Peter Cochrane's Blog: How to delete sensitive data

Written on BA289 flying from London to Phoenix, and dispatched to silicon.com a day later from my hotel via free wi-fi

I was recently handed a small number of USB memory sticks by people requesting copies of documents at a conference. On the face of it these folks appeared to have been sensible and gave me sticks that had been wiped clean - which, I might add, is not always the case.

So just for fun I thought I would dig a little deeper with a couple of simple utilities used for memory repair and file recovery. Within minutes each memory stick revealed a large number of files that I could access. I have no idea what the files contained (because I chose not to look) but some of the titles and sizes were intriguing.

I'm sure they held ammunition that would have embarrassed the owners and their organisations but fortunately for them I happen to be honest, and not a business competitor!

How come 'delete' doesn't actually invoke a full obliteration of files? It never does! In all our IT systems the prevalent mode is for the delete function to remove the link/pointer/identifier, directory and/or location header. This means the file icon disappears from our screens but the file itself remains. And this happens to be true on hard drives, flash memory and so on, and was also true of floppy discs and read/write CDs of our recent past.

It seems this fact has never been made clear to many people. The net result is a lot of undeleted information living on some of the most insecure memory devices on the market, which are carried in jacket pockets, cases and handbags.

As far as I am aware there are very few ways around this problem:

1. Use a 1kg hammer or a welding torch to destroy your physical media
2. Encrypt all sensitive files
3. Never store sensitive information on any portable device
4. Use a secure delete protocol

Unfortunately all of the above incur inconvenience and some expense, and even a secure protocol is seldom foolproof. Most systems have two file delete options: standard and secure. At an elementary level we should always opt for the secure option. Then you would think that would be an end to it - we should then be secure. Wrong!

The reality is that secure delete commonly employs one or more randomised overwriting sequences but someone armed with a deep knowledge of the operating system and the secure delete algorithm employed will most likely be able to reverse the process. Some companies boast their ability to recover data even after 10 overwrites.

If necessary, such abilities can be thwarted by using a large number of safe files, known only to you, to totally overwrite the memory device and fill up every available slot. A secure delete followed by a repeat of this entire process using a new set or randomised ordering of safe files each time more or less makes it impossible for anyone to recover the sensitive data once at risk. But this is inconvenient and really expensive in terms of time.

So there we have it! Security is only, and will most likely always be only, a relative condition. All we can do is make it really difficult for opportunists and attackers to get at our sensitive data.

Personally I use all of the above suggestions (1 - 4) as appropriate with a concentration on (3) when I can manage it, and (1) as my most certain method.