To summarize this document: The US National Security Agency (NSA)
does not consider a hard disk completely erased and secure until
it has been incinerated.
Hard disks are non-volatile storage: they hold data even when power is
removed. Volatile memory such as RAM holds data only while it is powered,
which is why it is called volatile. Hard disks record data as patterns of
magnetisation on their platters. This paper describes the security issues
that follow from how data is stored on, and deleted from, hard disks.
The Microsoft File Allocation Table (FAT)
The Disk Operating System (DOS) uses a filesystem scheme known as the File
Allocation Table. The earliest version, FAT12, used 12-bit table entries and
was soon followed by FAT16, which uses 16-bit entries. Windows 95 introduced
VFAT (Virtual File Allocation Table), an extension that allows filenames
longer than the 8+3 characters of the original directory entry. Windows 95
OSR2 (OEM Service Release 2) brought FAT32, whose table entries are 32 bits
wide (28 of them are used for cluster numbers), allowing much larger volumes.
A FAT volume keeps its "inventory" of where files are located in two places.
The directory holds one entry per file with its name, its size and the number
of its first cluster (a cluster is a fixed group of sectors, the smallest unit
the filesystem allocates). The File Allocation Table itself is an array with
one entry per cluster; each entry holds the number of the next cluster in that
file's chain, or an end-of-chain marker. When you save a file, the operating
system picks enough free clusters to hold it, writes the data into them, links
them in the table and adds the directory entry. For a file occupying clusters
34, 35 and 36 the directory entry would say roughly: abc.doc, 1500 bytes,
first cluster 34; and the table would read FAT[34] = 35, FAT[35] = 36,
FAT[36] = end-of-chain. The filesystem never records platters, tracks or
sectors: translating a cluster number into a physical location on a platter
is the job of the BIOS and the drive electronics.
The table is much like a warehouse's inventory of where items are kept, for
example: building 2, section 12, aisle 21, shelf 34. The big difference is
that data can be overwritten, whereas items in a warehouse have to be "moved".
When you delete a file from the hard drive, the only things that change are in
the inventory: the first byte of the directory entry's name is replaced with
the marker 0xE5 to flag the entry as deleted, and the file's entries in the
table are set to zero to mark its clusters free. There is no reason to clear
the clusters themselves, because once the table marks them free the filesystem
can write over that area of the disk without any concern for what was once
there.
The Problem
The security problem is that when you delete a file, the data it contained is
still on the disk; all that was removed is the inventory entry that pointed to
it. As time goes on, another file will eventually be written to those clusters
and the old data will be partly or wholly destroyed. With today's growing
hard-disk sizes, it may be a long time before new data is written to that part
of the drive.
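The following toy model of a FAT volume is an added example for this page; it is not code from the original article or from any real FAT driver. It models a directory of entries (name, size, first cluster) plus the cluster-chain table, and shows what DEL actually does: the entry is flagged with 0xE5 and the chain entries are freed, while the cluster contents stay put until another file reuses them. Cluster size (8 bytes) and the free/end-of-chain values are assumptions chosen to keep the model small; the sample file content is constructed.

```python
# Toy model of a FAT volume (added example, not the article's or a real driver's
# code). Assumptions: 8-byte clusters (real ones are 512 B to 32 KiB), 0x000 = free,
# 0xFFF = end of chain, 0xE5 in the first name byte = deleted directory entry.

CLUSTER_SIZE = 8
FREE = 0x000
END_OF_CHAIN = 0xFFF
DELETED_MARK = 0xE5


def _clusters_for(nbytes):
    """Number of clusters needed for nbytes (at least one)."""
    return max(1, -(-nbytes // CLUSTER_SIZE))


class ToyFatVolume:
    """Directory entries hold name, size and first cluster; the FAT holds the chain."""

    def __init__(self, clusters=32):
        self.fat = [FREE] * clusters
        self.fat[0] = self.fat[1] = END_OF_CHAIN   # clusters 0 and 1 are reserved on real FAT
        self.data = [bytearray(CLUSTER_SIZE) for _ in range(clusters)]
        self.directory = []                        # {"name", "size", "first_cluster"}

    def write_file(self, name, payload):
        """Pick free clusters, fill them, link them in the FAT, add the directory entry."""
        needed = _clusters_for(len(payload))
        free = [i for i, v in enumerate(self.fat) if v == FREE]
        if len(free) < needed:
            raise OSError("volume full")
        chain = free[:needed]
        for i, cluster in enumerate(chain):
            chunk = payload[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[cluster][:] = chunk.ljust(CLUSTER_SIZE, b"\x00")
            self.fat[cluster] = chain[i + 1] if i + 1 < needed else END_OF_CHAIN
        self.directory.append({"name": bytearray(name.encode()),
                               "size": len(payload), "first_cluster": chain[0]})
        return chain

    def _entry(self, name):
        wanted = name.encode()
        for e in self.directory:
            if e["name"][0] != DELETED_MARK and bytes(e["name"]) == wanted:
                return e
        raise FileNotFoundError(name)

    def read_file(self, name):
        """Follow the chain through the FAT, exactly as the driver does."""
        e = self._entry(name)
        out, cluster = b"", e["first_cluster"]
        while cluster != END_OF_CHAIN:
            out += self.data[cluster]
            cluster = self.fat[cluster]
        return out[:e["size"]]

    def delete_file(self, name):
        """What DEL does: free the chain and flag the entry. Cluster contents are untouched."""
        e = self._entry(name)
        cluster = e["first_cluster"]
        while cluster != END_OF_CHAIN:
            nxt = self.fat[cluster]
            self.fat[cluster] = FREE
            cluster = nxt
        e["name"][0] = DELETED_MARK

    def raw_image(self):
        """Every cluster back to back: what a recovery tool scans."""
        return b"".join(self.data)

    def recover_deleted(self, name):
        """Undelete heuristic: the flagged entry still holds size and first cluster;
        assume the file was contiguous and read straight through. Correct until
        another file reuses those clusters."""
        tail = name.encode()[1:]
        for e in self.directory:
            if e["name"][0] == DELETED_MARK and bytes(e["name"][1:]) == tail:
                first = e["first_cluster"]
                out = b"".join(self.data[first:first + _clusters_for(e["size"])])
                return out[:e["size"]]
        raise FileNotFoundError(name)


if __name__ == "__main__":
    vol = ToyFatVolume()
    secret = b"Top secret memo about the merger"      # constructed sample content
    print("written to clusters", vol.write_file("abc.doc", secret))
    vol.delete_file("abc.doc")
    print("FAT entries after DEL:", vol.fat[2:6])
    print("still on the platters:", secret in vol.raw_image())
    print("undeleted:", vol.recover_deleted("abc.doc"))
    vol.write_file("new.txt", b"x" * 8)               # reuses the first freed cluster
    print("after reuse:", vol.recover_deleted("abc.doc"))
```

Running it shows the whole memo recoverable after deletion, and only the first cluster destroyed once a new file lands there; the remaining three clusters still read back intact, which is exactly the partial recovery the next section describes.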
There are multiple applications that can recover data on a hard disk which
has been "deleted". One commercial application made by PowerQuest is known
as Lost&Found. I have used it to successfully recover lost files on a hard
disk that had even lost partitions. Any time I get a used hard disk, I scan
it with Lost&Found just out of curiosity. What you will find will almost
always surprise you.
The Solution
The solution to preventing sensitive data from being recovered is to wipe the
file before deleting it, that is, to overwrite the clusters that hold it. If
you create a document in Word and save it to your hard disk, the data is
written to a specific set of clusters. If you later open the file, change it
and save it again, and the application rewrites the file in place, the new
contents replace the old in the same clusters and the old version is gone.
That is not something to count on: many applications (word processors
included) save by writing a new temporary file and renaming it over the
original, which leaves the old clusters intact until they happen to be
reused. File-wiping applications make the overwrite deliberate: they open the
file to be deleted and write pattern data over the clusters it occupies. The
National Security Agency (NSA) has a standard known as the NSA file erasure
algorithm, which writes over the file seven times, alternating between all 0s
and all 1s. Whatever the pattern, the overwrite only helps if the filesystem
really writes back into the same clusters, which FAT does for a file opened
and rewritten in place. Once this process is done, the file can be deleted
(or, as we learned above, the table entry can be removed).
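The following wiper is an added example written for this page; it is not the page's own code and it is not how PGP or any other named tool implements wiping. It opens the existing file for update so that the writes land in the clusters the file already occupies (the in-place rewrite the paragraph relies on), forces each pass to disk with fsync, and then obscures the directory entry's name before unlinking, since the entry survives deletion just as the data does. The pass schedule (alternating 0x00 and 0xFF passes followed by one random pass, seven in total by default) is an assumption for illustration, not a claim about the NSA standard; the sample file content is constructed.

```python
import os
import secrets
import tempfile

# Added example, not the article's code nor PGP's or Eraser's implementation.
# Pass schedule is an assumption for illustration: alternate all-0x00 and
# all-0xFF passes, then one pass of random bytes (7 passes by default).


def wipe_patterns(passes=7):
    """Yield one fill pattern per pass; None means fresh random bytes."""
    for i in range(passes - 1):
        yield b"\x00" if i % 2 == 0 else b"\xff"
    yield None


def overwrite_in_place(path, patterns, chunk=64 * 1024):
    """Open the existing file for update (r+b) so writes go into the clusters the
    file already occupies, and overwrite every byte once per pattern. fsync after
    each pass pushes the data out of the OS cache onto the disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def wipe_file(path, passes=7):
    """Overwrite the contents, then hide the name, truncate and unlink.
    The rename matters: the directory entry (and so the original filename)
    would otherwise outlive the file just as its data clusters do."""
    size = overwrite_in_place(path, wipe_patterns(passes))
    junk = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, junk)
    with open(junk, "r+b") as f:
        f.truncate(0)
    os.remove(junk)
    return size


def demo():
    """Write constructed sample content to a temp directory, show that one zero
    pass really replaces the bytes on disk, then wipe fully. Returns the
    observations so they can be checked rather than only printed."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "secret.txt")
    secret = b"Top secret memo about the merger\n" * 100
    with open(path, "wb") as f:
        f.write(secret)
    overwrite_in_place(path, [b"\x00"])
    with open(path, "rb") as f:
        after_zero_pass = f.read()
    wiped = wipe_file(path)
    leftover = os.listdir(directory)
    os.rmdir(directory)
    return {
        "size": wiped,
        "zeroed": after_zero_pass == bytes(len(secret)),
        "gone": not os.path.exists(path),
        "leftover": leftover,
    }


if __name__ == "__main__":
    print(demo())
```

The in-place rewrite is the whole trick: had the wiper written a new file and renamed it over the old one, the original clusters would have been left untouched, which is precisely the behaviour the paragraph warns about in ordinary applications.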
There are many applications that will wipe files off the hard disk. One free
one is Pretty Good Privacy (PGP). PGP is an encryption application, but once a
file is encrypted the original plaintext must be removed or wiped, so PGP can
also wipe files without encrypting them, using the command-line switch "-w"
(the w stands for wipe). I am not sure whether PGP uses the NSA erasure
algorithm, so I only use it for trivial files. I would assume they employ a
good standard, since their encryption techniques are of a very high standard.
What is the point of strong encryption if all one has to do is recover the
original plaintext? That is a backdoor approach.
The Catch
As with most things, there is a catch to all of this. Wiping files will keep
the data out of the hands of the local police or even a moderately capable
corporate espionage department. The catch is that wiping files will not stop
the FBI's forensic laboratories from recovering that data. The FBI has methods
of examining the magnetic patterns (residue) left behind on the platters after
an overwrite, and might be able to recover four files' worth of earlier
contents from space where only one file resides. The good news is that I
seriously doubt you have anything on your hard disk worth the resources it
would take for the FBI to do such forensics.
Computer Forensic Analysis
Hard Disk Security Software
I use the Eraser program; it integrates into the Explorer shell and, with a
right-click on a file, gives you the option to erase it. You can also erase
the Recycle Bin. Most other programs want you to go to the Start Menu, open
their application, browse to the file, select it, and then erase it. Eraser
is always one right-click away. It is free, small, and elegant.
It is not often that I have to erase a file; as a matter of fact, I never
really use the program. I have found it good for deleting private key files
(password files) like those used by PGP. I don't do anything that is (in my
opinion) sensitive on my Windows-based workstation, but you may. Most of my
sensitive work is on my Internet-accessible Unix SSL (HTTPS) server, which
serves a website. This is the only machine where I have to delete sensitive
private keys (certificates).