Community hub
0 subscribers7 pages, 0 posts
Recent from talks
All channels
Be the first to start a discussion here.
Be the first to start a discussion here.
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Welcome to the community hub built to collect knowledge and have discussions related to Gutmann method.
Nothing was collected or created yet.
Gutmann method
View on Wikipediafrom Wikipedia
The Gutmann method is an algorithm for securely erasing the contents of computer hard disk drives, such as files. Devised by Peter Gutmann and Colin Plumb and presented in the paper Secure Deletion of Data from Magnetic and Solid-State Memory in July 1996, it involved writing a series of 35 patterns over the region to be erased.
The selection of patterns assumes that the user does not know the encoding mechanism used by the drive, so it includes patterns designed specifically for three types of drives. A user who knows which type of encoding the drive uses can choose only those patterns intended for their drive. A drive with a different encoding mechanism would need different patterns.
Most of the patterns in the Gutmann method were designed for older MFM/RLL encoded disks. Gutmann himself has noted that more modern drives no longer use these older encoding techniques, making parts of the method irrelevant. He said "In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques".[1][2]
Since about 2001, some ATA IDE and SATA hard drive manufacturer designs include support for the ATA Secure Erase standard, obviating the need to apply the Gutmann method when erasing an entire drive.[3] The Gutmann method does not apply to USB sticks: a 2011 study reports that 71.7% of data remained available. On solid state drives it resulted in 0.8–4.3% recovery.[4]
Background
[edit]The delete function in most operating systems simply marks the space occupied by the file as reusable (removes the pointer to the file) without immediately removing any of its contents. At this point the file can be fairly easily recovered by numerous recovery applications. However, once the space is overwritten with other data, there is no known way to use software to recover it. It cannot be done with software alone since the storage device only returns its current contents via its normal interface. Gutmann claims that intelligence agencies have sophisticated tools, including magnetic force microscopes, which together with image analysis, can detect the previous values of bits on the affected area of the media (for example hard disk). This claim however seems to be invalid based on the thesis "Data Reconstruction from a Hard Disk Drive using Magnetic Force Microscopy".[5]
Method
[edit]An overwrite session consists of a lead-in of four random write patterns, followed by patterns 5 to 31 (see rows of table below), executed in a random order, and a lead-out of four more random patterns.
Each of patterns 5 to 31 was designed with a specific magnetic media encoding scheme in mind, which each pattern targets. The drive is written to for all the passes even though the table below only shows the bit patterns for the passes that are specifically targeted at each encoding scheme. The end result should obscure any data on the drive so that only the most advanced physical scanning (e.g., using a magnetic force microscope) of the drive is likely to be able to recover any data.
The series of patterns is as follows:
| Pass | Data written | Pattern written to disk for targeted encoding scheme | |||
|---|---|---|---|---|---|
| In binary notation | In hex notation | (1,7) RLL | (2,7) RLL | MFM | |
| 1 | (Random) | (Random) | |||
| 2 | (Random) | (Random) | |||
| 3 | (Random) | (Random) | |||
| 4 | (Random) | (Random) | |||
| 5 | 01010101 01010101 01010101 |
55 55 55 |
100... |
000 1000...
| |
| 6 | 10101010 10101010 10101010 |
AA AA AA |
00 100... |
0 1000...
| |
| 7 | 10010010 01001001 00100100 |
92 49 24 |
00 100000... |
0 100...
| |
| 8 | 01001001 00100100 10010010 |
49 24 92 |
0000 100000... |
100 100...
| |
| 9 | 00100100 10010010 01001001 |
24 92 49 |
100000... |
00 100...
| |
| 10 | 00000000 00000000 00000000 |
00 00 00 |
101000... |
1000... |
|
| 11 | 00010001 00010001 00010001 |
11 11 11 |
0 100000... |
||
| 12 | 00100010 00100010 00100010 |
22 22 22 |
00000 100000... |
||
| 13 | 00110011 00110011 00110011 |
33 33 33 |
10... |
1000000... |
|
| 14 | 01000100 01000100 01000100 |
44 44 44 |
000 100000... |
||
| 15 | 01010101 01010101 01010101 |
55 55 55 |
100... |
000 1000...
| |
| 16 | 01100110 01100110 01100110 |
66 66 66 |
0000 100000... |
000000 10000000... |
|
| 17 | 01110111 01110111 01110111 |
77 77 77 |
100010... |
||
| 18 | 10001000 10001000 10001000 |
88 88 88 |
00 100000... |
||
| 19 | 10011001 10011001 10011001 |
99 99 99 |
0 100000... |
00 10000000... |
|
| 20 | 10101010 10101010 10101010 |
AA AA AA |
00 100... |
0 1000...
| |
| 21 | 10111011 10111011 10111011 |
BB BB BB |
00 101000... |
||
| 22 | 11001100 11001100 11001100 |
CC CC CC |
0 10... |
0000 10000000... |
|
| 23 | 11011101 11011101 11011101 |
DD DD DD |
0 101000... |
||
| 24 | 11101110 11101110 11101110 |
EE EE EE |
0 100010... |
||
| 25 | 11111111 11111111 11111111 |
FF FF FF |
0 100... |
000 100000... |
|
| 26 | 10010010 01001001 00100100 |
92 49 24 |
00 100000... |
0 100...
| |
| 27 | 01001001 00100100 10010010 |
49 24 92 |
0000 100000... |
100 100...
| |
| 28 | 00100100 10010010 01001001 |
24 92 49 |
100000... |
00 100...
| |
| 29 | 01101101 10110110 11011011 |
6D B6 DB |
0 100… |
||
| 30 | 10110110 11011011 01101101 |
B6 DB 6D |
100… |
||
| 31 | 11011011 01101101 10110110 |
DB 6D B6 |
00 100… |
||
| 32 | (Random) | (Random) | |||
| 33 | (Random) | (Random) | |||
| 34 | (Random) | (Random) | |||
| 35 | (Random) | (Random) | |||
Encoded bits shown in bold are what should be present in the ideal pattern, although due to the encoding the complementary bit is actually present at the start of the track.
Criticism
[edit]Daniel Feenberg of the National Bureau of Economic Research, an American private nonprofit research organization, criticized Gutmann's claim that intelligence agencies are likely to be able to read overwritten data, citing a lack of evidence for such claims. He finds that Gutmann cites one non-existent source and sources that do not actually demonstrate recovery, only partially-successful observations. The definition of "random" is also quite different from the usual one used: Gutmann expects the use of pseudorandom data with sequences known to the recovering side, not an unpredictable one such as a cryptographically secure pseudorandom number generator.[6]
Nevertheless, some published government security procedures consider a disk overwritten once to still be sensitive.[7]
Gutmann himself has responded to some of these criticisms and also criticized how his algorithm has been abused in an epilogue to his original paper, in which he states:[1][2]
In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.
— Peter Gutmann, Secure Deletion of Data from Magnetic and Solid-State Memory, University of Auckland Department of Computer Science
Gutmann's statement has been criticized for not recognizing that PRML/EPRML does not replace RLL, with critics claiming PRML/EPRML to be a signal detection method rather than a data encoding method. Polish data recovery service Kaleron has also claimed that Gutmann's publication contains further factual errors and assumptions that do not apply to actual disks.[8]
See also
[edit]Notes
[edit]- ^ a b Gutmann, Peter. (July 22–25, 1996) Secure Deletion of Data from Magnetic and Solid-State Memory. University of Auckland Department of Computer Science. Epilogue section.
- ^ a b Cranor, Lorrie Faith; Garfinkel, Simson (25 August 2005). Security and Usability: Designing Secure Systems that People Can Use. "O'Reilly Media, Inc.". p. 307. ISBN 9780596553852.
- ^ Clearing and Declassifying Electronic Data Storage Devices (PDF) (PDF). Communications Security Establishment. July 2006. p. 7. Archived from the original (PDF) on 2014-03-03.
- ^ Michael Wei; Laura M. Grupp; Frederick E. Spada; Steven Swanson (2011). "Reliably Erasing Data From Flash-Based Solid State Drives" (PDF). FAST'11: Proceedings of the 9th USENIX conference on File and storage technologies. Wikidata Q115346857. Retrieved 2018-01-08.
- ^ "Data Reconstruction from a Hard Disk Drive using Magnetic Force Microscopy" (PDF). UNIVERSITY OF CALIFORNIA, SAN DIEGO. 2013. Archived from the original on 2015-10-27.
- ^ Daniel Feenberg (2013) [2003]. "Can Intelligence Agencies Read Overwritten Data? A response to Gutmann". National Bureau of Economic Research.
- ^ "Clearing and Declassifying Electronic Data Storage Devices" (PDF) (PDF). Communications Security Establishment. July 2006. Archived from the original (PDF) on 2014-03-03.
- ^ Kaleron (2024). "Throwing Gutmann's algorithm into the trash". Retrieved 2024-11-22.
External links
[edit]
Gutmann method
View on Grokipediafrom Grokipedia
The Gutmann method is a data sanitization algorithm designed to securely erase information from magnetic hard disk drives by overwriting the target data multiple times, rendering it irrecoverable even with advanced forensic recovery techniques such as magnetic force microscopy.[1] Developed in 1996 by computer scientist Peter Gutmann of the University of Auckland and cryptographer Colin Plumb, the method addresses vulnerabilities in older hard drive technologies that used encoding schemes like modified frequency modulation (MFM) and run-length limited (RLL) encoding, where residual magnetic traces could allow partial data reconstruction after a single overwrite.[1]
The core of the Gutmann method involves 35 sequential overwrite passes, each applying a specific pattern to the disk sectors: the first four and final four passes use pseudorandom data to obscure patterns, while the intervening 27 passes employ deterministic bit sequences tailored to counter recovery from various drive interfaces.[1] For instance, patterns such as alternating 0x55 and 0xAA bits target MFM-encoded drives, while sequences like 0x92, 0x49, and 0x24 address (2,7) RLL encoding common in drives from the 1990s.[1] This multi-pass approach was intended to flip magnetic domains thoroughly, ensuring that no remnant signals from the original data persist, though it was primarily calibrated for older low-density magnetic drives.[1] The method applies only to magnetic media and is ineffective for solid-state drives.
Although influential in early standards for secure deletion, the Gutmann method has been widely critiqued as excessive for contemporary storage media.[1] Gutmann himself noted in a 2001 epilogue to his original paper that the full 35 passes are unnecessary for modern perpendicular recording or PRML-based drives, where a single random overwrite pass suffices due to narrower track densities and advanced error correction that eliminate recoverable remnants.[1] The National Institute of Standards and Technology (NIST) in SP 800-88 Rev. 1 (2014) recommends a single overwrite for clearing data on modern hard disk drives in most scenarios, rendering the Gutmann approach computationally intensive and largely obsolete except for legacy systems.[2] Despite this, the method remains implemented in some data erasure software for compliance with historical security protocols.[1]
These patterns collectively cover all possible 5-bit code groups used in RLL encodings, ensuring that any potential remanent signal is overwhelmed by contrasting magnetic fields.[1]
Passes 32 through 35 return to random data, generated using a cryptographically strong pseudorandom number generator contributed by Colin Plumb, to simulate future or unknown encoding schemes like advanced PRML variants where deterministic patterns could inadvertently reinforce noise patterns. The algorithm seeds the generator with the sector address and a time-based value, producing output bytes via a key-scheduling routine that mixes the seed with iterative feedback, ensuring non-repeating, unpredictable data that disrupts partial-response equalization filters in PRML systems. This final randomization acts as a safeguard against evolving technologies, prioritizing entropy over targeted disruption to prevent any coherent recovery of original flux transitions. No explicit verification pass is included, as the multiplicity of overwrites inherently confirms erasure through layered obfuscation.[1]
History and Development
Origins in Data Security Concerns
In the early 1990s, growing concerns about data remanence posed significant challenges to data security, especially on magnetic storage devices like hard disk drives. Data remanence describes the residual magnetic fields that persist on disk platters after files are deleted or the drive is low-level formatted, leaving traces that could potentially be exploited to reconstruct sensitive information. These remnants arise because standard operating system deletion merely removes file allocation pointers, leaving the underlying data intact and vulnerable to forensic recovery techniques.[1] Research from the late 1980s and early 1990s underscored the recoverability of overwritten data, fueling fears over unauthorized access in high-stakes environments. Scientists employed advanced imaging methods, such as magnetic force microscopy (MFM) and scanning tunneling microscopy (STM), to visualize magnetic domains at the nanoscale, revealing how previous data patterns could bleed through subsequent overwrites due to imperfect magnetic reversal. For example, studies between 1991 and 1995, including work by Rice and Moreland (1991) on tunneling-stabilized MFM, Gomez et al. (1992 and 1993) on MFM and microscopic imaging of overwritten tracks, and Zhu et al. (1994) on edge overwrite in thin-film media, demonstrated partial recovery of data traces from older drives using run-length limited (RLL) and modified frequency modulation (MFM) encoding, even after up to four overwrites in some cases. These findings highlighted vulnerabilities in drives with lower recording densities, where magnetic interference from adjacent tracks complicated complete erasure.[1] Peter Gutmann, a computer scientist in the Department of Computer Science at the University of Auckland, addressed these issues through his research on secure data deletion, driven by the need to protect against sophisticated recovery efforts that could compromise government and corporate information. His investigations revealed gaps in existing standards, such as those from the U.S. National Security Agency, which often relied on simple overwriting insufficient for emerging threats. Gutmann's work emphasized the espionage risks associated with remanent data on discarded or repurposed drives, prompting the development of more robust erasure strategies tailored to historical drive technologies.[1][3]Publication and Initial Impact
The Gutmann method was formally introduced in the 1996 paper titled "Secure Deletion of Data from Magnetic and Solid-State Memory," authored by Peter Gutmann and presented at the Sixth USENIX Security Symposium in San Jose, California, from July 22–25.[4] The paper analyzed data remanence risks in magnetic and solid-state storage, proposing multi-pass overwriting schemes tailored to various encoding technologies to prevent forensic recovery.[1] Gutmann collaborated closely with cryptographer Colin Plumb on the cryptographic elements of the method, particularly the generation of pseudorandom patterns for overwrite passes to ensure unpredictability and resistance to pattern-based recovery techniques.[1] Plumb's expertise in secure random number generation informed the design of these patterns, enhancing the method's robustness against advanced analysis.[5] Following its publication, the method saw early adoption in open-source data erasure tools, notably Darik's Boot and Nuke (DBAN), released in 2003, which implemented the full 35-pass overwrite scheme as one of its wiping options for hard disk drives.[6] This integration helped popularize the technique among users seeking compliant data destruction without proprietary software.[7] The paper's findings also entered standards discussions, with the USENIX publication cited in the bibliography of NIST Special Publication 800-88, "Guidelines for Media Sanitization" (initial draft circa 2003, published 2006), influencing recommendations for multi-pass overwriting in federal data disposal practices during the early 2000s. This contributed to broader incorporation of secure overwriting into corporate and government guidelines for handling sensitive media in the post-publication decade.Theoretical Foundations
Data Remanence and Recovery Techniques
Data remanence refers to the residual physical representation of data that persists on magnetic storage media after erasure or overwriting attempts. This occurs due to hysteresis in magnetic domains, where the magnetization of particles does not fully align with the new write signal, leaving behind weak echoes of prior data states. Partial overwriting effects exacerbate this, as variations in write head positioning, media coercivity, and signal strength result in incomplete domain flips—for instance, overwriting a zero with a one might yield a value closer to 0.95 rather than a full 1, allowing faint remnants to accumulate across multiple layers of writes.[1] Recovery of remanent data relies on specialized techniques that amplify these subtle magnetic signatures. Magnetic force microscopy (MFM) is a prominent method, employing a magnetized cantilever tip in an atomic force microscope to map stray magnetic fields from the disk surface at lift heights below 50 nm, achieving lateral resolutions down to approximately 50 nm. This enables visualization of overwritten tracks by detecting domain patterns and residual magnetization, with scan times of 2–10 minutes per track depending on the area and tip quality; for example, MFM has been used to image bit structures on high-density drives, revealing echoes from previous data layers even after single overwrites. Other approaches include high-resolution oscilloscopes to capture analog read signals or electron beam tools to induce currents from trapped charges, though MFM provides the most direct nanoscale insight into magnetic remanence.[1][8] Certain encoding schemes prevalent in 1980s–1990s hard drives heighten remanence risks by structuring data in ways susceptible to incomplete erasure. Frequency modulation (FM) encoding pairs each user bit with a clock bit, producing dense transition patterns that can leave low-frequency residues vulnerable to adjacent-track interference during overwrites. Run-length limited (RLL) codes, such as (1,7) or (2,7) variants, constrain sequences of identical bits to reduce intersymbol interference but still permit recovery of prior data through off-track writes or media variations, where the constrained run lengths amplify detectable echoes in adjacent domains. These schemes, common in drives with areal densities below 100 Mb/in², made remanent signals more exploitable compared to later partial-response maximum-likelihood (PRML) methods.[1] The recoverability of remanent data hinges on the signal-to-noise ratio (SNR), defined as the ratio of the desired residual signal power to background noise power, often expressed in decibels (dB) as . In overwriting contexts, each pass attenuates prior signals by a factor tied to the drive's performance, typically -25 to -35 dB, reducing the amplitude multiplicatively (e.g., two passes at -30 dB yield -60 dB total, or ~0.1% residual). Gutmann's analysis indicated that for older RLL-encoded drives, 4–8 overwrites with random patterns could diminish remanent SNR below practical detection thresholds (e.g., < -40 dB), rendering recoverability under 1% with conventional equipment, though specialized tools like MFM might still discern traces at higher costs.[1] The Gutmann method counters these remanence effects through multiple overwriting passes tailored to encoding vulnerabilities.Role of Magnetic Recording Technologies
The Gutmann method emerged amid the dominance of longitudinal magnetic recording (LMR) in hard disk drives during the 1980s and 1990s, a technology inherently susceptible to data remanence owing to adjacent track interference. In LMR, the write head's magnetic field extends beyond the target track, creating partial overlaps that leave remnant magnetization at track edges even after overwriting; this allows traces of prior data to persist and be superimposed over new recordings, as observed through imaging techniques like magnetic force microscopy.[1] Early magnetic storage relied on frequency modulation (FM) encoding for floppy disks, where a logical 1 was represented by two clock transitions and a 0 by one, enabling low-density storage but simpler overwrite dynamics with minimal adjacent interference. By the 1980s, hard disk drives shifted to modified frequency modulation (MFM) and run-length limited (RLL) encodings, such as (1,3) RLL/MFM, which increased areal density by constraining transition intervals— for instance, limiting the maximum gap between 1 bits to three zeros in MFM— but exacerbated remanence risks due to the denser packing and broader impact of write fields on neighboring tracks.[1] The mid-1990s introduction of partial response maximum likelihood (PRML) channels in drives represented a pivotal evolution, leveraging digital filtering and Viterbi detection algorithms to achieve 30-40% greater storage density over prior RLL methods by interpreting subtle read signal variations rather than relying on peak detection alone. Although PRML diminished some remanence vulnerabilities through smaller magnetic domains and enhanced overwrite coverage at track peripheries, residual recovery threats lingered, particularly in misaligned writes.[1] Gutmann's examination revealed that remanence recoverability is closely tied to track density, with older, lower-density systems like early MFM/RLL exhibiting more pronounced edge effects that demanded multiple targeted passes for sanitization, while higher-density configurations up to 6700 tracks per inch in emerging PRML drives benefited from overlapping write fields that naturally attenuated prior data layers. These technology-specific traits underscored the need for adaptive overwriting protocols in the Gutmann method to counter varying remanence behaviors across recording eras.[1]Method Description
Overview of the Overwriting Process
The Gutmann method employs repeated overwriting of data on magnetic storage media to mitigate the risks of data remanence, where residual magnetic fields may allow recovery of previously stored information. The core principle involves disrupting magnetic domains by flipping them multiple times through alternating fixed and random patterns, ensuring that any lingering echoes from original data are overwhelmed across multiple layers of the recording medium. This approach targets the physical properties of older hard disk drives, where imprecise head positioning could leave recoverable traces if only a single overwrite is performed.[1] The process consists of a total of 35 passes, structured into phases tailored to the encoding technologies prevalent in different eras of hard drive development, such as frequency modulation (FM) and run-length limited (RLL) schemes. The initial four passes use random data to obscure prior content, followed by 27 deterministic passes targeting MFM, (1,7) RLL, and (2,7) RLL encodings as detailed in the specific patterns, before concluding with another four random passes. This phased structure ensures comprehensive coverage for drives from various technological periods, maximizing the disruption of potential remanence without requiring prior knowledge of the exact drive type, as the full sequence serves as a universal precaution.[1] Implementation begins with identifying the drive's geometry, including the number of sectors, tracks, and encoding method if known, to map the overwriting accurately across the entire surface. Patterns are then generated: fixed ones for the deterministic phases and pseudorandom sequences for the random phases, utilizing a cryptographically strong random number generator developed with input from Colin Plumb to produce unpredictable data streams. These patterns are written sequentially to every sector in a permuted order, often disabling write caching to guarantee physical writes to the media rather than buffered operations. The order of the deterministic passes (5-31) is randomized using the PRNG to prevent prediction by forensic analysts.[1] Following the overwriting passes, a verification process is recommended to confirm the operation's success, involving read-back checks on a sample of sectors to ensure uniformity and the absence of readable remnants, typically covering at least 10% of the media through multiple non-overlapping samples. This step helps validate that the magnetic domains have been sufficiently altered, aligning with broader sanitization guidelines for magnetic media.[9]Specific Pass Patterns and Their Purposes
The Gutmann method employs a sequence of 35 overwriting passes designed to address data remanence across a range of historical magnetic recording technologies, including frequency modulation (FM), modified frequency modulation (MFM), run-length limited (RLL) encodings such as (1,7) and (2,7), and partial response maximum likelihood (PRML) systems. These passes combine random data with deterministic patterns tailored to exploit vulnerabilities in each encoding scheme, such as echo effects or partial domain saturation that could allow residual signal recovery using specialized equipment like magnetoresistive heads. The patterns are applied consecutively to the target sectors, with the order permuted randomly using a cryptographically strong random number generator to further obscure any potential forensic analysis. This comprehensive approach ensures compatibility with drives of unknown vintage or encoding type prevalent in the mid-1990s.[1] Passes 1 through 4 utilize random data generated by a secure pseudorandom number generator, serving as an initial scrubbing layer to disrupt any coherent magnetic domains without targeting a specific encoding, thereby providing a broad baseline erasure effective against early FM drives by fully magnetizing adjacent areas and preventing simple flux transition reads. This random approach avoids predictable patterns that might align with legacy low-density recording methods, where uniform fields could leave detectable biases. In FM systems, which rely on simple clock-embedded encoding, these passes saturate the medium indiscriminately to eliminate weak remanence signals.[1] Passes 5 and 6 use alternating bit patterns to counter clock recovery artifacts and intersymbol interference in MFM and (1,7) RLL encodings. Specifically, pass 5 overwrites with the repeating byte 0x55 (binary 01010101), which creates a high-frequency signal to overwrite low-level echoes in MFM flux transitions; pass 6 uses its complement, 0xAA (10101010), to reverse the magnetic polarity and further disrupt any residual alignment. Passes 7 through 9 employ cyclic three-byte sequences—0x92 0x49 0x24, 0x49 0x24 0x92, and 0x24 0x92 0x49, respectively—repeated across the sector, targeting (2,7) RLL and MFM by introducing complex bit sequences that violate run-length constraints and erase subtle remanence from partial writes or head positioning errors. These patterns are chosen to maximally desaturate domains affected by the encoding's sensitivity to consecutive zero bits.[1] Passes 10 through 31 consist of 22 deterministic patterns primarily aimed at (1,7) and (2,7) RLL encodings, which were dominant in mid-1980s to early 1990s drives and prone to remanence from zoned bit recording or variable density. Passes 10 through 25 use the 16 repeating byte patterns from 0x00 to 0xFF, covering all possible 4-bit combinations to target (1,7) and (2,7) RLL encodings; for instance, 0x33 (00110011) and 0x66 (01100110) address specific bit groupings that could leave echoes in (1,7) RLL's longer run constraints, while others like 0xCC (11001100) address (2,7) RLL's stricter limits on consecutive ones. Passes 26 through 28 repeat the cyclic 0x92 0x49 0x24 sequences from passes 7-9 for reinforcement in (2,7) RLL and MFM. Finally, passes 29 through 31 use another set of cyclic sequences—0x6D 0xB6 0xDB, 0xB6 0xDB 0x6D, and 0xDB 0x6D 0xB6—designed to scramble advanced (2,7) RLL patterns that might persist due to write precompensation errors. The full list of these passes is summarized in the following table for clarity:| Pass | Pattern (Repeating Byte(s)) | Targeted Encoding |
|---|---|---|
| 10 | 0x00 | (1,7) RLL, (2,7) RLL |
| 11 | 0x11 | (1,7) RLL |
| 12 | 0x22 | (1,7) RLL |
| 13 | 0x33 | (1,7) RLL, (2,7) RLL |
| 14 | 0x44 | (1,7) RLL |
| 15 | 0x55 | (1,7) RLL, MFM |
| 16 | 0x66 | (1,7) RLL, (2,7) RLL |
| 17 | 0x77 | (1,7) RLL |
| 18 | 0x88 | (1,7) RLL |
| 19 | 0x99 | (1,7) RLL, (2,7) RLL |
| 20 | 0xAA | (1,7) RLL, MFM |
| 21 | 0xBB | (1,7) RLL |
| 22 | 0xCC | (1,7) RLL, (2,7) RLL |
| 23 | 0xDD | (1,7) RLL |
| 24 | 0xEE | (1,7) RLL |
| 25 | 0xFF | (1,7) RLL, (2,7) RLL |
| 26 | 0x92 0x49 0x24 (cyclic) | (2,7) RLL, MFM |
| 27 | 0x49 0x24 0x92 (cyclic) | (2,7) RLL, MFM |
| 28 | 0x24 0x92 0x49 (cyclic) | (2,7) RLL, MFM |
| 29 | 0x6D 0xB6 0xDB (cyclic) | (2,7) RLL |
| 30 | 0xB6 0xDB 0x6D (cyclic) | (2,7) RLL |
| 31 | 0xDB 0x6D 0xB6 (cyclic) | (2,7) RLL |
Implementation and Tools
Software Supporting the Method
Several open-source tools implement the Gutmann method for secure data erasure on hard disk drives. Darik's Boot and Nuke (DBAN), first released in 2003, is a prominent bootable Linux-based utility that includes the Gutmann method as a selectable option alongside DoD 5220.22-M standards. However, DBAN has not been actively maintained since 2011 and may not be suitable for modern systems; consider alternatives like ShredOS for current use.[7] Users boot from a DBAN ISO image, press 'M' to access the method selection menu, and choose the Gutmann option to initiate the 35-pass overwriting process on detected drives.[10] The tool provides real-time progress updates and supports logging to external media like USB drives for verification, though completion on a 1TB drive often exceeds 100 hours depending on hardware speed and interface.[11] Eraser, an open-source Windows application, integrates the Gutmann method as its default erasure preset for files, folders, and unused disk space, allowing users to configure tasks via a graphical interface where the method is chosen from a dropdown menu.[12] Scheduled wipes can be set, and the software generates detailed logs of each pass, including timestamps and error reports, to confirm execution; for a 1TB drive, a full Gutmann wipe may require approximately 350 hours over USB 2.0 due to the multi-pass nature.[13] Bootable Linux distributions like ShredOS provide dedicated support for the Gutmann method via the nwipe utility, a command-line tool forked from DBAN's dwipe, which users invoke with the-m gutmann flag or select interactively in its menu-driven mode.[14] ShredOS boots from USB and automatically detects drives, allowing erasure of multiple disks simultaneously; logging is enabled with the -l option to output detailed pass-by-pass records to a file or console, and estimated times for a 1TB drive align with 100+ hours, scalable by drive speed.[15] nwipe can leverage underlying commands like dd for pattern writing or badblocks for verification in custom setups, though Gutmann mode handles this internally.[16]