In the past years, I have seen many many false and misleading statements about what is needed to securely erase or wipe a hard drive. The FUD surrounding this topic with many still purporting to have a means of recovering data using SEMs and AFM (electron microscopy will do) is incredible.
The problem is that it hurts us all.
This year alone (and we are not even through the first month) I have read supposedly reputable security professionals stating that X-Ray machines and scanners will erase a drive. I have read how you need to use a forklift to drive over them.
With the help of a few colleges, I tested the theory (as that was all it ever was) that a SEM or AFM could be used to recover data. There is a reason that NO organization has ever done this, it is not possible. Science is based on empirical testing. Before that point it is not science and is just a hypothesis. Data recovery from a single wipe is not possible. It is up to those who sell the snake oil to prove it. This is science people.
As for a couple of the other versions of FUD in drive wiping I noted?
- An airport body scanner will do nothing to any hard drive. I travel several times a year and I am yet to lose any data from an airport scanner.
- Driving over a drive with a roller (let alone a fork lift) will not damage all the platters and will leave a good level of recovery in most instances. The drive is not always crushed. Using a 2.5 tonne roller, I was able to recover the platters from 45% of drives without trying too hard.
And the Government cannot read your wiped drives either?
"Although somebody like the NSA might be able to use some sort of system to read the magnetic markings on the rest of the platter."
No, they cannot. The NSA does not do this, I hate these silly conspiracy theories. FUD hurts us all! Modern drives use a glass platter with a foil coating. They shatter with the right impact. They do not need to be broken though. They just need to have a secure process to wipe the information?
A secure process to wipe hard drives exists!
The simplest manner is to use the wipe function in the drive. On an ATA, SATA, PATA etc drive there is the firmware Secure Erase command. This is also supported in all good SCSI drives. Not all SCSI and Fibre Channel disk drives support a "Fast SecureErase" capability, but all good modern versions have an Erase function.
Secure Erase (SE) is a positive, simple data destruction process. It is in effect "Electronic data shredding." SE completely erases all possible data areas on a supported drive (and it is difficult to find platter based drives that do not support this command set any more) by overwriting.
A full erase using SE can take 30 minutes to over an hour to complete. The thing is that the drive will restart the wipe if it is power cycled. So just restarting the host will not stop the process.
To ensure that a user cannot take the platter and move it to another drive case (and new firmware) the Fast SE complete phase changes a key and effectively makes the drive unrecoverable in our lifetime.
Basically it is quick. It is non-recoverable. It saves all the BS. It removes the need for the FUD that still surrounds us.
The process is simple:
1.The user wanting to wipe the drive issues the SE security command
a.Set User Password, Security =Maximum (Master Password = Blank)
2. The drive completes a Fast SE process and changes an encryption key locking the drive
3.The SE process is run to do an in-depth wipe (taking 30 minutes to over an hour)
4.The drive is wiped and ready to use.
Once the SE security wipe starts, it cannot be stopped.
The BS and that is what it is around small bits of information being recovered using microscopy from shattered drives is also FUD. Think for a moment, what is there on an isolated 512bit section of drive that you randomly select that you can actually use?
So, how do I wipe my drive?
The utility hdparm [1] will allow this (replace /dev/sda with the drive you seek to wipe).
1Make sure you are logged into the system as root. You can use a boot disk.
2Issue the hdparm command as root and check the drive is not security frozen
a.hdparm -I /dev/sda
b.The result should contain the words "not frozen"
3Issue the command to
a.hdparm -user-master u -security-set-pass Eins /dev/sda
4Confirm the process
a.hdparm -I /dev/sda
b.look for the word "enabled" in the output
5 Issue the AT SE command
a.hdparm -user-master u -security-erase Eins /dev/sda
6When the drive is erased, the output verification will return "not enabled", check using the command:
a.hdparm -I /dev/sda
A DOS/ Windows version of this command also exists [2].
References
[1]http://sourceforge.net/projects/hdparm/
[2]http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
Craig Wright is a Director with Information Defense in Australia. He holds both the GSE, GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law, A Masters Degree in mathematical statistics from Newcastle as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Stuart University where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.
