DoD Secure Erase
Users want and need a simple and secure way to erase all their data from disk drives when releasing them from their physical control for resale or repair. Over a third of drives resold on eBay contain personal data such as credit and medical records. These drives come from PCs, servers, ATM machines, banks, and workstations. It is important to emphasize at the outset that erasure security can only be relative. When handling data classified at Secret and higher, the edict is that ‘data must be destroyed using methods that assure that legacy information cannot be recovered by any means’. Government document DoD 5220.22-M is commonly quoted on erasure methods, and requires physical destruction of the storage medium (the magnetic disks) for data classified higher than Secret. [Ryk: subjective in most cases to the sensitivities of the Cognizant Security Authority responsible for the storage asset of data.]
However, even such physical destruction is not absolute if any remaining disk pieces are larger than a single 512-byte record block in size, about 1/125” [Ryk: this size is currently 1/250 of an inch due to the chemistry of current high capacity storage media] in today’s drives. Pieces of this size are found in bags of destroyed disk pieces studied at CMRR. Magnetic microscopy can image the stored recorded media bits, using the CMRR scanning magnetoresistive microscope. Physical destruction nevertheless offers the highest level of erasure because recovering any actual user data from a magnetic image requires overcoming almost a dozen independent recording technology hurdles. This is an example of the “exotic, time-consuming technology” that is the barrier to data recovery at the highest level of erasure security. Even if these hurdles were overcome, about an hour would be required to recover one single user data block out of millions on the disk. Recovering substantial amounts of data in less than months requires that the disk be intact and undamaged so that heads can be flown over it to obtain data playback signals, in addition to overcoming the technology hurdles. Simply bending a disk makes this impossible.
… DoD 5220 (The Secure Erase specification) [Ryk: Secure Erase is an internal purge command that is part of the ATA specification and has been a standard feature in all ATA spec compliant devices manufactured since 2001. SE is launched by sending a device lock command followed by the Secure Erase Init command. The process has no external user controls and will process all storage regions of the media surface including the Protected Service Regions (if the host has an HPA aware host controller). Some software manufacturers are using the term Secure Erase incorrectly, and in my opinion deliberately, in order to confuse consumers. Don’t confuse DoD 5220 with SE] calls for multiple block overwrites for Secret data, which can take more than a day to complete on today’s drives. So users make a tradeoff between the time required to eliminate their data and the risk that the next drive user will know and use recovery techniques to access weakly erased data. Figure 1 shows tradeoffs in security level vs. speed of erasure for various erasure options.
CMRR has studied secure erase for the Federal Government for seven years, and its research shows three distinct protocols used for user data deletion, with the following security levels:
1. Weak deletion by users deleting files in public operating systems such as Windows or Linux (“usual computer erase” in Figure 1). This deletes only file directory entries, not the user data itself. User data recovery is simple with utilities like Norton Unerase. Even reformatting a drive still only erases file directories, not user data. Low level formatting commands no longer exist in today’s disk drives.
2. Block erasure utilities are widely available for purchase, which overwrite all user accessible blocks. Block overwriting gives a higher level of deletion confidence than (1), and these utilities claim to meet Federal Government requirements in DoD 5220. This document requires three writes – 0’s, their binary complement 1’s, and then a random data pattern which is verified by a read. However, block write software utilities cannot erase reassigned user blocks, since these have no logical block address to write to and physical sector address drive commands no longer exist. Some utilities do not verify the final random write; and all can be vulnerable to malicious software attacks which modify the utility program to make it falsely report a successful erase. Operating system erasure commands using internal kernel security could eliminate false reporting risk, but MS Windows does not currently have such a secure erase command. In Linux, a simple shell sequence can be run to overwrite all accessible disk blocks, but its security is not established.
3. Disk drive Secure Erase is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications, which runs inside drive hardware. It completes in about 1/8 the time of 5220 block erasure. It was added to the ATA specification in part at CMRR request. All recent ATA drives have the command and successfully pass secure erase validation testing at CMRR (see Appendix). The next section covers its technical requirements for erasure security. The command reports whether the secure erase is totally successful, through the ATA hardware interface. It has DoD 5220 Secret data erasure security and offers an opportunity for higher erasure security, if the Enhanced protocol requirements below are met. Its erase and malicious attack security meets DoD 5220, because attacking drive internal firmware is far more difficult than attacking computer software, and requires disk drive forensic technology.
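The three-write pattern in (2) (zeros, their complement, then random data verified by a read), implemented as the kind of Linux shell sequence the same paragraph mentions. This is an added example for this page, not code from the CMRR paper or from any erasure product; it assumes GNU coreutils (`dd`, `head`, `tr`, `cmp`) and, for block devices, `blockdev` from util-linux. It is run here against a constructed sample file. Note the limitation the paragraph states: a host-side overwrite like this reaches only blocks the operating system can address, so reassigned sectors and HPA/DCO regions are untouched, and the verifying read is done by the same software that did the writing.

```shell
#!/bin/sh
# Three-pass block overwrite with read-back verification, in the pattern the
# text attributes to DoD 5220: all zeros, then their complement (all ones),
# then random data that is read back and compared. Added example for this
# page, not CMRR's or any vendor's utility. Like every host-side overwrite it
# reaches only blocks the OS can address: reassigned sectors and HPA/DCO
# regions are untouched, which is the limitation the text points out.
set -u

# overwrite_3pass TARGET
# TARGET is a regular file (used in the demo) or a block device. Returns 0
# when all three passes complete and the random pass reads back byte-for-byte
# identical; a non-zero status identifies the step that failed.
overwrite_3pass() {
    target=$1
    if [ -b "$target" ]; then
        size=$(blockdev --getsize64 "$target")   # util-linux, devices only
    else
        size=$(wc -c < "$target")
    fi
    [ "$size" -gt 0 ] || return 2                # nothing to overwrite
    pattern=$(mktemp) || return 3

    # Pass 1: zeros. conv=notrunc keeps the target's length unchanged.
    head -c "$size" /dev/zero | dd of="$target" conv=notrunc 2>/dev/null || return 4
    # Pass 2: binary complement of pass 1, i.e. every byte 0xFF.
    head -c "$size" /dev/zero | tr '\000' '\377' \
        | dd of="$target" conv=notrunc 2>/dev/null || return 5
    # Pass 3: random data, copied to a temp file so it can be verified.
    head -c "$size" /dev/urandom | tee "$pattern" \
        | dd of="$target" conv=notrunc 2>/dev/null || return 6
    sync
    # Verification read: what is stored must equal the random pattern.
    cmp -s "$pattern" "$target"; rc=$?
    rm -f "$pattern"
    [ "$rc" -eq 0 ] || return 7
    return 0
}

# Demo on a constructed sample file; nothing outside this temp file is touched.
demo=$(mktemp)
printf 'constructed sample: account 0000-1111, diagnosis code Z99\n' > "$demo"
overwrite_3pass "$demo"; rc=$?
if [ "$rc" -eq 0 ]; then
    echo "overwrite verified: $demo now holds only the random pass"
else
    echo "overwrite failed at step $rc"
fi
rm -f "$demo"
```

On a real device the target would be the whole disk node, and the function would still leave reassigned sectors and any HPA/DCO region untouched; that gap is what the drive-internal Secure Erase command in (3) exists to close.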
(Above cited from the Center for Magnetic Recording Research, University of California, San Diego. Written by Gordon Hughes, Associate Director. It was updated by Ryk Edelstein, an associate of Dr. Hughes, on Jan 19, 2009. The complete, original paper can be read here.)
Non-Windows Secure Erase Freebies:
[Ryk: So, why is SE not as popular as we would hope it to be? Risk: if SE were to be exploited by virus or malware, then the potential for data devastation would be extreme. Hence, most computer manufacturers have inhibited SE from being launched in the BIOS. Likewise, in many cases the host controller is not HPA aware, and will not permit any modification of the HPA, and in some cases the Device Control Overlay. This means that any data stored in these regions will not be purged by the SE process. It is for this reason that software vendors cannot create a product that will be reliable as a distributable software based product. It would just not work in most systems. The only way to effectively launch SE is to do it in a purpose built appliance such as is manufactured by Ensconce Data Technology in their Digital Shredder line of Secure Erase appliances. SE is currently being used to purge up to Secret level data. It is also categorized by the National Institute of Standards and Technology, in their Special Report 800-88, as a Purge level technology, which happens to be the same level as degaussing. Except, SE renders the processed device usable at the completion of the process. Currently SE is very valuable in providing users with the ability to purge a device on site, giving them the ability to either repurpose the asset, or ship it to an external physical destruction facility without the risk of potential data exposure, should the device go missing in transit, or at the facility.]
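The two obstacles the note above describes, a BIOS that leaves the drive unable to accept the command and an HPA the controller will not expose, can both be checked from a running Linux system before deciding whether SE is usable on a given drive. The following is an added example for this page (not code from CMRR, the hdparm project, or any appliance vendor) that parses the `Security:` section of `hdparm -I` output and the `max sectors = current/native` line of `hdparm -N`. The `hdparm` options used (`-I`, `-N`, `--user-master`, `--security-set-pass`, `--security-erase`, `--security-erase-enhanced`) are the real ones; the identify and HPA outputs embedded below are constructed so the script runs without a drive, and the variable and function names are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for ATA Secure Erase, added as an example for this page
# (not code from CMRR, the hdparm project, or any appliance vendor).
# It reads the "Security:" section of `hdparm -I` output to decide whether an
# erase could be issued now, and the `hdparm -N` line to count sectors hidden
# by a Host Protected Area. The sample outputs below are constructed so the
# script runs without a drive; on a real system pass the live output, e.g.
#   se_readiness "$(hdparm -I /dev/sdX)"
set -u

# se_readiness IDENTIFY_TEXT
# Prints READY, READY-ENHANCED, FROZEN, LOCKED, PASSWORD-SET or UNSUPPORTED.
# Exit status is 0 only when the drive would accept an erase right now.
# "frozen" is the state a BIOS leaves the drive in so that SE cannot be
# issued from the running OS, the inhibition the note above describes.
se_readiness() {
    printf '%s\n' "$1" | awk '
        /^Security:/                          { insec = 1; next }
        insec && /^[^[:space:]]/              { insec = 0 }
        !insec                                { next }
        /^[[:space:]]*supported[[:space:]]*$/ { supported = 1 }
        /supported: enhanced erase/           { enhanced = 1 }
        /^[[:space:]]*frozen/                 { frozen = 1 }   # "not frozen" does not match
        /^[[:space:]]*locked/                 { locked = 1 }
        /^[[:space:]]*enabled/                { enabled = 1 }  # a password is already set
        END {
            if (!supported) { print "UNSUPPORTED";  exit 1 }
            if (locked)     { print "LOCKED";       exit 1 }
            if (frozen)     { print "FROZEN";       exit 1 }
            if (enabled)    { print "PASSWORD-SET"; exit 1 }
            print (enhanced ? "READY-ENHANCED" : "READY")
            exit 0
        }'
}

# hpa_hidden_sectors HDPARM_N_LINE
# Prints how many sectors a Host Protected Area hides, from the
# "max sectors = current/native" line printed by `hdparm -N /dev/sdX`.
# 0 means no HPA. Hidden sectors are not reached by software overwrite and
# are covered by SE only when the controller exposes the full drive.
hpa_hidden_sectors() {
    printf '%s\n' "$1" \
        | sed -n 's#.*max sectors[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)/\([0-9][0-9]*\).*#\1 \2#p' \
        | awk '{ print $2 - $1 }'
}

# se_issue_erase DEVICE
# The two-step sequence the text describes: set a (temporary, arbitrary)
# user password so the drive is locked, then issue the erase, preferring the
# enhanced variant when the drive advertises it. Destroys all data on DEVICE
# and is deliberately not called by the demo below.
se_issue_erase() {
    dev=$1
    pw=${SE_PASSWORD:-p}
    hdparm --user-master u --security-set-pass "$pw" "$dev" || return 1
    if hdparm -I "$dev" | grep -q 'supported: enhanced erase'; then
        hdparm --user-master u --security-erase-enhanced "$pw" "$dev"
    else
        hdparm --user-master u --security-erase "$pw" "$dev"
    fi
}

# Constructed sample of the Security section for a drive that is ready, the
# same drive after a BIOS has frozen it, and a constructed `hdparm -N` line.
SAMPLE_IDENTIFY_READY='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'
SAMPLE_IDENTIFY_FROZEN=$(printf '%s\n' "$SAMPLE_IDENTIFY_READY" | sed 's/not frozen/frozen/')
SAMPLE_HDPARM_N=' max sectors   = 976771055/976773168, HPA is enabled'

printf 'ready drive : %s\n' "$(se_readiness "$SAMPLE_IDENTIFY_READY")"
printf 'frozen drive: %s\n' "$(se_readiness "$SAMPLE_IDENTIFY_FROZEN" || true)"
printf 'HPA hides %s sectors\n' "$(hpa_hidden_sectors "$SAMPLE_HDPARM_N")"
```

A drive reported as FROZEN cannot take the command until the frozen state is cleared (commonly by a suspend/resume cycle or a hot re-plug on controllers that allow it), and a non-zero HPA count means a software overwrite run from this host would leave those sectors untouched; both outcomes are exactly the cases the note gives for why a distributable software product cannot rely on SE.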
The Secure Erase command [I believe that the Mac SE command is a software overwrite utility. Software overwrite utilities, of any type, are incapable of accessing protected service areas of the hard drive and are considered susceptible to laboratory reconstructive efforts. Please don’t get me wrong … software based overwrite tools are important for processing non-SE compliant devices such as SCSI and older ATA product. As SCSI does not have an embedded controller, overwrite technology is more effective on SCSI drives than on ATA, as the controller is host based, and full control of the SCSI controller is possible. In the ATA world, the goal is to deliver high storage capacities at low cost, and as such, the embedded controller technology limits some of the features necessary for a host to access all storage regions] comes native in Mac OS X 10.4, and as far as I am aware, Apple is the only vendor that includes this feature natively with the operating system.
If a Windows-only secure erase product will not meet your needs (or even if you have Windows and no need for other operating systems), then look at smartmon-ux by SANtools. It is ported to Solaris, AIX, IRIX, Linux, HP-UX, Windows, and other operating systems, so you don’t have to temporarily install drives in a PC that runs Windows or boots DOS.
– David Lethe / Ryk Edelstein
* Ryk Edelstein is the founder and a partner at Converge Net Inc., a Montreal-based network and security solution provider specializing in applying expertise in packet level data analysis to the delivery of accurate and effective traffic efficiency and content level security solutions to enterprise clients.