ELI5: Why is overwriting computer memory with all 0s or all 1s not enough to render the data entirely irretrievable?

I heard on another post something about 0-ing out computer memory not being enough to stop a digital forensics expert with enough time and dedication from recovering the data. They said you needed to overwrite the data randomly at least 7 times to render it completely irretrievable. This seems completely unnecessary to me, unless computer memory has some sort of physical “residual memory” where you could identify the last change made to that bit. And even if that is the case, why wouldn’t overwriting every bit to 0, then 1, then back to 0 work just as well?

10 Answers

Anonymous 0 Comments

It’s because physics is not perfectly binary, and doesn’t need to be in normal use. Normally your computer asks “is there definitely totally a 1 here” with a high threshold. But the forensics person can ask “*was* there a 1 here”, and there’s a difference between yes and no.

Anonymous 0 Comments

My understanding is that for modern, spinning disks, this isn’t an issue. The original conjecture that data could be recovered using expensive tools was from a paper presented at a conference in the late 1990s, and was an attack against hard drives that–even by then–were somewhat outdated. The attack was based on the idea that hardware back then wasn’t particularly precise, so a single overwrite may have left the magnetic signal in a not quite on or off state. If you could look at the physical media closely enough you might be able to tell that something which the hard drive equipment thought was a 0 actually wasn’t all the way in a 0 state, which could indicate that it had been a 1 at some point. The attacker would need to use very specialized tools that could read the magnetic signal in a more precise way than the hard drive itself could accurately read or write. Specifically, [Magnetic force microscopy](https://en.wikipedia.org/wiki/Magnetic_force_microscope) and [scanning tunneling microscopy](https://en.wikipedia.org/wiki/Scanning_tunneling_microscope).

The ELI5 for those is that you use a very sharp “needle” that can “see” the detail in incredibly small magnetic or physical spaces, including being able to see down to the single atom layer.

[It’s not ELI5 territory, but you can read more about it in this old article](https://web.archive.org/web/20121110053501/http://grot.com/wordpress/?p=154). A lot has been written about your question though, so you can find other sources in addition to this one.

Modern SSDs will mark sections of the drive as “bad” after they become unusable. I’m a little uncertain about what happens here, but I think that these drive sections may always be left in their last known state, even if you try to use software tools to overwrite the drive. If that is the case (and hopefully someone more knowledgeable can comment), data in bad areas has a decent likelihood of being recoverable to someone with sufficient means (albeit very well funded means). So, if you’re James Bond and worried that you might have to crash land in enemy territory, make sure your drives are encrypted from day 1, or have a spare vat of acid handy just in case.

Anonymous 0 Comments

The ‘7 overwrites to be completely irretrievable’ is mostly just an overabundance of caution.

For example, after a single overwrite, there may be some residual charge left behind that could be interpreted as having previously been a 1 or 0. Enough so that strong forensics could make a more conclusive prediction.

It’s been a while since I’ve read the specifics, but somewhere between 3 to 4 overwrites is enough to render virtually anything unrecoverable on the current tech of the time that it became a standard. However, the US government needed to be absolutely certain that even with current and future tech that they don’t know about (you know, the kind our adversaries *could* theoretically have), data *couldn’t* be recovered. They pretty much doubled (and rounded up) the average number of rewrites they found to be reliable in rendering data completely gone.

It wasn’t that at 6 overwrites they could still recover data but they couldn’t at 7... it was more of a “but what if our enemies have something we don’t know about and *can* recover data more reliably”.

Additionally, zeroing a drive isn’t that reliable in all honesty. If you only do it once or twice, you may still detect enough of a field anywhere there was a one to make the assumption that it used to be a one. Places that have weaker fields would likely have been a zero before the wipe. Realistically you don’t want to zero a drive... you want to overwrite it with random data multiple times and *then* zero, so even if they can recover anything it’ll just be a random assortment of 1s and 0s.

I’d add, for the average user a single overwrite/zero is enough to prevent your data from being recovered. Unless you have some high level forensics team trying to peek at your overwritten data, nobody is going to bother trying to recover something that’s been fully deleted.

Anonymous 0 Comments

When you write data, the ones are magnetic in one direction and the zeros magnetic in the other. When you overwrite data, the length of the magnetic data block may not be the same size, resulting in residual original data on the edges. In addition, when you write a one on top of a one, the magnetic field is slightly stronger than if you write a zero on top of a one. With an extremely sensitive meter you can find these differences. The seven passes of all ones alternating with passes of all zeros ensure the residual magnetic differences and edge variations are removed.
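A toy simulation of the residual-signal idea described in the answers above, added here as an example and not written by any poster. The constants `RESIDUAL` and `NOISE` and the linear "a fraction of the old level survives each write" model are assumptions chosen for illustration, not measurements of any real drive; the wipe patterns are fixed and known to the attacker, which covers the 0, 1, 0 sequence the question asks about.

```python
import random

# Toy model: every constant here is an assumption, not a drive measurement.
HIGH, LOW = 1.0, -1.0   # ideal analog levels for a stored 1 and a stored 0
RESIDUAL = 0.10         # fraction of the old level that survives one write
NOISE = 0.02            # std-dev of the attacker's measurement noise

def write(level, bit):
    """Write `bit` over a cell; a fraction of the previous level remains."""
    target = HIGH if bit else LOW
    return (1 - RESIDUAL) * target + RESIDUAL * level

def overwrite(level, passes):
    """Apply a wipe pattern (one bit per pass) to a single cell."""
    for bit in passes:
        level = write(level, bit)
    return level

def drive_read(level):
    """What the drive itself does: one coarse threshold at zero."""
    return 1 if level > 0 else 0

def forensic_guess(measured, passes):
    """Precise read: compare the measurement with the level a cell with
    no history (level 0) would have after the same wipe pattern."""
    midpoint = overwrite(0.0, passes)
    return 1 if measured > midpoint else 0

def recovery_accuracy(passes, n_bits=20000, seed=1):
    """Fraction of original bits guessed correctly after the wipe."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_bits):
        original = rng.randint(0, 1)
        level = overwrite(HIGH if original else LOW, passes)
        measured = level + rng.gauss(0, NOISE)
        hits += forensic_guess(measured, passes) == original
    return hits / n_bits

if __name__ == "__main__":
    for passes in ([0], [0, 1], [0, 1, 0]):
        print(passes, round(recovery_accuracy(passes), 3))
```

In this model the trace of the original bit shrinks by a factor of `RESIDUAL` per pass, so it falls below the measurement noise after a few passes and the guess drifts toward a coin flip, while `drive_read` only ever sees the last pass.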

Anonymous 0 Comments

This might get buried, but currently, the method used by the US government (such as US military, NSA, etc.) thinks that overwriting a magnetic disk (hard drive) is NOT acceptable anymore, and they degauss or physically destroy the drive and do not allow you to sanitize a disk via overwriting, at all.

They must know something that even security researchers don’t know, as only a few years ago, even a single pass was considered OK, but 3-7 was most secure and in most practices.

Anonymous 0 Comments

The short version is that it is enough these days, and maybe it always was.

As other people have said, it’s possible that years ago a sufficiently well funded person could have taken your hard drive into a clean room with custom equipment and scanned the platters so they could see how the bits used to be set.

So, you know, even back when it was theoretically possible, it would have been incredibly expensive, difficult, and probably not going to be 100% even if you could do it. So, you know, maybe possibly worth it to find designs for a nuclear superweapon. Not so much to find my old emails and tax returns.

Nowadays, the resolution of the bits on the platters and the magnetic signals so weak that there’s no way it’s possible on a modern drive. Could there be some super secret technology sitting downstairs in Langley that could do it? Really doubt it.

So yeah, go ahead and overwrite it once. Nobody’s getting it back.

Anonymous 0 Comments

Computer forensics is not unlike physical forensics in this regard.

Imagine you had a keypad that was worn down from constant use, and you could see the 4 numbers that had been pressed the most by simply observing the damage. You can press all the other buttons, but you’d have to press them a lot to make them equally worn down. And even then, someone with advanced equipment could tell the difference between the ones that you intentionally wore down if they were dedicated enough, since a button worn down over an extended period of time will be damaged differently and contain trace amounts of substances that can make it possible to differentiate.

This is the same concept here. Sectors of the hard drive are physically altered over time, and synthetic overwriting can be detected and accounted for in advanced recovery techniques.

But, for SSDs, this is largely irrelevant.

Anonymous 0 Comments

I just researched this extensively last week and found this excellent article explaining why one pass is sufficient:

[https://www.howtogeek.com/115573/htg-explains-why-you-only-have-to-wipe-a-disk-once-to-erase-it/](https://www.howtogeek.com/115573/htg-explains-why-you-only-have-to-wipe-a-disk-once-to-erase-it/)

I found several other articles which said the same. DuckDuck this for more info: how many passes to wipe hard drive

Anonymous 0 Comments

Kind of have to remember that there are no actual 1’s or 0’s in a computer.
It’s all thresholds of charge.
If it has enough energy or strength it’s a 1, else it’s a zero.
So… Lower the threshold and you can get a 1 if there is any charge.
When it erases it just lowers the threshold enough that it can’t be seen as a 1 normally.

To get it really clear requires a lot of power.
If you really want to make the drive data free, destroy it real good.