	MCSoft Security Solutions

Product Overview

Software

MCWipe

Detail Info

MCSoft MCWipe

Detail Information

Deletion vs. Data destruction

If one deletes files and folders in the Windows Explorer, these files are moved usually into the Recycler. If after that the Recycler is emptied or, however, during the deletion the Recycler was skipped, it looks like as if the files were deleted forever. This is not the case. The pointers in the file allocation table to the sectors on the harddisk which are occupied by the file are marked for their reuse. As long as these sectors are not overwritten with new data the before "deleted" file is still completely in time. With the huge storage capacity of nowadays used magnetic media it can take a while until it is overwritten. With specific hardware and software all files can be restored. Even then, if the data is overwritten, the hard disk is formatted or the Boot Sector was deleted. This are good news, if critical files should be restored again and bad news if some one wants to prevent that other persons can read private data.

Data destruction on magnetic media should prevent the recovery of data, even with a large effort and budget. It is believed that authorities or intelligence services can reconstruct data even if it is already 10 to 22 times overwritten. Procedures and standards were developed for the deletion of data which are based on the detailed knowledge of the data storage on magnetic media on a microscopic level. By these the recovery and/or the reconstruction of the data from the remanence on the medium is not possible.

Magnetic media, as for example a hard disk, stores a copy of all data which ever were written on it. The probability of the reconstruction of a certain data record in a sector of the medium becomes increasingly smaller, if more data is written in the certain sector onto the medium. Procedures for the reconstruction of overwritten data are technically extensive and require also a certain budget. In this case data can be reconstructed, which on the one hand was overwritten only through the daily use of the medium or on the other hand also purposeful with a small number at repetitions. The reconstruction expenditure increases with the number of the repetitions. It is important to notice that the simple overwriting of the data will not erase it. Wipe mechanisms which securely erase information require a thorough change of the magnetic field on the hard disk. For this purpose it is important to select different, but specific bit patterns for the write sequences onto the medium. The writing process must be repeated some times.

Principle of storing Data and hidden Data on media

The magnetic medium stores information as a stream of 0's and 1's, where 0 represents no magnetism and 1 the full magnetism. During the daily use of the hard disk data is written on it again and again. According to that also the absolute value for a 0 and the full magnetic field strength changes. This means, that when one 0 is overwritten with one 1 then the new magnetic field strength does not reach the full one 1, but for example only 95 %. That is good enough for the correct interpretation by the hard disks electronics. There all values larger than 50 % are treated as one 1. However, it is revealed by that what was stored before on the medium. If the bit in question shows only 90 % of the full magnetic field strength, then it can be assumed that there possibly two 0 bits and two 1 bits were written . This example can be continued in any way.
By using these facts forensic analysis software can now be extremely successful. Complete layers of former data can be reconstructed on the hard disk.

But one does not have to go that far to find something useful:

Every formated hard disk in windows is set up with the file system FAT, FAT32 or NTFS. The file system subdivides the hard disk into allocation units, so-called clusters. They represent the smallest unit of a hard disk which can be used by the operating system. At big hard disks the size of an allocation unit can actually be 32 KByte and more. For the organization of the hard disk this results in the consequence, that small files occupy (of for example a few KByte) a complete cluster block. The remaining storage space of the alloction unit remains in this case unused.
If clusters are overwritten with a file that is smaller than the previous one, then a area remains in the last cluster that is not overwritten. In this cluster which is declared as occupied the free area cannot be accessed without a corresponding tool. This means that there the information of the former file is kept. This information can already be read out with a simple disk editor.
Hidden data can also be found in defect sectors of the medium. If faulty sectors are recognized by the operating system or the hardware itself, these are marked as defect. In this way no further data can be written onto these clusters.

Deleting by using MCWipe

MCWipe is a specialized software which allows the secure deletion of data. It uses specific procedures which for example were suggested by the US American Ministry of Defense (Department of Defense, DoD). Wipe software tools arose from the aim to conscious resist the forensic analysis and the data rescue. In MCWipe the data on the physical sectors of the medium are overwritten with up to 36 specific bit patterns. Through that from the remaining remanence no useful data can be reconstructed anymore.
The usual Wipe algorithms that are offered in many Wipe tools overwrite the available files with random character strings, mostly one or three times and are therefore acceptable in limited cases only. Effective algorithms for the elimination of all traces of the data are based on the most precise knowledge of the storage of bits and bytes on the magnetic medium. Several algorithms which were implemented in MCWipe write on the medium (mostly these are hard disks) with many different bit patterns. These patterns are based on this knowledge in order to guarantee that the information is surely deleted.
The extended US DoD 5220.22-M (ECE) which is described in the NISPOM (National Industrial Security Program Operating Manual) defines a seven times overwriting procedure. It is one of the best known algorithms. The procedure developed by Peter Gutmann is regarded as the most secure method until now. The Gutmann method overwrites the data 35 times. The new method developed by MCSoft uses a CSPRNG (cryptographically secure pseudo random number generator) for the overwriting of the data. A method that contains a good CSPRNG is treated as being still more secure. This is a complicated method which does not use any defined bit patterns, but overwrites the data 36 times by the use of cryptographically secure pseudo-random sequences.