General thoughts on data security, destruction, protection
There are several ways to destroy the data on disk drives. This entry covers the basics of them and exposes their relative risks. Basically they range from erasing files from the O/S prompt, reformatting the file system, low-level formatting, DoD secure erase, to pulverizing the disk into little bits. If your organization deals with plutonium, for example, then your only option involves 12,000 pounds or more of pressure.
For the record, the best way to destroy data is to turn it over to a company that can turn it into a bag of metal confetti. Hammers, drill bits, and even your six-year-old with a screwdriver or an electromagnet won’t protect the surviving bits & pieces from revealing your secrets.
The least effective way to destroy your data is to delete it! When you erase a file via the delete command, Windows Explorer, or rm -r, only the corresponding references are deleted and the space formerly occupied by the file is marked as free. The actual file data remains intact on the disk until the space is claimed by some other file (at which point the original data is overwritten). While data that has been overwritten isn’t generally recoverable, certain government organizations have the equipment necessary to recover what you “deleted”.
In addition, don’t bother trying to destroy data with the reformat command or icon in Windows. This doesn’t destroy data either. Next time you go to the computer store, look at all the software products that vendors sell that let you unformat your disk drive. ‘Nuff said on that.
A reasonably effective means to destroy all of the data on a disk is to use a program that issues the low-level command FORMAT UNIT. This command exists on all disks that speak the SCSI protocol. If you have ATA/SATA (also called IDE) disks, then there is no equivalent ANSI command to reformat the entire disk. Some drive vendors have utility programs that send a vendor-specific command to reformat the entire disk. Luckily, late-model SATA/ATA disks have an embedded SECURE ERASE command, which is discussed later in this post.
FORMAT UNIT Dangers
The problem with using utility software that reformats with the SCSI FORMAT UNIT command lies in the options the command allows, so it is critical that you understand not only what the program does, but also which options it uses. This command will not necessarily destroy data on any blocks that the disk previously marked bad (the grown defect list). Unless your utility gives you the option to destroy the grown defect list, you leave some data untouched.
A more subtle, but highly dangerous, exploit is that one can issue a CHANGE CAPACITY command to a disk to make it behave as if it had a smaller capacity than it really has. With the right software, one can issue a single command to your 500GB disk drive and tell it that its capacity is as small as a few KB. Then, when the unsuspecting system administrator reformats the disk, the reformatting is limited to the beginning of the disk and the rest of it is left intact.
So always check the drive capacity to ensure a format will reformat the entire disk drive.
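One way to automate that capacity check before an erase, as an added example that is not part of the original post: on ATA/SATA drives the analogous trick is a Host Protected Area, and hdparm -N reports both the visible and the native sector count. The parser below assumes the "max sectors = visible/native" line format that hdparm prints, and runs here against constructed sample output.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed samples of `hdparm -N /dev/sdX` output (the line format is an
# assumption matching what hdparm prints). SAMPLE_SHRUNK is a drive whose
# visible capacity was cut down; SAMPLE_FULL is a healthy drive.
SAMPLE_SHRUNK = "max sectors   = 2048/976773168, HPA is enabled\n"
SAMPLE_FULL = "max sectors   = 976773168/976773168, HPA is disabled\n"

HDPARM_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


@dataclass
class CapacityCheck:
    visible_sectors: int
    native_sectors: int

    @property
    def hidden_sectors(self) -> int:
        return self.native_sectors - self.visible_sectors

    @property
    def safe_to_format(self) -> bool:
        # A whole-disk erase only covers the disk if no sectors are hidden.
        return self.hidden_sectors == 0


def parse_hdparm_n(text: str) -> CapacityCheck:
    """Extract visible/native sector counts from hdparm -N output."""
    m = HDPARM_RE.search(text)
    if not m:
        raise ValueError("no 'max sectors = visible/native' line in hdparm output")
    visible, native = int(m.group(1)), int(m.group(2))
    if visible > native:
        raise ValueError("visible capacity exceeds native capacity; do not trust this output")
    return CapacityCheck(visible, native)


def check_device(dev: str) -> CapacityCheck:
    """Run hdparm against a real block device (needs root and an ATA/SATA drive)."""
    out = subprocess.run(["hdparm", "-N", dev], capture_output=True, text=True, check=True)
    return parse_hdparm_n(out.stdout)


if __name__ == "__main__":
    for sample in (SAMPLE_SHRUNK, SAMPLE_FULL):
        c = parse_hdparm_n(sample)
        verdict = "OK to erase" if c.safe_to_format else f"STOP: {c.hidden_sectors} sectors hidden"
        print(f"visible={c.visible_sectors} native={c.native_sectors} -> {verdict}")
```

Run check_device("/dev/sdX") on the actual drive and refuse to start the erase unless safe_to_format is true; for SCSI disks the same comparison applies to the capacity reported by the drive versus the capacity on its label.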
The next step up is to run software that performs the DoD Secure Erase.
The secure erase procedure is performed when it is for some reason necessary to irreversibly delete data. This procedure was formerly applied only to “sensitive” (i.e. top secret) data, but now that we have Sarbanes-Oxley, lawsuits over medical records, and news stories about lost disk drives with social security numbers and/or credit card info, you would be wise to use secure erase. The secure erase procedure for data wiping is described in the DoD 5220.22-M specification.
Basically, the DoD requires three iterations of writing all zeros, writing all ones, and writing random data to the entire disk: a total of nine passes from beginning to end. The final pass is a verification pass that scans the disk to ensure it contains random data.
Secure Erase Dangers
In general, human error and impatience are the enemy with Secure Erase. First, unless you have a utility like smartmon-ux for Secure Erase, if the disks are in a Sun, IBM, IRIX, or other UNIX-based system you’re probably going to have to move the disk(s) you want to erase to a Windows or MS-DOS based PC, since Secure Erase software generally isn’t available on non-Windows platforms. The only other significant issues that I have discovered are that secure erase can take days on a 1 TB drive, and that some software products don’t take the necessary step of ensuring that the disk drive wasn’t programmatically resized to appear smaller than it really is.