macOS

Securely "Freeing" Free Space

What is this about?

Imagine the scenario: you are selling your PC to another person or returning a lease, of course you probably already deleted all your files from it, and even did a format of the drive. So is that all? Is your data really gone?

Not really! It is likely that all your files are still in the hdd, and a simple run of the mill recover software can recover a ton of stuff.

But why? After all you deleted everything and formatted the drive, right?

Disk Storage In a Nut Shell

Let's pretend our disk is a book. Most books have a structure, they have some sort of index in the beginning where you have a summary of what is inside, and when you open it in a specific page, there you'll have the information itself. Well disks are very similar to this.

They have a "small" index and most of the space of the disk is reserved to storing the data itself. When you write a file to the disk the data is stored somewhere on the disk and its physical location and some other infos are store in those indexes.

When you or the system tries to access that file the system does not know where the file is in the disk, so it reads the entry for the file in the index to find it's physical location, then goes after the data itself, reads it and take the appropriated action that was requested.

When you delete a file the regular way, that is sending the file to the Trash and then erasing the trash what the system does is in fact to remove just the index entry, and then it marks that physical space on the drive as free space (available to be used).

You may ask "why?", after all this seems dumb and dangerous. Well, I agree, it is, but systems do this mainly because of two reasons, the first is longevity and the second is speed. To delete a 5GB file takes no more than a second, but to write that same file takes way more than that. Imagine if you had deletion times as long as copying times. Thats the speed factor, additionally if the system had to overwrite the entire file every time you delete something that alone would stress the hardware a lot, and it would last way less than it does.

Consider the image below, you can see the index in the outer most part of the disk in red, and the corresponding data itself in the blueish "middle" of disk. While the entry in the index is deleted, the data itself stays. And can be recovered!

There is no way to "erase" the written data, what we do instead is to write zeros (00000000000...) to the physical space where the data was written, effectively destroying the data.

How to Zero Out

I'll cover the OS X solution for this problem. For those using Linux, well you should be able to do that using dd to write /dev/zero to /dev/sdX considering you're zeroing the whole disk (or partition), OR by installing some sort of package, such as zerofree that can zero out just the free space of the drive/partitions.

For Windoze, you are out of luck, at least here. I neither know nor care to know the process to accomplish this on Windoze. Maybe you can use SysInternal's SDelete to do it. I never did.

For the Mac we can use the build-in diskutil terminal tool or if you have a regular HDD you can also do it using the Disk Utility tool located in the /Applications/Utilities folder.

OS X actually hides this option if your disk is a SSD (Solid State Drive). But the terminal tool diskutil still can be used with SSDs, altho some say it will stress the SSD way too much. Well, I rather stress the drive than have my data floating around in uncharted waters.

The terminal command is this:

diskutil secureErase freespace X "Y"

Where X is the mode the tool will use (how many times will zero out the free space) and Y is the disk it will be zeroed out.

Modes are as follows:

  • 0 – Single-pass zero-fill erase.

  • 1 – Single-pass random-fill erase.

  • 2 – US DoD 7-pass secure erase.

  • 3 – Gutmann algorithm 35-pass secure erase.

  • 4 – US DoE algorithm 3-pass secure erase.

For SSDs a single pass will suffice, for regular HDDs more passes makes more difficult to restored the data. The US DoD 7-pass should suffice for most. If you are REALLY paranoid, go for the Gutmann 35-pass.

For instance if you want to zero out the Macintosh HD volume's free space using the US DoD 7-pass you should issue this command:

diskutil secureErase freespace 2 "/Volumes/Macintosh HD"

*The quotes are needed if your volume has spaces, in this case, it does.

It will take some time, when it is finished you can sell the computer and have some piece of mind that your data will not be recovered, at least not easily. I am sure some 3 letter government agencies still can recover data even after the zero out process. But that's another story.

If you want guarantees that 100% of the data will be destroyed beyond any question, that even super-natural hi-tech techniques won't do it, well.... then you can try to hammer the drive for 10 minutes, cook it in a microwave for another 10, throw some acid on top and in it, then throw it in the Pacific Ocean's Mariana Trench. That will, I am sure, guarantee that 100% of the data is in fact destroyed. Aside from this we can only talk about 99ish%.