Scrubbing Disks, Part 2
ITworld.com, Unix in the Enterprise 12/07/2005
Sandra Henry-Stocker, ITworld.com
In last week's column - Scrubbing Disks, Part 1, we asked a couple questions: "Why should you sanitize disks before letting them out of your sight?" and "How should you do it?". Given the availability of cheap data recovery tools and the ever-increasing population of hackers and identity thieves, releasing readable data into the used computer market can involve considerable risk -- a risk that far too many individuals and companies take on a routine basis.
If you are retiring a disk that contains high risk data (i.e., data that can land you or your company in a pot of legal soup if it is disclosed to the wrong people), you should seriously consider destroying the drives. What Top Secret is to the federal government, patient medical records ought to be to any medical practitioner and your personal letters, photos and credit card numbers undoubtedly are to you. The DoD's requirement for retiring disks containing its ultra sensitive data is destruction of the drives. Maybe the same treatment is appropriate for your personal or your company's sensitive data? The answer to this question depends on the value of the data and the risk of its exposure.
Assessing the Risk
Disk drives containing personal or proprietary data can be responsibly sanitized and released if you are willing to accept the risk that someone with extremely expensive and specialized equipment might yet be able to read residual magnetism on the platters and retrieve your old data, even after you have wiped the drive with some variety of disk-wipe software and can no longer pull data from it yourself. Fortunately, this risk is much reduced with newer drives, for two reasons. First, newer drives are denser: less space between tracks means less chance that residual data (the contents of the disk prior to sanitization) remains readable. Second, these higher-density disks generally have a write head that is wider than the read head, which virtually eliminates the fringe areas between tracks from which data could be recovered on older, less dense drives.
While these characteristics of newer disk drives are reassuring for those of us who would rather see our old disks resurrected in elementary schools and rummage sales than smashed and dropped into a dumpster, it is probably too early to consider the disposal problem solved. I don't know about you, but the disks I am tasked with disposing of are not modern high-density drives. They range in size from 1 to 20 GB and are probably as much as ten years old, and drives like these require a more thorough and rigorous sanitization procedure.
What Sanitization Standards Exist?
The primary reference for disk sanitization procedures is a US DoD publication referred to as the NISPOM (National Industrial Security Program Operating Manual) or, more formally, as DoD 5220.22-M. You can find copies of this publication (in Acrobat, MS Word and HTML formats) at http://www.dss.mil/isec/nispom.htm. Chapter 8 of the NISPOM details, among other things, how various types of media should be sanitized. In the oft-quoted "Clearing and Sanitization Matrix", the approved methods for sanitizing magnetic disks are (the letters correspond to the descriptions in the table): a) degaussing with a Type I degausser, b) degaussing with a Type II degausser, d) overwriting all addressable locations with a character, then its complement, then a random character, and verifying the result, or m) physical destruction. Note that "clearing" (a single-character overwrite, adequate for reuse within the same environment) and "sanitizing" (for release outside it) are separate columns in the matrix; the methods above are the sanitization ones.
The problem with degaussers is that it is hard to find a device that both thoroughly erases the disk contents and leaves the disk still usable. You are too likely to either leave data behind that you did not intend to leave or to render the disk worthless for any subsequent use.
Overwriting disks with various combinations of characters, on the other hand, is fairly easy to do with inexpensive software or even with a sequence of Unix commands. How much trouble would it be, for example, to put together a simple bash script like this and run it?
#!/bin/bash
# Overwrite an entire disk with random data, one hundred passes.
# The target must not be the boot disk and must hold no mounted filesystem.
DISK=/dev/dsk/c0t1d0s2
for ((i = 1; i <= 100; i++))
do
    # /dev/urandom never blocks; /dev/random can stall for hours once the
    # entropy pool is empty. A large block size keeps dd from crawling.
    # dd ends each pass with "No space left on device": that is expected.
    dd if=/dev/urandom of=$DISK bs=1024k
    echo "pass $i done"
done
This simple script would fill the target disk with random data one hundred times, far more than the three overwrite passes the NISPOM's method d) calls for, and on a drive of any size each pass will take a while. Two cautions: the drive CANNOT be the boot disk, and none of its partitions may be mounted, so run the script from a system booted by some other means, such as an installation CD or a boot diskette, or against a second disk that is not in use. And check the device name twice before pressing Enter; dd will happily wipe whatever you point it at.
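The three-pass overwrite the NISPOM matrix describes under d), and the dd loop above, can be combined into one procedure that also does the verification step the matrix requires. The script below is an added example written for this column, not code from the NISPOM or from any of the tools mentioned later: it writes a fixed byte (0x55), then its complement (0xAA), then random data, and reads the target back after every pass to confirm the write took. The target path and its size in bytes are the caller's choice (a raw device such as /dev/rdsk/c0t1d0s2, or a scratch file for a dry run); the script assumes GNU coreutils (head -c, sha256sum) and a target that is not mounted.

```shell
#!/bin/bash
# Added example: NISPOM method d) (character, complement, random, verify)
# with standard shell tools. TARGET and SIZE are supplied by the caller.
export LC_ALL=C   # tr must operate on raw bytes, not locale characters

# Emit SIZE bytes of the single byte given as two hex digits (55, AA, ...).
pattern_stream() {
    local size=$1 hex=$2
    head -c "$size" /dev/zero | tr '\000' "\\$(printf '%03o' "0x$hex")"
}

# Hash SIZE bytes read back from TARGET, so every pass is verified the same way.
readback_hash() {
    head -c "$1" "$2" | sha256sum | cut -d' ' -f1
}

# One fixed-byte pass; returns 0 only if the disk reads back as that byte throughout.
fixed_pass() {
    local target=$1 size=$2 hex=$3 expect actual
    pattern_stream "$size" "$hex" > "$target" && sync
    expect=$(pattern_stream "$size" "$hex" | sha256sum | cut -d' ' -f1)
    actual=$(readback_hash "$size" "$target")
    [ "$expect" = "$actual" ]
}

# Random pass: tee writes the stream to the disk while sha256sum hashes the
# same bytes. tee is the writer, so once the pipeline returns the write is done
# and the read-back hash can be compared with what was sent.
random_pass() {
    local target=$1 size=$2 written readback
    written=$(head -c "$size" /dev/urandom | tee "$target" | sha256sum | cut -d' ' -f1)
    sync
    readback=$(readback_hash "$size" "$target")
    [ "$written" = "$readback" ]
}

# The full sequence. Stops at, and names, the first pass that fails to verify.
sanitize() {
    local target=$1 size=$2
    fixed_pass "$target" "$size" 55 || { echo "pass 1 (0x55) failed to verify" >&2; return 1; }
    fixed_pass "$target" "$size" AA || { echo "pass 2 (0xAA) failed to verify" >&2; return 1; }
    random_pass "$target" "$size"   || { echo "pass 3 (random) failed to verify" >&2; return 1; }
    echo "3 passes written and verified on $target"
}

# Dry run against a 4 MiB scratch file (constructed here) instead of a disk.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp)
    head -c 4194304 /dev/urandom > "$scratch"
    sanitize "$scratch" 4194304
    rm -f "$scratch"
fi
```

On a real drive, pass the raw device and its exact size (on Linux, blockdev --getsize64 /dev/sdX; on Solaris, work it out from prtvtoc) from a system booted off other media, as with the dd loop. Verifying after each pass rather than only at the end costs a full read per pass but catches a drive that silently stops accepting writes partway through, which is exactly the kind of failure that leaves old data behind.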
Available Tools -- Commercial and Free
Numerous software tools are available for sanitizing disks. Some are free. Some are inexpensive. Others are quite costly. The one to use is the one you trust to wipe your drives and the one that is convenient to use. For example, a tool that runs off a DOS boot floppy can make wiping the data from PCs extremely convenient. If the tool in question allows you to select the number of passes and you go over the disk numerous times (3-7 seems to be the norm), you're probably in good shape for releasing all but the most sensitive drives. Tools of this type are numerous and will probably cost you between $50 and $100. Some work both with SCSI and IDE drives. Most will at least claim compliance with the NISPOM standards.
For Unix systems, there are tools such as Scrub from Lawrence Livermore National Laboratory. Tested on Linux, Solaris and AIX, this tool can be set to overwrite a single file, all unused space on a drive or an entire disk drive with six different patterns. See this link for more information on Scrub:
If you would like to do some additional reading on disk sanitization, I recommend that you read both of the following papers:
Remembrance of Data Passed: A Study of Disk Sanitization Practices, by Simson L. Garfinkel and Abhi Shelat, IEEE Security & Privacy, January/February 2003
Secure Deletion of Data from Magnetic and Solid-State Memory, by Peter Gutmann, Sixth USENIX Security Symposium, 1996
The true stories of carelessly recycled disks in the Garfinkel/Shelat paper will give you a good case of the shivers -- especially if you have released disks without a thorough cleansing -- while the image of bad guys using magnetic force microscopy to retrieve your personal photos and credit card numbers from your discarded drives might make you wonder if it's time to go back to pen and paper.
Whether and how you can responsibly and securely release a used disk depends on the drive hardware, the data that the disk has contained and how thoroughly you are willing to wipe it clean. When making decisions about my electric fence, I have to ask myself three questions: how much my livestock want to get out, how much predators want to get in and how much I'm willing to spend on maintaining the status quo. Every decision involving exposure of sensitive data should follow a similar consideration of risk and expense.
Sandra Henry-Stocker has been administering Unix systems for nearly 18 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She currently works for TeleCommunication Systems, a wireless communications company, in Annapolis, Maryland, where no one else necessarily shares any of her opinions. She lives with her second family on a small farm on Maryland's Eastern Shore. Send comments and suggestions to sandra@toadmail.com.