According to a recent Infosec Island article titled “The Urban Legend of Multipass Hard Disk Overwrite” something that most of us have taken for fact is in fact, not fact.
As IT professionals, we’re often told that data that was previously stored on magnetic media can be extracted even if it’s been overwritten. Methods like magnetic force microscopy and scanning tunneling microscopy may be cited. However, modern hard drives no longer use the same storage methods or hardware that allowed those techniques to be successful.
Noticeably absent in many of the most modern government standards documents for information security is the requirement that drives have multi-pass formats performed on them. Most standards call for degaussing or outright pulverizing. The one standard that does mention formatting is NIST Special Publication 800-88 which says on page 27:
Writing patterns of data on top of the data stored on a magnetic medium. NSA has researched that one overwrite is good enough to sanitize most drives. See comments on clear/purge convergence.
Infosec Island reports that in a recent paper titled “Overwriting Hard Drive Data: The Great Wiping Controversy” single pass wiping is considered good enough to prevent data retrieval:
…a single overwrite using an arbitrary data value will render the original data irretrievable even if MFM and STM techniques are employed.
Of course, the question remains in my mind: Are there newer and more advanced techniques that are available to recover erased data? Apparently, even if they do exist, they are currently more advanced and expensive than many people are willing to worry about.
Ultimately, if you’re concerned about data security, your best bet will always be to physically grind the media to powder. Drilling and hammering isn’t enough. However, if you don’t have that option and you’re not hiding some of the world’s most valuable secrets, then a single pass wipe on modern drives is apparently good enough. I suppose that means that I’ll no longer need to let DBAN sit and wipe a retired mail server’s drives over a weekend.
What do you do for data security? Do you have a degausser? Do you contract with a physical destruction company? Or were you formerly only satisfied with a week-long DBAN session?