Re: HD destruction

["Delaney, Cherry L." <cdelaney () PURDUE EDU>]

Thank you for the images and clear explanation of the different
processes and options. We came to similar conclusions on destroying the
drive since personnel time devoted to cleaning the hard drives was more
than the destruction and considered more secure. 


Cherry 
-----Original Message-----
From: Alan Amesbury [mailto:amesbury () OITSEC UMN EDU] 
Sent: Thursday, March 15, 2007 12:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HD destruction

Recently I did some research on this for the University of Minnesota.
The information below is based on my findings, and is less than a year
old.

Short answers:  Physical destruction is the most thorough way to ensure
data on the drive is irretrievable.  Overwriting may work, but tools
like DBAN may not get *ALL* the data.

Ray Bruder wrote:

> We currently use an outside vendor to destroy our hard drives and 
> receive a document of certification this work has been completed.

This is, without question, the safest way to go.  It's very hard to
recover data from a physically destroyed hard drive.  That said, if
you've the resources to expend towards wiping the drives, that's an
acceptable route as well.

> Does anyone simply have the HD's scrubbed and receive a certified doc 
> and feel this is sufficient?  I was led to believe in the past that 
> you can still recover data from scrubbed drives.

Gordon Hugues at UCSD's CMRR has done a lot of research into this.  He's
actively involved in the definition of the Secure Erase capabilities
that are a mandatory part of the ATA spec (and, perversely, NOT a
mandatory part of the SCSI spec?)  He claims that "ATA drives less then
[sic] 3-4 years old (more than 15-20 GBytes) support secure erase."[1]
As for overwrites, "[e]xperimental testing at CMRR on drives with secure
erase demonstrates that a single verified write pass with a random data
pattern makes all original data unrecoverable....."[2]

In my own relatively crude testing (booted with Helix and examined the
raw disk for data), I found that CMRR's Secure Erase utility[3] worked
as advertised.  A drive cleared with "fast erase" remained unusable
until it had completed its overwrite.  The biggest downside is that a
drive blanked in this fashion lacks obvious external indicators that
it's simply locked pending erasure; someone might hook it up, think it's
simply not functioning, then toss it instead of letting it complete its
erasure pass.  An actual "secure erase" pass also worked well.

In my testing, I found that CMRR's claim that drives with capacities of
"more than 15-20 Gbytes" was not completely true.  In particular, I
found an old Maxtor 60GB drive which did NOT have Secure Erase
capabilities.  I think this was age-related, though, as the drive was
older than the 3-4 year range CMRR specifies.

An important thing to note about Secure Erase is that it does NOT use
the drive's regular interface for overwriting.  Modern ATA drives
actually have some space reserved internally, and they can move data
around on the platter without the user's knowledge or control.  The data
*appears* to always be in the same spot, but that's because the
operating system is viewing the data as presented to it by the drive.
(This is one of the downsides of having intelligent drive controllers.)
Secure Erase, in theory, erases the *ENTIRE* drive, not just those areas
accessible through the normal interface.

For malfunctioning drives, physical destruction is arguably the safest,
most scalable way to go.  For example, when the hard drive in my
workstation failed, I did this to it:

        http://www-users.cs.umn.edu/~amesbury/harddisk_before.png
        http://www-users.cs.umn.edu/~amesbury/harddisk_after.png


There's a company located not far from my office that has a very LARGE
shredder on site.  They normally charge about $2-$3 per hard drive ($25
minimum order), but allowed me to run mine through their shredder free
of charge for demo purposes.  Their shredder took well under a second to
shred my drive, and I watched several dozens of hard drives get shredded
in a batch shortly before mine was run through the process.  Very few
organizations will be able to recover data from a drive processed in
this manner.  (I *really* want to take this drive to OnTrack to see what
they can read.)

The other way to destroy data (and the one I used on that old 60GB
Maxtor) is to subject the drive to a magnetic field well in excess of
what it's designed to handle.  I contacted Seagate to find out what the
maximum magnetic field strength was for their drives and, in an
extremely short amount of time, their sales people came back with this
answer:

      Seagate disc drives are specified to operate in 10 Gauss free
      air spec without error and are tested non-operating up to 30
      Gauss. This specification is to insure the drive is not affected
      by stray magnetic fields that may be given off by adjacent
      drives within a computer system, and typically not considered
      for magnetic fields outside a computer system.

      Seagate has performed testing on some products to failure, while
      being subjected to steady state field. During operating
      conditions, they did not fail until approximately 2x the 1600
      A/m spec. But the drive failed significantly under the 16000 A/m
      spec. Both test were performed in a steady state field.

      Where: 1 Oe = 1000/4xpi Am, in air H=B

      Note: This information is for Seagate's SCSI drives.  ATA drives
      are not currently tested for magnetic interference.


After wading through some of the units to try to figure out what
strength field I might need to wipe a drive, I realized that I didn't
really need to do any heavy math.  Seagate plainly states that their
(SCSI) drives are spec'ed to work in 10 Gauss fields, and that their
failure testing was done with steady state fields.  So, I took the drive
to our own CMRR (Center for Magnetic Resonance Research), waved the
drive several times through the force lines of a 9T field (approximately
90,000 Gauss), then tested the drive.  It could no longer even pass its
self-test, much less work.  So, if you happen to have access to a
helium-cooled magnet, this method might work for you, too.  Downside:
It really doesn't scale.



Footnotes and links:
--------------------
[1] http://cmrr.ucsd.edu/Hughes/SecurEraseNewsletter1004.pdf, page 3 [2]
Ibid.
[3] http://cmrr.ucsd.edu/Hughes/HDDErase.zip

CMRR website:  http://cmrr.ucsd.edu/


--
Alan Amesbury
OIT Security and Assurance
University of Minnesota