 | This articleneeds additional citations forverification. Please helpimprove this article byadding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Data erasure" – news ·newspapers ·books ·scholar ·JSTOR(November 2022) (Learn how and when to remove this message) |
Data erasure (sometimes referred to assecure deletion,data clearing,data wiping, ordata destruction) is a software-based method ofdata sanitization that aims to completely destroy allelectronic data residing on ahard disk drive or otherdigital media by overwriting data onto all sectors of the device in anirreversible process. By overwriting the data on the storage device, the data is rendered irrecoverable.
Ideally, software designed for data erasure should:
Permanent data erasure goes beyond basicfile deletion commands, which only remove direct pointers to the datadisk sectors and make thedata recovery possible with common software tools. Unlikedegaussing and physical destruction, which render the storage media unusable, data erasure removes all information while leaving the disk operable. Newflash memory-based media implementations, such assolid-state drives orUSB flash drives, can cause data erasure techniques to fail allowingremnant data to be recoverable.[1]
Software-based overwriting uses a software application to write a stream of zeros, ones or meaningless pseudorandom data onto all sectors of a hard disk drive. There are key differentiators between data erasure and other overwriting methods, which can leave data intact and raise the risk ofdata breach,identity theft or failure to achieve regulatory compliance. Many data eradication programs also providemultiple overwrites so that they support recognized government and industry standards, though a single-pass overwrite is widely considered to be sufficient for modern hard disk drives. Good software should provide verification of data removal, which is necessary for meeting certain standards.
To protect the data on lost or stolen media, some data erasure applications remotely destroy the data if the password is incorrectly entered. Data erasure tools can also target specific data on a disk for routine erasure, providing ahacking protection method that is less time-consuming than software encryption.Hardware/firmware encryption built into the drive itself or integrated controllers is a popular solution with no degradation in performance at all.
When encryption is in place, data erasure acts as a complement tocrypto-shredding, or the practice of 'deleting' data by (only) deleting or overwriting the encryption keys.[2]
Presently, dedicated hardware/firmware encryption solutions can perform a 256-bit fullAES encryption faster than the drive electronics can write the data. Drives with this capability are known as self-encrypting drives (SEDs); they are present on most modern enterprise-level laptops and are increasingly used in the enterprise to protect the data. Changing the encryption key renders inaccessible all data stored on a SED, which is an easy and very fast method for achieving a 100% data erasure. Theft of an SED results in a physical asset loss, but the stored data is inaccessible without the decryption key that is not stored on a SED, assuming there are no effective attacks against AES or its implementation in the drive hardware.[citation needed]
Information technology assets commonly hold large volumes of confidential data.Social security numbers, credit card numbers, bank details, medical history and classified information are often stored on computer hard drives orservers. These can inadvertently or intentionally make their way onto other media such as printers,USB,flash,Zip,Jaz, andREV drives.
Increased storage of sensitive data, combined with rapid technological change and the shorter lifespan of IT assets, has driven the need for permanent data erasure of electronic devices as they are retired or refurbished. Also, compromised networks andlaptop theft and loss, as well as that of other portable media, are increasingly common sources of data breaches.
If data erasure does not occur when a disk is retired or lost, an organization or user faces a possibility that the data will be stolen and compromised, leading to identity theft, loss of corporate reputation, threats to regulatory compliance and financial impacts. Companies spend large amounts of money to make sure their data is erased when they discard disks.[3][dubious –discuss] High-profile incidents of data theft include:
Strict industry standards and government regulations are in place that force organizations to mitigate the risk of unauthorized exposure of confidential corporate and government data. Regulations in theUnited States includeHIPAA (Health Insurance Portability and Accountability Act);FACTA (The Fair and Accurate Credit Transactions Act of 2003); GLB (Gramm-Leach Bliley);Sarbanes-Oxley Act (SOx); and Payment Card Industry Data Security Standards (PCI DSS) and theData Protection Act in theUnited Kingdom. Failure to comply can result in fines and damage to company reputation, as well as civil and criminal liability.[citation needed]
Data erasure offers an alternative to physical destruction and degaussing for secure removal of all the disk data. Physical destruction and degaussing destroy the digital media, requiring disposal and contributing toelectronic waste while negatively impacting thecarbon footprint of individuals and companies.[10] Hard drives are nearly 100% recyclable and can be collected at no charge from a variety of hard drive recyclers after they have been sanitized.[11]
Data erasure may not work completely on flash based media, such asSolid State Drives andUSB Flash Drives, as these devices can store remnant data which is inaccessible to the erasure technique, and data can be retrieved from the individual flash memory chips inside the device.[1]Data erasure through overwriting only works on hard drives that are functioning and writing to all sectors.Bad sectors cannot usually be overwritten, but may contain recoverable information. Bad sectors, however, may beinvisible to the host system and thus to the erasing software.Disk encryption before use prevents this problem. Software-driven data erasure could also be compromised by malicious code.[12]
Software-based data erasure uses a disk accessible application to write a combination of ones, zeroes and any otheralpha numeric character also known as the "mask" onto each hard disk drive sector. The level ofsecurity when using software data destruction tools is increased dramatically by pre-testing hard drives for sector abnormalities and ensuring that the drive is 100% in working order. The number of wipes has become obsolete with the more recent inclusion of a "verify pass" which scans all sectors of the disk and checks against what character should be there, i.e., one pass of AA has to fill every writable sector of the hard disk. This makes any more than one pass an unnecessary and certainly a more damaging act, especially in the case of large multi-terabyte drives.
While there are many overwriting programs, only those capable of complete data erasure offer full security by destroying the data on all areas of a hard drive. Disk overwriting programs that cannot access the entire hard drive, including hidden/locked areas like thehost protected area (HPA),device configuration overlay (DCO), and remapped sectors, perform an incomplete erasure, leaving some of the data intact. By accessing the entire hard drive, data erasure eliminates the risk ofdata remanence.
Data erasure can also bypass theOperating System (OS). Overwriting programs that operate through the OS will not always perform a complete erasure because they cannot modify the contents of the hard drive that are actively in use by that OS. Because of this, many data erasure programs are provided in a bootable format, where you run off alive CD that has all of the necessary software to erase the disk.[citation needed]
Data erasure can be deployed over a network to target multiplePCs rather than having to erase each one sequentially. In contrast withDOS-based overwriting programs that may not detect all network hardware,Linux-based data erasure software supports high-end server andstorage area network (SAN) environments with hardware support forSerial ATA,Serial Attached SCSI (SAS) andFibre Channel disks and remapped sectors. It operates directly with sector sizes such as 520, 524, and 528, removing the need to first reformat back to 512 sector size.WinPE has now overtaken Linux as the environment of choice since drivers can be added with little effort. This also helps with data destruction of tablets and other handheld devices that require pure UEFI environments without hardware NIC's installed and/or are lacking UEFI network stack support.
Many government and industry standards exist for software-based overwriting that removes the data. A key factor in meeting these standards is the number of times the data is overwritten. Also, some standards require a method to verify that all the data have been removed from the entire hard drive and to view the overwrite pattern. Complete data erasure should account for hidden areas, typically DCO, HPA and remapped sectors.
The 1995 edition of theNational Industrial Security Program Operating Manual (DoD 5220.22-M) permitted the use of overwriting techniques to sanitize some types of media by writing all addressable locations with a character, its complement, and then a random character. This provision was removed in a 2001 change to the manual and was never permitted for Top Secret media, but it is still listed as a technique by many providers of the data erasure software.[13]
Data erasure software should provide the user with avalidation certificate indicating that the overwriting procedure was completed properly. Data erasure software should[citation needed] also comply with requirements to erase hidden areas, provide a defects log list and list bad sectors that could not be overwritten.
| Overwriting Standard | Date | Overwriting Rounds | Pattern | Notes |
|---|---|---|---|---|
| U.S. Navy Staff Office Publication NAVSO P-5239-26[14] | 1993 | 3 | Preferred method: Write all ones[nb 1], then (pseudo)random data from non-linearPRNG. Alternative: Random character (byte), its complement, another random character. | Verification is mandatory Head stepping direction should alternate between tests.Read caching disabled. |
| U.S. Air Force System Security Instruction 5020[15] | 1996 | 3 | All zeros, all ones, any character | Verification is mandatory |
| Peter Gutmann's Algorithm | 1996 | 1 to 35 | Various, including all of the other listed methods | Originally intended forMFM andRLL disks, which are now obsolete |
| Bruce Schneier's Algorithm[16] | 1996 | 7 | All ones, all zeros, pseudo-random sequence five times | |
| StandardVSITR of GermanyFederal Office for Information Security | 1999 | 7 | The disk is filling with sequences 0x00 and 0xFF, and on the last pass - 0xAA. | |
| U.S.DoD Unclassified Computer Hard Drive Disposition[17] | 2001 | 3 | A character, its complement, another pattern | |
| GermanFederal Office for Information Security[18] | 2004 | 2 to 3 | Non-uniform pattern, its complement | |
| Communications Security Establishment Canada ITSG-06[19] | 2006 | 3 | All ones or zeros, its complement, a pseudo-random pattern | For unclassified media |
| NIST SP-800-88[20] | 2006 | 1 | ? | |
| U.S.National Industrial Security Program Operating Manual (DoD 5220.22-M)[13] | 2006 | 3 | ? | No longer specifies any method. |
| NSA/CSS Storage Device Declassification Manual (SDDM)[21] | 2007 | N/a | Degauss or destroy only | |
| New ZealandGovernment Communications Security Bureau NZSIT 402[22] | 2008 | 1 | ? | For data up to Confidential |
| Australian Government ICT Security Manual 2014 – Controls[23] | 2014 | 1 | Random pattern (only for disks larger than 15 GB) | Degauss magnetic media or destroy Top Secret media |
| NIST SP-800-88 Rev. 1[24] | 2014 | 1 | All zeros | Outlines solutions based on media type.[25] |
| British HMGInfosec Standard 5, Baseline Standard[26] | ? | 1 | Random Pattern | Verification is mandatory |
| British HMG Infosec Standard 5, Enhanced Standard | ? | 3 | All ones, all zeros, random | Verification is mandatory |
Data can sometimes be recovered from a broken hard drive. However, if theplatters on a hard drive are damaged, such as by drilling a hole through the drive (and the platters inside), then the data can only theoretically be recovered by bit-by-bit analysis of each platter with advanced forensic technology.
Data onfloppy disks can sometimes be recovered by forensic analysis even after the disks have been overwritten once with zeros (or random zeros and ones).[27]
This is not the case with modern hard drives:
Even the possibility of recovering floppy disk data after overwrite is disputed. Gutmann's famous article cites a non-existent source and sources that do not actually demonstrate recovery, only partially-successful observations. Gutmann's article also contains many assumptions that indicate his insufficient understanding of how hard drives work, especially the data processing and encoding process.[31] The definition of "random" is also quite different from the usual one used: Gutmann expects the use of pseudorandom data with sequences known to the recovering side, not an unpredictable one such as acryptographically secure pseudorandom number generator.[32]
E-waste presents a potentialsecurity threat to individuals and exporting countries.Hard drives that are not properly erased before the computer is disposed of can be reopened, exposingsensitive information.Credit card numbers, private financial data, account information and records of online transactions can be accessed by most willing individuals. Organized criminals inGhana commonly search the drives for information to use in localscams.[33]
Government contracts have been discovered on hard drives found inAgbogbloshie.[citation needed]
For sanitizing entire disks, built-in sanitize commands are effective when implemented correctly, and software techniques work most, but not all, of the time. We found that none of the available software techniques for sanitizing individual files were effective.
you may be able to quickly sanitize the device by deleting the encryption key, which renders the data on the drive irretrievable.
{{cite conference}}: CS1 maint: multiple names: authors list (link)