Erasing system drive


New Member
First post to the forums! I've used eraser for a fair while, and recommended it for, well since about version 2 or 3 just never hit something I was not certain of in general data security before with it, and this time around it may be a dumb question I answer myself, but I wanted more experienced input.

I plan to factory restore the HDD of my nephew's two netbooks (he works in a data sensitive business, but they are personal machines so I'd like to secure them as best as possible before he sells them) then Free Space Wipe the remaining area of the HDD. If I do this, I understand that all logfiles, free data etc will be wiped fairly thoroughly from the HDD, but what I am worried about is any data in the way of small documents etc that are "Underneath" the newly written system files.

According to old wisdom - before the recent posts about single pass wipes being more secure than previously thought - this would still be fairly vulnerable.

So I guess what I'm asking is, is it worth doing my alternative but more time consuming thought, of factory restore, remove the HDD, mount it in my main PC, clone the partition data, formatting the HDD, free space wiping the now blank netbook drive, then restoring the cloned partition data to the perfectly wiped drive? Or, is this overkill and the product of several years fairly paranoid work in early PC systems and network security?

Wide open for advice here, someone help?
Welcome to the forum. The question you raise has been asked on a number of occasions, but I think that you describe the issue in rather a helpful way.

In my opinion, restoring the machine to factory condition, provided that it involves formatting the drive (which it always has done in my experience), then erasing the free space using the default single pass method is sufficient to make any sensitive data unrecoverable, to a high degree of probability (99%+). This assumes of course that the free space erase is completed with no more than the usual crop of 'error' messages about files that cluster tips that could not be erased; these are not so much errors as facts of life.

Why do I take this view when, in the past, Peter Gutmann's 35 pass method has been regarded as essential to data security? The answer is that the Gutmann method, which was an essentially theoretical approach to dealing with all the variations of hard drive technology available in 1996 (when he wrote his original paper), has become something of a mantra (Gutmann himself says 'voodoo incantation') which has very little connection with practical necessity. Gutmann argued from the outset that, for the drive technologies in commonest use, "a few passes of random scrubbing" is the best one can do in practice. As you are obviously aware, recent studies have shown that overwriting an area of the disk even once effectively makes any data that previously resided there non-recoverable. I have not found any published findings that contradict this conclusion. Joel Low (the author of Eraser 6) decided to use Gutmann as the default file/folder erasing method only because he thought users would expect it.

You could use the method you suggest, but I think it would be overkill in your case. As a middle way, you could also use a multiple pass erasing method. Do bear in mind that the erasing time increases pretty much in proportion to the number of passes, so you'd probably not want to wait around for much more than, say, a seven pass erase.

To test the effectiveness of erasing, the best method is to scan the drive with a file recovery program such as Recuva. For even greater assurance, if you know a text search term that would indicate the presence of sensitive data on the drive surface (hint: use a term that is at least 7 characters long to minimise the chance of random hits), you could use a disk editor such as HxD to search the sectors without using the file system. But such a search will typically take a couple of hours per drive, as will a deep scan with a file recovery program. If you want to spend more time and effort, I think that you get more assurance from better testing than from making the erasing methodology (if I may put it this way) arbitrarily complex.

Your nephew should also consider the best method of disposing of his netbooks. If purchasers know nothing of his connections, they are that much less likely to even consider trying to defeat the security of what will present themselves as clean, empty machines.

I hope that this is the kind of answer you are looking for.

Most excellent reply, thank you for the help, it's put my mind at rest that I still, to an extent, (sort of) know what I'm doing! :D

Thanks again.