Many people are unaware of the threat posed by sensitive data left on disk drives when they are removed from use or reassigned. Correctly sanitising a drive is essential in order to destroy all the electronic data on it, as normal file deletion commands only remove pointers to the data, making it trivial to recover with common software tools.
Degaussing or physical destruction are fine if you don't want to reuse a drive, but both options cost money. Encrypting all the data on a drive is another approach if the drive is no longer needed, but this presents a couple of problems: First, you have to be sure all the decryption keys have been securely destroyed and, second, what is strong encryption now may be breakable in a few years' time. Exposure of data such as medical or personnel records could be a breach of the Data Protection Act, even if the data is deciphered some years later.
If you want to sanitise a hard drive before reuse, then hard disk erasure -- wherein meaningless combinations of 1's and 0's are written onto each hard drive sector to overwrite the stored data with random data -- is a secure way to go. Unfortunately, this can be a time-consuming process and the problem is exacerbated by modern hard drives that are slow relative to their increasing capacity.
Most data-cleansing tools can only work as fast as the physical limits of the disk allow because the CPU, memory and PCI bus in a modern computer are so much faster than the read-write speed of the hard drive. Also, the actual sustained performance of a hard disk during a wipe tends to be much less than that stated by the vendor, as maximum transfer rates only occur with cache hits. (Such hits take place when the disk returns data that is already in its internal buffer, which doesn't happen during a wipe.)
This means that data erasure on large drives can take more than a day to complete, and many people end up not bothering.
Other overwriting tools often only erase to a drive's maximum address space, which can be lower than its native capacity, or they can fail to erase reallocated error blocks even though data can reside on these sectors. Fortunately, the committee which oversees the ATA or IDE interface specifications saw the need to be able to erase data quickly, and they incorporated a command feature called Secure Erase into their standards. Most ATA disk drives greater than 15Gb manufactured after 2001 feature this command.
Secure Erase hard-drive eraser (.pdf) removes all a drive's data areas by overwriting them, including those that have errors in them. Since the Secure Erase command is carried out within the hard disk drive itself, it's far less susceptible to malicious software attack than other software utilities, but most importantly, it completes in a fraction of the time of common block-erasure programs.
So where is the Secure Erase command? Well, because it's such a powerful command, it's actually blocked by most motherboard BIOSes. If a virus or some form of malware did manage to exploit this command, it could wreak complete havoc with the world's data. Therefore, most computer manufacturers have inhibited Secure Erase from being launched in the BIOS. If you do have the Secure Erase command enabled, there's a good step-by-step guide to performing a Secure Erase on an ATA storage device at the Linux ATA wiki.
So what do the rest of us do? HDDerase is a software tool that erases data by accessing the Secure Erase command in the firmware of ATA drives. It was developed by the Center for Magnetic Recording Research and can be downloaded for free. Unlike many tools, HDDerase can erase the host protected area (HPA) and the device configuration overlay area (DCO) by first removing them and then erasing the entire drive.
One reason Secure Erase (and, by proxy, HDDerase) is faster than many commercial software packages is that it only uses a single overwrite pass. Many tools, which reference the US National Industrial Security Program's Operating Manual (DoD 5220.22-M) procedures and requirements, use up to 35 overwrite passes, greatly extending the time it takes to complete. But research into today's drives (.pdf) concludes that multiple overwrites are no more effective than a single overwrite, and one is enough to protect the media from both keyboard and laboratory attack. A single pass Secure Erase has been shown to result in no usable data signals, with a second erase reducing this signal only slightly more.
Obviously, not all hard drives will need to be sanitised: Those that contain non-confidential information can simply be reformatted. But this free tool enables administrators to balance the need for speed with risks to confidentiality.
However, no software data-erasure program can sanitize disconnected or forgotten internal hard drives, or hard drives that have actually physically failed. In these instances you need to look at destroying them by degaussing, melting, incineration, crushing or shredding. Also, make sure to keep an asset register to track all purchased hard drives so that none are forgotten.
Whichever method you choose -- either software wiping or physical destruction -- you must put in place policies and procedures governing hard-drive disposal, as well as appropriate employee training to ensure you have taken "reasonable measures" to safeguard your data. Copies of data can manifest themselves in a variety of ways, such as through manual and automatic backups and file system snapshots. Although sanitizing your drives takes some effort, the potential costs associated with compromised data make it an important task.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.