Saturday, November 27, 2010

Data remanence and Data erasure

Data remanence is the residual representation of data that remains even after attempts have been made to remove or erase the data.

This residue may result from data being left intact by a nominal file deletion operation, by reformatting of storage media that does not remove data previously written to the media, or through physical properties of the storage medium that allow previously written data to be recovered.

Data remanence may make inadvertent disclosure of sensitive information possible, should the storage media be released into an uncontrolled environment (e.g., thrown in the trash, or given to a third party).

Various techniques have been developed to counter data remanence.

These techniques are classified as clearing, purging/sanitizing or destruction. Specific methods include overwriting, degaussing, encryption, and physical destruction.

Effective application of countermeasures can be complicated by several factors, including media that are inaccessible, media that cannot effectively be erased, advanced storage systems that maintain histories of data throughout the data's life cycle, and persistence of data in memory that is typically considered volatile.

Several standards exist for the secure removal of data and the elimination of data remanence.

Causes

Many operating systems, file managers, and other software provide a facility where a file is not immediately deleted when the user requests that action. Instead, the file is moved to a holding area, to allow the user to easily revert a mistake.

Similarly, many software products automatically create backup copies of files that are being edited, to allow the user to restore the original version, or to recover from a possible crash (autosave feature).

Even when an explicit deleted file retention facility is not provided or when the user does not use it, operating systems do not actually remove the contents of a file when it is deleted. Instead, they simply remove the file's entry from the file system directory, because this requires less work and is therefore faster. The contents of the file—the actual data—remain on the storage medium.

The data will remain there until the operating system reuses the space for new data. In some systems, enough filesystem metadata are also left behind to enable easy undeletion by commonly available utility software. Even when undelete has become impossible, the data, until it has been overwritten, can be read by software that reads disk sectors directly.

Computer forensics often employs such software.

Likewise, reformatting, repartitioning or reimaging a system is not always guaranteed to write to every area of the disk, though all will cause the disk to appear empty or, in the case of reimaging, empty except for the files present in the image, to most software.

Finally, even when the storage medium is overwritten, physical properties of the medium may make it possible to recover the previous contents. In most cases however, this recovery is not possible by just reading from the storage device in the usual way, but requires using laboratory techniques such as disassembling the device and directly accessing/reading from its components.

The section on complications gives further explanations for causes of data remanence.
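To make the mechanism above concrete, here is a tiny simulated flat filesystem written for this page (not code from the original article): deleting a file drops only its directory entry, a raw sector scan still finds the contents, and they disappear only once the sectors are reused or deliberately zeroed. Sector size, layout, the first-fit allocator and the sample record are all constructed for the example.

```python
"""Simulated flat filesystem (constructed for this example) showing why a
nominal 'delete' leaves file contents on the medium until the space is reused."""

SECTOR = 16        # bytes per sector; unrealistically small so the medium is easy to inspect
N_SECTORS = 8


class TinyFS:
    def __init__(self):
        self.disk = bytearray(SECTOR * N_SECTORS)   # the raw medium
        self.directory = {}                         # name -> list of sector numbers
        self.free = list(range(N_SECTORS))          # free-sector list (first-fit allocator)

    def write(self, name, data):
        needed = -(-len(data) // SECTOR)            # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        sectors = [self.free.pop(0) for _ in range(needed)]
        for i, s in enumerate(sectors):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.disk[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.directory[name] = sectors

    def delete(self, name):
        """What most filesystems do: drop the directory entry and mark the
        sectors free. The bytes themselves are not touched, because that is cheaper."""
        self.free.extend(self.directory.pop(name))
        self.free.sort()                            # first-fit: lowest free sector is reused next

    def shred(self, name):
        """Clearing: overwrite the file's sectors with zeros, then delete it."""
        for s in self.directory[name]:
            self.disk[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
        self.delete(name)

    def carve(self, needle):
        """Forensic-style raw read: search the whole medium, ignoring the directory."""
        return bytes(self.disk).find(needle)


def demo():
    """Returns whether the record is still findable after delete, after reuse, after shred."""
    fs = TinyFS()
    secret = b"PATIENT-4711:HIV+"                  # constructed sample record
    fs.write("record.txt", secret)
    fs.delete("record.txt")
    after_delete = fs.carve(secret) != -1          # True: contents survive the delete
    fs.write("notes.txt", b"x" * SECTOR * 2)       # new data reuses the freed sectors ...
    after_reuse = fs.carve(secret) != -1           # ... and only now the record is gone
    fs.write("other.txt", secret)
    fs.shred("other.txt")
    after_shred = fs.carve(secret) != -1           # False: zeroed before the delete
    return after_delete, after_reuse, after_shred


if __name__ == "__main__":
    print(demo())
```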

Countermeasures

There are three levels commonly recognized for eliminating remnant data:

Clearing

Clearing is the removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software file/data recovery utilities. The data may still be recoverable, but not without special laboratory techniques.

Clearing is typically an administrative protection against accidental disclosure within an organization. For example, before a hard drive is re-used within an organization, its contents may be cleared to prevent their accidental disclosure to the next user.

Purging

Purging or sanitising is the removal of sensitive data from a system or storage device with the intent that the data can not be reconstructed by any known technique. Purging, proportional to the sensitivity of the data, is generally done before releasing media outside of control, such as before discarding old media, or moving media to a computer with different security requirements.

Destruction

The storage medium is physically destroyed. Effectiveness of physical destruction varies. Depending on recording density of the medium, and/or the destruction technique, this may leave data recoverable by laboratory methods.

Conversely, physical destruction using appropriate techniques is generally considered the most secure method available.

Specific methods

Overwriting

A common method used to counter data remanence is to overwrite the storage medium with new data.

This is often called wiping or shredding a file or disk. Because such methods can often be implemented in software alone, and may be able to selectively target only part of a medium, it is a popular, low-cost option for some applications. Overwriting is generally an acceptable method of clearing, as long as the media is writable and not damaged.

The simplest overwrite technique writes the same data everywhere—often just a pattern of all zeros. At a minimum, this will prevent the data from being retrieved simply by reading from the medium again using standard system functions.

To counter more advanced data recovery techniques, specific overwrite patterns are often prescribed.

These may be generic patterns intended to eradicate any trace signatures. For example, writing repeated, alternating patterns of ones and zeros may be more effective than zeros alone. Combinations of patterns are frequently specified.

One challenge with an overwrite is that some areas of the disk may be inaccessible, due to media degradation or other errors.

Software overwrite may also be problematic in high-security environments which require stronger controls on data commingling than can be provided by the software in use. The use of advanced storage technologies may also make file-based overwrite ineffective.
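An added example (not from the original article) of the overwrite technique described above: a file is overwritten in place with several patterns, each pass is flushed to the medium, the final pass is verified by reading it back, and sectors that refuse writes are recorded as the defects log that the standards discussed later on this page ask for. The file path, the pattern sequence and the sample record are constructed; the code reaches only the file's logical blocks, so the complications below (journaling, copy-on-write, wear levelling, remapped sectors) still apply.

```python
"""Multi-pass in-place overwrite of a file with read-back verification and a
defects log. Constructed for this example; not a reference implementation of any
standard. It clears the file's logical blocks only: journaling or copy-on-write
filesystems and wear-levelled SSDs can keep older copies where this cannot reach."""
import os
import tempfile

SECTOR = 512

# zeros, ones, alternating bits, random, then a final deterministic pass to verify
DEFAULT_PASSES = (b"\x00", b"\xff", b"\x55\xaa", None, b"\x00")


def pattern_block(pattern, size):
    """Tile a short pattern to `size` bytes; None means a fresh random block."""
    if pattern is None:
        return os.urandom(size)
    reps = -(-size // len(pattern))                 # ceiling division
    return (pattern * reps)[:size]


def overwrite_file(path, passes=DEFAULT_PASSES):
    """Overwrite every byte of `path` once per pass, fsync after each pass, then
    read the file back and check it matches the final pattern.

    Returns {"passes", "verified", "bad_sectors"}; bad_sectors holds offsets the
    device refused to write (the 'defects log'), and verification fails if any exist.
    """
    size = os.path.getsize(path)
    defects = []
    with open(path, "r+b", buffering=0) as f:      # unbuffered: every write reaches the OS
        for pattern in passes:
            for off in range(0, size, SECTOR):
                n = min(SECTOR, size - off)
                try:
                    f.seek(off)
                    f.write(pattern_block(pattern, n))
                except OSError:                     # bad sector: log it and keep going
                    if off not in defects:
                        defects.append(off)
            f.flush()
            os.fsync(f.fileno())                    # push the pass out of the page cache
        final = passes[-1]
        verified = final is not None                # a random final pass cannot be verified
        if verified:
            for off in range(0, size, SECTOR):      # read back and compare sector by sector
                n = min(SECTOR, size - off)
                f.seek(off)
                if f.read(n) != pattern_block(final, n):
                    verified = False
    return {"passes": len(passes), "verified": verified and not defects,
            "bad_sectors": defects}


def shred(path, passes=DEFAULT_PASSES):
    """Overwrite first, unlink last: a crash mid-way leaves a visibly wiped file
    rather than a 'deleted' entry whose contents are still on the medium."""
    report = overwrite_file(path, passes)
    os.remove(path)
    return report


def demo():
    """Constructed sample: a temp file holding fake records is cleared, then shredded."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"SSN 078-05-1120 card 4111-1111-1111-1111\n" * 40)   # sample values only
    report = overwrite_file(path)
    with open(path, "rb") as f:
        content = f.read()
    still_there = b"078-05-1120" in content
    all_zero = content == bytes(len(content))
    shred(path)
    return report["verified"], still_there, all_zero, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```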

Feasibility of recovering overwritten data

Peter Gutmann investigated data recovery from nominally overwritten media in the mid-1990s. He suggested magnetic force microscopy may be able to recover such data, and developed specific patterns, for specific drive technologies, designed to counter it. These patterns have come to be known as the Gutmann method.

Daniel Feenberg, an economist at the private National Bureau of Economic Research, claims that the chances of overwritten data being recovered from a modern hard drive amount to "urban legend". He also points to the "18½ minute gap" Rose Mary Woods created on a tape of Richard Nixon discussing the Watergate break-in.

Erased information in the gap has not been recovered, and Feenberg claims doing so would be an easy task compared to recovery of a modern high density digital signal.

As of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not as a sanitization method. Only degaussing or physical destruction is acceptable for the latter.

On the other hand, according to the 2006 NIST Special Publication 800-88 (p. 7): "Studies have shown that most of today's media can be effectively cleared by one overwrite" and "for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged."

An analysis by Wright et al. of recovery techniques, including magnetic force microscopy, also concludes that a single wipe is all that is required for modern drives. They point out that the long time required for multiple wipes "has created a situation where many organisations ignore the issue all together – resulting in data leaks and loss."

Degaussing

Degaussing is the removal or reduction of a magnetic field of a disk or drive, using a device called a degausser that has been designed for the media being erased. Applied to magnetic media, degaussing may purge an entire media element quickly and effectively.

Degaussing often renders hard disks inoperable, as it erases low-level formatting that is only done at the factory during manufacturing. It is possible, however, to return the drive to a functional state by having it serviced at the manufacturer. Degaussed floppy disks can generally be reformatted and reused with standard consumer hardware.

In some high-security environments, one may be required to use a degausser that has been approved for the task. For example, in US government and military jurisdictions, one may be required to use a degausser from the NSA's "Evaluated Products List".

Encryption

Encrypting data before it is stored on the medium may mitigate concerns about data remanence. If the decryption key is strong and carefully controlled (i.e., not itself subject to data remanence), it may effectively make any data on the medium unrecoverable.

Even if the key is stored on the medium, it may prove easier or quicker to overwrite just the key rather than the entire disk.

Encryption may be done on a file-by-file basis, or on the whole disk. Cold boot attacks are one of the few possible methods for subverting a whole-disk encryption method, as there is no possibility of storing the plain text key in an unencrypted section of the medium. However, even this is unlikely and difficult to execute in a non-laboratory situation, as a cold boot attack requires immediate network access to the computer and is only possible within several minutes or even seconds of the system being depowered, depending on the kind of random access memory used. Even then there is still the possibility of the key itself being scrambled or otherwise protected, which may make even this method fail.

Other side-channel attacks, like the use of hardware-based keyloggers or acquisition of a written note containing the decryption key, may offer a greater chance of success, but do not rely on weaknesses in the cryptographic method employed. As such, their relevance for this article is minor.
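An added example (not from the original article) of the key-destruction idea above: the ciphertext stays on the medium, only the key is overwritten in place, and nothing stored remains readable afterwards. The HMAC-based keystream, the volume class and the sample record are constructed for illustration only; a deployed system would use a standard cipher mode such as AES-XTS. The demo also shows the caveat in the text: a stale copy of the key that escaped erasure still decrypts everything.

```python
"""Crypto-shredding illustration, constructed for this example: sanitise an
encrypted volume by destroying the key rather than overwriting the medium."""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256. A stand-in for a real cipher
    (AES-XTS/GCM in practice), used here only because it needs nothing beyond
    the standard library."""
    out = bytearray()
    for ctr in range(-(-length // 32)):             # 32-byte blocks, ceiling division
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key, plaintext):
    nonce = os.urandom(16)                          # fresh nonce per stored block
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


class EncryptedVolume:
    """Medium that only ever holds ciphertext; the single key lives in a small
    separate slot, which is the only thing that has to be erasable."""

    def __init__(self):
        self.key = bytearray(os.urandom(32))
        self.sectors = {}                           # lba -> ciphertext, never plaintext

    def store(self, lba, data):
        self.sectors[lba] = encrypt(bytes(self.key), data)

    def load(self, lba):
        return decrypt(bytes(self.key), self.sectors[lba])

    def crypto_shred(self):
        """Overwrite the key in place. The medium is untouched, yet every sector
        on it is now unrecoverable; cheaper than wiping the whole disk."""
        for i in range(len(self.key)):
            self.key[i] = 0


def demo():
    vol = EncryptedVolume()
    record = b"PATIENT-4711:HIV+"                   # constructed sample record
    vol.store(0, record)
    readable_before = vol.load(0) == record
    stale_copy = bytes(vol.key)                     # a key copy that escaped (e.g. swapped RAM)
    vol.crypto_shred()
    readable_after = vol.load(0) == record          # False: ciphertext alone is useless
    via_stale_copy = decrypt(stale_copy, vol.sectors[0]) == record   # True: key remanence wins
    return readable_before, readable_after, via_stale_copy


if __name__ == "__main__":
    print(demo())
```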

Physical destruction

Thorough physical destruction of the entire data storage medium is generally considered the most certain way to counter data remanence.

However, the process is generally time-consuming and cumbersome. Physical destruction may require extremely thorough methods, as even a small media fragment may contain large amounts of data.

Specific destruction techniques include:

  • Physically breaking the media apart, by grinding, shredding, etc.

  • Incinerating

  • Phase transition (i.e., liquification or vaporization of a solid disk)

  • Application of corrosive chemicals, such as acids, to recording surfaces

  • For magnetic media, raising its temperature above the Curie point

  • For many electric volatile and non-volatile storage media, application of extremely high voltage as compared to safe operational specifications


Complications

Inaccessible media areas

Storage media may have areas which become inaccessible by normal means. For example, magnetic disks may develop new "bad sectors" after data have been written, and tapes require inter-record gaps.

Modern hard disks often feature automatic remapping of marginal sectors or tracks, which the OS may not even be aware of. This problem is especially significant in solid state drives (SSDs) that rely on relatively large relocated bad block tables. Attempts to counter data remanence by overwriting may not be successful in such situations, as data remnants may persist in such nominally inaccessible areas.

Advanced storage systems

Data storage systems with more sophisticated features may make overwrite ineffective, especially on a per-file basis.

Journaling file systems increase the integrity of data by recording write operations in multiple locations, and applying transaction-like semantics.

On such systems, data remnants may exist in locations "outside" the nominal file storage location.

Some file systems implement copy-on-write or built-in revision control, with the intent that writing to a file never overwrites data in-place.

Technologies such as RAID and anti-fragmentation techniques may result in file data being written to multiple locations, either by design (for fault tolerance), or as data remnants.

Wear leveling can also defeat data erasure, by relocating blocks between the time when they are originally written and the time when they are overwritten.

Optical media

Optical media are not magnetic and are not affected by degaussing. Write-once optical media (CD-R, DVD-R, etc.) also cannot be purged by overwrite. Read/write optical media, such as CD-RW and DVD-RW, may be receptive to overwriting.

Methods for successfully sanitizing optical discs include delaminating-abrasion of the metallic data layer, shredding, destructive electrical arcing (as by exposure to microwave energy), and submersion in a polycarbonate solvent (e.g., acetone).

Data in RAM

Data remanence has been observed in static RAM, which is typically considered volatile (i.e., contents are erased with loss of electrical power). In the study, data retention was sometimes observed even at room temperature.

Another study found data remanence in dynamic random access memory (DRAM), again with data retention of seconds to minutes at room temperature and "a full week without refresh when cooled with liquid nitrogen."

The study authors were able to use a cold boot attack to recover cryptographic keys for several popular full disk encryption systems. Despite some memory degradation, they were able to take advantage of redundancy in the way keys are stored after they have been expanded for efficient use, such as in key scheduling.

The authors recommend that computers be powered down, rather than left in a "sleep" state, when not in the physical control of the owner, and in some cases, such as when BitLocker is used, that a boot PIN also be configured.

Modern RAM chips have a built-in self-refresh module, so they can retain data for as long as they have a power supply and a clock signal.

It is also possible to prevent data remanence on RAM by running a memory testing tool, such as Memtest86, in order to overwrite the entire RAM.

Standards

United States

  • NIST Special Publication 800-88: Guidelines for Media Sanitization, September 2006

  • DoD 5220.22-M: National Industrial Security Program Operating Manual (NISPOM), February 2006

    • Current editions no longer contain any references to specific sanitization methods. Standards for sanitization are left up to the Cognizant Security Authority.

    • Although the NISPOM text itself never described any specific methods for sanitization, past editions (1995 and 1997) did contain explicit sanitization methods within the Defense Security Service (DSS) Clearing and Sanitization Matrix inserted after Section 8-306. The DSS still provides this matrix and it continues to specify methods.

    • As of the Nov 2007 edition of the matrix, overwriting is no longer acceptable for sanitization of magnetic media. Only degaussing (with an NSA approved degausser) or physical destruction is acceptable.



  • Army AR380-19 Information Systems Security, February 1998

  • Air Force AFSSI-5020 Remanence Security, August 1996

  • Navy NAVSO P5239-26 Remanence Security, September 1993


Canada

  • RCMP B2-002: IT Media Overwrite and Secure Erase Products, May 2009

  • Communications Security Establishment Clearing and Declassifying Electronic Data Storage Devices, July 2006


Data erasure

Data erasure (also called data clearing) is a software-based method of overwriting data that completely destroys all electronic data residing on a hard disk drive or other digital media.

Permanent data erasure goes beyond basic file deletion commands, which only remove direct pointers to data disk sectors and make data recovery possible with common software tools. Unlike degaussing and physical destruction, which render the storage media unusable, data erasure removes all information while leaving the disk operable, preserving IT assets and the environment.

Software-based overwriting uses a software application to write patterns of meaningless data onto each of a hard drive's sectors. There are key differentiators between data erasure and other overwriting methods, which can leave data intact and raise the risk of data breach or spill, identity theft and failure to achieve regulatory compliance.

Data erasure also provides multiple overwrites so that it supports recognized government and industry standards. It provides verification of data removal, which is necessary for meeting certain standards.

To protect data on lost or stolen media, some data erasure applications remotely destroy data if the password is incorrectly entered.

Data erasure tools can also target specific data on a disk for routine erasure, providing a hacking protection method that is less time-consuming than encryption.

Importance

Information technology (IT) assets commonly hold large volumes of confidential data.

Social security numbers, credit card numbers, bank details, medical history and classified information are often stored on computer hard drives or servers and can inadvertently or intentionally make their way onto other media such as printer, USB, flash, Zip, Jaz, and REV drives.

Data breach

Increased storage of sensitive data, combined with rapid technological change and the shorter lifespan of IT assets, has driven the need for permanent data erasure of electronic devices as they are retired or refurbished.

Also, compromised networks and laptop theft and loss, as well as that of other portable media, are increasingly common sources of data breaches.

If data erasure does not occur when a disk is retired or lost, an organization or user faces the possibility that data will be stolen and compromised, leading to identity theft, loss of corporate reputation, threats to regulatory compliance and financial impacts.

Companies have spent nearly $5 million on average to recover when corporate data was lost or stolen. High profile incidents of data theft include:

  • Oklahoma Corporation Commission (2008-05-21): Server sold at auction compromises more than 5,000 Social Security numbers.

  • University of Florida College of Medicine, Jacksonville (2008-05-20): Photographs and identifying information of 1,900 on improperly disposed computer.

  • Compass Bank (2008-03-21): Stolen hard drive contains 1,000,000 customer records.

  • Lifeblood (2008-02-13): Missing laptops contain personal information including dates of birth and some Social Security numbers of 321,000.

  • Hannaford (2008-03-17): Breach exposes 4.2 million credit, debit cards.

  • CardSystems Solutions (2005-06-19): Credit card breach exposes 40 million accounts.


Regulatory compliance

Strict industry standards and government regulations are in place that force organizations to mitigate the risk of unauthorized exposure of confidential corporate and government data.

These regulations include HIPAA (Health Insurance Portability and Accountability Act); FACTA (The Fair and Accurate Credit Transactions Act of 2003); GLB (Gramm-Leach Bliley); Sarbanes-Oxley Act (SOx); and Payment Card Industry Data Security Standards (PCI DSS).

Failure to comply can result in fines and damage to company reputation, as well as civil and criminal liability.

Preserving assets and the environment

Data erasure offers an alternative to physical destruction and degaussing for secure removal of all disk data.

Physical destruction and degaussing destroy the digital media, requiring disposal and contributing to electronic waste while negatively impacting the carbon footprint of individuals and companies. Hard drives are nearly 100% recyclable and can be collected at no charge from a variety of hard drive recyclers after they have been sanitized.

Limitations

Data erasure through overwriting only works on hard drives that are functioning and writing to all sectors. Bad sectors cannot usually be overwritten but may contain recoverable information. Software driven data erasure could also be compromised by malicious code.

Differentiators

Software-based data erasure uses a special application to write a combination of 1's and 0's onto each hard drive sector. The level of security depends on the number of times the entire hard drive is written over.

Full disk overwriting

There are many overwriting programs, but data erasure offers complete security by destroying data on all areas of a hard drive. Disk overwriting programs that cannot access the entire hard drive, including hidden/locked areas like the host protected area (HPA), device configuration overlay (DCO), and remapped sectors, perform an incomplete erasure, leaving some of the data intact. By accessing the entire hard drive, data erasure eliminates the risk of data remanence.

Data erasure also bypasses the BIOS and OS. Overwriting programs that operate through the BIOS and OS will not always perform a complete erasure due to altered or corrupted BIOS data and may report back a complete and successful erasure even if they do not access the entire hard disk, leaving data accessible.

Hardware support

Data erasure can be deployed over a network to target multiple PCs rather than having to erase each one sequentially. In contrast with DOS-based overwriting programs that may not detect all network hardware, Linux-based data erasure software supports high-end server and storage area network (SAN) environments with hardware support for Serial ATA, Serial Attached SCSI (SAS) and Fibre Channel disks and remapped sectors. It operates directly with sector sizes such as 520, 524, and 528, removing the need to first reformat back to 512 sector size.

Standards

Many government and industry standards exist for software-based overwriting that removes data. A key factor in meeting these standards is the number of times the data is overwritten.

Also, some standards require a method to verify that all data has been removed from the entire hard drive and to view the overwrite pattern. Complete data erasure should account for hidden areas, typically DCO, HPA and remapped sectors.

The 1995 edition of the National Industrial Security Program Operating Manual (DoD 5220.22-M) permitted the use of overwriting techniques to sanitize some types of media by writing all addressable locations with a character, its complement, and then a random character.

This provision was removed in a 2001 change to the manual and was never permitted for Top Secret media, but it is still listed as a technique by many providers of data erasure software.

Data erasure software should provide the user with a validation certificate indicating that the overwriting procedure was completed properly.

Data erasure software should also comply with requirements to erase hidden areas, provide a defects log list, and list bad sectors that could not be overwritten.

Data can sometimes be recovered from a broken hard drive.

However, if the platters on a hard drive are damaged, such as by drilling a hole through the drive (and the platters inside), then data can only be recovered by bit-by-bit analysis of each platter with advanced forensic technology. Seagate is the only company in the world to have credibly claimed such technology, although some governments may also be able to do this.

Number of overwrites needed

Data on floppy disks can sometimes be recovered by forensic analysis even after the disks have been overwritten once with zeros (or random zeros and ones). This is not the case with modern hard drives:

  • According to the 2006 NIST Special Publication 800-88 Section 2.3 (p. 6): "Basically the change in track density and the related changes in the storage medium have created a situation where the acts of clearing and purging the media have converged. That is, for ATA disk drives manufactured after 2001 (over 15GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack."

  • According to the 2006 CMRR Tutorial on Disk Drive Data Sanitization Document (p. 8): "Secure erase does a single on-track erasure of the data on the disk drive. The U.S. National Security Agency published an Information Assurance Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track overwrite passes gave no additional erasure."



  • "Secure erase" is a utility built into modern ATA hard drives that overwrites all data on a disk, including remapped (error) sectors.

