Overwrite / Overwritten Data

The recovery industry uses “overwrite” with a specific technical meaning: new bytes have physically replaced old bytes at the storage location where the old data lived. This is different from deletion, which only changes the file system’s bookkeeping while leaving the actual data bytes untouched on the storage medium.¹

The two ways overwriting happens

Overwriting on a storage device occurs through two mechanisms with very different implications:

• Incidental overwrite during normal use: when the operating system writes new files (downloads, app installs, OS updates), it allocates storage space from the pool of available blocks. If those allocated blocks happen to contain the bytes of a previously-deleted file, the previous content is overwritten as a side effect. Most overwrites that frustrate recovery happen this way.
• Intentional secure-erase overwrite: a user runs a tool specifically designed to overwrite data: shred, sdelete, BleachBit, DBAN, or similar. The tool’s purpose is to make recovery infeasible, and it writes specific patterns (zeros, random data, or known patterns) to the target storage locations.

File-level vs full-disk overwrite

Different overwrite scopes produce different outcomes:

• File-level overwrite targets a specific file’s storage space, leaving the rest of the disk untouched. Tools like sdelete -p target individual files. The risk is that the file may have left fragments in slack space, journal entries, or temp files that aren’t covered by file-level overwrite.
• Full-disk overwrite writes new data to every accessible storage location on the drive. DBAN and similar tools work this way. More thorough than file-level but takes longer (hours for a multi-TB drive) and destroys all data on the drive.
• Free-space overwrite overwrites only the storage space marked as available; existing files are preserved. Useful for cleaning up after deletion of sensitive files without destroying the entire drive contents.

What makes overwriting different from secure erase

Overwriting is a software-level operation that uses the storage device’s normal write commands. Secure Erase is a firmware-level operation built into the device itself. For HDDs, both achieve the same result; for SSDs, only secure erase works correctly. The distinction matters because users who run multi-pass overwrite software on SSDs may believe they’ve achieved sanitization when in fact the SSD’s wear leveling has left old data scattered across NAND cells the overwrite never reached.

The recoverability story has a clear boundary: deleted-but-not-overwritten data is recoverable through standard means; overwritten data generally is not. The technical reasons explain why this boundary is harder than it might sound to cross in either direction.²

How HDD overwriting works at the physical level

Hard drives store data as magnetic patterns on the platter surface. When the drive writes new data to a sector, the write head’s magnetic field aligns the magnetic domains in that sector to encode the new data. The previous magnetic state is replaced by the new state; there is no separate copy preserved anywhere. After the write completes, the sector contains only the new pattern.

The Gutmann method myth

The most enduring myth in data sanitization is that residual magnetic traces of overwritten data can be recovered through specialized techniques like magnetic force microscopy. This belief originates from a 1996 paper by Peter Gutmann that proposed a 35-pass overwrite method based on the magnetic encoding of MFM and RLL drives of that era. The paper was technically reasoned for those specific drives. Modern drives use perpendicular magnetic recording (PMR) and shingled magnetic recording (SMR) at densities thousands of times higher than 1996-era drives, where the spacing between magnetic domains is so small that residual traces of previous states are not measurable in practice.

The Gutmann method has never been demonstrated to successfully recover data from a modern HDD that received even a single overwrite pass. Government and industry standards have moved on; the 35-pass method is considered legacy.

What residual data myths actually look like in practice

The DriveSavers documentation cites Mike Cobb, the company’s Director of Engineering, on this point: “Just because a drive has been ‘erased’ doesn’t always mean the data is truly gone.” The recovery industry’s perspective acknowledges that erasure can be incomplete, but the cases where data remains recoverable after attempted erasure are not the magnetic-residual myth; they’re cases where overwriting missed parts of the drive. Common gaps include:

• Remapped sectors: sectors that the drive’s firmware has marked bad and replaced with spares; standard overwrite tools don’t reach the original physical sectors.
• Host Protected Area (HPA): a hidden region of the drive that the BIOS/firmware can hide from the operating system; standard overwrite operations may not touch it.
• Device Configuration Overlay (DCO): similar to HPA; another hidden region that overwrite tools may miss.
• Overprovisioned space on SSDs: NAND cells the SSD reserves for wear leveling and bad-block replacement; not addressable from the host.
• Manufacturing service area: drive firmware and calibration data; not typically accessible for overwrite.

None of these are recoverable through magnetic residue. They’re recoverable because the overwrite never touched them. The fix is using firmware-level sanitize commands that reach these areas.³

When partial overwrite leaves recoverable fragments

If only part of a deleted file’s storage space has been overwritten, the unwritten portions may still contain the original data. Recovery software can sometimes reconstruct partial files from these fragments. Common partial-overwrite scenarios:

• A deleted file’s clusters are gradually consumed by new files; some clusters get overwritten while others don’t.
• A new file is smaller than the deleted file it’s replacing; the tail end of the deleted file may persist in unallocated space.
• Fragmented files have some fragments overwritten and others preserved.

These partial recoveries produce incomplete files (corrupt JPEGs that show partial images, truncated documents) rather than fully usable recovered files.

For decades, IT culture has believed that secure erasure requires multiple overwrite passes with specific patterns. This belief is no longer technically correct for modern storage.⁴

Where multi-pass requirements came from

Several historical standards specified multiple passes:

• DoD 5220.22-M (1995): required three passes for HDD sanitization; one with a fixed character, one with the complement, one with a random character, followed by verification. Widely adopted as a generic “secure erase” baseline.
• Gutmann method (1996): 35 passes with specific patterns designed to defeat residual magnetic traces on MFM and RLL drives.
• NSA/CSS Storage Device Sanitization Manual (1990s-2000s): multi-pass requirements for classified data sanitization.
• British HMG Infosec Standard No. 5: three-pass overwrite for sensitive data.

These standards were developed when drives used much lower data densities and different magnetic encoding. The technical concerns that motivated multi-pass requirements largely don’t apply to modern drives.

What current standards say

The most authoritative modern guidance comes from NIST SP 800-88 Rev. 2 (September 2025): “A single overwrite pass is sufficient for modern HDDs at the Clear level: multi-pass methods are legacy thinking.”⁵ The technical reasoning:

• Modern drives use PMR or SMR encoding at data densities where residual magnetic traces are too small to be detected reliably.
• Drive firmware translates writes through internal mapping and may handle multiple passes differently than expected.
• Single-pass-with-verification provides the same practical security as multi-pass and takes a fraction of the time.
• For Purge-level sanitization, firmware-level commands (Secure Erase, Sanitize) are preferred regardless.

When multi-pass is still relevant

Limited cases where multi-pass overwriting still has practical value:

• Compliance with legacy standards: some regulatory frameworks still reference DoD 5220.22-M; multi-pass may be required for documentation purposes even when not technically necessary.
• Very old drives (pre-2001 MFM/RLL): drives at densities where multi-pass concerns might still apply; rare in modern environments.
• Defense-in-depth policies: organizations choosing extra overwrite passes for risk-management reasons rather than technical necessity.

For practical purposes, single-pass overwriting with verification is the modern correct approach for HDDs. Multi-pass is overkill that takes longer without providing additional security.

For solid-state drives, the entire concept of overwriting needs reframing. SSDs cannot be “overwritten” in the simple sense that HDDs can. The wear-leveling mechanism that extends SSD lifespan also makes overwrite-based sanitization unreliable.⁶

How wear leveling defeats overwriting

An SSD contains many NAND flash cells, each with a limited number of write cycles. To extend the drive’s life, the SSD’s controller distributes writes across all cells rather than repeatedly writing to the same cells. When you tell the SSD to write to logical block 100:

1. The controller looks at its internal mapping table to find which physical NAND cell currently holds block 100’s data.
2. The controller selects a different physical NAND cell that has had fewer writes (the wear-leveling decision).
3. The controller writes the new data to the new physical cell.
4. The controller updates its mapping table so future reads of block 100 will find the new physical cell.
5. The original physical cell that held block 100’s old data is marked as containing stale data, but the data isn’t immediately erased; it sits there until the SSD’s garbage collection eventually clears it for reuse.

The result is that overwriting block 100 doesn’t actually overwrite block 100’s NAND cell. The old data persists in a different physical cell, no longer mapped to any logical address but still electrically present. Chip-off recovery can sometimes access this orphaned data because chip-off bypasses the controller and reads NAND directly.

The “full disk overwrite” deception

Running DBAN, sdelete, or similar overwrite tools on an SSD produces the appearance of a full overwrite but doesn’t deliver actual sanitization:

• The tool writes to every logical block address.
• The SSD’s controller distributes those writes across NAND cells via wear leveling.
• Many cells that contained old data may not be written to during the operation; they simply become unmapped.
• Overprovisioning space (NAND reserved for replacement and wear leveling) is not addressable from the host and is not touched by overwrite tools.
• The drive reports success, but old data persists in cells the overwrite never reached.

Correct SSD sanitization

Modern SSD sanitization uses firmware-level commands that the drive’s controller executes internally:

• ATA Secure Erase: the SATA-standard command for sanitizing SATA SSDs. The SSD’s controller clears all NAND cells, including overprovisioning space. Faster than overwriting (often minutes) and more thorough.
• NVMe Sanitize: the NVMe-standard equivalent. Three modes: Block Erase (clears all NAND), Crypto Erase (destroys encryption key), and Overwrite (writes pattern to all blocks).
• Cryptographic Erase on self-encrypting drives: destroys the encryption key; all data on the drive becomes encrypted ciphertext that cannot be decrypted. Effectively instantaneous.
• Vendor-specific tools: Samsung Magician, Crucial Storage Executive, Intel Memory and Storage Tool, and similar manufacturer utilities provide GUI access to firmware sanitize commands.

Practical SSD sanitization workflow

For consumers and IT departments wanting to sanitize SSDs:

1. Don’t rely on overwriting with traditional tools.
2. Use the manufacturer’s utility if one is available; it typically wraps the firmware sanitize command in a user-friendly interface.
3. For NVMe drives, use nvme sanitize from a Linux command line or equivalent.
4. For self-encrypting drives, cryptographic erase is the fastest and most reliable approach.
5. Verify the sanitization using whatever logging the firmware provides; the host operating system may not be able to verify completion otherwise.

The US National Institute of Standards and Technology publishes Special Publication 800-88, the most widely cited authoritative standard for media sanitization. The current version is Revision 2, published September 2025, which supersedes Revision 1 from 2014 and adds specific guidance for NVMe, flash storage, and self-encrypting drives.⁷

The three sanitization levels

Level	What it does	Appropriate when
Clear	Logical techniques (overwriting or vendor resets) that defeat basic recovery tools	Routine internal device reuse; basic risk reduction
Purge	Advanced techniques (firmware sanitize, cryptographic erase, degaussing for HDDs) that resist sophisticated forensics	Devices leaving organizational control; higher-sensitivity data
Destroy	Physical destruction (shredding, melting, incineration) that renders the medium unusable	Highest sensitivity; end-of-life disposal

Per-medium recommendations

NIST 800-88 provides specific recommendations by storage medium:

• HDDs (magnetic): Clear via single-pass overwrite with verification. Purge via firmware sanitize, degaussing, or cryptographic erase if drive is self-encrypting. Destroy via shredding to specific particle size.
• SSDs (SATA, NVMe): Clear via vendor sanitize/format that clears mapping tables. Purge via ATA Secure Erase, NVMe Sanitize, or cryptographic erase. Destroy via shredding or incineration.
• Self-encrypting drives: Cryptographic Erase meets or exceeds Clear; can satisfy Purge depending on encryption strength.
• Flash media (USB drives, SD cards): Sanitize via vendor command or cryptographic erase; physical destruction for highest sensitivity.
• Optical media (CDs, DVDs, Blu-ray): Destroy is the only reliable sanitization; logical erasure isn’t sufficient.

Why NIST 800-88 matters

The standard is referenced by major regulatory frameworks (HIPAA, GDPR, CMMC) and is the de facto baseline for enterprise data destruction policies. Compliance with NIST 800-88 provides documented support for the sanitization process, which matters in regulated industries and in cases where data destruction may be challenged. Consumer-tier sanitization decisions don’t require NIST compliance, but the standard’s technical recommendations (single-pass for HDDs, firmware commands for SSDs) are good guidance for any context.

What changed in Revision 2 (2025)

The September 2025 revision adds specific guidance for storage technologies that didn’t exist or were rare when Rev. 1 was published in 2014:

• NVMe-specific sanitization commands with detailed mode coverage.
• Self-encrypting drive guidance for cryptographic erase as a primary sanitization method.
• Updated SSD recommendations reflecting wear-leveling realities.
• Cloud and virtual storage guidance for sanitizing data in shared environments.
• Verification requirements emphasized more strongly.