Unclear on how the function to clear unused disk space works

Gandalf

New Member
After reading through the manual and browsing through the FAQ and attempting some basic searches through the forum, I'm still unclear on exactly how the clear "unused disk space" function works. To effectively convey my question it might be best to describe a scenario and for that I'll use the following assumed settings:

Default file erasure method: Gutmann (35 passes)
Default unused space erasure method: Pseudorandom Data (1 pass)

Now assuming I create a task to clear unused disk space on one of my drives and assuming the task's erasure method is "(default)" it would seem to me that the entire empty space of my drive will be overwritten once by pseudorandom data. However, this brings up the following questions:

  • 1. If the "Gutmann (35 passes)" method is used when deleting files (which seems reasonable to me as a basic default) why shouldn't that also be the deletion method used when overwriting files that have already been deleted? What is it about deleted files that makes the data in them any less important than files that have not yet been deleted?

    2. If the clear "unused disk space" function does not overwrite all empty space with pseudorandom data as I assumed originally, does it instead use "Gutmann (35 passes)" when it finds deleted files and then use Pseudorandom Data (1 pass) in places where there are no deleted files?

    3. Finally, if indeed the clear "unused disk space" function does overwrite all empty space with pseudorandom data as I originally assumed, then is the use of the pseudorandom method in this case an acceptable and reasonable method since all deleted data will be obscured in a sea of pseudorandom data and thus it will not be clear where the actual deleted data is located vs. where the areas that are just empty space? But if this is the case, why not also use the pseudorandom deletion method for files that have not yet been deleted?
 

DavidHB

Active Member
Firstly, some background. I do strongly recommend that you browse through the threads in the companion forum to this one on Data Forensics. Some of the information there will surprise you. In particular, the myth that you have to have a 35-pass wipe to be fully safe (whatever that means) has now been well and truly busted, not least by Peter Gutmann himself, who has been quite forthright in saying that it is inappropriate to apply his findings of 15 years ago to today's technology. In my reading on the subject, I have yet to come across a single documented case of significant amounts of data having been recovered from a modern drive which has been given just a single pass wipe.

In those circumstances, I am personally comfortable in using a 3 pass wipe for erasing, and a single pass for wiping free space. The time it takes to wipe the free space on, say, a 1TB drive, is in any case such that more than a single pass is likely to be an unacceptably lengthy process. It's a lot better to run a single pass than none at all.

Now, to answer your questions, Eraser is in many respects a simple soul; it just does what it says it does. When you run an erase of specific files or folders, it uses whatever method you have specified for the default or for that particular task (HMG 3 pass in my case). When you run a wipe, it does the same (given that there are separate defaults for erasing and wiping), for all free space. Eraser wipes whatever space the MFT identifies as unallocated; it does not attempt to identify whether there is 'real' data there or not. For the reasons I have given, the fact that this is, by default, a single pass is not a worry (to me at least). Because a free space wipe effectively monopolises the machine for a significant period, the cost vs. risk trade-off may well be different for erasing and wiping, so it makes sense to have separate settings for the different types of task.

Eraser 6 allows you to specify the patterns to be used in a wipe (in part to assist in plausible denial); these settings apply to both erasing and wiping. The main difference between erasing and wiping is that the latter is intended to fill the whole drive. In the default case, rubbish files with random names, of varying lengths and filled with pseudorandum data are written to the drive until it is full and then deleted; the only data that can then be seen in the free space is random rubbish. If, in your question 3, you are saying that this seems to be a pretty secure method, I agree with you.

I think that this answers your questions. Please come back if it is not clear.

David
 

Joel

Active Member
To add onto David's post, the main reason free space erasures have a separate default is because the sheer amount of data required to complete the task prohibits the use of multi-pass erasures. Indeed, while Gutmann himself says that his 35-pass technique is not required on modern drives, Eraser still uses it as

  • it does not know what drive encoding your drive uses
  • the marginal cost of running the extra passes is quite negligible, for the majority of files
  • ups the paranoia factor for those who use Eraser

I am also of the belief (which may be completely unfounded -- I'm no mechanical engineer) that modern drives have such high areal densities that the mere job of seeking would require accuracy to the microns -- something that mechanical devices are not fantastically good at (imagine the speeds at which the disk head travels relative to its required precision) that the data storage encoding (can't remember the name) is designed such that such "near misses" are tolerated (imagine repolarising a point on the disk platter; certainly the neighbours will be affected, even if slightly.) If I am writing a file, it's just a small collection of points; by erasing the entire free space of the disk I effectively cover the entire drive and so I won't need to worry about "near misses."

Let me reiterate -- I don't work for the Hard disk companies so that's purely (ignorant) speculation (flawed beliefs?) if anyone out there knows better I'd be glad to learn as well.

As to whether Eraser uses the file erasure method during a free space erasure, no. Eraser has no idea where files start and end once they are deleted.
 
Top