Mac 101 is an ongoing series aimed at bringing attention to important technical issues facing Mac owners. A wide variety of topics will be explored in an effort to inform as well as help make your day-to-day Mac computing experience a better one.
There are two ways to think about securing information: Enabling access to information that you want to keep, and disabling access to information you no longer want to keep. In this post, we will focus on the information Mac users no longer want to keep. If you are thinking that this is as easy as moving a file to the trash, then emptying the trash, think again. There are numerous data recovery utilities on the market that can recover lost or deleted files. And these utilities work because most of us do not know how to securely erase information from our Macs. The following are some tips on how you can at least make it very difficult for others to recover your unwanted files.
Finder’s Secure Empty Trash
When you just empty the trash on a Mac, OS X no longer keeps track of where the data associated with the file is stored on the hard drive. The data is still there; it's just that the Finder can no longer find it. As you continue to work and OS X saves new files on your hard drive, OS X could write over parts of your deleted file's data with the new file's data. What many data recovery utilities take advantage of is the chance that old data is still there, and has not yet been written over by new data. When you instead elect to use Secure Empty Trash, OS X does in fact ensure that the old data is written over with new data, so that the old data is no longer there — think of it like scribbling out a written message on a post-it note. What is not known for sure is how many times Secure Empty Trash writes over the old file's data.
The U.S. Department of Defense data erasure guidelines require that erased data be written over no less than seven times. Why seven times? It just so happens that because of the way hard drives work, there is an opportunity for parts of the data to remain on the physical disk. There is a mechanical arm that reaches out across the hard drive to read and write data off of a magnetic platter. That mechanical arm may not pass over exactly the same spot on the hard drive with each pass. If you remove the platter from the drive, you can actually scan the surface of the drive using a much more precise mechanical arm to read old data off of the drive. Writing over the data seven times compensates for this opportunity. Think of it like plowing a field: The more times you plow over the earth, the less likely you are to see last season’s crop lines.
Permanent Erasure Utility
There are utilities that you can use that take this even further. Available in the Mac App Store is a free utility from Edenwaith called Permanent Eraser. Tools like Permanent Eraser give the user greater control over how the old data is written over with new data when you empty the trash. For instance, Peter Gutmann, a computer scientist in the Department of Computer Science at the University of Auckland, devised a method of overwriting data 35 times, each pass utilizing a different pattern of ones and zeroes. Permanent Eraser is configurable to take advantage of Gutmann's research and can apply his technique of writing over old data when the trash is emptied. In fact, Permanent Eraser goes even further by also scrambling the original file name and truncating the file size to nothing before finally unlinking it from the system.
Gutmann's technique is quite dated, as it was originally applied to a variety of consumer grade hard drives available back in the late 1990s. While widely considered the most secure means of erasing data off of an old hard drive that you still intend to use, some have speculated that this technique is no longer entirely necessary on modern-day, high-density and large-volume SATA drives. Some security forums online have speculated that a single pass of random ones and zeroes is sufficient on modern equipment. Even though there are tools that make utilizing even the most secure of techniques easy, you do wear down the drive and decrease its lifespan by overemploying this technique on a daily basis. It is probably best to utilize the Finder's Secure Empty Trash on a daily basis, and use tools like Permanent Eraser when you have recently deleted something important that you want to make absolutely sure no one will be able to access again.
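The sequence described above (overwrite the contents, scramble the file name, truncate to zero, unlink) can be sketched in a few lines of Python. This is an added example, not Permanent Eraser's or Apple's code; the function names, the single random pass and the sample file are assumptions chosen for illustration, and on an SSD the wear-leveling discussed later in this post means an in-place overwrite may not reach the original flash cells.

```python
import os, secrets, tempfile
try:
    import fcntl                      # POSIX only; used for macOS F_FULLFSYNC
except ImportError:
    fcntl = None

CHUNK = 1 << 20                       # overwrite in 1 MiB pieces

def _flush(f):
    """Flush Python's buffer, then ask the OS to write to the device."""
    f.flush()
    os.fsync(f.fileno())
    if fcntl is not None and hasattr(fcntl, "F_FULLFSYNC"):
        fcntl.fcntl(f.fileno(), fcntl.F_FULLFSYNC)   # macOS: also flush drive cache

def overwrite_pass(path, pattern=None):
    """Overwrite the file in place once; pattern=None means random bytes."""
    size = remaining = os.path.getsize(path)
    with open(path, "r+b") as f:      # r+b: write over existing bytes, no truncation
        while remaining:
            n = min(CHUNK, remaining)
            f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
            remaining -= n
        _flush(f)
    return size

def secure_delete(path, passes=1):
    """Overwrite, rename to a random name, truncate to zero, then unlink."""
    for _ in range(passes):
        overwrite_pass(path)
    scrambled = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, scrambled)        # original name leaves the directory entry
    with open(scrambled, "r+b") as f:
        f.truncate(0)                 # recorded size drops to nothing
        _flush(f)
    os.unlink(scrambled)
    return scrambled

def demo():
    """Constructed sample: a temp file filled with a recognisable marker."""
    folder = tempfile.mkdtemp()
    path = os.path.join(folder, "tax-return.txt")
    marker = b"SECRET-MARKER-1234"
    with open(path, "wb") as f:
        f.write(marker * 1000)
    overwrite_pass(path)
    with open(path, "rb") as f:
        marker_survives = marker in f.read()
    scrambled = secure_delete(path)
    return marker_survives, os.listdir(folder), os.path.exists(scrambled)
```

Calling `demo()` shows that after one random pass the marker is no longer readable through the file system, and that after `secure_delete` neither the original nor the scrambled name remains in the folder.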
Time Machine Backups
Let's not forget about Time Machine and other backup solutions you may have implemented. Going to extremes to erase a file from a hard drive that you routinely back up could be seen as a fool's errand if you neglect to erase all of the backup copies as well. But there is a way to delete all backed-up versions of a file from within Time Machine. Before you delete the file you want to remove permanently, open Time Machine and click on the gears to expose a menu. From the menu select "Delete all backups of this file." This will remove all references in Time Machine showing that the file ever existed.
This feature of Time Machine will not implement the same technique as Secure Empty Trash or any more advanced utilities like Permanent Eraser by writing over the data on the drive that the original file occupied. It just so happens that a halfway decent automated backup strategy could end up being the Achilles' heel of a halfway decent security strategy. Once you back up your files online, for instance, you may not have any way to delete individual files from all of the redundant backups that your cloud-based service provider has elected to employ. The data is still out there, somewhere.
Disk Utility’s Secure Erase Options
Looking at this problem from an individual file perspective is good if you intend to keep using all of the old hard drives you have ever owned. But what if you want to sell or give away your old equipment to somebody else? At such a time it is a good idea to securely erase an entire drive's data. Fortunately Mac OS X's Disk Utility has you covered. Just open Disk Utility and select the drive you want to erase. Choose the selector labeled "Erase" and click on the "Security Options" button. Here you will find a range of options from "Fastest" to "Most Secure."
Unfortunately, Disk Utility stops short at just a seven pass overwrite and does not employ any other technique of securely erasing an entire drive. And since OS X 10.7 Lion, you no longer have the option to boot from DVD to gain access to Disk Utility and wipe the internal hard drive of your Mac clean.
One of the most widely used and highly recommended tools to use in cases like this, Darik's Boot And Nuke (DBAN), can be accessed from a bootable CD/DVD on your Mac. You can also create a customized USB drive that will boot to Ubuntu where you can install and use the terminal command "wipe" (there is also a GUI interface for "wipe" called Parted Magic). Your best bet is to stick with something like Micromat's TechTool Pro Wipe Disk feature, which will also boot from DVD or USB. Any one of these three tools will wipe the internal drive of your Mac completely clean.
You can always try booting your MacBook in target disk mode in order to connect to the hard drive externally and securely wipe the internal hard drive. However, wiping a drive clean may be difficult if the Mac that the drive is in no longer boots up. There are two hardware accessories for sale at MacSales by NewerTech that can come in handy once you have decided to remove the hard drive from your old Mac. If you only need to do this on a rare occasion, consider the SuperSpeed USB 3.0 Universal Drive Adapter. It supports both IDE and SATA formats for 5.25-inch, 3.5-inch and 2.5-inch drives. If you are looking for a more permanent SATA solution, one that you can connect to via eSATA, then get the NewerTech Voyager hard drive dock.
If you happen to do this a lot, or if you are the go-to person when it comes to IT issues, you may consider investing in a hardware-based wipe solution to securely erase all of the hard drives you have to work with. WiebeTech’s Drive eRaser Ultra will wipe your IDE and SATA drives clean and won’t lock up your Mac in the process as it is a standalone wipe accessory.
There are ways to render a hard drive completely useless to others through the means of bashing, grinding, shredding, incinerating and even exposing the raw elements of the drive to a phase transition by vaporizing all of its components. Rather than try to handle this yourself by purchasing your own Model 22 HDD Hard Drive Disintegrator, there are services that will take care of this for you.
But even professional disintegration services recommend that you first perform your own due diligence by securely wiping off any private information before submitting the equipment to them for disposal. One thing to look for when shopping around for such a service is to see if they are NAID Certified, if they offer an audit trail of the destruction process and will issue some sort of certificate of destruction.
Solid State Drives
This is all well and good provided you only have a traditional IDE or SATA hard drive that uses mechanical arms to read and write data off of rotating platters. But what if you have a solid state drive (SSD), what then? SSDs utilize a completely different technology that renders many of the above techniques ineffective. The Non-Volatile Systems Laboratory of the University of California San Diego’s Computer Science and Engineering department has commenced a study to look at the effectiveness of various sanitizing techniques on SSDs. What researchers found was that a new approach to securely wiping a drive is needed.
The SSD’s wear-leveling technology, while designed to prolong the lifespan of the drive, makes it almost impossible to guarantee that a given file has been overwritten. The implementation of many SSDs’ buffering technology, which was designed to help compensate for memory failures, also challenges many of the established erasure techniques. The only recourse then is to always use full disk encryption on SSDs. SSDs store the encryption keys in a Key Storage Area (KSA). This KSA can be cleared to make the data that remains on the drive practically impossible to recover. Some newer SSDs provide an “erase unit” command, but this has not been implemented uniformly across all drives and is not exposed in popular drive utility tools currently available to consumers.
When thinking about both your security as well as your backup strategy, think also of the reverse side of the equation — not just how can you continue to securely access your most private information, but also how can you prevent access to your private information by wiping it clean off of any device it has been stored on when you no longer want that device. Paying attention to how someone can access your files stored on old discarded computer equipment is key to any good security strategy.