Articles & Presentations

Wednesday, December 21, 2011

(I) How to erase a hard drive before re-using, a service call, giving away or selling a computer


In our business losing data is a bad thing... A very bad thing.  So what do we do when we need to end of life or recycle a PC, Server or anything else with a hard drive?

Do you have a computer you ever gave to someone?  Or someone gave to you?  What was on the hard drive?  Retired a server?  In our professional side we have to make sure these drives are wiped, erased or sanitized before they leave the building.  Or do we?

Let's take a look at some options to wipe, erase or sanitize drives to protect the data that was/is on them.  This blog will not address the ghost images that require a lab, and microscope or how many wipes.  it covers realistic every day needs for InfoSec and IT professionals.

Encryption as a protection:

If the hard drive was encrypted, then that is as good as wiping the drive.  Just format the drive and your done.  The encryption will sufficiently randomize the data since the data is protected with a key the new owner won't have or know about and hopefully you also formatted the drive hiding it further.  If you use BitLocker, Credant, PointSec, McAfee or other disk encryption solutions that encrypt your drive, you are going to be fairly sure the data will not be recovered if someone tries.

Warning:  Bit locker is not a full disk solution and will only encrypt the active data, so if you have a 1 TB drive and re-installed Windows and enabled Bit-Locker and protected say 25 GB, you will have an exposure of data that was once there past 25 GB before you encrypted.  Free space can be an issue if data was once there prior to using Bit-Locker.

If you use TruCrypt like I do to make encrypted volumes on hard drives and USB drives, this too should be sufficient to protect any data on the drive if you format it and give it away.  You could just create the biggest volume your allowed and encrypt it with TruCrypt.  Now there will be a big block of bits that once reformatted would be pretty much worthless to the new owner.



RAID:

If you think a set of drives in a RAID array would be safe if you broke the drive out of the array, you would be incorrect. I can tell you as I was involved with decommissioning a SAN and we tested a single drive of a RAID group and retrieved data. You will have to treat non-encrypted SAN drives the same as any other drive. Newer SANs have secure clearing options as a part of maintenance, so check if your system has the option, better yet, make it a requirement for your next SAN or RAID storage solution.
Wiping:

Wiping is where you write the entire drive with 0's, 1's or any other character(s) over the entire disk surface and then again and again to meet whatever legal or regulatory requirements you might have.  DoD wiping at a minimum is 3 passes, 
Standard DoD 5220.22-M, US DoD 5220.22-M (ECE) requires 7 passes and there are requirements for even more passes in order to cover up any ghost data that may reside on the drive that researchers have found can exist.... Using a fancy dancy microscope and lab.

Although writing 0's (filing with zeros) over the entire disk will not satisfy government data standards such as DoD 5220.22-M or (NIST) Special Publication 800-88, overwriting the entire hard disk prevents most forensic tools from gaining useful data, what we are most concerned with.

Reality... A 1 pass wipe with say, the Free version of KillDisk or vendor disk tool is plenty and an effective way in both time and cost to scramble data that might have been on the drive.  If you have requirements to wipe a drive more than 3 times... Do yourself a favor and just destroy the drive.. Shredding is faster, cheaper and requires less people time.

How long does wiping take? 
Wiping a drive takes a loooonnnng time...  Recently I wiped a 250GB drive with KillDisk (Free 1 pass wipe) that took 1.5 hours.  If that drive were a 1TB drive it would take roughly 6 hours just for a 1 pass wipe.  Using 'Boot and Nuke' a 3 pass wipe to meet minimum DoD would take roughly 44+ hours for a 1TB drive.  Actually the 3 pass wipe of the same 250GB drive using 'Boot and Nuke' took just short of 11 hours... For a 1 pass wipe it took almost 5 hours.  Clearly KillDisk is more efficient at wiping a drive.

This length of time for just one drive makes wiping a drive an extremely time consuming prospect.  You would have to setup several systems to attach drives to and run the utilities to wipe the disks.  A typical corporation would have too many drives and could make this a full time job, not a cost effective or a good use of people's time... Unless you are required for law or regulatory reasons.  You would then buy an expensive multiple drive unit or utilize a service.

By the Numbers... What it took me:

  • 250GB - Long Test using SeaTools = 1.0 hour (validate/repair drive)
  • 250GB - Full Erase using SeaTools = 1.5 hours
  • 250GB - 1 Pass wipe using KillDisk = 1.5 hours
  • 250GB - 1 Pass wipe using DBaN = 5.0 hours
  • 250GB - 3 Pass wipe using DBaN = 11.0 hours
  • 500GB - Long Test using SeaTools over USB = 2.5 hours
  • 1TB - Full Erase using SeaTools = 5.5 hours
  • 1TB - Full Erase using SeaTools over USB = 8 hours














Of course the type, speed and performance of the drive will vary by model how long wiping will take, but you can get an idea of what to expect with these numbers.

Tip:  If you get a drive that shows really long time estimates that are not what you normally see, just destroy it, it's not worth the time and is probably older and slow.

Drive vendor tools:

All the hard drive vendors have bootable or Windows utilities that can maintain/repair the drive and even wipe it.  Seagate/Maxtor, Western Digital, Samsung, Hitachi and others all have tools to help wipe drives.  I tested for this Blog Seagate SeaTools on a 1TB drive.  Wiping took roughly 5 1/2 hours, roughly the same as a 1 pass KillDisk wipe.

Use a service:

If you don't want to deal with this issue you can opt to take all the drives you retired and you give them to a service that will shred them for you and 'POOF' problem solved.  Just make a form to record the drive serial number, the system it came out of, date the drive was destroyed, who did it with a signature and you would be in good shape for an audit.  Destroying takes no time at all and is fun to watch too!!!  Damn loud.

These services may also provide wiping as well, but compare the cost to destruction.  You will find disk encryption on the system in thequantities you need may make disk encryption a cost effective time saving option vs. wiping more than 1 pass.  Keep in mind if you lease systems or have service contracts, you may have to negotiate what to do with the drive and get the proper wording in your contracts to allow you to wipe or destroy a drive before returning it to the vendor if the drive is NOT encrypted.  You may be in a pickle with your vendor needing the drive back if the drive is NOT encrypted and you can't wipe or destroy it.

So?

The whole purpose of this Blog entry was to develop a process to retire and recycle hardware where we have to ensure the data that was on the system has been wiped so a system can be reused by another party, either internal or external to the company.  The advantage of using a Windows based solution is you can save reports and logs or print the screen and use it in your report the wiping was completed and save it to a directory that matches a log of the disposition of your drives.  Using a IDE/SATA USB drive adapter you can easily plug in drives to a Windows desktop and run the tools against them, save the final screen to disk as proof the wiping occurred.  Good enough for any auditor that might review your data sanitization process.  For server drives like SAS, SATA II or Fibre Channel drives, there are controllers that can be added to a desktop to allow you to see and wipe these drives as well.  

Sanitization Station:

After running these tests to decide what the Policy, Standard and Procedure will be, the next step is to setup a system to do the wiping.  Keeping in mind that several pieces of information are needed to make sure your sanitization is complete and will stand up to an audit.  Here is what I came up with for a small Sanitization Station or stations:
 

  • Windows PC.. (Yeah I know we all love Linux)
  • Install all vendor disk tools for Windows
  • USB to SATA/IDE adapter
  • SAS/SATA controller
  • Install KillDisk Windows
  • Install Secure Erase
  • Install SDelete 
Optional:

Run SATA cable externally from internal controller to improve speed, though I found for this function speed  was not an issue using a USB connected solution.  We are not transferring any data, just a few commands.

This setup would let you wipe most drives we use today including flash, thumb, USB, SATA and SAS drives that are found in servers along with older IDE drives and many memory cards used in cameras, phones and smart devices.

A Windows system because it provides you a simple screen capture that you can then paste into a Word document to capture and save the Repair and/or Wiping of the drive for audit purposes.  This is difficult to do on a bootable ISO image as there is no easy way to grab the output of the results from the wiping unless the solution builds in saving to another USB device.
With any drive recycling, auctioning old hardware, service calls or whatever reason a drive must leave your building, the proper paperwork is needed to show it was accounted for and verified wiped or destroyed.

RESOURCES:

KillDisk is the clear choice as it has a FREE 1 pass wipe option and a commercial solution to do multiple drives on multiple systems, data verification and meet DoD wipe requirements.

The vendor tools finish a close 2nd as they are also fast and provide an option to repair/validate your drive in the case you are recycling a system for reuse.  For true drive repair and data recovery, nothing beats Steve Gibson's SpinRite!!

 
GRC SpinRite:
http://www.grc.com/spinrite.htm

Tools:

I hesitate to recommend 'Boot and Nuke' since it is so slow (3x+ slower) and drive wiping is time consuming, so I am pointing you towards the most efficient solution.  Nor can it provide a report like KillDisk and the Vendor Tools running under Windows can.

KillDisk:
http://www.killdisk.com/

Secure Erase:  (For all drive types, including thumb drives, flash and SSD's)
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

SDelete: (Microsoft/SysInternals) utility to wipe drives, files or free space)
http://technet.microsoft.com/en-us/sysinternals/bb897443

Drive Vendors Tools:

Hitachi:
http://www.hitachigst.com/support/downloads/#DFT

Samsung:
http://www.samsung.com/us/support/SupportOwnersFAQPopup.do?faq_id=FAQ00000083&fm_seq=251#

Seagate and Maxtor:
http://www.seagate.com/www/en-us/support/downloads/seatools

Western Digital: (Select your drive and select the correct version of DLGDiag)
http://support.wdc.com/product/download.asp?modelno=DLGDiag&x=0&y=0

General Info:

Security through data erasure website:
http://www.dataerasure.com/

Government Docs:

DSS Clearing and Sanitization Matrix:
http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-005_Exhibit_B.pdf?ga=t

NIST 800-88:  Guidelines for Media Sanitization:
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Common Criteria Validated Products List: (approved wiping tools and other stuff):

 http://www.niap-ccevs.org/cc-scheme/vpl/ 
  • Be sure to use the FREE KillDisk version for home computers or Boot and Nuke to wipe your personal drives before you give or sell them to someone.