Tuesday, 14 December 2010

Destroying disk drive data: No sledge hammer required | Naked Security

Again, according to a report from The Register, a high-profile institution has failed to purge its hard disks before disposing of them.

An audit at the Kennedy Space Center in Florida found that 14 computers had been released to the public without any demonstration that their data had been destroyed properly. The audit covered a 12-month period starting in June 2009. This means not only a confidentiality threat for the Space Shuttle Program, but also a loss of public reputation and a violation of federal regulations.

News like this makes it obvious that there is still too little public awareness that data leakage through improper disposal of data carriers is a real threat. Wiping sensitive data does add a step to the media sanitization process, and there seems to be a fair amount of uncertainty about how to do it right.

Well - if the commercial value of the respective hardware is of no importance to you, a blow with a sledge hammer is still the cheapest way to irrevocably destroy your data. However, many of you will probably want to recover some money from the discarded hardware, e.g. on eBay, rather than simply applying brute force. Fair enough.

And in fact, it's not that difficult to achieve this goal. Open source tools are sufficient. Keep in mind, though, that simply deleting files is not enough: when you delete a file in Windows, only its entry in the table of contents of its directory is erased, not the file content itself. That content may or may not get overwritten by new file contents in the future. Furthermore, copies of the file content may exist in many more locations on your hard disk: outdated or deleted temporary files (e.g. from your word processor), the paging file (pagefile.sys), the hibernation file (hiberfil.sys) and others.

This behaviour does not apply to Windows only, but actually to every modern PC operating system. Consequently it's necessary to wipe the whole physical disk rather than only fragments of it.

Before we go into further detail about this, let's review the history of proper disposal of data carriers over the last, say, 15 years.

In 1996, Peter Gutmann gave a presentation which claimed that simple overwriting of hard disks was not sufficient to withstand magnetic force microscopy, and suggested a process of multiple overwrites with varying data patterns, the so-called Gutmann method.

The essentials of this method were also accepted by the US Department of Defense (DoD) standard 5220.22-M, which has since been cited quite frequently by many tool vendors.

Recent research, however, shows that the principal threat described in the Gutmann paper no longer applies to modern hard disks (NIST considers all ATA hard disks manufactured after 2001 to be modern hard disks).

Thus, it's sufficient to overwrite the entire physical disk once, preferably with a random value. The tool 'dd', which is available on common (free) Linux boot CDs, is sufficient to do that:

dd if=/dev/urandom of=/dev/sda bs=1M

/dev/sda stands for the first physical disk, /dev/sdb for the second etc. For older PATA disks, replace /dev/sdx with /dev/hdx.

Allow several hours for wiping a modern disk entirely.
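
A wipe only helps at disposal time if you can show it happened. As an added example (not part of the original article), the Python code below spot-checks a disk overwritten with /dev/urandom as described above: it reads sampled 1 MiB blocks and reports any whose byte entropy is too low to be random data. The function names, the sample count and the 7.9 bits/byte threshold are assumptions chosen for illustration.

```python
import math
import os
import random
from collections import Counter

BLOCK = 1024 * 1024  # same unit as dd's bs=1M


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for random data, 0.0 for a constant fill."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sample_offsets(size, block, samples, rng):
    """Offsets to read: always the first and the last block, plus random aligned picks."""
    last = max(0, size - block)            # covers a tail shorter than one block
    aligned = list(range(0, last + 1, block))
    if samples < len(aligned):             # otherwise every block is read
        aligned = [0] + rng.sample(aligned[1:], samples - 1)
    return sorted(set(aligned + [last]))


def verify_wiped(path, samples=256, block=BLOCK, min_entropy=7.9, seed=None):
    """Return [(offset, entropy)] for sampled blocks that do not look random.

    min_entropy=7.9 is an assumed threshold: random blocks of 4 KiB or more
    score above it, while zero fill, text and filesystem metadata score below.
    """
    rng = random.Random(seed)
    suspicious = []
    with open(path, "rb") as dev:
        size = dev.seek(0, os.SEEK_END)    # also yields the size of /dev/sdX on Linux
        for off in sample_offsets(size, block, samples, rng):
            dev.seek(off)
            data = dev.read(block)
            if data and entropy(data) < min_entropy:
                suspicious.append((off, round(entropy(data), 3)))
    return suspicious


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:                 # e.g. python3 verify_wipe.py /dev/sda (as root)
        print(verify_wiped(sys.argv[1]) or "no low-entropy blocks in sample")
```

An empty result only shows that the sampled blocks look random; compressed or encrypted leftovers look random too. Raise samples to at least the number of blocks on the disk when every block has to be read.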

But what about fully encrypted disks (I'm talking about full disk/volume encryption here)? Isn't elimination of the Data Encryption Key (DEK) itself sufficient to wipe the disk?

It depends.

If you're able to eliminate all instances of the DEK in such a way that it cannot be reconstructed anymore (e.g. with the help of intermediate keys), you've won. Encrypted data (as long as encryption was performed correctly) has a totally random structure, and no conclusions about the plain text are possible.

With Sophos SafeGuard Enterprise device encryption, you're off the hook: The command line tool BeInvVol.exe eliminates the two key stores (incl. the DEK) that exist on every volume encrypted by SafeGuard Enterprise. Simply call it from the command line of a Windows PE boot disk:

BeInvVol.exe xic:

In the twinkling of an eye, your C: volume is history, and subsequent reconstruction of data is impossible.

As you can see, proper disk encryption is not rocket science. It not only protects your data assets against eavesdropping during the lifetime of the disk, but also helps you save money when it comes to decommissioning it. Sounds like a good deal.

Eventually, this could be one more reason to complement your next Sophos Anti-Virus contract extension with a look into Sophos's new disk encryption technology.
