Software that can securely erase free space

Discussion in 'privacy technology' started by freakish, May 13, 2006.

Thread Status:
Not open for further replies.
  1. freakish

    freakish Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    46
    Can anyone recommend good free software that can securely erase free space? The OS is Windows XP.
     
    Last edited: May 13, 2006
  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Eraser 5.7. http://www.heidi.ie/

    Don't download 5.8, It's a beta and it's created serious problems with some systems including mine.
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Note the following discussion about the Gutmann method (used by Eraser) in DBAN's FAQ:
    Q: Is the Gutmann method the best method?
    A: No.
    Most of the passes in the Gutmann wipe are designed to flip the bits in MFM/RLL encoded disks, which is an encoding that modern hard disks do not use.

    In a followup to his paper, Gutmann said that it is unnecessary to run those passes because you cannot be reasonably certain about how a modern hard disk stores data on the platter. If the encoding is unknown, then writing random patterns is your best strategy.

    In particular, Gutmann says that "in the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data... For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do".

    Read these papers by Peter Gutmann:

    * Secure Deletion of Data from Magnetic and Solid-State Memory
    http://www.cs.auchland.ac.nz/~pgut001/pubs/secure_del.html
    * Data Remanence in Semiconductor Devices
    http://www.cypherpunks.to/~peter/usenix01.pdf

    -- Tom

    P.S. Correction: 1st link above was not stale, my connection needed refreshing
     
    Last edited: May 14, 2006
  4. freakish

    freakish Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    46
    So, is Eraser still effective in securely deleting free space? If not, can you recommend another program?
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    I would think that with the DoD method (which scrubs 7 times) it would be sufficient on modern disks. My previous message was to point out what Gutmann himself now says in the Epilogue of his current paper originally published in 1996. The only identifying datable characteristic of his paper (since he didn't date his Epilogue) is that he now mentions 60GB disks, indicating that his Epilogue dates after 60 GB disks were available on the market. When that was, I don't know.

    -- Tom
     
  6. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,674
    Location:
    Philippines, the Political Dynasty Capital of the
  7. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    For a really excellent discussion of erasing free space see here. This raises the question of how the other tools mentioned do it, and whether they really get it as right as the SDelete tool.

    -- Tom
     
  8. herbalist

    herbalist Guest

    Eraser is still very effective on free space as well as files. It's more than enough for any normal usage. The Gutmann, DOD, best method discussion is pretty well outside the scope of normal use. If you're trying to make sure the NSA can't recover the files with the best forensic methods available, then it could make a difference.
    If you're really concerned that a method may not be sufficient, use both methods. The launcher component (eraserl.exe) can overwrite the file without deleting it. Use it to give it a DOD or Gutmann overwrite, then hit it again with 5 or 6 passes of random data. You could always put together a script or batch file to make this easy.
    Rick
     
  9. freakish

    freakish Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    46
    How many wipes is truly necessary? (I use DOD 3-pass)

    Is the pseudorandom - 1 pass enough? I just want the free space to be unrecoverable using software programs like Restoration.

    Also, will using pseudorandom - 1 pass use significantly less time?
     
  10. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    BunkFace,

    1 pass is clearly not sufficient to prevent recovery, and 3 passes is not as good as 7 passes. Try the SDelete program from sysinternals.com as previously recommended, and then attempt a trial run with Restoration. And, as the author of Restoration says, run the deletion function at your own risk.

    -- Tom
     
  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Try BCWipe also
    http://www.jetico.com/bcwipe3.htm

    Same issues wrt Gutmann wipe but should be OK

    Heh: Image, save , format 35 times and reinstall: but may not work?

    DO NOT GO TO Evidence Eliminator :thumbd:
     
  12. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    I've read in several places lately that the whole electron microscope recovery is basically a myth. With modern drives, one-pass and it can't be recovered. A forensic investigator on a podcast I heard said the same thing. He said all the exotic methods and wiping methods are no better than a single-pass. Bottom line: "layers" of recoverable deleted data is a myth!

    I found the following today and it says the same thing:

    From Action Front Data Recovery Labs (A Seagate Company) http://www.actionfront.com/ts_dataremoval.aspx :

    CAN OVERWRITTEN DATA BE RECOVERED?
    Good Question!

    During the past few years I have been questioned on numerous occasions (by technicians from Revenue Canada, the R.C.M.P., the Department of National Defense and several Universities) about the availability of technologies to read trace magnetic signals that have been overwritten. It is commonly quoted that data can be recovered if it has been only overwritten once or twice and that it actually takes up to ten overwrites to securely protect previous data.

    If a head positioning system is not exact enough, new data written to a drive may indeed not be written back to the precise location of the original data. Due to this track misalignment, it is possible to identify traces of data from earlier magnetic patterns alongside the current track. (At least that was the case with high capacity floppy diskette drives, which have a rudimentary position mechanism. Due to the embedded positioning systems and extreme high densities of new drive technologies, it has yet to be proven if the same can be said for the latest high speed, high capacity disk drives.)

    It has been suggested that an electron microscope could be used to read and interpret any patterns that were not fully overwritten by the process. Theoretically this can be done - but in practice it is little more than a myth.
    Electron microscopes have been used to detect and identify magnetic regions smaller than the fluxes used to represent data on a 200 megabyte disk drive. Unfortunately, at best, this type of process could be accomplished at a rate of perhaps 1 bit per second. Furthermore, since virtually every drive in production today records two or more magnetic fluxes (due to R.L.L. recording) to represent each bit the actual rate could be considerably slower.

    The number of bits in a single 512 byte (character) sector is 4096 and there are over 200,000 sectors on a one hundred megabyte hard drive. This represents almost 820 million bits to be read back.

    If data could be recovered at the rate of 1 bit per second - this process would take 9,259 days (or over 25 years) to recover 100 MB of information. This is assuming that you could read back and interpret each bit correctly, for example on data that has never been overwritten. If you are trying to read "traces" of data that were previously written there, in the most likely scenario you may be able to correctly recover, interpret and identify 30-40 percent of the signals.

    THAT DOES NOT MEAN YOU WOULD RECOVER 30-40% OF THE DATA - BUT ONLY 30-40% OF THE INDIVIDUAL BITS IN EVERY CHARACTER.

    A "10101011" pattern may come back as "?010?01?" and every single character on the drive would be scrambled in a similar manner. The mathematical probability of decrypting such a puzzle into usable data is infinitesimal.

    It could be claimed that data can be recovered from any drive in the world with a guaranteed success rate of 50% "at the bit level". This sounds interesting until you consider that if you overwrote the entire surface of the drive with either all "0" or all "1" and since the original drive contained nothing but patterns of binary ones and zeros - half the bits would be correct - but obviously no data could be recovered.

    In conclusion, overwritten data cannot be read back or recovered by any current disk drive technology or laboratory technique.
     
  13. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
  14. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @Suave
    Good one; i'd forgotten that. :thumb:
    Sysinternals has something for every one :)

    Good idea to Dl all their free tools and instructions before MS might remove the pages.
     
Loading...
Thread Status:
Not open for further replies.