Jump to content
Piriform Community Forums
titanium

Drive Wiper "Simple Overwrite (1 pass)" - random or zeroes?

Recommended Posts

Does the "Simple Overwrite (1 pass)" overwrite method for Drive Wiper involve writing 0s, or does it use random data? The docs don't say, though I'm not sure why.

 

I'll be able to answer my own question before long, but I'd rather know going in.

Share this post


Link to post
Share on other sites

I'm genuinely curious....

 

does it make a difference if it's 0's, 1's, random or any other repeated character?

Share this post


Link to post
Share on other sites

I'm genuinely curious....

 

does it make a difference if it's 0's, 1's, random or any other repeated character?

I take this to read "Why do you care? Why do you think it matters?"

 

Yeah, it matters. According to various sources, you should overwrite more than once. How can you do that with zeroes? Clearly, you cannot.

 

To me, it only makes sense to overwrite with random data. I have a 4-TB drive that has developed bad sectors, and is going back on warranty. I wish I could just destroy it, but I cannot. So, I have to overwrite the whole damned thing, which takes days. I've already done a format /p:n, before some self-appointed tech wizard tries making a fool of me by pointing that option out.

 

CCleaner is clearly not a serious utility for this purpose, so I will not be using it. They could not even be bothered saying whether they write zeroes or random data.

 

FYI -- I will never be checking back on this thread.

Share this post


Link to post
Share on other sites

Geez Dude (adjusts baseball cap), chill out.

As I said, I was GENUINELY curious.  No angst toward you was implied or inferred.

 

When you "do that with zeroes?" you aren't writing nothing, you are writing the character "0".

 

My question still stands - what difference does it make if ASCII character 48 (0's) is written to your disk as compared to ASCII character 49 (1's) or any other random combination of characters.

Surely the main point is that your data IS overwritten.

 

It was (what I thought) was a harmless question, in case I was missing some simple point.

 

As to destroying your data, you have already done that with the format /p:n command - and it even does what you were initially after, it uses random numbers for each pass.  To quote MS;

 

"Zero every sector on the volume.  After that, the volume will be overwritten "count" times using a different random number each time.  If "count" is zero, no additional overwrites are made after zeroing every sector."

 

 

And as to CC being a serious utility for this sort of purpose, none are.

With the correct application of time, money, resources and perseverance, data can be recovered.

Yes it won't be that complete, embarrassing nude selfie you took but it will be bits (and bytes) of files that may contain just enough info to implicate you.

Share this post


Link to post
Share on other sites

To me, it only makes sense to overwrite with random data.

 

That seems to be the consensus from what I've read online. One interesting thing that I've seen mentioned is tools should run the first pass as Random, followed by a second and perhaps final pass as Zeros.

Share this post


Link to post
Share on other sites

Geez Dude (adjusts baseball cap), chill out.

As I said, I was GENUINELY curious.  No angst toward you was implied or inferred.

. . .

It was (what I thought) was a harmless question, in case I was missing some simple point.

 

I thought your question was completely harmless. I'll share the little bit I know about this data wiping business.

 

It used to be thought that certain multi-pass wiping strategies did a better job of rearranging the magnetic medium, therefore a better job of overwriting the original data.

 

I always assumed that multi-pass strategies were designed because either:

A. the different characters used for each pass addressed different areas on the medium,

or

B. successive passes changed the same areas on the medium back & forth to more thoroughly overwrite it. 

 

To be sure, I didn't look very deeply into the issue, because the deeper I looked the dizzier I got.  Such discussions go quickly into a morass of arcane knowledge. 

 

But to give a partial answer to your question, mta, one erasing software I know about uses different letters for each wiping pass. 

The procedure they call DoD 5200.28-std uses these letter combinations in this order:  35  CA  97  68  AC  53  random. 

CCleaner also has a 7 pass strategy but i don't know what it is. 

Someone apparently believes this 7 pass strategy has some advantage. 

I guess the theory is that more passes, when properly configured, erase the data better. 

 

The common wisdom now is that one pass is enough, and that the multipass procedures were designed for an obsolete type of HDD.

 

Anyway, IT DOESN'T MATTER.  If one doesn't destroy the hard drive completely, someone somewhere can find data on it.  If it was on there, it's probably findable. 

 

There are others on the forum who know far more than I about this, and if I have said something wrong I hope they will correct me.

Augeas, you out there?  :)

Share this post


Link to post
Share on other sites

thanks @login123, I agree with all that, and yes, a discussion on the topic does get its geek on very quickly.

 

I guess the angle I think of it is it overwrites the same amount of platter surface (or NAND cell) if you write a 0 or a 1.

(People don't think that because the 0 is a fatter font that it takes up more hard drive surface do they? :rolleyes: )

 

It doesn't matter if you use octal or hex, the bit addressing needed to write any character would surely be the same.

Hence my harmless question, if that's right, it shouldn't matter a damn what that character is then.

Share this post


Link to post
Share on other sites

I thought you probably knew all that already, but maybe the OP didn't.  Alas, now he never will since he isn't coming back.  

 

This topic has started me reading about the issue again.  Now I remember why I quit.  The headaches and eye tics are back.

 

Still, a follow up question:  Is it certain that "it overwrites the same amount of platter surface (or NAND cell) if you write a 0 or a 1."?

 

Because if so, it seems that the only advantage to a multi-pass strategy would be that it "flips" the magnetic media back and forth more times. 

... or ...

Maybe the different characters flip different bits of each byte but still within the same physical space??

Share this post


Link to post
Share on other sites
I dunno, I post what I consider to be the correct answer to the intemperate Titanium’s question before going away for the weekend, and all this breaks loose.

 

Well, it's all nonsense really. I’ll try not to be too geeky, I’m really too old to be a geek.

 

Data isn’t written to disks, it’s flux transitions, or the absence of them. It isn’t, and has never been, a Transition for a data bit one, and a No transition for a data bit zero. It couldn’t be, huge swathes of T’s, or N’s, would create havoc and be unreadable, and probably unwriteable. So coding systems, where the T and N runs are within limits, and incidentally more than one T/N represents a single data bit, were devised.

 

I’ve used the expression data bit. That’s because user data is never passed to the coding system just described. All user data is scrambled several times, and possibly expanded, to avoid long passages of ones or zeroes, and to be the optimum pattern for data integrity. Then that is coded and written to disk.

 

So if you could in some magical way look at the disk surface what you would see would appear to be some random string of T’s and N’s, whether the original user data was all zeroes, or all ones, or anything. Only the disk controller, with its proprietary scramble code, could translate the T/N’s back into user data.

 

Furthermore the data bits are not written independently but in small groups. Depending on what was written in the preceding group, a data bit one or zero could be represented by TN, NT, or NN. The corollary is that it is impossible to overwrite a user bit ‘one’ with a zero, and vice versa. It is not physically possible to do that, the whole concept is invalid.

 

Does it matter if you write zeroes or ones, to obliterate previously written data? As far as the disk controller is concerned then no, as it will always, always, return what was last written. Not the last but one, nor the one before that. Perhaps the question refers to examining the disk surface. On a spin stand you could read the ‘data’ and with extensive reverse engineering retrieve what was last written, but it would be far easier just to use the disk controller, it would be the same result. With an electron microscope? As close to impossible as it gets, and it would take a huge amount of resources to even try. So no, it doesn’t matter.

 

What’s also not often realised, when talking about multiple overwrites, is that an overwrite is not layered, like paint on a wall, but cumulative, like er, mixing the colour of the paint in the pot before painting the wall. You can’t tell when a T or a N was written on the disk, any more than you can tell if the blue went in before the red when you’ve stirred the paint. If the disk has been written to 200 times before, and you run one overwrite, it’s the same as running a 201 pass overwrite. There’s no way of knowing what the previous T/N value was.

 

Terms and Conditions: Put ‘As far as I know’ before everything I write. Subject to generalisation. Not applicable to SSD devices. Most of this sourced from papers published by Charles Sobey, formerly of Hitachi Corp (I think).

Share this post


Link to post
Share on other sites

Thanks, Augeas.  Quite clear. 

well...  clear enough to answer my concerns.  I'll still just stick to a low-level format, close enough for me.

 

hopefully when @titanium logs back on he may understand better, I know I have.

(come on, we all know he will, it'll be eating into his brain like an ear-worm)

 

and I probably should apologise for taking this (sort of) off topic.

Share this post


Link to post
Share on other sites

I've got a genuine and related question.

If I was the smartest and most resourceful data recovery person on earth, would I have a good chance of recovering data from a single pass / write all zeros drive wipe?

Because if not then doesn't that render any advanced drive wiping beyond this pointless?

Hypothetical thought scenario:

"OK. Let's see if I can recover some data. OK, yes I can see that this single bit on this area of the hard disk is currently a zero. But ah yes. I can extrapolate that 48 hours ago it was a one. And six months ago it was a zero..."

Share this post


Link to post
Share on other sites

In my opinion there's no practicable chance of recovering overwritten data no matter what the overwrite pattern was, so yes, multiple passes is pointless. And there's even less chance of recovering what was there 48 hours, or six months ago.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×