You may already know that "deleting" a file does nothing of the sort. But did you know that your disk drive has a built-in system for the secure erasure of data?
No? Then read on.
What do you mean "delete" doesn't delete? File information is maintained in a directory so your operating system can find it. All that "delete" does is erase the file's reference information. Your OS can't find it, but the data is still there.
That's what those "file recovery" programs look for: data in blocks that the directory says aren't in use.
You really want to do this If you keep business, medical, or personal financial information on disks, simple deletion isn't enough to protect the data when disposing of the equipment.
Besides identity theft, data loss may leave you or your company liable under federal laws such as HIPAA, Sarbanes-Oxley, Graham-Leach-Bliley or other state laws. Criminal penalties include fines and prison terms up to 20 years. Not to mention the civil suits that can result.
So what's the magic? Something called Secure Erase, a set of commands embedded in most ATA drives built since 2001. If this is so wonderful, why haven't you heard of it before? Because it's been disabled by most motherboard BIOSes.
Secure Erase is a loaded gun aimed right at your data. And Murphy's Law is still in force. But hey, if you're smart enough to read Storage Bits, you're smart enough to not play with Secure Erase until you need to.
How does Secure Erase work? Secure Erase overwrites every single track on the hard drive. That includes the data on "bad blocks", the data left at the end of partly overwritten blocks, directories, everything. There is no data recovery from Secure Erase.
Says who? The National Security Agency, for one. And the National Institute for Standards and Testing (NIST), who give it a higher security rating than external block overwrite software that you'd have to buy. Update: There is an open source external block overwrite utility called Boot and Nuke that is free.
Secure Erase is approved for complying with the legal requirements noted above.
UCSD's CMRR to the rescue The University of California at San Diego hosts the Center for Magnetic Recording Research. Dr. Gordon Hughes of CMRR helped develop the Secure Erase standard.
Download his Freeware Secure Erase Utility, read the ReadMe file and you're good to go.
To use it you'll need to know how to create a DOS boot disk - in XP you can do it with the "Format" option after you right-click the floppy icon in My Computer.
August 2009 Update: The NSA is no longer supporting Dr. Hughes research, so he and his grad students can no longer support the software. However it still works. I also updated the link above. End update.
Update: Some folks have commented that I didn't actually say how to use the utility, leaving that to the readme. For those of you who'd like to judge how tricky this is - and it is definitely not for newbies - here's a quote from the instructions:
Instructions for using HDDerase.exe ---------------------------------------- Copy the downloaded file, HDDerase.exe onto the created floppy/CD-ROM bootable DOS disk. Boot the computer in DOS using the bootable disk. Make sure to set the correct boot priority setting in the system BIOS. Type "hdderase" at system/DOS prompt to run HDDerase.exe. All ATA hard disk drives connected to the main system board will be identified and their information displayed. Make sure that the jumpers on the hard disk drives are correctly configured. Avoid setting the jumpers to CS (cable select) on the hard disk drives. Master or slave jumper setting is preferred.
There's more, but if this is more than you want to deal with then Secure Erase isn't for you. Update II: A late commenter says "Floppy boot does not understand SATA drives and thus the method described does not work." I don't know if it is true or not, but if it is it is worth knowing. Maybe someone well-versed in Windows floppy booting can confirm.
Update III: Well, it appears that bad information can be found on the web. Who knew? This just in from Daniel Commins, a grad student in the CMRR program:
SATA drives can be erased after being booted from a Windows XP MS-DOS startup disk using our software, with over a dozen such drives from various manufacturers I have tested as proof. Another excerpt from the FAQ section of the readme file:
Q: Can HDDerase.exe be used to erase my onboard SATA drive?
A: Yes, but some BIOS configuration may be required. Since hdderase.exe only detects drives on the primary and secondary IDE channels (P0, P1, S0, S1) the BIOS must be configured so that the SATA drive is detected one of these channels. This can be done by switching the SATA drive from "enhanced mode" to "compatibility mode" in BIOS (compatibility mode is sometimes called "native mode" or "IDE mode"). E.g. BIOS >> IDE configuration >> onboard IDE operate mode >> compatibility mode. Note - not all BIOSs support this feature.
Thanks for setting the record straight, Daniel.
The Storage Bits take Protecting data sometimes means erasing it. With this utility every storage pro has another tool to protect confidential information.
PS. Mac users already have a similar option under the Finder: "Secure Empty Trash". And with Disk Utility you can perform a secure erase of all drive free space.
Comments welcome. Another August 2009 update: Laptop users should have charged batteries and preferably wall power. If power fails during a secure erase the ". . . the drive will be in a locked state, preventing all I/O access." Since a large drive can take 2-3 hours to erase, I recommend plugging in wall power for all notebook machines. End update.