How well do those free disk space overwrite utilities work?

If you delete something it’s not actually gone, it just makes that space available. There are some free utilities I’ve used to recover deleted files.

There are also utilities to overwrite the free space. You can choose 1 pass or 7 or 100. Supposedly it makes them unrecoverable. And it works at least with the freeware recovery utilities. But are there better programs that someone may have purchased that can still get the deleted data? Say after doing 7 overwrites? I’m not talking about something the NSA or FBI may have. Just something a computer shop or IT professional may use.

No, I don’t need an answer fast, just curious. How about after a complete format and reinstall of the OS?

As a side thought, I read that Adam Lanza, the Sandy Hook shooter, smashed up his hard drive to try and make the data unrecoverable. I wonder why he didn’t just crack it open, douse it in kerosene, burn it and throw the remains in a pond?

Overwriting the space just once works very well.
Writing random data is better than writing 0’s.

The shooter did a stupid thing because he was stupid.

Just overwriting it once is pretty sufficient for most utilities. Even at the NSA level, after a few passes the best they’re going to get is some garbled data and filenames. Enough to give them a lead, but it’s unlikely that if you had your 5000-step master plan on there that they’d be able to really decipher it.

[QUOTE=Quintas]
As a side thought, I read that Adam Lanza, the Sandy Hook shooter, smashed up his hard drive to try and make the data unrecoverable. I wonder why he didn’t just crack it open, douse it in kerosene, burn it and throw the remains in a pond?
[/QUOTE]

A lot of drives use tempered glass platters instead of aluminum as it’s easier to make glass flat to the single-digits nanometer levels needed. Heads in today’s drives fly at around 5 nanometers over the platter surface.

As that site shows, glass platters shatter into a zillion or so shards when struck or bent. I’m not even sure the NSA has the patience to put that puzzle back together.

If you’re looking to destroy data quickly, it’s a lot faster to punch through the platters with a hammer and screwdriver than it is to find the proper screwdriver - often a T3 or T5 Torx head - and unscrew half a dozen screws that were never intended to be removed.

Overwrite…

I’ll provide a bit of background info. When you write a file you write in blocks. The typical block size is 4k so if you write a file that is 1k you have 3k of space not used within that block. The next file you write goes into the NEXT 4k block.

That is how info can be recovered. If you delete a large file and then rewrite to the same space with files that are less than 4k you can extract the info from the remaining space within that 4k. The info will be spotty but the file standards are known so you can determine what type of file it is and do quite a bit of reconstruction. Usually.

A noteworthy exception to this is anything solid state as they use “wear-leveling”. Think of a bunch of cubby-holes from “beginning” to “end”. As you write you write into the cubby hole from the beginning. If you delete that data, it is marked, but, the solid-state will write into the next cubby holes. You will still have the same amount of free space but it won’t write into the beginning holes until you get to the end. That is so you don’t keep writing to the same portion of the solid-state over and over again causing failure.

There is also space that is stored via the HDD itself as cache or for other disk operations that can be accessed via diagnostic/forensic tools. You may or may not be able to delete/write-over these sections. There is also some “overlap” each time you format that might not encompass all of the original data. There is a minor amount of variance that occurs.

So, to really clear out a drive you use a utility that will write random stuff in a bit-by-bit fashion. That is the only way. However, you still have those portions of memory on the HDD that the HDD uses for its own operations that may or may not get “cleared” out.

I used to work in commercial (i.e. non-NSA/FBI) computer forensics, and here’s how it rolled.

Deleting your file didn’t do squat on Windows PCs. It just moved it to the recycle bin, where it stayed.

IF the recycle bin was emptied, the files were eligible for overwriting. We could pretty easily recover these if they hadn’t been overwritten.

Once they were overwritten, the best we could hope for would be drive fragmentation such that we’d get SOME of the file, but not all.

When the entire file was overwritten, there was no record in the OS, and the actual sectors were overwritten so that at that point, EnCase and FTK couldn’t read them. Then it became a job for some sort of advanced data recovery firm that disassembled the drives and actually tried to determine what might have been stored on that drive at one time. This was by nature very fragmentary; it might not be so hard to tell that there was a file somewhere that had been overwritten once by zeroes because of a different pattern of magnetism for each bit, but this gets more and more murky with multiple overwrites, etc…

That’s why they recommend multiple overwrites if you’re totally paranoid.

I personally don’t bother beyond occasionally overwriting my free space with zeroes, because I don’t have anything on there worth the money for ANYONE to try and recover with anything more powerful than EnCase or FTK. Back in my forensics days, we cost something like $350/hr, and specialty data recovery firms were considerably more expensive than that.

What’s the Curie point for a modern hard drive? If low enough you could wipe your drive and make a meatloaf.

Right. In 99.9% of cases, overwriting the data is entirely useless.

Also Windows, at least, has a feature called ShadowCopy which purposefully re-organizes the drive to guarantee deleted files will remain intact as long as possible. (It’s a bit more complex than that, but that’s the gist.) Which is a Good Thing, ShadowCopy has saved my ass on more than one occasion. (OS X has Time Machine which is generally the same concept, but implemented much differently.)

If you overwrite with random data, once is generally enough.

If you’re an entity really concerned about data security, for example under HIPAA regulations, you remove the HD and physically destroy it.

OS installers don’t do complete formats by default because complete formats on modern multi-TB drives take hours and hours and hours and customers who buy a new OS generally want to install and use it right away.

If you really want a full format and are willing to wait, you can usually tick a box in the installer’s Disk Utility to enable that.

Close.
Disk management 101 -
As mentioned, data is written in blocks. The FAT table (or equivalent in other file systems) keeps a list of all sectors, whether they are used or free. There is also a link for each block indicating either “next block” or “the end”.

All free space blocks are kept in a chain (each block points to the next).
When you write a file, it gets the first free block and starts writing.
You add a “directory entry” in the directory, or list of files. The directory entry includes the name, points to the first block.
It detaches the block from the list, and writes data on that block. If it goes past one block, it detaches another free block from the list, and writes to it, and so on until the file is written.

As mentioned, the file may not be even 4K multiple, so there may be a chunk of old data beyond the “end of file” marker on the last block.

When you erase a file, you mark the first character of the directory entry as “this file is deleted”. The directory entry is available for re-use and is ignored when listing files.
The data chain of blocks for that file is tacked onto the end of the free space queue.

So elementary file recovery means guessing the first character, which tells you the start of the file chain (and size). You recover that many 4K blocks from the free space queue - detach from free and add to recovered file directory entry. Since the chain stayed intact, it’s simple to recover the whole lot.

You can see where this fails. If the directory entry or any of the file blocks in free space gets reused, the chain is broken. You may recover some of the file. If the file is unreadable gobbledygook, like a photo, it’s harder to recover than if it’s text. You can easily read fragments of text.

“Cleaner” programs overwrite free space with random bits to remove readable files and fragments. They will overwrite the free space queue, empty space at the tails of all files, and erase file directory entries (so you can’t tell what the filename was). Of course, if you run such a program regularly, it may spend a lot of time rewriting tails of end blocks that were already erased the last time you ran the program.

Theoretically, an overwrite should be enough, but one theory says the write head can wander, so you may not completely overwrite the track - there may be residue of the previous write on one or the other edge of the recorded track. Similarly, writing may not flip all the particles 100%, so there may be a residue of the previous data detectable. Of course, this gets us into CIA/NSA territory. But, a good cleaner will overwrite all available blank space 1, 3, 7, or even 35 times with patterns and random bits so that there is no chance the empty space contains the residue of readable data.

Take a real-life example: the computer that 9/11 conspirator Moussaoui used for email was, IIRC, a copy shop public PC that got reconstructed regularly. If there was a time where any available resources probably were used, this was it. Yet, at the trial they did not mention finding any relevant data. After multiple reformats, probably they didn’t.

As mentioned, there’s also VSS which makes shadow copies of the disk in the free space. If this service is on, you want to turn it off and delete shadow copies before running the cleaner program. Plus, if the plug was yanked in the middle of running, there’s the swap file, where memory is freed up in the computer by swapping less-used memory to disk (pagefile.sys). Depending on disk use, that may or may not contain relevant data.

And, there may be various log files, sent mail, etc. that also track what you were up to. (The infamous IE cache, so you can tell if someone googled “Chloroform”). Empty that cache and delete all cookies before doing a disk clean to help hide your tracks.
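
The directory-entry, free-block-queue and 4K slack-space behaviour described in the posts above can be seen in a toy in-memory model. This is an added example, not code from any poster and not a real FAT implementation; `ToyVolume` and its methods are hypothetical, and it does not model SSD wear-leveling, shadow copies or drive-internal areas. It shows that a deleted file is fully readable while its chain is intact, that a small new file leaves old bytes in the tail of its block, and that overwriting the free queue plus file tails removes both.

```python
import os

BLOCK = 4096  # block size used in the thread

class ToyVolume:
    """Toy model of the delete/recover scheme described above; not real FAT."""
    def __init__(self, nblocks):
        self.blocks = [bytearray(BLOCK) for _ in range(nblocks)]
        self.free = list(range(nblocks))   # free-block queue
        self.dir = {}                      # name -> (block chain, size in bytes)

    def write(self, name, data):
        chain = []
        for off in range(0, len(data), BLOCK):
            chunk = data[off:off + BLOCK]
            b = self.free.pop(0)
            self.blocks[b][:len(chunk)] = chunk   # rest of block keeps old bytes
            chain.append(b)
        self.dir[name] = (chain, len(data))

    def delete(self, name):
        chain, size = self.dir.pop(name)
        self.dir["?" + name[1:]] = (chain, size)  # only the first character changes
        self.free.extend(chain)                   # data blocks are left untouched

    def read(self, name):
        chain, size = self.dir[name]
        return bytes(b"".join(self.blocks[b] for b in chain)[:size])

    def slack(self, name):                        # bytes past end-of-file in last block
        chain, size = self.dir[name]
        return bytes(self.blocks[chain[-1]][size % BLOCK or BLOCK:])

    def wipe(self):
        for b in self.free:                       # overwrite the free-space queue
            self.blocks[b][:] = os.urandom(BLOCK)
        for name in list(self.dir):
            chain, size = self.dir[name]
            if name.startswith("?"):
                del self.dir[name]                # drop stale directory entry
            else:                                 # overwrite tail of a live file
                used = size % BLOCK or BLOCK
                self.blocks[chain[-1]][used:] = os.urandom(BLOCK - used)

def demo():
    vol, secret = ToyVolume(2), b"CONFIDENTIAL " * 500  # constructed sample data
    vol.write("secret.txt", secret)
    vol.delete("secret.txt")
    undeleted = vol.read("?ecret.txt") == secret        # chain intact: full recovery
    vol.write("note.txt", b"x" * 1000)                  # reuses the first freed block
    in_slack = b"CONFIDENTIAL" in vol.slack("note.txt")
    vol.wipe()
    left = any(b"CONFIDENTIAL" in blk for blk in vol.blocks)
    return undeleted, in_slack, left
```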