The process of permanently removing every trace of data from storage is termed ‘sanitisation’ and, for business use, is served by a small elite of expensive tools that will do the job to meet compliance and auditing standards.
But what if the home or small business user wants something more occasional? Well, there is a slew of tools out there, some open source, others proprietary, and with a variety of different methods.
Before using one of these it is important to understand some of the issues surrounding the task of sanitising a disk for re-use, re-sale, or disposal.
First of all, for most users a single pass over a hard drive with one of these tools will probably be fine. But for businesses with sensitive data you might want to overwrite the drives a few more times than that. If the data is really highly sensitive then the best option is to grind the drives into dust with heavy machinery. There are businesses that will do this for you.
For everyone else, a few rules of thumb:
Forget default commands
The first rule is not to rely on file deletion, quick formatting or re-formatting through an operating system such as Windows – all of these methods either don't delete the file on the drive (they simply remove the reference to it in the file allocation table) or can be reversed later with the right tool. Low-level formatting can securely wipe data but the effectiveness could still depend on the operating system used to carry out the action, so it's best not to rely on it.
The tool depends on the task
Disk wiping is a non-destructive way of permanently removing data, very different from data destruction, whether physical or by a degaussing system, which does the same job at the expense of destroying the drive itself.
There are a surprising number of high-quality tools (see end for selected suggestions), most offered as freeware or as limited versions of paid products.
Simple file or directory shredding can be done from within the OS as can the wiping of a partition. However, deleting an entire drive running an OS requires using a tool that can create boot media to do that from outside the environment, either on media or a USB stick.
Thinking laterally, it is also possible to fully encrypt data on a drive and then delete the key. There are two main issues with this: first, previously deleted data still on the surface of the drive won't be encrypted unless full-disk encryption is being used, and second, there is always the very remote chance that the encryption scheme will be cracked in the future.
All wiping tools randomly overwrite storage but the method used to do this varies from tool to tool. One option is to use a product that adopts a defined method, while all will also usually allow the user to implement a random 1-pass approach.
Amidst a blizzard of standards, the baseline is probably the US Department of Defense's DoD 5220.22-M (3 or 7-pass), but a selection of others, including the Russian GOST R 50739-95 (2-pass), Schneier (7-pass) and Gutmann (an extraordinary 35 passes), will also turn up on the spec sheet along with several others. Arguments abound about where the point of overkill kicks in but we can't recommend one over another. All of the above will do the job on a technical level and originate in governments at some point in the last 10-15 years with occasional revisions.
Note: if the device is being used in a BYOD setting it is wise to check any policies on data retention first. The user will own the device but not necessarily the data.
Proof of erasure
Products will normally offer the option of verification, at the expense of adding time, plus a log of some kind showing what the utility has done to the drive and its data. Anyone wiping a drive of any kind in a commercial organisation should hold on to this as proof that the data on it was wiped.
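As an added illustration (not code from any of the tools named in this article), the Python sketch below carries out the overwrite, verification and logging steps described above on a scratch file standing in for a drive. The pattern sequence (zeros, ones, random), the function name wipe and the log fields are assumptions chosen for the example.

```python
import hashlib, json, os, tempfile, time

CHUNK = 1 << 20  # work in 1 MiB blocks

def _run_pass(f, size, pattern):
    """Overwrite the whole target once; return SHA-256 of the bytes written."""
    digest, left = hashlib.sha256(), size
    f.seek(0)
    while left:
        n = min(CHUNK, left)
        block = os.urandom(n) if pattern is None else pattern * n
        f.write(block)
        digest.update(block)
        left -= n
    f.flush()
    os.fsync(f.fileno())  # push this pass to the device before the next
    return digest.hexdigest()

def _read_back(f, size):
    """Re-read the target and hash what it now holds. A real tool would
    bypass the OS cache here; this sketch does not."""
    digest, left = hashlib.sha256(), size
    f.seek(0)
    while left:
        block = f.read(min(CHUNK, left))
        if not block:
            break
        digest.update(block)
        left -= len(block)
    return digest.hexdigest()

def wipe(path, patterns=(b"\x00", b"\xff", None)):
    """Overwrite path in place once per pattern (None = random bytes),
    verify the final pass and return a record to keep as the erasure log.
    The default pattern sequence is an assumption for this example."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        written = [_run_pass(f, size, p) for p in patterns]
        stored = _read_back(f, size)
    return {"target": path, "bytes": size, "passes": len(patterns),
            "final_pass_sha256": written[-1],
            "verified": stored == written[-1],
            "finished_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}

if __name__ == "__main__":
    # Constructed sample: a scratch file standing in for a drive.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"customer-records " * 4096)
    print(json.dumps(wipe(tmp.name), indent=2))
    os.unlink(tmp.name)
```

Overwriting a file in place says nothing about copies the filesystem or an SSD controller may hold elsewhere, which is why whole-drive tools work on the device itself from boot media.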
Mobile devices offer a particular challenge although there seem to be plenty of apps that claim they can do the job. Certainly, device reset functions should not be relied upon. The simplest method, where supported, is simply to encrypt the internal storage before initiating a factory reset. Some also suggest filling the phone with dummy data before repeating the process. As for removable microSD cards, the best option is to take them out of the device and use a PC utility to wipe them.
The disk wiping tools
There is a plethora of freeware data wiping tools but it's important to consider whether they will do the job asked of them – it might in some circumstances be worth paying for a utility. The biggest problem is simply finding one that can be relied upon from a field full of strong contenders.
We've chosen a selection of the better-known ones here to offer some direction. There are a lot more out there.
DBAN (Darik's Boot and Nuke)
The small company that established this software, Geep, was bought out by Blancco in 2012 but the utility lives on for anyone wanting to erase a hard drive as an open source project for home use only. It works by writing an ISO to a CD or USB stick, which is then used to boot into the utility. It supports six sanitisation standards including DoD 5220.22-M, Gutmann and NIST 800-88 that offer a log but no certifiable erasure proof. It has a good reputation for sanitising ATA, SATA and SCSI hard drives, and it's easy to use. However, it doesn't support SSDs and there are no updates or support.
Although DBAN was bought in 2012 there is a free software fork of DBAN called Nwipe available, which is still being updated.
Nwipe is a FOSS fork of DBAN; its developer says it was created out of their need to run DBAN dwipe commands outside of DBAN, which allows Nwipe to use any host distribution. It will require a little more technical knowledge than some of the other applications out there.
Eraser is another free and open source lightweight tool that's easy to use and is available for most Windows operating systems, including XP, Vista, 7, 8, 10, and Windows Server 2003 to 2012.
Unlike DBAN, Disk Wipe is a portable, free utility that works within Windows and can't therefore be used to wipe the primary hard drive. It is, however, perfect for sanitising other drives, including USB sticks, external hard drives and memory cards. It supports DoD 5220.22-M and Gutmann and can also be used by commercial organisations in a highly usable manner.
Not to be confused with the Linux ransomware of the same name, Killdisk is another piece of proprietary code that has freeware flavours available for Windows and for MacOS, and for money, Linux too. The freeware version sanitises storage with the One Pass Zeros method and can be pointed at hard disks, memory cards and USBs, SCSI, RAID disk arrays, and SSDs too, according to the developers.
The freeware version includes a boot disc ISO with the software pre-installed and a bootable disc creator for CD, DVD, Blu-ray, and USB.
BCWipe Total WipeOut is a proprietary data erasure offering developed by Jetico, which boasts that its solution has been used by the Department of Defense in America along with the top 10 US defence contractors and national laboratories for "military-grade" disk wiping. Jetico also says that by supporting the logical device interface specification for SSDs, NVMe, it can clear SSDs too.
Secure Erase for SSDs
SSDs have a reputation for being difficult to erase thanks to the different way they operate at a low level compared to hard drives. One cited solution is to use something called Secure Erase (HDDErase) from the Center for Memory and Recording Research, which executes the Secure Erase function built into Serial ATA (SATA) and Parallel ATA (PATA) hard drives. It's a simple DOS-like utility that runs as a boot utility from media or a USB stick, basic but said to work.
Proprietary company Blancco (which earlier bought DBAN) says that its software erases to 22 standards and can be used to generate reports to meet security and regulatory compliance standards. Free trials are available through the Blancco website. Enterprise options are available too for bigger scale end-of-life needs. This will also wipe SSDs as well as hard drives and has a good reputation. Given the dearth of tools that can cope with this type of storage we'd recommend at least considering the single-PC licence fee for its Home Edition for £37 for the capability it offers.