Decommissioning systems for disposal or resale requires the secure deletion of data originally stored on the drives; however, the process of doing this is often based more in superstition than in science. These methods may have had some utility 20 years ago, but are not valid for newer drive formats.
Before moving forward, there are a few considerations to be mindful of in this inquiry.
- From a data security standpoint, destroying hard drives is preferable to wiping them. This is not always possible, and — depending on your level of precaution — you may want to wipe the drives before handing them off to a third party for destruction.
- The data on the drive should be encrypted to begin with, particularly on solid-state drives. Data recovery is basically impossible in cases where the drive data is encrypted.
Listen to Gutmann: Stop performing 35-pass writes
In 1996, Peter Gutmann presented a paper on how to erase data on Modified Frequency Modulation (MFM) and run-length limited (RLL) magnetic storage — the latter first used on the IBM 3370, which was released in 1979. Gutmann’s work has been continually misinterpreted and poorly applied in standard disk wiping programs; the “35-pass” approach to disk wiping is not recommended in Gutmann’s original paper — only a subset of the passes are intended for use, depending on the recording method of the drive in use.
The Gutmann method was intended to protect against everything except physical scanning, such as the use of a magnetic force microscope — the use of which in forensic data recovery would be an extremely arduous task. In any event, this provides no particular benefit for newer drive technologies, such as noise-predictive maximum-likelihood (NPML) or shingled magnetic recording (SMR) for which Gutmann notes that “A good scrubbing with random data will do about as well as can be expected.”
In the epilogues to that original paper, Gutmann provides practical insight and useful tips about data forensics and the secure erasure of modern disk drives:
“With modern high-density drives, even if you’ve got 10KB of sensitive data on a drive and can’t erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 200GB of other erased traces are close to zero.
For the software-only option, to delete individual files under Windows I use Eraser and under Linux I use shred… To erase entire drives I use DBAN, which allows you to create a bootable CD/DVD running a stripped-down Linux kernel from which you can erase pretty much any media.”
So, what about solid-state drives?
Aside from using the same Serial ATA signaling — which is becoming less popular with PCIe drives — solid-state drives have no mechanical resemblance to traditional magnetic hard drives; as such, the methods used for magnetic hard drives are of no particular use with this hardware.
In theory, doing a simple overwrite would be an effective method of data erasure, but the drive controller and flash transition layer (FTL) sit between the user writing data and the actual NAND chips, making it difficult to properly determine what the drive is really doing. As such, overwriting data only wears down the lifespan of the drive. To add to the problem, many newer solid-state drives use overprovisioning, making the raw NAND capacity invisible to the user — the controller simply maps out blocks that have excessive wear, extending the life and performance of the drive.
The ATA Secure Erase command does exist, though a white paper from 2011 (PDF) (covered in greater depth on TechRepublic by Michael Kassner) indicates that only four of the 12 tested drives performed this task correctly, making it too unreliable to be of use. Hopefully, this issue has been rectified, as solid-state drives have matured since 2011, though no current research into this specific issue is widely available. As a result, it’s not possible to know that data has been deleted unless the FTL can be bypassed, allowing the NAND to be directly manipulated.
In a paper (PDF) on solid-state drive technology, Gutmann offers this insightful advice:
“The best defence against data remanence problems in semiconductor memory is, as with the related problem of data stored on magnetic media, the fact that ever-shrinking device dimensions is making it more and more difficult to recover data from devices. As the 1996 paper suggested for magnetic media, the easiest way to make the task of recovering data difficult is to use the newest, highest-density (and by extension most exotic) storage devices available.”
What’s your conclusion?
How do you approach secure drive erasure in your organization? Are you solid-state drive encrypted? Share your strategies in the comments.
Note: TechRepublic and ZDNet are CBS Interactive properties.