new drive and destroy the old one.
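The toy disk below, an added example rather than code from the article, brings together three points made above: an ordinary delete only removes the directory entry and leaves the bytes to be carved back out; a single fixed-value overwrite pass is enough to defeat that kind of recovery; and a wipe must be verified, because a block that silently refuses the write, as a failing drive can, still holds the old data. The block size, the file contents and the failing block are all constructed for illustration.

```python
"""Added example, not code from the article: a toy disk that shows why an
ordinary delete is recoverable, why a single overwrite pass defeats
content-based recovery, and why a wipe must be verified (a block that
silently refuses writes keeps its old data).  Block size, file contents
and the failing block are all constructed for illustration."""
import os

BLOCK = 16        # bytes per block, tiny so the whole disk is easy to inspect
N_BLOCKS = 32


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(BLOCK * N_BLOCKS)
        self.directory = {}                 # file name -> list of block numbers
        self.free = list(range(N_BLOCKS))   # allocated lowest-first, like a simple FAT
        self.bad = set()                    # blocks whose writes are dropped silently

    def _write_block(self, b, data):
        if b not in self.bad:               # constructed failure mode
            self.raw[b * BLOCK:(b + 1) * BLOCK] = data

    def read_block(self, b):
        return bytes(self.raw[b * BLOCK:(b + 1) * BLOCK])

    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            self._write_block(b, data[off:off + BLOCK].ljust(BLOCK, b"\0"))
            blocks.append(b)
        self.directory[name] = blocks

    def delete(self, name):
        """Ordinary delete: the directory entry goes, the bytes stay put."""
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name, patterns=(b"\x00",)):
        """Overwrite every block of the file with each pattern in turn
        (None means fresh random bytes), read each block back to verify
        the pass took, then free the blocks.  One fixed-value pass is the
        NIST SP 800-88 'Clear' minimum; extra passes are optional."""
        blocks = self.directory[name]
        for pat in patterns:
            for b in blocks:
                fill = os.urandom(BLOCK) if pat is None else pat * BLOCK
                self._write_block(b, fill)
                if self.read_block(b) != fill:
                    raise IOError(f"block {b} did not take the overwrite")
        self.delete(name)


def carve(disk, marker):
    """The 'try to undelete it yourself' check: ignore the directory and
    search the raw bytes for the content, returning the line that holds it."""
    i = disk.raw.find(marker)
    if i < 0:
        return None
    end = disk.raw.find(b"\n", i)
    return bytes(disk.raw[i:end if end >= 0 else len(disk.raw)])


SECRET = b"SECRET: card 4111-1111-1111-1111\n"   # constructed; spans three blocks


def plain_delete_leaves_data():
    d = ToyDisk()
    d.write_file("cards.txt", SECRET)
    d.delete("cards.txt")
    d.write_file("notes.txt", b"an unrelated new file\n")  # lands in other free blocks
    return carve(d, b"SECRET:")                         # the old line is still there


def overwrite_removes_data(patterns=(b"\x00",)):
    d = ToyDisk()
    d.write_file("cards.txt", SECRET)
    d.secure_delete("cards.txt", patterns)
    return carve(d, b"SECRET:")                         # None: nothing left to carve


def verification_catches_bad_block():
    """Returns (wipe_verified, secret_still_carvable) for a disk whose
    second data block stops accepting writes after the file was written."""
    d = ToyDisk()
    d.write_file("cards.txt", SECRET)
    d.bad.add(d.directory["cards.txt"][1])
    try:
        d.secure_delete("cards.txt")
        verified = True
    except IOError:
        verified = False
    return verified, carve(d, b"1111-1111") is not None
```

Without the read-back in `secure_delete`, the last case would report success while the card number sat untouched in the block that ignored the write; that is the situation the "perform verification" step exists to catch, and a real tool does the same thing by reading every sector back (or a representative sample) and comparing it with the pattern it wrote.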

A similar challenge arises with SSDs because of the way the controller manages flash. Flash cells can't be rewritten in place, so the controller keeps a map (the flash translation layer) from the addresses the operating system sees to physical pages, and it writes every update to a fresh, already-erased page, marking the page holding the old data as stale until its block is eventually erased in the background. Wear levelling uses the same map to spread writes across all available cells, so that no cell is flashed and re-flashed while others sit untouched, maximising the lifespan of the drive. The upshot is that if you tell an SSD to overwrite a file, the new data goes to fresh cells, and the cells containing the original data may not be touched at all.

If you want to be surer that deleted files on an SSD have been purged, one approach is to fill all available space with junk data, so that the controller is forced to recycle its stale pages, after which you delete the junk to free the space again. This is not a guarantee, though: SSDs keep a reserve of spare cells (over-provisioning) that the operating system can't address, and stale copies of your data can sit there until the controller gets round to erasing them. For an SSD the reliable option is the drive's own secure erase or sanitize command, which erases every cell, spares included. The free-space fill technique does work for conventional hard disks, where it ensures that nothing remains of forgotten files that might have been erased long ago; most secure deletion tools have the capability to overwrite all space that's marked as free.
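To see why a host-side overwrite can miss data on an SSD, here is a toy flash translation layer, added here as an example and not the article's or any real controller's code. It models out-of-place writes, stale pages, over-provisioned spare pages the host cannot address, and a sanitize command that erases everything. The page size, page counts and the sample secret are constructed; real controllers are far more complex, but the mapping behaviour is the point.

```python
"""Added example, not code from the article: a toy SSD with a flash
translation layer (FTL).  Flash pages cannot be rewritten in place, so a
host overwrite of a logical page lands on a fresh physical page and the
page holding the old data is only marked stale.  Page size, page counts,
the over-provisioning ratio and the sample data are constructed."""
import os

PAGE = 16
LOGICAL_PAGES = 8          # capacity the host can address
PHYSICAL_PAGES = 12        # the extra four are over-provisioning, invisible to the host
ERASED = bytes(PAGE)       # erased state (real NAND reads as all ones; zeros here for clarity)


class ToySSD:
    def __init__(self):
        self.flash = [ERASED] * PHYSICAL_PAGES
        self.l2p = {}           # logical page -> physical page (the FTL map)
        self.stale = set()      # physical pages holding superseded data, not yet erased
        self.cursor = 0         # round-robin allocation stands in for wear levelling

    def _alloc(self):
        """Return an erased physical page, garbage-collecting only when none is left."""
        for _ in range(PHYSICAL_PAGES):
            p = self.cursor
            self.cursor = (p + 1) % PHYSICAL_PAGES
            if p not in self.l2p.values() and p not in self.stale:
                return p
        self.garbage_collect()
        return self._alloc()

    def write(self, lpn, data):
        """Host write: always out of place; the previous physical page goes stale."""
        p = self._alloc()
        self.flash[p] = data.ljust(PAGE, b"\0")
        if lpn in self.l2p:
            self.stale.add(self.l2p[lpn])
        self.l2p[lpn] = p

    def garbage_collect(self):
        """Erase stale pages.  Real drives do this on their own schedule,
        so stale data can survive long after the host 'overwrote' it."""
        for p in self.stale:
            self.flash[p] = ERASED
        self.stale.clear()

    def sanitize(self):
        """Model of the drive's built-in secure erase (ATA Secure Erase,
        NVMe Format/Sanitize): every physical page, mapped, stale or spare,
        is erased by the controller, which no host-side write can achieve."""
        self.flash = [ERASED] * PHYSICAL_PAGES
        self.l2p.clear()
        self.stale.clear()

    def raw_dump(self):
        """What a chip-off reader sees: every physical page, regardless of mapping."""
        return b"".join(self.flash)


SECRET = b"SECRET 4111-1111"   # constructed, exactly one page


def demo():
    """Returns whether the secret is still present in raw flash at each stage."""
    s = ToySSD()
    s.write(0, SECRET)
    s.write(0, ERASED)                         # host overwrites logical page 0 with zeros
    found = {"after_host_overwrite": SECRET in s.raw_dump()}
    for lpn in range(LOGICAL_PAGES):           # fill every page the host can address
        s.write(lpn, os.urandom(PAGE))
    found["after_filling_free_space"] = SECRET in s.raw_dump()
    s.sanitize()
    found["after_sanitize"] = SECRET in s.raw_dump()
    return found
```

Reading the logical page back after the host overwrite returns zeros, so an OS-level undelete finds nothing, yet the secret is still present in raw flash, and it is still there after every host-addressable page has been filled, because the stale page is one of the spares the host never sees. In this toy the controller's own garbage collection would eventually erase it too, which is why the honest answer for a real SSD is "probably, eventually" rather than "yes"; only the sanitize step gives a definite no.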

Securely deleting entire disks

We've focused on purging deleted files, but sensitive information can linger in other places, such as web caches, the system Registry or the Windows paging file (pagefile.sys), which can hold data that was never even saved to a file. If you're passing on a computer to someone else, the safest approach is to destroy or securely wipe the entire drive.


The former approach gives you some dramatic options. You could degauss it with a powerful electromagnet (which only works on magnetic media, so not on an SSD), melt it in a furnace or feed it into an industrial shredder. It's probably more convenient, though, to use a tool that comprehensively wipes the contents and lets you reformat and reuse the disk. There are several free options, but they don't all work the same way. The best ones issue the drive's own secure erase command (ATA Secure Erase for SATA disks; Format with secure erase, or Sanitize, for NVMe drives; on Linux these are exposed by hdparm and nvme-cli respectively), which the drive firmware carries out across the whole device, all partitions included, along with areas the operating system can't address. Tools that instead perform a software overwrite from the host are fine for conventional hard disks, but for the reasons given above they can't reach everything on an SSD.

Remember that if you want to wipe your Windows system disk, you won’t be able to do it while the OS is running. You’ll need to connect it to a different computer, or create a bootable medium such as a USB flash drive containing a secure deletion tool, and boot from that.

Darien Graham-Smith

Darien began his IT career in the 1990s as a systems engineer, later becoming an IT project manager. His formative experiences included upgrading a major multinational from token-ring networking to Ethernet, and migrating a travelling sales force from Windows 3.1 to Windows 95.

He subsequently spent some years acting as a one-man IT department for a small publishing company, before moving into journalism himself. He is now a regular contributor to IT Pro, specialising in networking and security, and serves as associate editor of PC Pro magazine with particular responsibility for business reviews and features.

You can email Darien at darien@pcpro.co.uk, or follow him on Twitter at @dariengs.