There are three main data sanitization techniques for hard drive storage devices. The first is physical destruction of the hard drive, where drives are crushed or platters are damaged to an inoperable state. The second is degaussing, which removes all data from a hard drive through the use of a powerful magnetic field. The third technique is overwriting the data contained on the hard drive, a process where each bit on the drive is replaced with “white” information, leaving no original data.
If you look around the industry, you will see all major OEMs and service providers utilizing all three of these techniques. Each technique has its own strengths and weaknesses and one technique may be more appropriate in a given situation than another based on data security or cost. The appropriateness of one over another is especially true for data centers.
The Physical Destruction Method
Physical destruction of storage devices is a means of making recorded data unrecoverable. The destruction can be accomplished by physically shredding the device, incinerating it, or punching holes in it.
Depending on the degree of destruction, data may still be recoverable in a laboratory environment if complete destruction is not accomplished. Using Magnetic Force Microscopy or similar forensic equipment, parts of the hard drive's magnetic platters can be examined and data might be accessed.
Advantages of Physical Destruction: The process of physical destruction of a hard drive is straightforward and fast. This allows many service providers to compete for physical destruction, which makes the price per unit an affordable option.
Disadvantages of Physical Destruction: Obviously, there is an economic loss in physically destroying a hard drive, which may be worth hundreds of dollars in resale value or in being repurposed within an organization or corporation. In addition, the inability to obtain storage device serial numbers for records may lead to an unverifiable, insecure sanitization process.
The Degaussing Method
Degaussing is the process of using an external device to alter the recorded magnetic flux patterns on the storage device. A degaussing device may be:
- A magnetic wand used to demagnetize the storage media
- A powerful permanent magnet that imposes a static magnetic field
- A device that produces a strong fluctuating or pulse magnetic field that would alter the magnetic characteristics of a storage device to render it unreadable
How Degaussing Works
Degaussing is an appropriate method for sanitizing data. However, it is far more applicable to magnetic tape and floppy disks than to newer fixed disk drives. Older drives and disks were coated with a gamma ferric oxide film, which can be demagnetized relatively easily. Modern high-density disks use more sophisticated metal oxides and shielding that are meant to resist data degradation and stray magnetic fields to a certain degree. Thus, they are trickier to properly erase by degaussing. They require higher magnetic fields to degauss, which means bulky and expensive degaussing equipment and proper isolation so that other equipment in the vicinity (such as computers, phones, watches) is not damaged unintentionally. If using portable degaussers, the user may have to disassemble the drive enclosure and platters in order to degauss appropriately.
It should be noted that to erase recorded data, it is necessary for the strength of the degaussing field to be greater in value than the coercivity of the magnetic media. Coercivity is the intensity of the applied magnetic field required to reduce the magnetization of the storage device material to zero after the magnetization of the sample has been driven to saturation. Since different drives from different manufacturers may have different magnetic properties, there may not be a universal degausser suitable for all drives. This means the user has the added responsibility to ensure that the degausser being used matches the properties of the drive and the organizational requirements for acceptable demagnetization level. This could prove to be a difficult task for a large organization.
In addition to being cumbersome, an issue with degaussing is that, depending on the orientation of the magnetic fields and manual process variations (preparation and placement of the disk to be degaussed), complete demagnetizing of all data tracks may not be guaranteed. Also, after degaussing, the disk may be damaged enough that data erasure cannot be verified through common read/write processes, despite the fact that some tracks may still contain sensitive data. Thus there is no easy way to ensure that a disk has been properly degaussed.
Advantages of Degaussing: Degaussing is relatively fast to implement and can work on any magnetic storage media whether it is functional or not.
Disadvantages of Degaussing: Degaussing equipment capable of erasing modern hard drives can be expensive, with an NSA-approved degausser costing in excess of $25,000 USD. Another drawback to degaussing is the lack of feedback or verification that a device is completely wiped. There is no means to tell if all data has been removed from the storage media, and there is no way to verify which drive was degaussed when handling a large number of devices, since degaussers do not extract the device’s serial number prior to sanitization. Additionally, degaussing causes damage to the drive read/write and rotation servos. Degaussing permanently destroys the drive mechanics, and consequently the storage devices lose any economic value for future re-use or warranty claims.
The Overwrite Method
Overwriting means that data blocks stored on a device are replaced with meaningless data blocks. If the overwriting procedure is implemented successfully, with the appropriate tool, the new data will completely cover the tracks of the original data so that the original data cannot be recovered for all practical purposes. Overwrite can be accomplished both at a file level and at the entire storage device level. When overwriting individual files, data still might not be secure because often operating systems make several copies of working files and store them in temporary directories.
How Overwriting Works
To understand how overwriting works, we need to understand how data is actually represented in digital format. Data is stored on a disk by writing tracks that contain binary patterns of 1s and 0s. Each character is represented by a byte, which is 8 individual binary bits of 1s and 0s. For example, the letter “A” may be represented by “01000001,” the letter “B” by “01000010,” the letter “C” by “01000011,” etc. Meaningful information is represented by numerous bytes, and there are trillions of bytes on a typical hard drive.
When data is overwritten, the 1s and 0s are changed according to a predetermined or random pattern that makes it difficult or practically impossible to read the original pattern and thus to recover the overwritten information. Theoretically, it is possible that not all magnetic tracks are 100% overwritten; this may be true in older, low density drives, or in floppy drives that employ read/write heads that are not very precise. In modern higher capacity, higher density drives which employ highly-tuned read/write heads, it is possible to overwrite all tracks, thus changing each bit according to a predetermined overwrite pattern.
It should be emphasized that to minimize the chance of recovering any data from a disk sanitized by the overwriting method, the process should be understood and well implemented. One must select the appropriate tool that will ensure overwriting of all data on a drive. Furthermore, if an error is encountered during an erase process, the software should fail the hard drive overwrite operation and flag the user for further action.
Advantages of Overwrite: There are several benefits to sanitizing storage devices by overwriting the data. First, overwriting offers the ability to securely erase user data. In addition, there is a feedback mechanism to ensure the drive is correctly sanitized. This feedback is accomplished by reading every byte on the device to ensure it is of a certain value that matches the overwrite pattern. Overwrite allows traceability by generating a serialized log of each affected storage device. The overwrite software can read the drive serial number automatically and generate a log to verify the process. Additionally, a significant benefit, especially to businesses, is preserving the economic value of the device and the ability to reuse the equipment or re-sell it. The ability to reuse devices without compromising sensitive data can be a significant cost factor especially for large organizations.
Disadvantages of Overwrite: There are two disadvantages to sanitizing hard drives using the overwrite procedure. First, it is time-consuming when compared to the other methods. The size of the hard drive impacts the overwrite time. The second issue is bad sectors. Bad sectors are bytes on the hard drive which quit working during the life of the drive. Most modern hard drives are smart enough to recognize when sectors are going bad and start to move data from bad sectors into good sectors. However, when a sector is bad, it can no longer be read from or written to. Bad sectors have been a source of debate for overwrite software: if the sector is bad and no data can be retrieved from it, is that really a security issue? Read and write errors are a limitation of overwrite sanitizing software.
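The overwrite, read-back verification, fail-on-error and logging steps described above can be sketched as follows. This is an added example, not code from any product the article refers to; it runs against a constructed image file standing in for a drive, and the serial number is passed in as a parameter (an assumption, since a real tool would read it from the device).

```python
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # bytes handled per write/read call


class SanitizeError(Exception):
    """Any write, read or verification failure fails the whole erase."""


def overwrite_and_verify(path, serial, fill=0x00):
    """Overwrite every byte of `path` with `fill`, read it all back, return a log record."""
    block = bytes([fill]) * CHUNK
    try:
        with open(path, "r+b") as dev:
            size = dev.seek(0, os.SEEK_END)       # total bytes to sanitize
            dev.seek(0)
            for offset in range(0, size, CHUNK):  # pass 1: overwrite
                dev.write(block[: min(CHUNK, size - offset)])
            dev.flush()
            os.fsync(dev.fileno())                # push writes out of OS caches
            dev.seek(0)
            for offset in range(0, size, CHUNK):  # pass 2: verify every byte
                want = block[: min(CHUNK, size - offset)]
                if dev.read(len(want)) != want:
                    raise SanitizeError(f"{serial}: verify mismatch near offset {offset}")
    except OSError as exc:                        # e.g. a read or write error on the media
        raise SanitizeError(f"{serial}: I/O error: {exc}") from exc
    return {"serial": serial, "bytes": size, "pattern": f"0x{fill:02x}",
            "verified": True, "date": datetime.now(timezone.utc).isoformat()}


def demo():
    """Run against a constructed image file (208,000 bytes) standing in for a drive."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"CONSTRUCTED-SAMPLE-RECORD;" * 8000)  # constructed sample data
    try:
        record = overwrite_and_verify(img.name, serial="SAMPLE-SN-0001")
        with open(img.name, "rb") as f:
            leftover = f.read().strip(b"\x00")    # anything that is not the fill byte
        return record, leftover
    finally:
        os.unlink(img.name)


if __name__ == "__main__":
    record, leftover = demo()
    print(json.dumps(record), "| residual bytes:", len(leftover))
```

A log record is returned only when both passes complete; any I/O error or mismatch raises `SanitizeError`, so a drive with unwritable sectors is flagged for further action instead of being logged as sanitized.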
Selecting the Appropriate Sanitizing Process
The decision on how to sanitize data on a storage device and the execution of the sanitization requires the following steps:
- Assessing the sensitivity, security category, or economic value of the stored data
- Assessing the economic value of the assets or device under consideration, and determining whether it can be re-used, re-sold, has warranty credit, etc.
- Selecting the appropriate data sanitization type based on the information category
- Selecting the appropriate data sanitization method for the media
- Sanitizing the media
- Verifying the result
- Maintaining an accurate history of which devices were sanitized
The level of data sensitivity and security as well as economic value varies between organizations. For example, security for intelligence applications is the primary concern. For a financial institution, security and economics may be equal driving factors.
An organization should assess the value of the stored information and the value of the equipment based on its operational and/or business requirements and guidelines. Then the most cost-effective technique for the media and sanitization type can be implemented. Cost considerations should include any loss of residual value from partial or complete destruction of a reusable data storage asset.
We recommend that at a minimum, the appropriate overwriting method should be employed, even when other processes are to be followed. This choice ensures:
- Verification of user data being wiped.
- Traceability – drives are logged as they are overwritten with device serial numbers, security erasing standard used, and date of sanitization.
- Reduced security risk during transportation since physical destruction often requires transportation of devices to specialized areas.