Single drive wipe protects data, research finds

A computer forensics specialist has a message for security-minded computer users: A single wipe will make drives impossible to read.

In research published on Thursday, auditor Craig Wright tested the ability of a special type of electron microscope, known as a magnetic force microscope, to read data that has been erased. While overwriting the data multiple times with a random series of 0s and 1s makes it harder to recover, Wright found that it is nearly impossible to recover any meaningful amount of data after a only single pass. Recovering a single byte of data, for example, on a used drive is successful less than one percent of the time, he found. Accurately recovering four bytes, or 32 bits, of data only works nine times out of each million tries.

(Editor's note: SecurityFocus is currently investigating the veracity of the research paper mentioned in this article. Peter Gutmann of the University of Auckland, an expert on secure deletion, has criticized the work in the epilogue to his paper on secure deletion.)

"Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible," Wright stated. "The fallacy that data can be forensically recovered using an electron microscope or related means needs to be put to rest."

Many software products designed to wipe hard drive allow for multiple passes to erase the data. Common wisdom holds that the more sensitive the data, the more times you should overwrite the drive. However, Wright's research suggests that a single pass is all that's necessary to protect the data on a hard drive.

Wright did find that multiple passes do make it harder to recover data and that data written to a pristine drive is much easier to recover. Yet, in the most common case, where the drive has been used and written to multiple times, a user can be assured of their privacy by a single pass.

"In many instances, using a MFM (magnetic force microscope) to determine the prior value written to the hard drive was less successful than a simple coin toss."

UPDATE: The article was updated on Monday to add a link to the original research and highlight criticism of the paper.

If you have tips or insights on this topic, please contact SecurityFocus.