Question about sensitive data, erasing files, and backup drives.
August 26, 2008 4:37 PM

If a file is deleted from a computer, I know that the data may still be retrievable from the hard drive. I am aware that you can "wipe" unused data or an entire drive by overwriting with 1 or more passes of random data.

Rather than overwrite to erase unused space, I've chosen to upgrade to a new, larger, internal hard drive. I plan to destroy/discard the current one after the upgrade.

I have a bootable backup of my Mac's hard drive, created with SuperDuper. Here's my question... if I install a new hard drive and copy the entire contents of the old hard drive to the new one, am I also copying deleted files that may still exist in "unused space"?

In other words - are deleted files on my laptop duplicated on an external hard drive when creating a backup?
posted by anonymous to computers & internet (9 comments total)


It depends on how SuperDuper creates the backup. Does it make a _full_ disk image or does it copy all the files present in the HD and merge them into an image?

From what I can see in SuperDuper's webpage, it does the latter. So, deleted files wouldn't be added to the backup.
posted by Memo at 4:49 PM on August 26, 2008


Short: No

Long: SuperDuper is a file-based backup, so you will not have any ambient data copied over. (The restore data you speak of is the result of files being "Deleted" from the allocation table, but not removed physically from the drive. These bits that are not referenced in the allocation table will NOT be copied over.)
posted by SirStan at 5:38 PM on August 26, 2008


By the way -- if you are going to be paranoid about the deleted data, you might as well know that even a physically damaged drive can have data restored from it. Read the stories on Ontrack.com about data recovery from drives that were set on fire, at the bottom of the sea, etc.

If you want to be paranoid about it, find some utility that will write data to it over and over and let it run for a day. Free bootdisk that will wipe an OSX drive. If you're even more paranoid, sandpaper the drives, smash them up, toss them around with some hardcore magnets, then give the drive to a company that will physically shred and destroy the remaining pieces.
posted by SirStan at 5:46 PM on August 26, 2008


Short answer: you're fine.

Long answer is really long and my apologies up front for a post that will meander along to the answer. The reason why is because it's important to clarify the principle of deleting files as there are so many myths surrounding file deletion. Everyone's got some ridiculous story about a nephew who recovered data from an exploded floppy disk or that they've heard of someone who recovered data from a 2 pass overwrite. On top of this is all the unnecessary arguments caused by people talking at cross purposes about deleting file data vs deleting the file reference. There are as many myths about file recovery as there are about programmers hacking the Pentagon or whistling up some missile launch codes in a phone call. It's a big mess.

So let's get back to basics and, unfortunately, book analogies. If hard disk drives (HDD) had files stored sequentially you'd need to search the whole HDD to find a file and that would be very slow. It would be like using an encyclopedia without a table of contents; where there's no alphabetical/topical ordering; where you had to read every single page to find a particular file. That would be dumb and so all file systems have a Table Of Contents (TOC) with references to the file that you're after. TOCs are small and fast because they don't contain the data, just references to the data. TOCs are what computers use to list files.

When people talk about deleting a file they have usually just removed a TOC entry. The reason why this is considered "deletion" is because in most cases it's the same thing and because it's faster to delete a small TOC entry than it is to delete a large data area. Deleting a TOC entry means that area is freed up for later use, so it may be overwritten at some later point. Until this happens, however, the data is still there and diligent recovery software can recover the data by looking over the whole HDD. Now it takes a while to read the whole HDD but if the data is still there it'll work.

Another way of recovering data comes from reading the unallocated ends of blocks. This is like if a page was full of text, then the TOC entry is deleted and the page is freed up for use, but then only a half page of text is stored there. The last half of the page's text will still be recoverable. This will typically recover fragments of a file rather than the whole file. Again, this is practical and commonly understood.

What goes against conventional wisdom however is the fact that we can't recover data from a HDD made since about 1995* when it's been overwritten by even one pass. There is no technology or even proposed scientific approach about how we'd go about this.

These extra safe deletion programs that do 5 passes, or 10 or 1000 passes aren't more safe than a single pass. If you enjoy spinning your wheels or if you're paranoid then have fun with 10,000 passes but it's not science. You can read more about this here on the SHSC wiki.

[*] post-MFM technology.

(ps. although I've written this with quite strong language I'm not as closed to argument as you might think so if you've got any references to argue this then please post them, cheers :)
posted by holloway at 9:02 PM on August 26, 2008
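
The table-of-contents model from the answer above, together with the file-copy versus full-image distinction raised earlier in the thread, as an added toy simulation. It is not part of the original thread; `ToyDisk`, the 16-byte block size and the sample file contents are constructed for illustration, and a real filesystem is far more complex.

```python
BLOCK = 16  # toy block size in bytes (assumption for this model)

class ToyDisk:
    """Constructed toy model: raw blocks plus a table of contents (TOC)."""
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.toc = {}                      # name -> (block indexes, length)
        self.free = list(range(nblocks))

    def write(self, name, data):
        idxs = []
        for off in range(0, len(data), BLOCK):
            i, chunk = self.free.pop(0), data[off:off + BLOCK]
            # Only the written bytes change; the block's tail keeps old data.
            self.blocks[i] = chunk + self.blocks[i][len(chunk):]
            idxs.append(i)
        self.toc[name] = (idxs, len(data))

    def read(self, name):
        idxs, length = self.toc[name]
        return b"".join(self.blocks[i] for i in idxs)[:length]

    def delete(self, name):
        # "Deleting" drops the TOC entry and frees the blocks; data stays put.
        idxs, _ = self.toc.pop(name)
        self.free = sorted(self.free + idxs)

    def raw(self):
        return b"".join(self.blocks)

def file_copy(src):
    """File-based backup: walks the TOC and copies only referenced bytes."""
    dst = ToyDisk(len(src.blocks))
    for name in src.toc:
        dst.write(name, src.read(name))
    return dst

def block_clone(src):
    """Block-level image: copies every block, allocated or not."""
    dst = ToyDisk(len(src.blocks))
    dst.blocks, dst.toc, dst.free = list(src.blocks), dict(src.toc), list(src.free)
    return dst

def demo():
    old = ToyDisk(8)
    old.write("taxes.txt", b"SECRET-ACCOUNT-NUMBER-12345")   # constructed sample
    old.write("notes.txt", b"hello")
    old.delete("taxes.txt")
    old.write("todo.txt", b"buy milk")     # reuses block 0, leaving slack behind
    return old, file_copy(old), block_clone(old)
```

`demo()` returns the old disk, a file-based copy and a block-level clone; searching each one's `raw()` bytes shows that only the old disk and the clone still hold fragments of the deleted file.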


Just throwing this in (hopefully will save you the hassle)....

I did exactly this - the superduper copy from one hard drive (smaller) to larger (new internal drive.)

I needed to use this fix prebinding script to get my copy to work.
posted by filmgeek at 9:57 PM on August 26, 2008


holloway, it was my impression that Gutmann posted his widely distributed information not to sell a product originally, but as an academic effort.

It is good to know about the issue with wiping files and good to know that no one now thinks that wiping passes beyond "a few" are needed. (35 seemed like too too many to me, but I remember that being based on claims by SQuID owning data recovery firms that they could go 20 passes back in a drive's history.)

I feel I must remind you, anyhow, that the crypto/privacy nut communities that these sorts of arguments go on in are generally firmly convinced that scary shadow agencies of various governments in the free and non-free worlds are well ahead of private industry with respect to being able to peek in on our private-citizen secrets, so even if an argument is well-reasoned, most of your average crypto nuts are still going to go with 35 passes (if not 70) because Peter Gutmann said so in 1996, and the NSA probably got to him since then.

But yes, seconding everything else. :) SuperDuper is a file copier, so ambient deleted data will not be duplicated. Data can be recovered from really effed up drives, but don't worry too hard unless you really are Neo or some other vitally important person in the universal sphere because the difference between "can" and "will" is measured in vast distances of effort and expense. Honestly, I'd just take the old drive and wipe it a couple times, then maybe delete the partition and if really paranoid take it apart and sandpaper it or something (hey the magnets from the drive are neat!). Or you could just use the old drive as a spare for storage in an external enclosure.
posted by kalessin at 5:52 AM on August 27, 2008


@kalessin: Yes, we're supposed to believe that there's secret government technology whose abstract scientific basis (with bearings on many fields of science) hasn't been talked about or independently rediscovered for over a decade now, and that the way that we defend against this secret technology is through 60 pass overwrites rather than 1, 2 or 3 pass overwrites.

Is that a fair assessment?

Overwriting is harmless so by all means do as many passes as you want, but it's good to clarify what kind of thing we're defending against... secret government technology!

(again, I'd like to hear if anyone has a scientific basis for a possible way of possibly recovering overwritten bits from even 1 pass)
posted by holloway at 3:21 PM on August 27, 2008


By the way I've met Gutmann a few times (we're both kiwis and computer nerds so we run in similar circles) and I didn't mean to suggest that money or products or any bias affected his research. Sorry if it came off that way.
posted by holloway at 4:36 PM on August 27, 2008


@holloway,

Yeah, that's fair. I don't mean to suggest that I am that paranoid or suspicious. But I do know folks who definitely are, and after even a possibility has been mentioned for the worst case scenario, they'll act as if the worst case is truth in order to be as paranoid and theoretically protected as possible, even if it's not in fact true.

It's cool about Gutmann. I may have misread you anyhow.

Honestly, even the US DoD standard of 7 passes irritates the crap out of me when I'm flushing Limewire or Bittorrent failed transfers.

And no, I have no scientific or private industry basis for a possible way of recovering overwritten bits, beyond remembering that around the time Gutmann suggested 35 passes, I had been reading various science.slashdot.org type reports of 21 rewrites back possible through SQuID techs. Wait, let me look for those citations now...

Nope, not in a reasonable search anyway.
posted by kalessin at 9:20 AM on August 28, 2008

