Data Sanitization Methods

A list of software based data destruction methods

A data sanitization method is a specific way in which a data destruction program or file shredder overwrites the data on a hard drive or other storage device.

Most data destruction and shredding programs support a number of data sanitization methods so that you can pick and choose which one to use.

These methods are also often referred to as data erasure methods, data wipe methods, wipe algorithms, and data wipe standards. When you see terminology like this, the program is talking about data sanitization, as you'll see on this page.

Photo of a hand erasing equations on a blackboard

Jeffrey Coolidge / Getty Images

Technically, other methods of destroying data that are not based on software overwriting are also referred to as data sanitization methods, but most of the time the term is referring to these software-based methods of erasing data.

Below are several popular data sanitization methods used by data destruction programs, details on the particular method, and, when applicable, the organization or individual credited with coming up with it.

Secure Erase

Secure Erase is the name given to a set of commands available from the firmware on PATA and SATA based hard drives (it isn't available on SCSI drives).

Using Secure Erase to erase the data from a hard drive is often considered the best way to do so because the action is accomplished from the drive itself, the same hardware that wrote the data in the first place. Other erasing methods may be less effective because they rely on more standard ways of overwriting it.

According to the National Institute of Standards and Technology Special Publication 800-88, the only method of software-based data sanitation must be one that utilizes a hard drive's Secure Erase commands.

It's also worth noting that the NSA worked with the Center for Magnetic Recording Research at the University of California, San Diego, to research hard drive data sanitation. A result of that research was HDDErase, a freely available data destruction software program that works by executing the Secure Erase commands.

The Secure Erase data sanitization method is implemented in the following way:

  • Pass 1: Writes a binary one or zero

No verification of the overwrite is needed because the writing occurs from within the drive, meaning the drive's write fault detection prevents any misses. This makes Secure Erase fast compared to other data sanitization methods and arguably more effective.

Some specific Secure Erase commands include SECURITY ERASE PREPARE and SECURITY ERASE UNIT. Security Erase is another way you might see this discussed, but probably not often.

Some programs have the words secure erase in their names or advertise that they securely erase data from a hard drive. However, unless they specifically note that they use a hard drive's Secure Erase commands, they likely don't.

DoD 5220.22-M

The DoD 5220.22-M sanitization method was originally defined by the US National Industrial Security Program in the National Industrial Security Program Operating Manual, and is one of the most common sanitization methods used in data destruction software.

This data sanitization method is usually implemented in the following way:

  • Pass 1: Writes a zero and verifies the write
  • Pass 2: Writes a one and verifies the write
  • Pass 3: Writes a random character and verifies the write

You might also come across various iterations including DoD 5220.22-M (E), DoD 5220.22-M (ECE), and maybe even a few others. Each will probably use a character and its complement (as in 1 and 0) and varying frequencies of verifications.

While less common, there's another, altered version that writes a 97 during the last pass instead of a random character.

The NISPOM doesn't define any US government standard for data sanitization. The Cognizant Security Authority is responsible for data sanitization standards. The DoD 5220.22-M method is no longer permitted (nor is any software-based data sanitization method) for use by various members of the CSA including the Department of Defense, the Department of Energy, the Nuclear Regulatory Commission, and the Central Intelligence Agency.

NCSC-TG-025

The NCSC-TG-025 sanitization method was originally defined in the Forest Green Book, part of the Rainbow Series of computer security guidelines, published by the National Computer Security Center (NCSC), a group that was once part of the US National Security Agency.

NCSC-TG-025 is no longer a data sanitization standard for the NSA. The NSA/CSS Storage Device Declassification Manual (NSA/CSS SDDM) lists only degaussing and physical destruction via incineration as NSA approved ways to sanitize hard drive data. You can read the NSA/CSS SDDM here (PDF).

NCSC-TG-025 is usually implemented in the following way, combining zeros, ones, and random characters:

  • Pass 1: Writes a zero and verifies the write
  • Pass 2: Writes a one and verifies the write
  • Pass 3: Writes a random character and verifies the write

This is the same data sanitization method as DoD 5220.22-M, and variations in how it's implemented will be similar.

AFSSI-5020

The AFSSI-5020 sanitization method was originally defined in the Air Force System Security Instruction 5020 by the United States Air Force. It's unclear if the USAF still uses this data sanitization as its standard.

This data wipe method is usually implemented in the following way:

  • Pass 1: Writes a zero
  • Pass 2: Writes a one
  • Pass 3: Writes a random character and verifies the write

You might also see iterations that write a one for the first pass and a zero for the second. This method has also been seen implemented with verifications after each pass, not just the last one.

AR 380-19

The AR 380-19 sanitization method was originally defined in Army Regulation 380-19, published by the US Army. You can read the AR 380-19 data sanitization specification in AR 380-19 Appendix F (PDF).

According to Department of the Army Pamphlet 25–2–3, released in April 2019, it's clear that the US Army no longer uses AR 380-19 as its software-based data sanitization standard, but instead relies on the verification processes identified in NIST SP 800-88 Revision 1.

The AR 380-19 data sanitization method is usually implemented in the following way:

  • Pass 1 — Writes a random character
  • Pass 2 — Writes a specified character (e.g. zero)
  • Pass 3 — Writes the complement of the specified character (i.e. one) and verifies the write

It's sometimes used incorrectly by data destruction programs, so you might see it implemented without a verification of the final pass or without a third pass at all.

NAVSO P-5239-26

The NAVSO P-5239-26 sanitization method was originally defined in Navy Staff Office Publication 5239 Module 26: Information Systems Security Program Guidelines, published by the US Navy. You can read the NAVSO P-5239-26 data sanitization specification in 3.3.c.1 and 3.3.c.2 of NAVSO Publication 5239-26. It's unclear if the US Navy still uses it as its data sanitization standard.

NAVSO P-5239-26 is usually implemented in the following way:

  • Pass 1 — Writes a specified character (e.g. one)
  • Pass 2 — Writes the complement of the specified character (e.g. zero)
  • Pass 3 — Writes a random character and verifies the write

This method is the way most data destruction programs implement the standard. However, according to the actual specification, this is the less effective, "alternate method." The "preferred method" involves a more complicated overwriting pattern.

RCMP TSSIT OPS-II

The RCMP TSSIT OPS-II sanitization method was originally defined in Appendix Ops-II: Media Sanitation of the Technical Security Standards for Information Technology document, published by the Royal Canadian Mounted Police (RCMP).

However, RCMP TSSIT OPS-II is no longer the Canadian government's software-based data sanitization standard. The data sanitization standard in Canada is now CSEC ITSG-06, or a program that utilizes Secure Erase.

RCMP TSSIT OPS-II combines these methods and is usually implemented in the following way:

  • Pass 1: Writes a zero
  • Pass 2: Writes one
  • Pass 3: Writes a zero
  • Pass 4: Writes one
  • Pass 5: Writes a zero
  • Pass 6: Writes one
  • Pass 7: Writes a random character and verifies the write

This method is usually correctly used as shown above, but we've also seen it implemented with random characters in place of some of the zero/one repeating passes in some programs.

CSEC ITSG-06

The CSEC ITSG-06 sanitization method was originally defined in Section 2.3.2 of IT Security Guidance 06: Clearing and Declassifying Electronic Data Storage Devices, published by Communication Security Establishment Canada (CSEC).

CSEC ITSG-06 replaced RCMP TSSIT OPS-II as Canada's data sanitization standard.

It's usually implemented in the following way:

  • Pass 1: Writes a one or zero
  • Pass 2: Writes the complement of the previously written character (e.g., one if Pass 1 was zero)
  • Pass 3: Writes a random character and verifies the write

CSEC also recognizes Secure Erase as an approved method of sanitizing data.

HMG IS5

The HMG IS5 sanitization method was originally defined in the HMG IA/IS 5 Secure Sanitisation of Protectively Marked Information or Sensitive Information document, published by the Communications-Electronics Security Group (CESG), part of the National Cyber Security Centre (NCSC).

This method comes in two similar versions: HMG IS5 Baseline and HMG IS5 Enhanced.

HMG IS5 Baseline is usually implemented in the following way:

  • Pass 1: Writes a zero
  • Pass 2: Writes a random character and verifies the write

This is how HMG IS5 Enhanced normally works:

  • Pass 1: Writes a zero
  • Pass 2: Writes a one
  • Pass 3: Writes a random character and verifies the write

VSITR

Verschlusssache IT Richtlinien (VSITR), roughly translated as Classified IT Policies, was originally defined by Bundesamt für Sicherheit in der Informationstechnik (BSI), the German Federal Office for Information Security. You can read more about the BSI on their website.

This is how the VSITR data sanitization method is most often implemented:

  • Pass 1: Writes a zero
  • Pass 2: Writes a one
  • Pass 3: Writes a zero
  • Pass 4: Writes a one
  • Pass 5: Writes a zero
  • Pass 6: Writes a one
  • Pass 7: Writes a random character

We've seen various VSITR iterations, including one with only three passes, one that writes the letter A in the final pass instead of a random character, and one that writes alternating ones and zeros across the entire drive as the last pass.

GOST R 50739-95

There actually was never an official GOST R 50739-95 data sanitization method. There is a GOST R 50739-95 document, but it doesn't specify any data sanitization standard or methodology.

Regardless, the implementations mentioned below are labeled as GOST methods by most data destruction programs.

ГОСТ P 50739-95, translated as GOST R 50739-95, is an originally Russian-outlined set of standards designed to protect against unauthorized access to information. The full text of GOST R 50739-5 can be read (in Russian) here: ГОСТ Р 50739-95.

ГОСТ is short for государственный стандарт which means state standard.

The GOST R 50739-95 data sanitization method is usually implemented in one of these two ways:

First version:

  • Pass 1: Writes a zero
  • Pass 2: Writes a random character

Second version:

  • Pass 1: Writes a random character

One major difference between this method of erasing data, when compared with others, is that it's not a requirement for there to be a "verification" pass after the information has been overwritten. All this means is that the program using the wipe method can still claim to have used GOST R 50739-95, even if it doesn't double-check that the data was actually cleared away.

However, any program using GOST R 50739-95 can verify the overwrite if it chooses to; this is usually an option in data destruction programs and file shredders.

The Russian GOST R 50739-95 data sanitization standard is sometimes incorrectly called GOST p50739-95.

Gutmann

The Gutmann method, developed by Peter Gutmann in 1996, uses a random character, instead of just the zero used in other techniques, for the first 4 and the last 4 passes, but then uses a complex pattern of overwriting from Pass 5 through Pass 31. It writes a total of 35 passes.

Wikipedia's lengthy explanation of the original Gutmann method includes a table of the patterns used in each pass.

This method was designed in the late 1900s. The hard drives in use at that time used different encoding methods than the ones we use today, so most of the passes are completely useless these days. Without knowing exactly how each hard drive stores data, the best way to erase it is to use random patterns.

Peter Gutmann himself said in an epilogue to his original paper that "a few passes of random scrubbing is the best you can do."

Conclusion: the Gutmann method can do this, but so can other data sanitization methods.

Schneier

The Schneier method was created by Bruce Schneier and appeared in his book Applied Cryptography: Protocols, Algorithms, and Source Code in C (ISBN 978-0471128458).

This is how it's normally implemented:

  • Pass 1: Writes a one
  • Pass 2: Writes a zero
  • Pass 3: Writes a stream of random characters
  • Pass 4: Writes a stream of random characters
  • Pass 5: Writes a stream of random characters
  • Pass 6: Writes a stream of random characters
  • Pass 7: Writes a stream of random characters

Some programs may introduce small variations, like a verification after the first or last pass.

Pfitzner

Roy Pfitzner, the creator of this method, has said that data might be able to be retrieved if it's only overwritten 20 times, and that writing random characters more than 30 times should be sufficient. However, whether this is accurate is up for debate.

While most software implement this method in the following way, some may modify it and use a smaller number of passes (seven is common):

Pass 1 - 33: Writes a random character

It's sometimes written as Pfitzner 33-pass, Pfitzner 7-pass, random(x33) or random(x7).

In addition to this, most software will let you run the Pfitzner method more than once. So if you were to run it 50 times, the software will have overwritten the drive not 33 times, but 1,650 times (33x50)!

Some applications may also verify the passes after they've completed.

Random Data

Some data sanitization methods overwrite existing data with zeros or ones. Others include both zeros and ones, but also random characters as well. However, the Random Data method, as the name suggests, only uses random characters.

The data sanitization method is implemented in various ways:

Pass 1 - ?: Writes a random character

Most data destruction tools that provide a Random Data method use it as a kind of do-it-yourself sanitization method, allowing you to customize the number of passes. Therefore, you may see this method run as little as two passes or as many as 20 or 30 or more. You may also have the option of verification after each pass or just the final pass.

Some software let you customize not only the number of passes, but also the characters that are used. For example, you may be given the option to add a pass of just zeros. However, even though the program might let you customize the method, anything that deviates too far from what's explained above will result in a method that's no longer Random Data.

Write Zero

The Write Zero data sanitization method is, unsurprisingly, usually implemented in the following way:

  • Pass 1: Writes a Zero

Some implementations may include a verification after the first pass, may write a character other than zero, or may write zeros over several passes, but those aren't common ways of doing it.

Is Write Zero Sufficient for Erasing Data?

Some data sanitization methods replace your regular, readable data with random characters. As just mentioned above, Write Zero does the same thing but uses, well... zeros. In a practical sense, if you wipe a hard drive with zeros and then throw it away, your random dumpster diver won't be able to recover any of your deleted data.

If that's true, you may wonder, then, why other types of data wipe methods even exist. With all the options available, what's the purpose of a zero-fill utility? The Random Data method, for example, writes random characters to the drive instead of zeros, so how is it that different from Write Zero or any of the others?

One aspect is not just what character is being written, but how efficient the method is at overwriting the data. If only a single write pass is done, and the software doesn't verify that every piece of data has been erased, then the method isn't going to be as effective as methods that do.

In other words, if you use Write Zero on one drive, and it verifies that all the data has been overwritten, then you can be confident that the information is less likely to be recovered than if the same data were overwritten with the Random Data method but didn't verify that each sector was replaced with random characters.

However, certain characters might also provide better privacy than others. If a file recovery program knows that the data was overwritten with zeros only, it makes it significantly easier to sift through what data exists than if the program doesn't know the characters used, like those in the Schneier method.

Another reason for all the other methods is that some organizations want to prove that their information is being erased in a specific manner that's most likely to prevent recovery, so they use a certain data sanitization method with certain parameters for all their data wipe needs.

The Write Zero method is sometimes, and more accurately, referred to as the Single Overwrite method. It may also be called zero fill erase or zero-fill.

Which Data Sanitization Method Is Best?

Overwriting one or more files, or an entire hard drive, just once with a single character, should prevent any software-based file recovery method from recovering data from a hard drive. This is almost universally agreed upon.

According to some researchers1, a single overwriting of data is enough to prevent even advanced, hardware-based methods of extracting information from hard drives, meaning that most data sanitization methods are an overkill. This is not as agreed upon.

Most experts agree that Secure Erase is the best way to overwrite an entire hard drive in a single pass. The very simple Write Zero method accomplishes essentially the same thing, albeit much slower.

Using any wipe method to erase data is really just writing other data over top of your previous data so that the information gets replaced with something useless—each method works this way. The new data is essentially random and doesn't actually contain any of your personal information, which is why ones, zeros, and random characters are used. 

[1] Craig Wright, Dave Kleiman, and Shyaam Sundhar R.S. in Overwriting Hard Drive Data: The Great Wiping Controversy [PDF].

If a Single Overwrite Is Enough, Why Are There So Many Data Sanitization Methods?

As I mentioned above, not everyone agrees on a software-based data sanitization method that will prevent all possible methods of recovering the data.

Because advanced, hardware-based methods of extracting information from hard drives exist, several governmental organizations and researchers have independently devised certain methods of overwriting data that, according to their research, should prevent these advanced recovery methods from working.

What Does It Mean to 'Verify the Write?'

Most data sanitization methods run a verification after writing a character over the data, meaning that it checks the drive to ensure that the contents were actually written over.

In other words, a data write verification is like a "did I really just do this the right way?" sort of check. If the overwrite didn't complete for some reason, the software will most likely redo that specific pass until it can verify that the data has been overwritten, or it might just tell you that the verification didn't complete as expected so that you can manually rerun it if you want.

Some data wipe software tools will let you change the number of times it verifies that the files are gone. Some may verify just once at the very end of the entire process (after all the passes have been completed), while others will verify the write after each and every pass.

To check an entire drive after each and every pass to ensure that the files are being deleted will certainly take much longer to complete because it has to check it more often than just once at the very end.

Software That Support These Methods

In this table are file shredder programs and data destruction tools that support the data sanitization methods described above. If you're not sure which one to use, refer to this list of whole-drive data wipe programs or our list of file-level erasure tools.

   DBAN  HDDErase CBL WinUtil Eraser Catalano
AFSSI-5020 Yes* Yes Yes
AR 380-19 Yes* Yes Yes
CSEC ITSG-06 Yes*
DoD 5220.22-M Yes   Yes Yes Yes Yes
GOST R 50739-95 Yes* Yes Yes
Gutmann Yes   Yes Yes Yes Yes
HMG IS5 Yes* Yes
NAVSO P-5239-26 Yes* Yes
NCSC-TG-025 Yes* Yes
Pfitzner Yes Yes
Random Data Yes   Yes* Yes Yes
RCMP TSSIT OPS-II Yes   Yes* Yes
Secure Erase Yes Yes*
Schneier Yes Yes Yes
VSITR Yes Yes
Write Zero Yes Yes* Yes

*CBL Data Shredder lets you make custom wipe methods. So, technically, you can use it to wipe a hard drive with any of these methods. The items with an asterisk above mean that it's not apparent that the wipe method is supported, but you can modify the passes to create it.

Most programs also let you customize your own data sanitization method with whatever overwriting pattern and number of passes you want. For example, the program might let you choose to overwrite the data with a zero during the first pass, a one in the second pass, and then random characters for eight more passes.

Was this page helpful?