Simply deleting files just won’t do

An article in describes secure methods of file deletion. A normal “delete” command does not actually delete files at all. But even when more advanced “file wiping” utilities are used, some data may remain on the hard disk that may be used for malicious purposes. In particular, the magnetic properties of a hard disk can be exploited to recover data.

Not so long ago, simple Windows system commands were held to be a “secure” method of file deletion. When these were found to offer very little genuine security, specific utilities became available that were able to overwrite the related disk sectors. It seemed that these would surely be foolproof; however, not all of these programs provided the necessary level of security.

There are three areas of particular concern regarding secure file deletion:

1. When a file is written to a disk, it has a certain number of sectors or clusters allocated to it. The area of disk space provided is always larger than the file itself. Deleting a file alone leaves a space which can contain sensitive data. There are a number of ways in which this sensitive data can be deposited without a user knowing it.

2. It is in the nature of a computer to always be updating one file or another. Every time a file is updated or “saved”, new copies are created and written wherever there is sufficient space. Applications can create huge numbers of such files. When a file is eventually deleted, only the last image is accounted for. All other images appear as free disk space, unseen and unsuspected. That is, until the disk is viewed with the appropriate software; then all is revealed. Even when partially overwritten, these files can make interesting reading! As a precaution against this kind of threat, NEVER EVER “save” an edited plaintext file; use “save as” instead. All versions will then remain available for deletion.

3. As if the preceding were not enough, applications also create “temporary” files as part of their normal execution. That these files are not so “temporary” can now be appreciated.
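The first concern above, the slack between the end of a file and the end of its last cluster, can be covered by extending the overwrite to the cluster boundary before deleting. This is an added example, not code from the article or from QuickWiper; the 4096-byte cluster size and the function names are assumptions, and it assumes the file system rewrites a file's existing clusters in place.

```python
import os

CLUSTER_SIZE = 4096  # assumed allocation unit; use the real value for the volume


def padded_length(size, cluster=CLUSTER_SIZE):
    """Round a file size up to the end of its last allocated cluster."""
    return -(-size // cluster) * cluster


def overwrite_file(path, passes=3, cluster=CLUSTER_SIZE):
    """Overwrite a file with random data through the end of its last cluster.

    Writing past the logical end of the file grows it to the cluster
    boundary, so the slack area is rewritten along with the contents.
    Returns the number of bytes written per pass.
    """
    length = padded_length(os.path.getsize(path), cluster)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = length
            while remaining:
                chunk = os.urandom(min(remaining, 1 << 20))
                remaining -= f.write(chunk)  # raw write may be partial
            os.fsync(f.fileno())  # push each pass to the device, not just the cache
    return length


def wipe_file(path, passes=3, cluster=CLUSTER_SIZE):
    """Overwrite, rename to a random name, then delete.

    The rename keeps the original file name out of the directory entry
    that is left behind after deletion.
    """
    length = overwrite_file(path, passes, cluster)
    folder = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(folder, os.urandom(8).hex())
    os.rename(path, anonymous)
    os.remove(anonymous)
    return length


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, "overwritten bytes per pass:", wipe_file(target))
```

This only reaches the clusters the file occupies at the moment it is wiped; the earlier copies and temporary files described in concerns 2 and 3 sit in free space and are not touched by it.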

Some would say that there is no chance of recovering data that has been overwritten just once or twice. These individuals are unaware of the “true” extent to which “data remanence” has been investigated! Deletion by rewrite is never absolute; it is more of a sliding greyscale. Once magnetic media have been exposed to a structured magnetic field, it is in reality very difficult to ever totally disguise the fact. This applies especially to present drive heads and high coercivity media. When a write function is carried out, magnetic domains are created by the millions for each bit that is written. There is a limit as to how great the write current can be, or adjacent data will be corrupted. Increasing the spacing between adjacent data bit representations would lower the total capacity of the media. Modern high coercivity magnetic coatings allow much greater data densities, but are more difficult to magnetize.

Consequently, when a rewrite is carried out, a significant number of these tiny molecular domains remain in their original orientation. This orientation is never exactly the same twice. The precise orientation of the domain would have been influenced by adjacent bit representations. Each precise orientation is individualized, like a fingerprint. With each subsequent rewrite, fewer of these “permanent” domains remain, and so a molecular history is encoded by a scale of relative molecular domain numbers.

In an age where molecular polarity is such a vital area of science, it should come as no surprise that special techniques exist for its determination. The obvious value of being able to recover data is not lost on malicious attackers.

This blog is run by the authors of QuickWiper, a file wipe utility.
