Editing Data remanence (section)

==Specific methods==

===Overwriting===

A common method used to counter data remanence is to overwrite the storage media with new data. This is often called '''wiping''' or '''shredding''' a disk or file, by [[analogy]] to common methods of [[paper shredding|destroying print media]], although the mechanism bears no similarity to these. Because such a method can often be implemented in [[software]] alone, and may be able to selectively target only part of the media, it is a popular, low-cost option for some applications. Overwriting is generally an acceptable method of clearing, as long as the media is writable and not damaged.

The simplest overwrite technique writes the same data everywhere—often just a pattern of all zeros. At a minimum, this will prevent the data from being retrieved simply by reading from the media again using standard system functions. The [[UEFI]] in modern machines may offer a ATA class disk erase function as well. The [[ATA-6]] standard governs secure erases specifications.

[[Bitlocker]] is whole disk encryption and illegible without the key. Writing a fresh GPT allows a new file system to be established. Blocks will set empty but LBA read is illegible. New data will be unaffected and work  fine.

In an attempt to counter more advanced data recovery techniques, specific overwrite patterns and multiple passes have often been prescribed. These may be generic patterns intended to eradicate any trace signatures; an example is the seven-pass pattern {{em|0xF6}}, {{em|0x00}}, {{em|0xFF}}, {{em|<random byte>}}, {{em|0x00}}, {{em|0xFF}}, {{em|<random byte>}}, sometimes erroneously attributed to US standard [[DOD 5220.22-M]].

One challenge with overwriting is that some areas of the disk may be [[#Inaccessible media areas|inaccessible]], due to media degradation or other errors. Software overwrite may also be problematic in high-security environments, which require stronger controls on data commingling than can be provided by the software in use. The use of [[#Advanced storage systems|advanced storage technologies]] may also make file-based overwrite ineffective (see the related discussion below under {{xref|{{slink||Complications}}}}).

There are specialized machines and software that are capable of doing overwriting. The software can sometimes be a standalone operating system specifically designed for data destruction. There are also machines specifically designed to wipe hard drives to the department of defense specifications DOD 5220.22-M.<ref>{{Cite book|title=Manual reissues DoD 5220.22-M, "National Industrial Security Program Operating|date=2006|citeseerx=10.1.1.180.8813}}</ref>

Writing zero to each block on hard disks and SSDs has the advantage of affording the firmware to deploy spare blocks when bad blocks are identified. Bitlocker has the advantage that data is illegible without the key. Seatools and other tools can erase disks with zero which is typical to revive old consumer class disks but they can wipe server disks albeit slowly. Modern 28TB and larger disks have an enormous number of LBA48 blocks. 40TB and 60TB disks will take proportionately longer times to wipe. 

====Feasibility of recovering overwritten data====

[[Peter Gutmann (computer scientist)|Peter Gutmann]] investigated data recovery from nominally overwritten media in the mid-1990s. He suggested [[magnetic force microscopy]] may be able to recover such data, and developed specific patterns, for specific drive technologies, designed to counter such.<ref name="Gutmann">{{cite journal|title=Secure Deletion of Data from Magnetic and Solid-State Memory|author=Peter Gutmann|date=July 1996|url=http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html|access-date=2007-12-10}}</ref> These patterns have come to be known as the [[Gutmann method]]. Gutmann's belief in the possibility of data recovery is based on many questionable assumptions and factual errors that indicate a low level of understanding of how hard drives work.<ref>{{Cite web|url=https://kaleron.edu.pl/throwing-Gutmanns-algorithm-into-the-trash.php|title=Throwing Gutmann's algorithm into the trash - about effectiveness of data overwriting.|website=kaleron.edu.pl}}</ref>

Daniel Feenberg, an economist at the private [[National Bureau of Economic Research]], claims that the chances of overwritten data being recovered from a modern hard drive amount to "urban legend".<ref>{{cite journal|title=Can Intelligence Agencies Recover Overwritten Data?|author=Daniel Feenberg|url=http://www.nber.org/sys-admin/overwritten-data-gutmann.html|access-date=2007-12-10}}</ref> He also points to the "[[18½ minute gap|{{frac|18|1|2}}-minute gap]]" [[Rose Mary Woods]] created on a tape of [[Richard Nixon]] discussing the [[Watergate break-in]]. Erased information in the gap has not been recovered, and Feenberg claims doing so would be an easy task compared to recovery of a modern high density digital signal.

As of November 2007, the [[United States Department of Defense]] considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not as a sanitization method. Only [[#Degaussing|degaussing]] or [[#Physical destruction|physical destruction]] is acceptable for the latter.<ref name=DSSmatrix>{{cite web|url=http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-005_Exhibit_B.pdf?ga=t| title=DSS Clearing & Sanitization Matrix|publisher=[[Defense Security Service|DSS]]| format=PDF|date=2007-06-28|access-date=2010-11-04}}</ref>

On the other hand, according to the 2014 [[NIST]] Special Publication 800-88 Rev. 1 (p.&nbsp;7): "For storage devices containing ''magnetic'' media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data."<ref>{{cite journal
 | url = https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
 | title = Special Publication 800-88 Rev. 1: Guidelines for Media Sanitization
 | publisher = [[National Institute of Standards and Technology|NIST]]
 | date = December 2014 | doi = 10.6028/NIST.SP.800-88r1
 | access-date = 2018-06-26
| last1 = Kissel
 | first1 = Richard
 | last2 = Regenscheid
 | first2 = Andrew
 | last3 = Scholl
 | first3 = Matthew
 | last4 = Stine
 | first4 = Kevin
 | doi-access = free
 }}</ref> An analysis by Wright et al. of recovery techniques, including magnetic force microscopy, also concludes that a single wipe is all that is required for modern drives. They point out that the long time required for multiple wipes "has created a situation where many organizations ignore the issue [altogether] – resulting in data leaks and loss."<ref>{{cite book
 | first = Craig | last = Wright
 |author2=Kleiman, Dave
 |author2-link=Dave Kleiman
 |author3=Shyaam, Sundhar R.S.
 | title = Information Systems Security | chapter = Overwriting Hard Drive Data: The Great Wiping Controversy | series = Lecture Notes in Computer Science | publisher = Springer Berlin / Heidelberg | isbn = 978-3-540-89861-0 | doi = 10.1007/978-3-540-89862-7_21
 | pages = 243–257 |date=December 2008
| volume = 5352 }}</ref>

===Degaussing===

[[Bulk eraser|Degaussing]] is the removal or reduction of a magnetic field of a disk or drive, using a device called a degausser that has been designed for the media being erased. Applied to [[magnetic storage|magnetic media]], degaussing may purge an entire media element quickly and effectively.

Degaussing often renders [[hard disk]]s inoperable, as it erases low-level [[disk format|formatting]] that is only done at the factory during manufacturing. In some cases, it is possible to return the drive to a functional state by having it serviced at the manufacturer. However, some modern degaussers use such a strong magnetic pulse that the motor that spins the platters may be destroyed in the degaussing process, and servicing may not be cost-effective. Degaussed computer tape such as [[Digital Linear Tape|DLT]] can generally be reformatted and reused with standard consumer hardware.

In some high-security environments, one may be required to use a degausser that has been approved for the task. For example, in [[United States|US]] government and military jurisdictions, one may be required to use a degausser from the [[National Security Agency|NSA]]'s "Evaluated Products List".<ref name="NSAEPL">{{cite web
 | title=Media Destruction Guidance
 | publisher=NSA
 | url=http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/
 | access-date=2009-03-01
 | archive-date=2012-09-28
 | archive-url=https://web.archive.org/web/20120928000816/https://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/
 | url-status=dead
 }}</ref>

===Encryption===

[[Encryption|Encrypting]] data before it is stored on the media may mitigate concerns about data remanence. If the [[Key (cryptography)|decryption key]] is strong and carefully controlled, it may effectively make any data on the media unrecoverable. Even if the key is stored on the media, it may prove easier or quicker to [[#Overwriting|overwrite]] just the key, versus the entire disk. This process is called [[crypto-shredding]].

Encryption may be done on a [[Filesystem-level encryption|file-by-file]] basis, or on the [[Disk encryption|whole disk]]. [[Cold boot attack]]s are one of the few possible methods for subverting a [[Disk encryption|full-disk encryption]] method, as there is no possibility of storing the plain text key in an unencrypted section of the medium. See the section [[#Complications|Complications: Data in RAM]] for further discussion.

Other [[side-channel attack]]s (such as [[keyloggers]], acquisition of a written note containing the decryption key, or [[rubber-hose cryptanalysis]]) may offer a greater chance of success, but do not rely on weaknesses in the cryptographic method employed. As such, their relevance for this article is minor.

===Media destruction===
[[File:Destroyed Hard Drive.jpg|thumb|250px|The pieces of a physically destroyed hard disk drive.]]
[[File:Hard drive destroyed using a data destroying device.jpg|thumb|Hard drive mechanically broken by a data destroying device (after degaussing)]]
Thorough destruction of the underlying storage media is the most certain way to counter data remanence. However, the process is generally time-consuming, cumbersome, and may require extremely thorough methods, as even a small fragment of the media may contain large amounts of data.

Specific destruction techniques include:

* [[Physical change|Physically breaking]] the media apart (e.g., by grinding or shredding)
* [[Chemical change|Chemically altering]] the media into a non-readable, non-reverse-constructible state (e.g., through [[incineration]] or exposure to [[causticity|caustic]]/[[corrosive]] chemicals) 
* [[Phase transition]] (e.g., liquefaction or vaporization of a solid disk)
* For magnetic media, raising its temperature above the [[Curie point]]
* For many electric/electronic volatile and non-volatile storage media, exposure to electromagnetic fields greatly exceeding safe operational specifications (e.g., high-[[voltage]] electric current or high-amplitude [[microwave]] or [[Ionizing radiation|ionizing]] radiation){{Citation needed|date=November 2009}}