The myth of the Gutmann method

Most people know that when you sell or give away a computer, you should format its hard drive to make sure your sensitive information doesn’t fall into the wrong hands. And most of those people know that formatting a drive doesn’t actually erase all the data. Instead, you should use a special utility that overwrites every block of data on the drive. And a smaller portion of those people know that overwriting a block just once isn’t enough. If you really want to be safe, you should apply the Gutmann method, which overwrites every data block 35 times. And an even smaller portion of those people know that the Gutmann method is a myth.

I had always thought that the idea of overwriting the same data block 35 times was a bit dubious. (Why would 35 times be secure but 34 times not be?) And yet, most disk utilities provide an option to erase a hard drive 35 times over.

Disk Utility erase options

In a recent Slashdot article, I discovered a comment that shed some light on this issue. User Psionicist wrote (with typos faithfully reproduced):

I would like to take the oppertunity here to debunk a very common myth regarding hard drive erasure.

You DO NOT have to overwrite a file 35 times to be “safe”. This number originates from a misunderstanding of a paper about secure file erasure, written by Gutmann.

The 35 patterns/passes in the table in the paper are for all different hard disk encodings used in the 90:s. A single drive only use one type of encoding, so the extra passes for another encoding has no effect at all. The 35 passes are maybe useful for drives where the encoding is unknown though.

For new 2000-era drives, simply overwriting with random bytes is sufficient.

Here’s an epilogue by Gutmann for the original paper:

Epilogue In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don’t understand that statement, re-read the paper). If you’re using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, “A good scrubbing with random data will do about as well as can be expected”. This was true in 1996, and is still true now.

Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it’s unlikely that anything can be recovered from any recent drive except perhaps one or two levels via basic error-cancelling techniques. In particular the the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don’t apply any more. Conversely, with modern high-density drives, even if you’ve got 10KB of sensitive data on a drive and can’t erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero.

So it seems my suspicions have been confirmed: You do not need to erase a hard drive 35 times before selling it on eBay. A quick zeroing out of the data is sufficient.

19 Responses to “The myth of the Gutmann method”

  1. Cadillac says:

    Unless that’s what the Government wants you to think!

  2. Jarrod1937 says:

    You got that “a quick zeroing out of the data is sufficient” from that? It is true, the 35 overwrite passes are quick often superfluous (read, not needed, but is far from not having any effect), but zeroing out is in fact less effective than a few passes of pseudo random data. I’d still opt for a 7 pass erasal algorithm over simply zeroing out the drive.

    • webgrunt says:

      No data is recoverable after being overwritten by a single-pass zero-fill. I work for the largest data recovery company in the world and have spoken to data recovery engineers who have more than twenty years of experience doing nothing but recovering data from all types of media. They have assured me that data which has been overwritten once is unrecoverable. The US DOD standard is a three-pass overwrite not because a single-pass isn’t secure, but because in matters of national security, you can’t be too careful–so why not make triply sure the data is gone!

      • John says:

        Yeah, sure, but for “the largest data recovery company” is inconsistent with “no data is recoverable after being overwritten by a single-pass zero-fill”.
        Stop spreading bullcr4p.

  3. Eridger says:

    Zero-byte formatting is absolutely not totally safe. Safer than simply formatting? Yes. But data erased this way can still be recovered. The best way to securely erase data short of physically destroying the medium that contains it is to run several random-byte passes on the data or disk.

    Just because the Gutmann method isn’t the best way to securely delete data doesn’t mean all secure deletion methods are pointless.

    • Trevor says:

      But data erased this way can still be recovered.

      Please explain your method for recovering data that has been completely overwritten.

      • Cex says:

        Hi Trevor, yes finally Government can still recovery completely overwritten data, by the pattern used for encoding data over the disk ( 2 or 3 or 4 ), they can go throught 7 – 11 levels of overwriting, i usually use “randomZero + UsArmy 3 pass + Gutmann + Schneier + randomZero “, and also in that case with a micromagnetoScope they can recovery ( it can take 1 month for 100 gb ) so i think its ok.

        • Gus says:

          Nonsense. The “Government” has no such capability. You’re inventing a boogeyman where none exists.

          • Reader says:

            There are many methods like Magnetic force microscopy (MFM) or scanning probe microscopy (SPM) or Magnetic force scanning tunneling microscopy (STM).
            And take really long time but technology goes on.
            So do not be naive talking for “boogeyman”.

            Reader.
            Electronic engineer.

          • creeper says:

            Gus, it’s now July 7, 2013. Would you care to re-think this post?

  4. None says:

    The statement below left by the respondent above is supported by the horses mouth. I was recently deployed to Afghanistan, and was converted to a Gutenite. I read all of his papers and got lost in his website, that all here should check out, but I wrote to Mr. Guttman, and he did backup the below statement.

    “There are many methods like Magnetic force microscopy (MFM) or scanning probe microscopy (SPM) or Magnetic force scanning tunneling microscopy (STM).
    And take really long time but technology goes on.
    So do not be naive talking for “boogeyman”.

    Reader.
    Electronic engineer.”

  5. Aaron says:

    I heard a G-man say that they could recover data that had been written over 250 times. And it’s 250 only because that’s as far down as they will look in most cases.

  6. nichoyie says:

    this was very helpful to read seeing as i store very important documents and am looking for a secure way to delete them but please can someone reply with a new updated version to deleting documents i was very confused on whats the bes way to delete data and documents so that it is unrecoverable…..

    please and thank you
    business ower

  7. pSynrg says:

    @nichoyie

    If you are so concerned then only real effective 100% method is to physically destroy the storage medium. By destroy I mean shatter it into many many pieces or use heat in some way to change its form (such as burning or melting.)

    Storage is cheap at the end of the day (unless of course you buy from EMC)

    Seriously though – secure data santisation methods discussed above are indeed enough to irretrievably destroy your data from any organisation. Yes, including the imaginary ones most people here seem to be fearful of.

    The fact that government agencies are intercepting our communications traffic does not correlate to them retrieving data from storage media which has been subjected to advanced data sanitisation methods.

    i.e. It is a concern but it is not as hopeless as the tin-foil hat brigade would have us believe.

    • Michael Hennessey says:

      Hi,
      I am just curious. Seeing the FBI was able to retrieve the deleted emails of Mrs. Clinton isn’t that proof they have ways beyond the normal retrieval? I would assume the company Mrs. Clinton used would have done a pretty secure job of deleting.
      Thank You,
      Michael

  8. Evert van der Hik says:

    If data can be recovered after a single pass then two times more information can be stored on a harddisk. If data can be recovered after a double pass then 3 times more information can be stored on a harddisk and so on. A single pass is sufficient. If the chance that a single bit can be recovered is very high but not 100% the product of chances goes exponentially to zero for large files.

  9. eman says:

    i did one day an error and began to dd my usb key with a debian live.
    hopefully i stopped the process.
    testdisk helped me to recover most of the files. but i couldn’t get filenames. which, in some cases, are really important (think about achive splitting encrypted: you need to know the order of these archives to get the whole file be decrypted correctly).

    so, in a word, one pass isn’t sufficient at all and it will never be.
    add the fact that it was an usb key.
    hard drives can have bytes easier to recover (as long as it is made out of solid thing making small scratches on a disk)

  10. Narkish says:

    Gutmann method is not an overkill

    Yes, 35 passes is needed if you are serious about your security, now days when you have advanced Forensics you need it, long time ago I had an FTK toolkit and tried Gutmann method, its impossible to recover files even with FTK, its an opensource and a must:

    https://sourceforge.net/projects/gutmannmethod/

    https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

  11. Lou says:

    How long it normally takes to fully erase a 160GB hard drive by using Gutmann method?

Leave a Reply to Narkish