Summary: The most secure and appropriate way to completely erase data from a drive is to overwrite it. But how many times do you need to overwrite data on the drive? In this post, we’ve discussed the overwriting process in detail and mentioned the number of passes that are adequate for overwriting data on a drive.
You may have heard that you need to overwrite a drive multiple times to erase data completely. Many data wiping applications offer multiple passes for wiping the data. However, the question is: how many passes are sufficient to wipe the data completely from a drive? It depends on certain factors, like technology, research findings, and recommended processes.
In this post, we’ll discuss these factors and find out the number of data overwriting passes that are required for complete data erasure.
What is Data Overwriting?
The data overwriting process writes zeros and ones, or pseudo-random characters, to all drive sectors. This makes the data previously stored on the drive unreadable, thus preventing data breaches or theft.
The Emergence of Data Overwriting Processes
Many government agencies and organizations have examined the data removal process for over 20 years. Their internal manuals, based on the NIST 800-88 Media Sanitization Guidelines, categorize the process into two types.
The “Clear” process includes using data erasure software to erase the data comprehensively from the hard drive. The “Purge” process comprises advanced overwriting laboratory techniques to wipe out the data completely.
Both processes are widely recognized methods of data sanitization, which involves the complete removal of data along with certification that the erasure was successful. Moreover, both processes consist of overwriting the data with a fixed pattern, such as all zeros.
In short, overwriting a hard drive or SSD makes the data unrecoverable and thereby achieves data sanitization.
Journey of Data Overwriting (From Mid-1990s till Now)
Let’s start from the mid-1990s and travel through the years to today to understand how data overwriting has evolved.
- Mid-1990s: 3-Passes Method Evolved
In the mid-1990s, many operating manuals were released. One of them was the U.S. Department of Defense (DoD) National Industrial Security Program Operating Manual. The document specified that magnetic disks are sanitized by writing a value, then its complement, and finally random values. So, those are the three passes required for data erasure. This standard is known as the “DoD 5220.22-M” Standard.
- Mid to Late 1990s: 35 Passes
In 1996, Peter Gutmann published a paper that stated, “Theoretically, some people could recover data using laboratory techniques and sophisticated tools, such as magnetic force microscopes.” He proposed the data overwriting process with 35 passes. However, this approach was meant for the HDDs with MFM/RLL line coding techniques from the 1980s and 1990s.
However, in the late 1990s, HDDs with PRML techniques arrived and made older HDDs obsolete. Around the same time, the security expert Bruce Schneier published a book. The book included a data overwriting process using seven passes – one pass of ones, the next pass of zeroes, and passes 3-7 with other random characters.
- Early 2000s: 4-7 Passes
In the early 2000s, several national agencies and organizations released operating manuals that proposed using more than three passes.
One of them is the VSITR method, proposed by the German information security agency – BSI. It recommended the use of seven overwriting passes.
- 2006 till Today – 1 Pass and 3 Passes
NIST 800-88: 1 Pass is Sufficient!
In 2006, the U.S. National Institute of Standards and Technology (NIST) stated that for ATA disk drives manufactured after 2001, overwriting the hard disk once is enough to wipe out the data entirely. When NIST revised its guidelines in late 2014, it reaffirmed that viewpoint.
Further, NIST stated that for ATA hard disk drives and SCSI hard disk drives, the overwriting “Clear” method should use at least a single pass with a fixed data value, such as all zeros or ones. Multiple passes can optionally be used. Even for “Purge”, one pass is sufficient, with the three-pass method as an option.
While HMG British Standard supports 1 to 3 passes to overwrite HDDs, BSI-GSE asserts that 1 or 2 passes are adequate.
As a final point, the newer BSI-GS standards, made public in 2012, stated that 1 to 2 overwriting passes are enough to erase data using software.
This is all about the magnetic hard disk drives. Now, how many passes are sufficient to completely erase data from flash-based SSDs?
What about SSDs and Other Storage Media?
In the past few years, flash-based drives (solid-state drives) have seen an upsurge. These are faster, smaller, more resistant to damage, and even consume less power.
However, they also come with data erasure concerns. It is quite challenging to destroy these drives using approaches like degaussing. It is also trickier to wipe data from them.
Nevertheless, NIST allows at least 1 overwriting pass for SSDs. However, it is almost always combined with specialized technologies, commands, or tools, with additional steps to reach all drive sectors. The reason is that SSDs use a mechanism called “wear leveling” to extend the life of the device. Unless you wipe the entire media, you can’t be 100% sure that the data is completely wiped out: it can’t always be guaranteed that the wear-leveling algorithm didn’t leave behind unwiped data in areas that can’t be written to. Also, multiple passes come at a much higher cost.
There is reliable data erasure software, like BitRaser Drive Erasure, that supports both HDDs and SSDs. It is an easy-to-use tool that simplifies the complex process of data wiping from flash-based media and effectively optimizes the entire process.
We have seen a significant shift in technology in the last 15 years, e.g., the ever-expanding data density on the disk platters. Moreover, looking into various advancements in the drives, multiple overwriting passes are not required anymore to wipe out data completely.
Question: How many times should you overwrite a drive to completely erase data from SSD or HDD?
Answer: Only 1 time
However, an asset report or certificate is a necessity. The report includes the device and the system information, erasure summary, erasure and validation details, etc. This will serve as proof of secure data wiping of the drive.
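The single fixed-value pass, the value/complement/random three-pass sequence, and the validation details that go into an erasure report can be sketched as follows. This is an added example, not code from the original post or from any erasure product; the function names and report fields are assumptions, and it runs against a constructed temporary file standing in for a drive, so it does not reach remapped sectors or SSD areas hidden by wear leveling.

```python
import hashlib, os, tempfile

CHUNK = 1 << 20  # write and read in 1 MiB blocks

def overwrite_pass(path, pattern):
    """Overwrite every byte; pattern is a byte value or None for random data."""
    remaining, digest = os.path.getsize(path), hashlib.sha256()
    with open(path, "r+b") as f:
        while remaining:
            n = min(CHUNK, remaining)
            block = os.urandom(n) if pattern is None else bytes([pattern]) * n
            f.write(block)
            digest.update(block)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the pass out of OS buffers before verifying
    return digest.hexdigest()  # hash of what was written, used for validation

def verify_pass(path, expected):
    """Read the whole target back and compare its hash with what was written."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest() == expected

def erase(path, passes=(0x00,)):
    """Run the passes in order and return a report with validation details."""
    report = {"target": path, "size_bytes": os.path.getsize(path), "passes": []}
    for number, pattern in enumerate(passes, 1):
        written = overwrite_pass(path, pattern)
        label = "random" if pattern is None else f"0x{pattern:02x}"
        report["passes"].append({"pass": number, "pattern": label,
                                 "verified": verify_pass(path, written)})
    report["verified"] = all(p["verified"] for p in report["passes"])
    return report

def demo():
    # Constructed stand-in for a drive: a temp file filled with a marker string.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"CONFIDENTIAL-RECORD " * 4096)
    try:
        single = erase(f.name)                      # one fixed-value pass
        with open(f.name, "rb") as img:
            all_zero = set(img.read()) == {0}       # no marker bytes remain
        triple = erase(f.name, (0x55, 0xAA, None))  # value, complement, random
        return single, all_zero, triple
    finally:
        os.remove(f.name)
```

Calling `demo()` returns the single-pass report, whether the image read back as all zeros, and the three-pass report.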