
What difference does multiple-overwrite delete really make?

Question:

CCleaner is one of my utilities for periodic “tuning” of my PC, but in a
recent version upgrade, I discovered that in my haste, I had not looked at the
options in a drop box that give several choices of file deletion overwrites.
I have always used the simple overwrite (one pass), but I would be interested
to know if using CCleaner’s other pass options would significantly affect
either the time or the security of my computer. One pass, three, seven or
thirty five; is one or the other better? Or does it even matter?

For most folks, it doesn’t matter at all.

However, for a select few, it’s actually pretty important.

It all boils down to how important your data is, how likely it is that
someone else would want to access it, and how much effort (and money) they’re
willing to spend to get it.

The bottom line is that there’s deleting, and then there’s
DELETING.

I’ll explain what I mean.


Simple delete

As I hope most folks realize by now, when you delete a file, the actual data is not overwritten or erased. The space that the file’s data occupies is simply marked as “unused” and will remain until some new file overwrites it at some point in the future.

File recovery or “undelete” utilities like Recuva make use of this fact and can often piece deleted files back together as long as the area occupied by the files hasn’t yet been overwritten.

That’s what “overwrite” options in tools like CCleaner are designed to prevent.

Simple overwrite: One pass

If deleting a file doesn’t overwrite the actual data, the fairly obvious solution is to … overwrite the data.

That’s exactly what secure delete programs and utilities like CCleaner do with their “Drive Wiper” option.

The concept is extremely simple: all of the space on your hard drive that does not currently contain data is overwritten with something else (typically random data, or a simple repeating but otherwise useless pattern).

The net result is that those simple data recovery tools – and even many of the advanced ones – cannot recover what was previously on the disk.

And that’s plenty for most of us.

Hard core data recovery

Hard disks are magnetic material. Each bit of data is stored by changing the magnetic polarization of some space on that magnetic material.

Envision each bit as a kind of bull’s-eye – the goal is to write the bit dead-center.

In reality when data is written, it might be a little off-center. How far and how badly depends on many, many things. Perhaps what’s most important is that it does in fact change from one write to the next.

As long as the data is reasonably on-target, reading the data works, and this little detail about hitting the bull’s-eye is something that you’d never need to know about.

When data is written, if it’s a little off-center (as most writes will almost certainly be), the “left overs” from the previous write – meaning the data previously held in that spot – might still be visible at the edges of the bull’s-eye.

Advanced data recovery tools – typically requiring that the disk drive be physically disassembled in a clean room – can examine the area around the bull’s-eye and might be able to reconstruct from that left-over data what had previously been stored there.

Multiple overwrites: 3, 7, or more passes

By overwriting the data not once but multiple times, the data on the fringes of the bull’s-eye is very likely to eventually also be overwritten.

Overwriting multiple times makes the data effectively impossible to recover by any means.

Three times is plenty, but the more times that you do it, the more secure it is – perhaps to the point of ridiculousness.

37 times seems somewhat over the top.

On the other hand, there’s no question that 37 times means that data is completely, irretrievably, and forever gone.

But then, for most of us, unless we’re international spies or under severe government observation, three passes would be plenty.

Heck, for most of us, a single pass is enough.
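The one-pass and multi-pass overwrites described above, sketched for a single file as an added example (this is not CCleaner's code, and the function names are hypothetical). It assumes a magnetic hard disk and a file system that writes in place; unlike a free-space wipe, it only touches the named file.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # write in 1 MiB pieces so large files do not fill memory


def overwrite_file(path, passes=1, pattern=None):
    """Overwrite a file in place `passes` times and return its size in bytes.
    pattern=None writes random bytes each pass; otherwise the given byte
    string is repeated (the "simple repeating pattern")."""
    if passes < 1 or pattern == b"":
        raise ValueError("need at least one pass and a non-empty pattern")
    size = os.path.getsize(path)
    # "r+b" updates the existing file without truncating or recreating it.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                if pattern is None:
                    f.write(secrets.token_bytes(n))
                else:
                    f.write((pattern * (n // len(pattern) + 1))[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next
    return size


def secure_delete(path, passes=1, pattern=None):
    """Overwrite the file's contents, then remove its directory entry."""
    size = overwrite_file(path, passes, pattern)
    os.remove(path)
    return size


def demo():
    """Constructed sample: returns (size kept, marker still readable, file exists)."""
    secret = b"constructed sample secret\n" * 1000
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    size = overwrite_file(path, passes=3, pattern=b"\x00")
    with open(path, "rb") as f:
        after = f.read()
    secure_delete(path, passes=1)  # one random pass, then delete
    return size == len(secret), b"secret" in after, os.path.exists(path)
```

Each extra pass rewrites the whole file again, so run time grows in direct proportion to the pass count.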


9 comments on “What difference does multiple-overwrite delete really make?”

  1. We usually describe it to our clients as “how paranoid are you”? Like you say in many of your other answers — “you’re just not that interesting”. (And most people just aren’t going to spend many thousands of dollars in forensic recovery just so they could steal a few hundred dollars from your PayPal account. Unless they know there’s something of value there in the first place, they’re not going to bother.)

    Though I suppose you could extend your other saying here — “if it’s not physically destroyed, it’s not destroyed”. Yes, we’ve given old hard drives to our daughter, along with a sledge hammer and claw hammer, to “take care of” the situation. But, that was more for our daughter’s enjoyment than anything else.

  2. Hi

    I have often wondered if the same applies to documents created using a memory stick or the CD drive. Is the document also left on the main hard drive, after all MS Word is on the main hard drive?

    Depends on the program, but it’s very possible that temporary files are used and perhaps left in one form or another on your hard drive.

    Leo
    06-Mar-2012
  3. What’s really important is to overwrite the disk before you throw it or give it away. Every few weeks I read of someone who bought a PC at a flea market and found all kinds of sensitive data on it from the previous owner.

    I encrypt my sensitive data (e.g., passwords) while I’m using a disk and overwrite or degauss the disk when I dispose of it, e.g., use Darik’s Boot and Nuke.

    Of course I spent my career in the classified world so it’s automatic for me.

  4. I was under the impression that the study about the bulls-eye/leftover data thing was from the 1980s, when the hard drives were much less dense. Is it really still all that applicable today?

    I believe that it is, as the detection/forensic equipment and techniques have progressed as well.

    Leo
    06-Mar-2012
  5. I also use CCleaner as described, and have done so for a number of years. Have not noticed excessive slowing down from 3 or even 7 passes. At the moment use 7, but after reading Leo’s article am considering going back to 3 !!!!. Have tested with Recuva and all seems to be OK.
    The “Bull’s-Eye” bit had not heard before but is very logical.
    Ta again Leo for dealing with the more mundane bits of Computing.

  6. Note that this article is valid only for HDD (hard disk drives), not for SSD (solid state drives). It is my understanding that with SSD, your only safe option is to encrypt the files in the first place.

    I think the jury’s still out on whether SSD’s suffer from anything similar to the left over data that magnetic material has. That being said, encryption is a fine, fine approach.

    Leo
    06-Mar-2012
  7. Overwriting to completely erasing old hard drive data. I have read different places that the government / military require 7 overwrites and then you could give the drive to someone that is interested in its data but there would be nothing left. Their requirement is 7 overwrites.

  8. Here’s someone’s article suggesting that reading overwritten data hasn’t been established as at all practical, meaning that a single pass with a fixed pattern is as effective as multiple passes with random “data”, and much quicker, of course. However, he seems to talk only of lingering traces of the previous magnetisation, without any account of alignment differences. http://www.nber.org/sys-admin/overwritten-data-gutmann.html

    One other worry is when your disc remaps a sector because it found a bad bit somewhere in it. The original sector, with all your data excepting that odd bad bit, is then inaccessible from your operating system, and unaffected by any disc wiping you do from within it. However, there will be some way to read it, maybe with proprietary, low-level, commands, or else with physical intervention.

    There is a particular problem with flash drives, which remap their storage to achieve some wear levelling.

  9. Your text is very good. It “kills” a lot of doubts. It’s what I was looking for! In Portuguese, I didn’t find anything like your text.

    Thank you from Brazil

