Educause Security Discussion mailing list archives
Re: HD destruction
From: "Delaney, Cherry L." <cdelaney () PURDUE EDU>
Date: Thu, 15 Mar 2007 15:09:28 -0400
Thank you for the images and clear explanation of the different processes and options. We came to similar conclusions on destroying the drive since personnel time devoted to cleaning the hard drives was more than the destruction and considered more secure.

Cherry

-----Original Message-----
From: Alan Amesbury [mailto:amesbury () OITSEC UMN EDU]
Sent: Thursday, March 15, 2007 12:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HD destruction

Recently I did some research on this for the University of Minnesota. The information below is based on my findings, and is less than a year old.

Short answers: Physical destruction is the most thorough way to ensure data on the drive is irretrievable. Overwriting may work, but tools like DBAN may not get *ALL* the data.

Ray Bruder wrote:
> We currently use an outside vendor to destroy our hard drives and receive a document of certification this work has been completed.
This is, without question, the safest way to go. It's very hard to recover data from a physically destroyed hard drive. That said, if you've the resources to expend towards wiping the drives, that's an acceptable route as well.
> Does anyone simply have the HD's scrubbed and receive a certified doc and feel this is sufficient? I was led to believe in the past that you can still recover data from scrubbed drives.
Gordon Hughes at UCSD's CMRR has done a lot of research into this. He's actively involved in the definition of the Secure Erase capabilities that are a mandatory part of the ATA spec (and, perversely, NOT a mandatory part of the SCSI spec?) He claims that "ATA drives less then [sic] 3-4 years old (more than 15-20 GBytes) support secure erase."[1] As for overwrites, "[e]xperimental testing at CMRR on drives with secure erase demonstrates that a single verified write pass with a random data pattern makes all original data unrecoverable....."[2]

In my own relatively crude testing (booted with Helix and examined the raw disk for data), I found that CMRR's Secure Erase utility[3] worked as advertised. A drive cleared with "fast erase" remained unusable until it had completed its overwrite. The biggest downside is that a drive blanked in this fashion lacks obvious external indicators that it's simply locked pending erasure; someone might hook it up, think it's simply not functioning, then toss it instead of letting it complete its erasure pass. An actual "secure erase" pass also worked well.

In my testing, I found that CMRR's claim that drives with capacities of "more than 15-20 Gbytes" was not completely true. In particular, I found an old Maxtor 60GB drive which did NOT have Secure Erase capabilities. I think this was age-related, though, as the drive was older than the 3-4 year range CMRR specifies.

An important thing to note about Secure Erase is that it does NOT use the drive's regular interface for overwriting. Modern ATA drives actually have some space reserved internally, and they can move data around on the platter without the user's knowledge or control. The data *appears* to always be in the same spot, but that's because the operating system is viewing the data as presented to it by the drive. (This is one of the downsides of having intelligent drive controllers.) Secure Erase, in theory, erases the *ENTIRE* drive, not just those areas accessible through the normal interface.

For malfunctioning drives, physical destruction is arguably the safest, most scalable way to go. For example, when the hard drive in my workstation failed, I did this to it:

http://www-users.cs.umn.edu/~amesbury/harddisk_before.png
http://www-users.cs.umn.edu/~amesbury/harddisk_after.png

There's a company located not far from my office that has a very LARGE shredder on site. They normally charge about $2-$3 per hard drive ($25 minimum order), but allowed me to run mine through their shredder free of charge for demo purposes. Their shredder took well under a second to shred my drive, and I watched several dozens of hard drives get shredded in a batch shortly before mine was run through the process. Very few organizations will be able to recover data from a drive processed in this manner. (I *really* want to take this drive to OnTrack to see what they can read.)

The other way to destroy data (and the one I used on that old 60GB Maxtor) is to subject the drive to a magnetic field well in excess of what it's designed to handle. I contacted Seagate to find out what the maximum magnetic field strength was for their drives and, in an extremely short amount of time, their sales people came back with this answer:

Seagate disc drives are specified to operate in 10 Gauss free air spec without error and are tested non-operating up to 30 Gauss. This specification is to insure the drive is not affected by stray magnetic fields that may be given off by adjacent drives within a computer system, and typically not considered for magnetic fields outside a computer system.

Seagate has performed testing on some products to failure, while being subjected to steady state field. During operating conditions, they did not fail until approximately 2x the 1600 A/m spec. But the drive failed significantly under the 16000 A/m spec. Both test were performed in a steady state field.

Where: 1 Oe = 1000/4xpi Am, in air H=B

Note: This information is for Seagate's SCSI drives. ATA drives are not currently tested for magnetic interference.

After wading through some of the units to try to figure out what strength field I might need to wipe a drive, I realized that I didn't really need to do any heavy math. Seagate plainly states that their (SCSI) drives are spec'ed to work in 10 Gauss fields, and that their failure testing was done with steady state fields. So, I took the drive to our own CMRR (Center for Magnetic Resonance Research), waved the drive several times through the force lines of a 9T field (approximately 90,000 Gauss), then tested the drive. It could no longer even pass its self-test, much less work.

So, if you happen to have access to a helium-cooled magnet, this method might work for you, too. Downside: It really doesn't scale.

Footnotes and links:
--------------------
[1] http://cmrr.ucsd.edu/Hughes/SecurEraseNewsletter1004.pdf, page 3
[2] Ibid.
[3] http://cmrr.ucsd.edu/Hughes/HDDErase.zip

CMRR website: http://cmrr.ucsd.edu/

--
Alan Amesbury
OIT Security and Assurance
University of Minnesota
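
An added example, not part of the original message and not CMRR's utility: a drive's ATA IDENTIFY DEVICE data reports whether it has the Security feature set at all and whether it is currently locked, which covers both the old drive without Secure Erase and the drive that looks dead while locked pending erasure. The word and bit positions follow the ATA specification; the function names and the sample blocks are constructed for illustration.

```python
import struct

# Bits of IDENTIFY DEVICE word 128 (security status), per the ATA specification.
SECURITY_BITS = {
    "supported": 0x0001, "enabled": 0x0002,
    "locked": 0x0004, "frozen": 0x0008,
    "count_expired": 0x0010, "enhanced_erase": 0x0020,
}

def erase_minutes(word):
    """Words 89/90: erase time in 2-minute units (classic ATA encoding); 0 = not reported."""
    return None if word == 0 else word * 2

def security_status(identify):
    """Decode the Security feature set state from a 512-byte IDENTIFY block."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", identify)  # 256 little-endian 16-bit words
    status = {name: bool(words[128] & mask) for name, mask in SECURITY_BITS.items()}
    status["erase_minutes"] = erase_minutes(words[89])
    status["enhanced_erase_minutes"] = erase_minutes(words[90])
    return status

def disposal_advice(status):
    """Map the decoded state to the handling decision discussed in the thread."""
    if not status["supported"]:
        return "no Secure Erase: overwrite and verify, or destroy physically"
    if status["locked"]:
        return "locked: possibly mid-erase, do not discard as dead"
    if status["frozen"]:
        return "frozen: power-cycle before issuing security commands"
    return "Secure Erase available"

def make_identify(word128, word89=0, word90=0):
    """Build a constructed IDENTIFY block for the demo (not from a real drive)."""
    words = [0] * 256
    words[128], words[89], words[90] = word128, word89, word90
    return struct.pack("<256H", *words)

if __name__ == "__main__":
    samples = {
        "old drive, no security feature set": make_identify(0x0000),
        "drive ready for erase": make_identify(0x0021, 45, 50),
        "drive locked pending erase": make_identify(0x0007, 45),
    }
    for label, blob in samples.items():
        print(label, "->", disposal_advice(security_status(blob)))
```
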