Guideline for Sanitizing Data
Overview
For the general user, the delete or format command appears to be the logical method of removing unwanted data files. These methods, however, are like sweeping something under the carpet: you may not be able to see it, but it's still there. All that deletion has done is remove the pointer to the files, with the data itself residing in unallocated space on the hard drive. This means that data recovery is possible using various software tools.
When sensitive information is stored on the hard drive of a machine that is to be surplused or transferred to another individual or department, it is therefore imperative that extra measures be taken to wipe clean the hard drive before the computer leaves your area of responsibility. This document describes some common methods and software to assist you with the sanitization process. It also includes links to articles that provide detailed technical descriptions of what occurs during this process.
The destruction of media containing sensitive data should be accomplished through the University of Georgia Records Center. They provide this service to all UGA departments at no charge. If you are going to surplus a computer, fax or printer, please certify that the device does not contain sensitive or critical data. Here is the Surplus Equipment Transfer List for Computer Equipment form for your convenience.
Strongly Recommended: NIST Special Publication 800-88
The UGA Office of Information Security strongly recommends reading and following NIST Special Publication 800-88: Guidelines for Media Sanitization. This guide is intended to assist organizations and system owners in making practical sanitization decisions based on the level of sensitivity of their information. It does not, and cannot, specifically address all known types of media; however, the described draft sanitization decision process can be applied universally to all forms of media and categorizations of information.
Sanitizing Techniques
As described in the much-referenced article Remembrance of Data Passed: A Study of Disk Sanitization Practices, the three most common techniques for properly sanitizing hard drives are:
1. Physically destroying the drive, rendering it unusable. This is a good alternative for defective hard drives or those that would be too costly to repair. For added security, the disk should be overwritten or degaussed prior to destruction.
2. Degaussing the drive to randomize the magnetic domains - most likely rendering the drive unusable in the process. Degaussing, or demagnetizing, applies a reverse magnetizing field to data stored on magnetic media, erasing the contents by returning the magnetic flux to a zero state.
3. Overwriting the drive's data so that it cannot be recovered. Overwriting replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information, rendering the data unrecoverable.
It is recommended that a minimum of three passes be made, writing alternating zero and one patterns over the data, followed by further passes with random data. The more passes, the better the chance that no data can ever be recovered.
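The overwrite schedule recommended above, as an added Python example (not part of the original guideline and not the code of any tool listed here). It runs against a constructed image file rather than a real drive, and it assumes "zero and one patterns" means bytes of all-zero and all-one bits (0x00 and 0xFF); the function names are illustrative.

```python
import os
import tempfile

CHUNK = 1 << 20  # write in 1 MiB chunks so large targets need not fit in RAM
# Note: journaling filesystems and flash wear-levelling can keep copies this cannot reach.

def _pass(fh, size, pattern):
    """Overwrite the first `size` bytes with `pattern` (None means random data)."""
    fh.seek(0)
    left = size
    while left:
        n = min(CHUNK, left)
        fh.write(os.urandom(n) if pattern is None else pattern * n)
        left -= n
    fh.flush()
    os.fsync(fh.fileno())  # push this pass to the device before starting the next

def overwrite(path, random_passes=1):
    """Three alternating zero/one passes, then random passes. Returns passes written."""
    # Assumption: "zero and one patterns" = 0x00 and 0xFF bytes.
    schedule = [b"\x00", b"\xff", b"\x00"] + [None] * random_passes
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:  # r+b overwrites in place without truncating
        for pattern in schedule:
            _pass(fh, size, pattern)
    return len(schedule)

def contains(path, marker):
    """Scan raw bytes for `marker`, the way a recovery tool scans unallocated space."""
    tail = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):]  # overlap so a split marker is still found
    return False

def demo():
    """Constructed sample: a 3 MiB image holding a record left behind after 'deletion'."""
    marker = b"SSN=000-00-0000"  # constructed value, straddles a chunk boundary
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\x00" * (CHUNK - 5) + marker + b"\x00" * (2 * CHUNK))
    before = contains(path, marker)
    passes = overwrite(path, random_passes=2)
    after = contains(path, marker)
    size = os.path.getsize(path)
    os.remove(path)
    return before, passes, after, size
```

The read-back scan after the final pass is the verification step: the marker is found before the overwrite and not after, while the image size is unchanged.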
NOTE: When removing sensitive information, don't forget CDs and floppies. Also, be sure to erase any stored names and numbers from phones and fax machines.
Suggested software
The following chart is a collection of disk wiping software recommended by the UGA Office of Information Security or listed on a variety of other University and security sites. The inclusion of any title does not indicate an endorsement by the University of Georgia or the UGA Office of Information Security, and has only been provided as an aid in making a decision that best matches your specific needs.
| Program | Cost | Platform | Comments |
|---|---|---|---|
| Acronis DriveCleanser 6.0 | $44.99 | Windows | Deletes all the data and partitions on a hard disk. Wizard interface. Meets national data destruction standards. |
| AutoClave | Free | Windows | Writes just zeroes, DoD specs, or the Gutmann patterns. Easy to use. Erases the entire disk including all slack and swap space. |
| BC Wipe | Free trial, purchase $39.95 | Windows, Unix | |
| Burn 2.5 | Free | Macintosh | Macintosh 8.5 and Mac OS HFS+ compatible |
| cyberCide 2.0 (CyberScrub) | Free trial, purchase $29.95 | Windows | Erases files, folders, cookies, or an entire drive. Implements Gutmann patterns. |
| Darik's Boot & Nuke (DBAN) | Free (accepts donations) | Windows | Our favorite!!! |
| Disk Wipe | Administrator license - $49.00 | Windows | |
| East-Tec Eraser 2004 | $49.95 | Windows | Beats DoD standards, full support for popular browsers, intuitive interface for ease of use. |
| East-Tec Sanitizer 2004 | Single license/1 computer - $9.95 | Windows | Designed to remove all traces of data from hard disk, overwriting all data from every sector. |
| Eraser 5.7 | Free | Windows | Erases directory metadata. Sanitizes Windows swap file when run from DOS. Sanitizes slack space by creating huge temporary files. |
| GDisk | $69.99 | Windows | Bundled with Symantec's Ghost utility; GDisk.exe conforms to current US DoD specs |
| KillDisk (Active@KillDisk) | Free version, Pro version for $29.95 | Windows, Linux, Unix for PC | Conforms to DoD sanitizing standards and uses Gutmann's data destruction method |
| M-Sweep Pro Data Eliminator | $500 - part of Data Elimination Suite | Windows | M-Sweep: Exceeds DoD standards, can overwrite ambient data areas 9 times. Ideal for use with laptops. |
| Norton SystemWorks 2004 | $69.69 | Windows | Norton CleanSweep™ and WebTools come bundled ($50 upgrade rebate) |
| NTI Dragon Burn | Free trial, purchase $40.00 (OS X), $19.95 (OS 9.0.4+) | Macintosh | |
| OnTrack DataEraser (www.ontrack.com/dataeraser) | $29 (personal) | Windows | Erases partitions, directories, boot records, and so on. Includes DoD specs in professional version only. |
| Paragon Disk Wiper 7.0 | $29.95 (personal) | Windows | Disk Wiper Pro meets DoD sanitizing standards. Special overwriting patterns with up to 99 passes for 100% erasure of all sensitive data. |
| | Free trial, $19.95 (download) | Windows, Mac OS8/9 & OSX | Easy interface, configurable overwrite pattern and number of overwrites |
| | Free | Windows | |
| SuperScrubber | $29.99 | Mac G3, G4 & G5 | |
| UniShred Pro | Contact vendor for quote | Unix and PC hardware | Implements all relevant DoD standards and allows custom patterns |
| | Free | Linux, Unix | Uses Gutmann's erase patterns, erasing single files and accompanying metadata or entire disks |
| WipeDrive | $39.95 | Bootable PC disk | DoD approved; securely erases IDE and SCSI drives |
Removal Tips
Windows
Dell offers an overview document Erasing Data from Your Hard Drive and a link to CNET's (download.com) listing of rated disk wiping software.
Macintosh
In addition to the software offered above, Mac computer hard drives can be cleared by zeroing their data. The Apple site provides step-by-step instructions for both Mac OS 8.x/9.x and OS X plus a good overview of when to reformat a hard drive (see Troubleshooting Hard Drives: Reformatting). Note that zeroing data (aka "low level" format) may take a long time and depends on the hard disk size. It is recommended to use the "8-way random" feature in conjunction with the "zero all data" option.
- Mac OS 9: How to Initialize or Format a Disk (docs.info.apple.com/article.html?artnum=50447)
- Mac OS X: How to Zero All Data on a Disk (docs.info.apple.com/article.html?artnum=107437)
- Mac OS X 10.3: Erasing a Disk or a Volume (docs.info.apple.com/article.html?artnum=152060)
- Disk First Aid 8.6.1: Software and Information (docs.info.apple.com/article.html?artnum=75102)
For a general search of the Apple Knowledge Base, go to: kbase.info.apple.com/index.jsp.
Unix Secure File Deletions
Solaris
Related links
Other disk wiping software options:
- CNET (Computer Network recommendations) (www.download.com/3120-20-0.html?qt=wipe&tg=dl-2001)
Further Reading:
- Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology (NIST) (http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf)
- Deleting Sensitive Information: Why Hitting Delete Isn't Enough by Hans Zetterstrom (www.sans.org/rr/papers/index.php?id=691)
- Remembrance of Data Passed: A Study of Disk Sanitization Practices by Simson L. Garfinkel and Abhi Shelat, MIT (IEEE Computer Society, Security & Privacy, vol. 1, no. 1, 2003) (http://ieeexplore.ieee.org/search/wrapper.jsp?arnumber=1176992)
- Precautions When Selling, Trading, or Sending a PC to Salvage or to a Repair Shop by H. D. Knoble, Penn State (ftp.aset.psu.edu/pub/ger/documents/SecureFixedDiskWiping.html)
- Secure Deletion of Data from Magnetic and Solid-State Memory by Peter Gutmann, University of Auckland (www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html)
- What You Don't See On Your Hard Drive SANS (www.sans.org/rr/papers/27/653.pdf)
- Secure File Deletion, Fact or Fiction? SANS (www.sans.org/rr/incident/deletion.php)
- Securely Deleting Files SANS (www.giac.org/practical/gsec/John_Kinney_GSEC.pdf)
Related sites at other universities:
- University of Arizona: Sanitization of Hard Drives (security.arizona.edu/DisposalofHardDrives.pdf)
- Indiana University IT Security Office (http://itso.iu.edu/Securely_Removing_Data)
- University of Minnesota OIT Security (www1.umn.edu/oit/security/assureddelete.shtml)
- University of Pennsylvania Information Security (www.upenn.edu/computing/security/advisories/old_computers.html)
- Emory University Office of IT (it.emory.edu/showdoc.cfm?docid=1854&fr=1027)
More on Clearing, Sanitizing, and Releasing Computer Components & Network Devices
Why Remove Data?
There are a number of reasons why the data maintained on university computer systems and devices would need to be securely removed. Perhaps a computer system is being replaced with a more powerful device and the old system is being transferred to another department or sold at surplus. Maybe the backup data stored on a CD-ROM has reached the end of its useful life and needs to be expunged. Perhaps a magnetic tape has been used the maximum number of times that it can be to reliably preserve data. Maybe a hard drive has become damaged and is inoperative.
In each of the aforementioned cases, the University has legal and ethical obligations to ensure that any institutional or university sensitive data is "securely" removed to minimize the risk of possible disclosure and liability.
Why Delete Is Not Enough?
There are a number of methods by which a file can be deleted from a computer's hard drive: by issuing an 'rm' or 'del' command from the command line, by highlighting a file in Windows Explorer and pressing the Delete key, or by emptying the Recycle Bin or the Trash folder. However, these methods only remove the pointers to the actual files - they do NOT remove the data. The data remains on the hard drive as unallocated space. In fact, even if the unallocated space were subsequently used by new files, there are sophisticated methods that can be used to obtain data previously stored in those locations by looking at disk remanence.
Another common misconception is that using system utilities (e.g., fdisk) and re-formatting the hard drive will securely delete *all* data on the hard drive. Like 'rm' and 'del', these utilities modify file system attributes but do not remove the data.
CD-ROMs, since they are read-only, introduce a different challenge in that there is no way to programmatically and securely delete the contents of the CD. Inoperable hard drives are also troublesome in that they cannot be connected to a system and accessed through software.
Secure Delete Methods
So, we cannot rely on deletion alone, and certain devices present special issues. What, then, is available to help us securely delete and/or destroy the data?
Degaussing: Degaussing is a process by which the storage media is subjected to a powerful magnetic field to remove the data on the media. WARNING: Degaussing can make the media inoperable. Therefore, it is advisable that you do not use this method if the media needs to be reused and/or has resale value.
Destruction: For media that has contained highly sensitive data or for media that cannot be wiped or degaussed (e.g., CD-ROMs), destruction of the media is the most effective means of ensuring that the data cannot be recovered. Destruction of the media can be accomplished via a number of methods: shredding disk platters, grinding the surfaces off of CDs, incinerating tapes, etc. NOTE: In order to be effective, the destruction has to be thorough. A simple whack with a hammer, for example, would leave the majority of the data on the media readable.
Summary:
The effort put forth to ensure that data is securely removed from storage media is in direct relation to the sensitivity level of the data that is (or has been) stored on that device. If a device contains highly sensitive data, wiping, degaussing, and destruction could all be used. If the device contains only public data, disk wiping would be sufficient.
Q&A:
- I have an inoperable hard drive that contains sensitive data. What should I do?
Disk wiping is out of the question since the drive is inoperable. In this case, degaussing is the best alternative. If the hard drive contained highly sensitive data, the disk platters should be destroyed as well.
- I have a computer that is being replaced by a newer model and I would like to transfer this machine to another user in my department. The system has been used to store FERPA protected student records. What should I do?
Disk wiping is the best alternative. Degaussing might make the hard drives inoperable, which would render the machine unusable.
- I have a computer that is being replaced by a newer model and I would like to transfer this machine to another department on campus. The system was bought new and used as a public access terminal. It has never maintained sensitive data, but it does have an application installed on it that we licensed from a software vendor. What should I do?
Since data storage is not an issue, the simplest method would be to fdisk the system and reformat the hard drive. This process will ensure that any individually licensed software is unusable.
- I have a computer that is being replaced by a newer model and I would like to transfer this machine to another department on campus. The system has been used to store sensitive data. What should I do?
Once again, disk wiping is probably the best alternative. However, if the data is of a highly sensitive nature (e.g., medical data, FERPA protected student data), it would probably be best to degauss the hard drive and destroy the disk platters.
- I have a computer that has reached the end of its life and I cannot find another department at the University that wants it. What should I do?
See University Policy that outlines "approved methods for the sale and disposal of university-owned equipment". The actual procedures for resale vary slightly.
Tools:
- Darik's Boot and Nuke (Released under GNU General Public License (GPL))

