Locating Your Sensitive Data in Your Computer
2.1.2 Disk wiping
In view of the foregoing, disk wiping (the process of overwriting all sensitive data on a hard disk so that such data cannot be retrieved by others) is a very complex business. Interestingly, Windows does not offer a single means for users to overwrite their sensitive files; rather, Windows makes it extremely difficult to remove sensitive files because of the many ways that it leaks sensitive information into assorted obscure places on one’s storage media.
As a result, numerous software packages have evolved (some for pay and some for free) that have varying degrees of success in truly eliminating sensitive data from one’s computers.
The problem is that even the best of them cannot work as well as one would have wished for the following technical reasons:
So-called low-level formatting of a hard disk does, in fact, “zero-ize” all contents of all sectors. Most integrated desktop environment (IDE) hard disk manufacturers do not provide a utility for doing this, however; only some Small Computer System Interface (SCSI) hard disk manufacturers do. Low-level formatting of a hard disk will defeat software-based means of recovering data from such a disk, but may or may not defeat microscopic examination of the magnetic particles of a disk.
1. Windows and Windows-based application software products create and use files that cannot be removed from within Windows (e.g., the swap file discussed in Section 2.3) while Windows is running. One has to exit Windows, reboot with a different operating system (e.g., DOS), wipe the sensitive files that Windows won’t let one touch, and then reboot. Most disk-wiping software does not do that. In fact, this is one of many tests one should use in assessing whether the disk-wiping software of one’s choice is acceptable: If it purports to do everything from within Windows, it is unsatisfactory.
2. Disk-wiping software has no way of knowing which legitimate-looking files created by assorted application software should be eliminated. For example, Netscape Navigator/Communicator’s netscape.hst has no socially redeeming reason to exist other than to compromise users’ security; it stores information about all that one has ever done with Netscape Navigator/Communicator since it was installed. This file needs to be overwritten manually every time one wants to clean up one’s disk.
3. Disk-wiping software usually does not touch the Registry files. Yet this is precisely where Microsoft’s Internet Explorer stores one’s Web-browsing activity. This way Microsoft could claim (when it tried to defend itself against the U.S. Department of Justice’s famous antitrust litigation) that its Web browser is an “integral part of the Windows operating system.” It is, but it doesn’t have to be as the Netscape and Opera Web browsers demonstrate.
4. Windows stores the names of files and data about those files in a different place than the files themselves and treats those names differently. Even if a file has been deleted, Windows keeps its name forever and does not mark the space taken by that name as being available to be overwritten by newer data, as it does with the space taken by the deleted files themselves.
5. Even if one somehow manages to take care of all of the foregoing “gotcha” threats, an even more insidious one is next to impossible to get rid of: The typical high-capacity hard disks of today come with a number of sectors held in reserve. When a data-containing sector in the disk is deemed by the hard drive’s own “smart” firmware to be marginal (e.g., when there are occasional errors in reading the data from it), the hard disk’s own firmware does the following behind the user’s back, without informing the user:
a. Copies the data from the marginal sector to one of the sectors held in reserve;
b. Assigns the logical address of the marginal sector to the new sector that the data was copied to;
c. Mothballs the marginal sector without overwriting the data in it after that data was copied to the new sector.
No disk-wiping software in the world can touch the now mothballed sector because it no longer has an address; hence it does not exist as far as any software is concerned. On the other hand, a forensic investigator with access to the disk drive manufacturer’s firmware can readily access those sectors and all data in them!
One can now readily appreciate why disk wiping is a very complicated task and why all software products that purport to do it fail quite miserably. Largely because of item (5) above, the reader is advised not to depend on any such software for wiping hard disks clean and to physically destroy magnetic storage media before selling, donating, or otherwise disposing of them. The only secure fix is physical destruction of the magnetic media.
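The drive’s own firmware records how many sectors it has already retired to the reserve pool, and that figure is visible through the drive’s S.M.A.R.T. attributes (for example, via the `smartctl -A` utility on Linux). The script below is an added example, not part of the original text, that parses a constructed sample of such output and reports whether any sector copies exist that an address-based overwrite cannot reach; the sample values and the attribute selection are assumptions made for illustration.

```python
import re

# Constructed sample of `smartctl -A /dev/sdX` output (not captured from a real drive).
SAMPLE_SMARTCTL_OUTPUT = """\
SMART Attributes Data Structure revision number: 16
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       12
  9 Power_On_Hours          0x0032   089   089   000    Old_age   Always       -       10234
196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       12
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       3
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
"""

# SMART attribute IDs describing sectors the firmware has retired or flagged for retirement.
REMAP_ATTRIBUTES = {
    5: "Reallocated_Sector_Ct",      # sectors already moved to the reserve pool
    196: "Reallocated_Event_Count",  # remapping operations performed
    197: "Current_Pending_Sector",   # marginal sectors awaiting remap
    198: "Offline_Uncorrectable",    # sectors that could not be read at all
}

def parse_smart_attributes(text):
    """Return {attribute_id: raw_value} from the attribute table of `smartctl -A` output."""
    attrs = {}
    for line in text.splitlines():
        fields = line.split()
        # Attribute rows start with a numeric ID and carry at least ten columns;
        # RAW_VALUE is the tenth and may carry trailing vendor text, so keep only its leading digits.
        if len(fields) >= 10 and fields[0].isdigit():
            raw = re.match(r"\d+", fields[9])
            if raw:
                attrs[int(fields[0])] = int(raw.group())
    return attrs

def unreachable_sector_report(text):
    """Return (software_wipe_is_sufficient, {attribute_name: raw_value}).

    Any non-zero count means the drive holds sector copies that no
    address-based overwrite can reach, which is the situation item (5) describes."""
    attrs = parse_smart_attributes(text)
    findings = {name: attrs.get(aid, 0) for aid, name in REMAP_ATTRIBUTES.items()}
    return all(v == 0 for v in findings.values()), findings

if __name__ == "__main__":
    ok, findings = unreachable_sector_report(SAMPLE_SMARTCTL_OUTPUT)
    for name, value in findings.items():
        print(f"{name:<24}{value}")
    print("overwrite can reach every sector that held data:", ok)
```

A non-zero reallocated count does not tell you what data the retired sectors held, only that some exists beyond the reach of any overwrite; this check supports the author’s advice rather than replacing it.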