How many passes for the "free disk space" option?

Forums: 

Hi

How many passes Bleachbit does when you select the "free disk space" option ? 35 passes ? For example Ccleaner with the Gutmann option doeas 35 passes.
Is it as efficient as eraser for windows ? Or "secure-delete" for linux with the command : sudo sfill -v / ?

Regards

Sam

Good question.

I'm not familiar with Eraser for Windows, but if Eraser uses more than one pass, BleachBit is more "efficient" (I think you mean to ask "effective"). I briefly looked at Secure-Delete's sfill, and I think BleachBit is similarly effective.

BleachBit 0.6.5 uses a single pass secure erase method. There is no evidence that two or more passes are any more secure than a single pass. On modern drives, every pass after the first just wastes time---and lots of it! The Gutmann method is an urban legend: read "Data Remanence" in Wikipedia and the references there. Call the best, most expensive data recovery companies in the world, and they will tell you they can't recover data overwritten with a single pass.

Depending on your security needs and paranoia level, you may also want to wipe backups, portable media, slack space, fragmented files (SQLite3 databases such as Firefox URL history), RAM, swap**, cell phone, and other items. Of course don't forget to encrypt your hard drive, swap, portable media, and Internet connection. And there isn't much you can do about the data collected on online accounts (Gmail, Hotmail, Google Docs, Facebook), cell phone records at the phone company, or financial records at banks.

You need to ask yourself, "Who am I trying to hide data from?" If you are hiding from family, you can stop here. If you are hiding from someone highly resourced, skilled, and well funded (for example, the CIA), then the next most secure method is wiping the whole drive (not just the free space) including the whole operating system and every last file. Well, that isn't good enough because modern hard drives remap bad sectors and hide them from the operating system. The next step is physically destroying the drive by crushing it, burning it, degaussing, etc. However, the CIA will always find other ways to "make you talk"---and these methods have nothing to do with your computer.

That said, BleachBit version 0.6.5 is rather effective at wiping free space. BleachBit wipes all the free space and tries to wipe the MFT (master file table) or inodes (on Linux). My testing shows it is effective with the most popular file systems (NTFS on Windows and ext3 on Linux). BleachBit 0.6.5 does not wipe slack space.

** Months ago I wrote a RAM and swap space wiping option for BleachBit, but I haven't released it yet. I think BleachBit's is better than secure-delete's sswap and smem.

So my question back to you is what are your security needs? What are the resources, skill level, and motivation of the person who might see the data you are trying to hide?

---
Andrew, lead developer

Thanks for your answer. Yes I meant "effective". Sorry.
I'm not trying to "hide" any "particular" data but, for instance, if I sold one of my PCs, I would prefer it to be cleaned "effectively" before. That's all. I mean for people with any skill level although I am not talking about people such as CIA here... On the other hand, I do not want to ask myself, "What is the skill level of that person ?". If the cleaner is safe and effective there will be no problem. I will not go up to destrroy the disk anyway.
I discovered that Gutman in Ccleaner does 35 passes on data but not on free disk space (only one pass). On the contrary eraser for windows really does 35 or more passes on data and free disk space too, so it is more effective. How about bleachbit?
But let's say, just for the sake of it, if I wanted to hide deleted data from some organization with very high skill level (Of course, again, I will not go up to detroy my hard disk...), would bleachbit be effective enough to erase irreversibly "classically" deleted data (free disk space) and the PC as a all?
I heard that some specialist are able to recover deleted data where less than 22 passes had been done. That is why I doubt only one pass is enough.

Sam

If I were selling the PC I am using now (which I've been using for a long time and contains information such as passwords and personal documents), I would wipe the entire disk using DBAN. I wouldn't trust Eraser for Windows, Secure-Delete, or a hypothetical $500 "professional" program to wipe the free disk space. There are too many places data could potentially hide, and reinstalling the operating system is easy and faster (especially if you are waiting for 35 passes).

I discovered that Gutman in Ccleaner does 35 passes on data but not on free disk space (only one pass).

So do the authors of CCleaner not believe in the 35-pass Gutmann method? Either it is important or it isn't.

On the contrary eraser for windows really does 35 or more passes on data and free disk space too, so it is more effective. How about bleachbit?

Did you read the article I linked? This is the urban legend: two passes are not more effective. Neither are two, three, 22, 23, or 35. There's nothing magic about 35. Listen to Peter Gutmann himself, "[S]ome people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. [...] [Y]ou never need to perform all 35 passes." Gutmann wrote his famous paper in 1996, and today's drives are much more bigger, dense, and complex. The Wikipedia article on the Gutmann method continues, "No private data recovery company claims that it can reconstruct completely overwritten data as of now."

BleachBit is not going to waste your time: it makes one pass.

I heard that some specialist are able to recover deleted data where less than 22 passes had been done.

From the linked article: ``Daniel Feenberg, an economist at the private National Bureau of Economic Research, claims that the chances of overwritten data being recovered from a modern hard drive amount to "urban legend". Daniel Feenberg also points to the interesting fact, that the "18 minute gap" Rose Mary Woods created on the tape of Nixon discussing the Watergate break-in, has not been recovered. And it would be an easy task compared to recovery of a modern high density digital signal.''

But let's say, just for the sake of it, if I wanted to hide deleted data from some organization with very high skill level (Of course, again, I will not go up to detroy my hard disk...), would bleachbit be effective enough to erase irreversibly "classically" deleted data (free disk space) and the PC as a all?

"As a all"? Free disk space cleaning in general (and BleachBit's in particular) is generally useful for hiding the majority of data from a person of an average skill level, but because of the problems I've mentioned, a highly skilled person will recover data from other parts of the computer (the parts of the computer that are not the free space). A person with a very high skill level could probably retrieve small fragments of data from slack space, RAM, swap, and re-allocated sectors. I believe it is for reasons like this that ``[a]s of the Nov 2007 edition of the DSS C&SM, overwriting is no longer acceptable for sanitization of magnetic media. Only degaussing (with an NSA approved degausser) or physical destruction is acceptable.'' ("Data remanence")

---
Andrew, lead developer

Thank you for your explanation.

I don't claim to know all the technical issues, but whether it is one pass or three, as seems to be for the average erasing pattern. It is the user who defines how much time they wish to devote to erasing.

Free space erasing can just be done on an unattended basis.

For erasing individual files, whether it is via one, two or three passes can't have much impact on the user's time.

I don't think giving consideration to speculating that user time is a good argument when considering how many passes are appropriate, keeping BleachBit to just one means all those government departments are deluding themselves with the certified 3+ overwrite patterns, why should they be wrong and BleachBit be more insightful? Many users must already be familiar with many other erasing programmes that operate on a 3+ overwrite basis and therefore user time can't be the only consideration.

A qwerty keyboard is a universal standard, though other designs are available, few use them, people prefer to build upon and work with familiarity, whatever the arguments are for newer keyboard designs.

Keeping to just a one overwrite function, seems like a doctrinaire stance, rather than just giving users options they can decide upon themselves, in terms of devotion of their time to 1+ erasing or whether any of the standardised 1+ erasing patterns are worthwhile.

I can accept that 1+ erasing patterns of free-space may be overkill, when used after data or a file or two has been overwritten, but just for reassurance I would like BleachBit to give 2 or 3 more erasing pattern options. Of course I can pass on the Gutmann and don't wish to use that method as the basis of any pro or con argument concerning all the other government approved patterns.

I don't think giving consideration to speculating that user time is a good argument when considering how many passes are appropriate,

Then read this thread again. Time is a minor problem: it is a worse problem to imply that two, three, or more passes is more secure than one pass. This makes users believe multiple passes is all they need to get rid of data. In the context of overwriting individual files, a million passes may not be enough (though probably still about as good as one pass). I say may because of the complex issues already mentioned here in regards to overwriting individual files (HPA, remapped sectors, etc).

keeping BleachBit to just one means all those government departments are deluding themselves with the certified 3+ overwrite patterns, why should they be wrong and BleachBit be more insightful?

Read the thread again--especially this part: "As of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not as a sanitization method. Only degaussing or physical destruction is acceptable for the latter." (Wikipedia, "Data remanence")

So the DOD approved standard is destruction (think physical shredding or degaussing). Also, I believe the "overwriting" there refers to the whole drive and not individual files. So in conclusion the DOD does not approve overwriting individual files .

just for reassurance I would like BleachBit to give 2 or 3 more erasing pattern options

The keyword here is "reassurance": that's an emotional problem that I hope to overcome with education. I want BleachBit users to make rational decisions based on solid information.

---
Andrew, lead developer

Yes, I agree rationality is always best.

But why so much conflicting opinions, such as the National Security Agency indicating one pass is enough then others like the Center for Magnetic Recording Research saying two or three, surely both must be operating from a rational stance? As highlighted here: http://bleachbit.sourceforge.net/forum/bleachbits-one-pass-overwrite-goo...

If you're so worried about your data and whether to overwrite 1 or more times, you should be writing everything onto an encrypted volume in the first place (LUKS, Truecrypt etc.).. Then, assuming your passphrase is a good one (128 bit+), then you don't even need to wipe the drive before giving it away or discarding it.

The two sources don't necessarily conflict

* NSA: Within a security zone, one pass [for entire hard drive, not individual files] is enough
* NSA: Outside the security zone, physically destroy the drive
* CMRR: Recommend two or three passes [for entire hard drive, not individual files]

First, notice the CMRR statement is fuzzy about "two or three," so why not one? Second, the basis and context of the CMRR recommendation is fuzzy: I don't see a solid claim from the NSA, the CMRR, or anyone else that any data can be recovered after it is overwritten once. CMRR claims data can't be recover after three passes, but CMRR doesn't deny (as far as I read it) that data can be recovered after one pass.

---
Andrew, lead developer