Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Gutmann method
open-in-new
<h2 id="background">Background</h2> <p>The delete function in most <a href="/facts/Operating_systems/8XTuvMh2">operating systems</a> simply marks the space occupied by the file as reusable (removes the <a href="/facts/Data_pointer/fPoNzy9b">pointer</a> to the file) without immediately removing any of its contents. At this point the file can be fairly easily recovered by numerous recovery applications. However, once the space is overwritten with other data, there is no known way to use software to recover it. It cannot be done with software alone since the storage device only returns its current contents via its normal interface. Gutmann claims that <a href="/facts/Intelligence_agency/r3kDlaeD">intelligence agencies</a> have sophisticated tools, including <a href="/facts/Magnetic_force_microscope/SUCYC7nj">magnetic force microscopes</a>, which together with <a href="/facts/Image_analysis/woLB8cX7">image analysis</a>, can detect the previous values of <a href="/facts/Bit/S972NSaD">bits</a> on the affected area of the media (for example <a href="/facts/Hard_disk/kekLSGSE">hard disk</a>). This claim however seems to be invalid based on the thesis "Data Reconstruction from a Hard Disk Drive using Magnetic Force Microscopy".<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> </p> <h2 id="method">Method</h2> <p>An overwrite session consists of a lead-in of four <a href="/facts/Random/QJQBoEX5">random</a> write patterns, followed by patterns 5 to 31 (see rows of table below), executed in a random order, and a lead-out of four more random patterns. </p><p>Each of patterns 5 to 31 was designed with a specific <a href="/facts/Magnetic_medium/QaK6oArm">magnetic media</a> <a href="/facts/Code/CSntvnEo">encoding</a> scheme in mind, which each pattern targets. The drive is written to for all the passes even though the table below only shows the bit patterns for the passes that are specifically targeted at each encoding scheme. The end result should obscure any data on the drive so that only the most advanced physical scanning (e.g., using a <a href="/facts/Magnetic_force_microscope/SUCYC7nj">magnetic force microscope</a>) of the drive is likely to be able to recover any data. </p><p>The series of patterns is as follows: </p> Gutmann overwrite method<table><tbody><tr><th rowspan="2">Pass</th><th colspan="2">Data written</th><th colspan="3">Pattern written to disk for targeted encoding scheme</th></tr><tr><th>In <a href="/facts/Binary_numeral_system/a6JDSRPs">binary</a> notation</th><th>In <a href="/facts/Hexadecimal/02ohQW22">hex</a> notation</th><th>(1,7) <a href="/facts/Run-length_limited/WkGWpAGR">RLL</a></th><th>(2,7) <a href="/facts/Run-length_limited/WkGWpAGR">RLL</a></th><th><a href="/facts/Modified_frequency_modulation/XLIItN1f">MFM</a></th></tr><tr><td>1</td><td>(Random)</td><td>(Random)</td><td></td><td></td><td></td></tr><tr><td>2</td><td>(Random)</td><td>(Random)</td><td></td><td></td><td></td></tr><tr><td>3</td><td>(Random)</td><td>(Random)</td><td></td><td></td><td></td></tr><tr><td>4</td><td>(Random)</td><td>(Random)</td><td></td><td></td><td></td></tr><tr><td>5</td><td>01010101 01010101 01010101</td><td>55 55 55</td><td>100...</td><td></td><td>000 1000...</td></tr><tr><td>6</td><td>10101010 10101010 10101010</td><td>AA AA AA</td><td>00 100...</td><td></td><td>0 1000...</td></tr><tr><td>7</td><td>10010010 01001001 00100100</td><td>92 49 24</td><td></td><td>00 100000...</td><td>0 100...</td></tr><tr><td>8</td><td>01001001 00100100 10010010</td><td>49 24 92</td><td></td><td>0000 100000...</td><td>100 100...</td></tr><tr><td>9</td><td>00100100 10010010 01001001</td><td>24 92 49</td><td></td><td>100000...</td><td>00 100...</td></tr><tr><td>10</td><td>00000000 00000000 00000000</td><td>00 00 00</td><td>101000...</td><td>1000...</td><td></td></tr><tr><td>11</td><td>00010001 00010001 00010001</td><td>11 11 11</td><td>0 100000...</td><td></td><td></td></tr><tr><td>12</td><td>00100010 00100010 00100010</td><td>22 22 22</td><td>00000 100000...</td><td></td><td></td></tr><tr><td>13</td><td>00110011 00110011 00110011</td><td>33 33 33</td><td>10...</td><td>1000000...</td><td></td></tr><tr><td>14</td><td>01000100 01000100 01000100</td><td>44 44 44</td><td>000 100000...</td><td></td><td></td></tr><tr><td>15</td><td>01010101 01010101 01010101</td><td>55 55 55</td><td>100...</td><td></td><td>000 1000...</td></tr><tr><td>16</td><td>01100110 01100110 01100110</td><td>66 66 66</td><td>0000 100000...</td><td>000000 10000000...</td><td></td></tr><tr><td>17</td><td>01110111 01110111 01110111</td><td>77 77 77</td><td>100010...</td><td></td><td></td></tr><tr><td>18</td><td>10001000 10001000 10001000</td><td>88 88 88</td><td>00 100000...</td><td></td><td></td></tr><tr><td>19</td><td>10011001 10011001 10011001</td><td>99 99 99</td><td>0 100000...</td><td>00 10000000...</td><td></td></tr><tr><td>20</td><td>10101010 10101010 10101010</td><td>AA AA AA</td><td>00 100...</td><td></td><td>0 1000...</td></tr><tr><td>21</td><td>10111011 10111011 10111011</td><td>BB BB BB</td><td>00 101000...</td><td></td><td></td></tr><tr><td>22</td><td>11001100 11001100 11001100</td><td>CC CC CC</td><td>0 10...</td><td>0000 10000000...</td><td></td></tr><tr><td>23</td><td>11011101 11011101 11011101</td><td>DD DD DD</td><td>0 101000...</td><td></td><td></td></tr><tr><td>24</td><td>11101110 11101110 11101110</td><td>EE EE EE</td><td>0 100010...</td><td></td><td></td></tr><tr><td>25</td><td>11111111 11111111 11111111</td><td>FF FF FF</td><td>0 100...</td><td>000 100000...</td><td></td></tr><tr><td>26</td><td>10010010 01001001 00100100</td><td>92 49 24</td><td></td><td>00 100000...</td><td>0 100...</td></tr><tr><td>27</td><td>01001001 00100100 10010010</td><td>49 24 92</td><td></td><td>0000 100000...</td><td>100 100...</td></tr><tr><td>28</td><td>00100100 10010010 01001001</td><td>24 92 49</td><td></td><td>100000...</td><td>00 100...</td></tr><tr><td>29</td><td>01101101 10110110 11011011</td><td>6D B6 DB</td><td></td><td>0 100…</td><td></td></tr><tr><td>30</td><td>10110110 11011011 01101101</td><td>B6 DB 6D</td><td></td><td>100…</td><td></td></tr><tr><td>31</td><td>11011011 01101101 10110110</td><td>DB 6D B6</td><td></td><td>00 100…</td><td></td></tr><tr><td>32</td><td>(Random)</td><td>(Random)</td><td></td><td></td><td></td></tr><tr><td>33</td><td>(Random)</td><td>(Random)</td><td></td><td></td><td></td></tr><tr><td>34</td><td>(Random)</td><td>(Random)</td><td></td><td></td><td></td></tr><tr><td>35</td><td>(Random)</td><td>(Random)</td><td></td><td></td><td></td></tr></tbody></table> <p>Encoded bits shown in bold are what should be present in the ideal pattern, although due to the encoding the complementary bit is actually present at the start of the track. </p> <h2 id="criticism">Criticism</h2> <p>Daniel Feenberg of the <a href="/facts/National_Bureau_of_Economic_Research/oQREczIe">National Bureau of Economic Research</a>, an American private nonprofit research organization, criticized Gutmann's claim that intelligence agencies are likely to be able to read overwritten data, citing a lack of evidence for such claims. He finds that Gutmann cites one non-existent source and sources that do not actually demonstrate recovery, only partially-successful observations. The definition of "random" is also quite different from the usual one used: Gutmann expects the use of pseudorandom data with sequences known to the recovering side, not an unpredictable one such as a <a href="/facts/Cryptographically_secure_pseudorandom_number_generator/Kew9SdpN">cryptographically secure pseudorandom number generator</a>.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> </p><p>Nevertheless, some published government security procedures consider a disk overwritten once to still be sensitive.<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> </p><p>Gutmann himself has responded to some of these criticisms and also criticized how his algorithm has been abused in an epilogue to his original paper, in which he states:<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a><a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a> </p> <blockquote><p>In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to <a href="/facts/Partial-response_maximum-likelihood/n4pjxVv7">PRML</a> and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old <a href="/facts/Modified_Frequency_Modulation/XLIItN1f">MFM</a> methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.</p>— Peter Gutmann, Secure Deletion of Data from Magnetic and Solid-State Memory, University of Auckland Department of Computer Science</blockquote> <p>Gutmann's statement has been criticized[<i>by whom?</i>] for not recognizing that PRML/EPRML does not replace RLL. They claim PRML/EPRML is not a data encoding method, but a signal detection method. <a href="https://kaleron.edu.pl/">Kaleron</a>, a Polish data recovery service has also claimed that Gutmann's publication contains more factual errors and assumptions that do not apply to actual disks.<a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a> </p> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Data_remanence/xW7XvQsn">Data remanence</a></li> <li><a href="/facts/Data_recovery/KvNG11I1">Data recovery</a></li> <li><a href="/facts/Computer_forensics/g59dDNYz">Computer forensics</a></li></ul> <h2 id="notes">Notes</h2> <h2 id="external-links">External links</h2> <ul><li><a href="https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html">Secure Deletion of Data from Magnetic and Solid-State Memory</a>, Gutmann's original paper</li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Gutmann, Peter. (July 22–25, 1996) Secure Deletion of Data from Magnetic and Solid-State Memory. University of Auckland Department of Computer Science. Epilogue section. <a href="https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html" target="_blank">https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Cranor, Lorrie Faith; Garfinkel, Simson (25 August 2005). Security and Usability: Designing Secure Systems that People Can Use. "O'Reilly Media, Inc.". p. 307. ISBN 9780596553852. <a href="9780596553852" target="_blank">9780596553852</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Clearing and Declassifying Electronic Data Storage Devices (PDF) (PDF). Communications Security Establishment. July 2006. p. 7. Archived from the original (PDF) on 2014-03-03. <a href="https://web.archive.org/web/20140303210956/http://www.cse-cst.gc.ca/documents/publications/itsg-csti/itsg06-eng.pdf" target="_blank">https://web.archive.org/web/20140303210956/http://www.cse-cst.gc.ca/documents/publications/itsg-csti/itsg06-eng.pdf</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Michael Wei; Laura M. Grupp; Frederick E. Spada; Steven Swanson (2011). "Reliably Erasing Data From Flash-Based Solid State Drives" (PDF). FAST'11: Proceedings of the 9th USENIX conference on File and storage technologies. Wikidata Q115346857. Retrieved 2018-01-08. <a href="https://www.usenix.org/legacy/events/fast11/tech/full_papers/Wei.pdf" target="_blank">https://www.usenix.org/legacy/events/fast11/tech/full_papers/Wei.pdf</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>"Data Reconstruction from a Hard Disk Drive using Magnetic Force Microscopy" (PDF). UNIVERSITY OF CALIFORNIA, SAN DIEGO. 2013. Archived from the original on 2015-10-27. <a href="https://web.archive.org/web/20151027143757/https://escholarship.org/uc/item/26g4p84b" target="_blank">https://web.archive.org/web/20151027143757/https://escholarship.org/uc/item/26g4p84b</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Daniel Feenberg (2013) [2003]. "Can Intelligence Agencies Read Overwritten Data? A response to Gutmann". National Bureau of Economic Research. <a href="http://www.nber.org/sys-admin/overwritten-data-gutmann.html" target="_blank">http://www.nber.org/sys-admin/overwritten-data-gutmann.html</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>"Clearing and Declassifying Electronic Data Storage Devices" (PDF) (PDF). Communications Security Establishment. July 2006. Archived from the original (PDF) on 2014-03-03. <a href="https://web.archive.org/web/20140303210956/http://www.cse-cst.gc.ca/documents/publications/itsg-csti/itsg06-eng.pdf" target="_blank">https://web.archive.org/web/20140303210956/http://www.cse-cst.gc.ca/documents/publications/itsg-csti/itsg06-eng.pdf</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>Gutmann, Peter. (July 22–25, 1996) Secure Deletion of Data from Magnetic and Solid-State Memory. University of Auckland Department of Computer Science. Epilogue section. <a href="https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html" target="_blank">https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>Cranor, Lorrie Faith; Garfinkel, Simson (25 August 2005). Security and Usability: Designing Secure Systems that People Can Use. "O'Reilly Media, Inc.". p. 307. ISBN 9780596553852. <a href="9780596553852" target="_blank">9780596553852</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>Kaleron (2024). "Throwing Gutmann's algorithm into the trash". Retrieved 2024-11-22. <a href="https://kaleron.edu.pl/throwing-Gutmanns-algorithm-into-the-trash" target="_blank">https://kaleron.edu.pl/throwing-Gutmanns-algorithm-into-the-trash</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> </ol>