It seems that there are still many people who do not understand what happens when storage media such as a hard drive or flash-based thumb drive is wiped with a single pass. Many comments left about my last article on other websites were still spreading the myth that a single pass is insufficient. So I've created yet another article, this time with screenshots.
I’ve outlined the entire process in the steps below. Basically what I’ve done is wiped a thumb drive with a single pass and then reformatted the thumb drive with the FAT32 file system. I then created a text document, documenting the sectors it was located in. I then re-wiped the thumb drive with a single pass and documented the results.
This was all done with EnCase Forensic, WinHex and the Hard Disk Wipe Tool.
Step 1
Using the Hard Disk Wipe Tool 2.35.1178 I have wiped my 1GB thumb drive.
Thumb Drive Being Wiped
Essentially what this software is doing is “writing zeros” to the storage media. This is done with one single pass, not multiple passes. Meaning it goes from start to end, zeroing every sector on the media.
Step 2
I then verified that the thumb drive was wiped. See the screenshot.
Sector 0 After Wipe – WinHex
This first screenshot is a view of the start of the thumb drive in WinHex. You can see that this portion is entirely zeroed out. No file system, no files, no data of any kind exists on this thumb drive any longer. The rest of the drive (every sector) is completely zeroed as well.
Step 3
I then formatted the thumb drive with the FAT32 file system using Windows XP.
After clicking yes I then filled out the options to do a normal format of the media with FAT32.
After formatting the media I then proceeded to view the first sector of the disk with EnCase Forensic software as seen in the next screenshot. Notice that it has been formatted with the FAT32 filesystem.
Sector 0 After Formatting
Step 4
I then proceeded to create a text document on the media using Windows Explorer. The text document is named “JUSTATEXTDOCUMENT.txt” and you can see the title and file entry on the disk in this next screenshot.
Sector 4032 After Text File Creation
Notice the “name” of the thumb drive is “ANTIFOR” and you can also see the 8.3 file naming standard format of the file as well.
Step 5
A few sectors more and you can see the start of the text document which consists of the phrase, “I am just a text document.” copypasta’d quite a few times.
Sector 4040 After Text File Creation
You are seeing screenshots of all of this from actual professional computer forensics software, one of the most widely used forensics packages in the world, which carries a hefty price tag of right around $3,000 USD per license/dongle.
Step 6
I then re-ran the Hard Disk Wipe Tool 2.35.1178 and have re-wiped my 1GB thumb drive.
This first screenshot shows the first sector of the thumb drive where you previously saw data for the FAT32 file system.
Sector 0 After Wiping
Notice that there is now no data at this sector.
In this next screenshot you will see sector 4032 which previously had the file entry where you could see the filename for the document.
Sector 4032 After Wiping
Notice that there is nothing there anymore. The single pass has completely wiped out file information for the text document.
Let’s look at the contents of the text document now in sector 4040.
Sector 4040 After Wiping
Need I say more about this screenshot?
The fact is, nothing exists on this thumb drive anymore that can be recovered with any data recovery software or computer forensics software.
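The six steps above, replayed on an in-memory stand-in for the thumb drive. This is an added example, not code from the original post or from EnCase, WinHex or the Hard Disk Wipe Tool: it writes a simplified FAT32 boot sector, volume label and 8.3 directory entry at the sector numbers the post's screenshots show, carves the image for the recognisable byte strings the way a forensic tool would, then zero-fills every sector in one pass and carves again. The short name `JUSTAT~1TXT` and the 4 MB image size are assumptions (the post does not show the exact 8.3 name).

```python
# Added example, not code from the original post or any of the tools it names:
# the post's six steps replayed on an in-memory stand-in for the thumb drive,
# with a string-carving search standing in for the forensic software's view.
SECTOR = 512
ROOT_DIR_SECTOR = 4032   # where the post's screenshots show the directory entry
DATA_SECTOR = 4040       # where the post's screenshots show the file body
PHRASE = b"I am just a text document."   # the post's file content

def make_image(sectors: int) -> bytearray:
    """A fresh, all-zero image (what step 2 showed after the first wipe)."""
    return bytearray(sectors * SECTOR)

def single_pass_wipe(img: bytearray) -> None:
    """One pass, start to end, writing zeros over every sector (steps 1 and 6)."""
    for off in range(0, len(img), SECTOR):
        n = min(SECTOR, len(img) - off)
        img[off:off + n] = bytes(n)

def first_nonzero_sector(img: bytearray):
    """Sector number of the first non-zero byte, or None if fully zeroed."""
    for off in range(0, len(img), SECTOR):
        if any(img[off:off + SECTOR]):
            return off // SECTOR
    return None

def format_fat32(img: bytearray, label: bytes) -> None:
    """Write just enough of a FAT32 boot sector and volume label to be recognisable
    (a simplified layout, not a real format: field offsets follow the FAT32 BPB)."""
    img[0:3] = b"\xEB\x58\x90"        # jump instruction at the start of the boot sector
    img[82:90] = b"FAT32   "          # file-system type string at BPB offset 82
    img[510:512] = b"\x55\xAA"        # boot-sector signature
    root = ROOT_DIR_SECTOR * SECTOR
    img[root:root + 11] = label.ljust(11)  # 11-byte volume-label entry ("ANTIFOR")
    img[root + 11] = 0x08                  # attribute byte: volume label

def create_text_file(img: bytearray, short_name: bytes, content: bytes) -> None:
    """Add an 8.3 directory entry and the file body (steps 4 and 5)."""
    entry = ROOT_DIR_SECTOR * SECTOR + 32  # second 32-byte directory entry
    img[entry:entry + 11] = short_name.ljust(11)   # name + extension, space padded
    img[entry + 11] = 0x20                         # attribute byte: archive (plain file)
    img[entry + 28:entry + 32] = len(content).to_bytes(4, "little")  # file-size field
    data = DATA_SECTOR * SECTOR
    img[data:data + len(content)] = content

def carve(img: bytearray, needles) -> dict:
    """Sectors in which each byte pattern starts; an empty list means not found."""
    hits = {}
    for needle in needles:
        found = set()
        pos = img.find(needle)
        while pos != -1:
            found.add(pos // SECTOR)
            pos = img.find(needle, pos + 1)
        hits[needle] = sorted(found)
    return hits

def demo():
    """Format, create the file, carve, wipe once, carve again."""
    img = make_image(8192)            # 4 MB stand-in for the 1 GB drive (assumption)
    format_fat32(img, b"ANTIFOR")
    # "JUSTAT~1TXT" is the assumed 8.3 short name for the post's file;
    # the post's screenshots do not show the exact short name.
    create_text_file(img, b"JUSTAT~1TXT", PHRASE * 40)
    needles = [b"FAT32", b"ANTIFOR", b"JUSTAT~1TXT", PHRASE]
    before = carve(img, needles)
    single_pass_wipe(img)
    after = carve(img, needles)
    return before, after, first_nonzero_sector(img)

if __name__ == "__main__":
    before, after, leftover = demo()
    for needle in before:
        print(needle, "before:", before[needle], "after:", after[needle])
    print("first non-zero sector after wipe:", leftover)   # None
```

`first_nonzero_sector` is the automated version of scrolling through WinHex: rather than eyeballing a few sectors, a practitioner verifying a wipe should read every sector back and insist on `None` before trusting the result.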
What about magnetic force microscopy?
There has been some confusion about magnetic force microscopy and what I've done (probably because my writing skills are a bit lacking). A magnetic force microscope scans the surface of magnetic storage media such as a modern hard disk drive and builds an image of the residual magnetization, from which the previous values of the bits in those areas are supposed to be inferred. I of course have not used one and instead will base my information on the sources at the end of this article.
Previous comments suggested that data could be retrieved by using magnetic force microscopy. To summarize in plain English, this method tries to determine the state a bit was in before it was changed. So if a bit was a 1 and is now a 0, this method is supposed to be able to detect that previous state. It is said that this is easier on older disk media and harder on newer media.
It will take many months to actually image a small hard drive using this method.
Let's try to understand this process, though. First, human-readable data is made up of many bits. A single human-readable ASCII character is equal to 8 bits, or a single byte. If even one of these bits is recovered incorrectly, then the byte is a completely different value and our human-readable ASCII representation of that group of bits is completely different.
For example, take the ASCII word "anti." The binary equivalent of this word is: 01100001011011100111010001101001
Let's say that, using an MFM, the last bit was read incorrectly as a 0 when it used to be a 1. What do we have now?
The word: anth
This word is completely different. Now apply this to compound files such as databases, archives, or other files like encrypted containers. If one bit is recovered incorrectly it can invalidate the entire result and yield corrupted data.
I may be making it sound like magnetic force microscopy is only sometimes incorrect when imaging platters. In reality this method is very unreliable, costly and time consuming. Right now, don't count on this method really being utilized on modern hard drives.
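The "anti" to "anth" argument above, carried a bit further as an added example (not code from the original post). It converts the word to bits and flips the last one exactly as the text describes, then shows two things the paragraph only states: how the chance of reading a whole byte or a whole 512-byte sector back correctly collapses as per-bit accuracy drops (the per-bit accuracy values are constructed inputs, and a 0.5 accuracy is the "coin toss" the SANS quote below refers to), and how a single misread bit in a compressed file leaves nothing usable, since a zlib stream either fails to decode or fails its checksum. The independent-bit model and the sample file are assumptions made for illustration.

```python
# Added example, not code from the original post: the post's "anti" -> "anth"
# bit-flip argument generalised to whole bytes, sectors and a compressed file.
import zlib

def to_bits(text: str) -> str:
    """ASCII text -> string of '0'/'1', 8 bits per character."""
    return "".join(f"{b:08b}" for b in text.encode("ascii"))

def from_bits(bits: str) -> str:
    """Inverse of to_bits; undecodable bytes are shown as U+FFFD."""
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return raw.decode("ascii", errors="replace")

def flip_bits(bits: str, positions) -> str:
    """Return bits with each listed position inverted (a misread bit)."""
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)

def recovery_probability(per_bit_accuracy: float, n_bytes: int) -> float:
    """Chance that every bit of an n-byte object is read back correctly,
    assuming (model assumption) independent bit reads, each correct with the
    given probability. 8 * n_bytes bits must all be right at once."""
    return per_bit_accuracy ** (8 * n_bytes)

def corrupt_compressed(data: bytes, bit_index: int):
    """Compress data, invert one bit of the compressed stream and decompress.
    Returns None when zlib rejects the stream (invalid code or Adler-32
    checksum mismatch); otherwise returns whatever garbage was produced."""
    stream = bytearray(zlib.compress(data))
    stream[bit_index // 8] ^= 1 << (bit_index % 8)
    try:
        return zlib.decompress(bytes(stream))
    except zlib.error:
        return None

if __name__ == "__main__":
    bits = to_bits("anti")
    print(bits)                                   # 01100001011011100111010001101001
    print(from_bits(flip_bits(bits, [31])))       # anth
    for p in (0.99, 0.9, 0.5):                    # constructed per-bit accuracies
        print(p, "one byte:", recovery_probability(p, 1),
              "one 512-byte sector:", recovery_probability(p, 512))
    sample = b"I am just a text document." * 40   # constructed sample file
    print(corrupt_compressed(sample, 83) == sample)  # False
```

Even at a per-bit accuracy of 0.99, far better than the coin-toss figure quoted below, the chance of getting one 512-byte sector back intact is on the order of 10^-18; the whole-file case is what matters for archives, databases and encrypted containers, which is why the compressed-stream check returns either an error or something other than the original content.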
Read More! Other sources for information on this.
Sans Computer Forensics on Magnetic Force Microscopy
“The basis of this belief that data can be recovered from a wiped drive is based on a presupposition that when a one (1) is written to disk the actual effect is closer to obtaining a 0.95 when a zero (0) is overwritten with one (1), and a 1.05 when one (1) is overwritten with one (1).
This can be demonstrated to be false.”
“In many instances, using a MFM (magnetic force microscope) to determine the prior value written to the hard drive was less successful than a simple coin toss.”
Secure Deletion of Data from Magnetic and Solid-State Memory by Peter Gutmann (35 pass wipe originated from Mr. Gutmann)
“Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don’t see how MFM would even get a usable image, and then the use of EPRML will mean that even if you could magically transfer some sort of image into a file, the ability to decode that to recover the original data would be quite challenging.”