How Many Overwriting Rounds Are Required to Erase a Hard Disk?


Occasionally, customers ask my advice on which erasure standard we recommend, or on the optimal number of erasure rounds required to securely erase a hard disk. That’s a complex question that depends on several factors, particularly technology changes, research findings and recommended procedures, which I will try to touch on in this post. First, let’s take a look at the target of all these concerns: the hard disk.

The HDD
The magnetic Hard Disk Drive (HDD), introduced in 1956, didn’t gain prominence until the late 1980s. These days HDDs are by far the dominant medium for non-volatile data storage, and are expected to remain so for some time despite the rise of flash-based storage, including SSDs.

The HDD retains data on magnetic platters, where it can be preserved even without electrical power for many years. Though HDD technology is a huge asset in our data-centric world because of its large capacity and decreasing cost and physical size, it is a potential liability because it has to be disposed of properly. The safest and most cost effective way to make data disappear without having to destroy the HDD is to simply overwrite it.

The evolution of data removal procedures
The process of removing data from storage media has been examined by different government agencies and organizations during the past 20 years. Operating manuals usually specify two kinds of procedures: clearing (to prevent recovering data using software) and purging/sanitizing (to prevent recovering data using laboratory techniques). While clearing procedures generally involve overwriting the HDD, purge procedures with higher security requirements vary, ranging from overwriting techniques combined with the execution of internal HDD commands (firmware-based erasure) to degaussing or physical destruction of the media. The nature of the data (confidential or not) as well as other considerations (drive leaving the organization or not) also define which procedure to follow.

Early 1990s
As early as the mid-1990s, operating manuals were released for classified information handling and data sanitization, the main one being the US Department of Defense’s National Industrial Security Program Operating Manual. This document specified that rigid magnetic disks should be sanitized by writing some “character, its complement, and then a random character” and is known as the “DoD 5220.22-M” standard.

Mid to late 1990s
In 1996, Peter Gutmann published a paper that upset the status quo by affirming that some laboratories were theoretically capable of retrieving data from overwritten hard disks by using sophisticated tools such as magnetic force microscopes. As a result, he proposed an overwriting method consisting of 35 passes! No need to panic, however: this algorithm was meant to be used on older HDD technology from the 1980s and 1990s that used MFM/RLL line coding techniques. Also, it was a combination of three different algorithms to overwrite different line encoding schemes, which partly explains the large number of passes. The arrival of newer HDDs using PRML techniques in the late 1990s made the drives using MFM/RLL techniques obsolete, along with Gutmann’s method. The same year, security expert Bruce Schneier published a book containing a method for data overwriting using 7 passes.

2000
Curiously enough, early in 2000 several national agencies released operating manuals that recommended the use of more than 3 passes. A good example is the VSITR method by the German information security agency, BSI, which applied 7 overwriting passes. It became popular in Europe to use overwriting methods that consisted of 4 to 7 passes.

2006 and onward
Later in 2006, the DoD 5220.22-M operating manual removed all text mentioning any recommended overwriting method, and now leaned towards each entity making its own decisions based on its own risk and threat assessment. The US NIST in its Guidelines for Media Sanitization of 2006 stated that “for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media”. The HMG Infosec Standard 5 published by the British CESG currently defines two methods with 1 and 3 overwriting passes, the latter being almost identical to the 1996 “DoD 5220.22-M” standard. In 2012, the newer BSI GS/E standards were made public, combining 1-2 overwriting passes of random data with firmware-based erasure.

Conclusion
The technology changes of the last 15 years, such as the ever-increasing data density on disk platters, have made any attempt to recover data after overwriting unlikely to succeed. Multiple overwriting is not an absolute necessity anymore.

Regarding which algorithm to use, Peter Gutmann has stated that “for any modern PRML drive, a few passes of random scrubbing is the best you can do”. The NIST Guidelines for Media Sanitization (2006) also mention that “the security goal of the overwriting process is to replace written data with random data” as well as “executing the firmware Secure Erase command (for ATA drives only) and degaussing are examples of acceptable methods for purging”. Other research also follows that trend.

To summarize, current trends recommend:

  • Using an erasure standard with no more than 3 overwriting passes with at least one pass of random data
  • When available, utilizing the drive’s firmware based erasure commands is a valuable addition and indispensable for erasing sensitive data
  • Additionally, several guidelines recommend removing and erasing any hidden area on the HDD as part of the erasure process
  • Finally, the best erasure is the one you can prove; therefore, a report proving the erasure of the media is a must.

Keep in mind too that the “optimal amount of rounds” is a compromise between the security you want in your overwriting process and the time you actually decide to spend on each processed asset.
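
An added example (not from the original post or from any erasure product) of the “character, its complement, and then a random character” sequence described above, with each pass verified and an erasure report returned. The function names, the 0x55 fill byte and the temporary disk.img file are assumptions for illustration; the code overwrites only the addressable range of the path it is given and does not reach hidden areas or remapped sectors, which need the drive’s firmware commands.

```python
import hashlib, os, tempfile

CHUNK = 1 << 20  # write and read in 1 MiB blocks

def write_pass(fd, size, value):
    """Overwrite bytes 0..size; value is a fill byte, or None for random data."""
    os.lseek(fd, 0, os.SEEK_SET)
    digest, left = hashlib.sha256(), size
    while left:
        n = min(CHUNK, left)
        buf = os.urandom(n) if value is None else bytes([value]) * n
        digest.update(buf)
        while buf:                       # os.write may write less than asked
            buf = buf[os.write(fd, buf):]
        left -= n
    os.fsync(fd)                         # flush the pass before verifying it
    return digest.hexdigest()

def read_digest(fd, size):
    """Hash what is stored now; a short read yields a mismatch (fails safe)."""
    os.lseek(fd, 0, os.SEEK_SET)
    digest = hashlib.sha256()
    for _ in range(0, size, CHUNK):
        digest.update(os.read(fd, CHUNK))
    return digest.hexdigest()

def overwrite(path, char=0x55):
    """Character, complement, random; returns a per-pass erasure report."""
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        size, passes = os.lseek(fd, 0, os.SEEK_END), []
        for name, value in ("character", char), ("complement", char ^ 0xFF), ("random", None):
            written = write_pass(fd, size, value)
            passes.append({"pass": name, "sha256": written,
                           "verified": read_digest(fd, size) == written})
        return {"target": path, "bytes": size, "passes": passes,
                "success": all(p["verified"] for p in passes)}
    finally:
        os.close(fd)

def demo():
    secret = b"CONSTRUCTED-SECRET-RECORD"   # constructed sample, not real data
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "disk.img")  # 64,000-byte stand-in for a disk
        with open(path, "wb") as img:
            img.write(secret * 2560)
        report = overwrite(path)
        with open(path, "rb") as img:
            return report, secret in img.read()
```

The read-back in this sketch can be served from the operating system’s cache; on a real drive, verification should bypass the cache so that it reflects what is on the platters.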