Thursday 7 May 2009

Secure Hard Disk Wiping & Disposal

A study by researchers from the University of Glamorgan and BT, resulted in several alarming privacy headlines in the media today - http://news.bbc.co.uk/1/hi/wales/8036324.stm The study involved the purchasing of old computer equipment from trade fairs and online auctions from the UK, US, Germany, France and Australia, and the recovery of data from these purchased items. The researchers were able recover a raft of personal and sensitive data from hard disks, including detailed medical records from a Scottish NHS Trust, military secrets, business financial transactions and an variety of personal information, which included bank details, and the sorts of things identity thieves crave. The study concluded around 40% to 50% of the second hand hard disk drives they randomly purchased held sensitive data which could be recovered by pretty much anyone with half a brain.

I have to say, I am not surprised by this study’s outcome, which highlights the problem of hard disk disposal by both organisations and especially individual home users, who simply neglect to properly erase their personal information from their computer hard disks before selling or disposing of their old computers. Over a year ago I posted about this subject before using a hypothetical story - http://blog.itsecurityexpert.co.uk/2008/03/hard-disk-shredding-story.html I have come across several real incidences of where personal computers had been donated to charities by the way of the old computer equipment recycle bins at local supermarkets and rubbish tips (or as the Council calls them household waste and recycling centres) . These computers end up in places like West Africa, UK young offender’s institutions and youth clubs etc, where new PC users soon discover the original owner’s personal information and website access credentials, and unsurprisingly go on to compromised the bank account and the various online websites used by the original owner, now that’s gratitude for you!

Anyway on to the big question and what the media stories avoided explaining…

What should we do to ensure our personal information is "gone" from our old computer systems before flogging or binning them?

Well removing the hard disk drive from the computer and hitting it repeatedly with a sledge hammer is not quite the best approach. Physically damaging a hard disk does not necessary render it impossible to recovery the data held on it, but hey, it’s still better than doing nothing.

To do the job properly I recommend using a “Hard Disk Wiping” utility. Obliviously the first thing you should do before using such a tool, is ensure you have backed up all your the data, as once you use a hard disk wiping tool, there is no way back.

There are several commercial hard disk wiping utilities available, but there are also some good free utilities which can adequately do the job. My personal favourites are "Darik's Boot And Nuke” aka “dban” http://www.dban.org/, and Eraser http://www.heidi.ie/node/6 (includes dban), [edit based on comments] also Secure Erase is also highly recommended http://cmrr.ucsd.edu/hughes/SecureErase.html

Downloading and running these applications results in the creation of a bootable CD, which you use to boot your computer system direct into the tool operation. If you are a computer novice, you may want to ask that techie relative to help you out.In terms of the type of actual disk wiping method, I always go with securely wiping hard disks to the US Department of Defence standard, by selecting the “US DoD 5220-22.M” option, which will prevent even government secret service forensics experts from recovering the data, never mind petty ID thieves. Some say this level is a little over the top for a personal computer, but if you don't mind the "extra wait" for the process to complete, where's the harm hey!After completion of the hard disk wiping, it’s always a good idea to just double check the hard disk wiping actually worked by trying to boot the computer normally. And if you are super paranoid after applying the DoD 5220 disk wiping standard, go ahead and take your sledgehammer to the hard disk if you really want to.

There are file level secure deletion tools such http://www.fileshredder.org/, but for me, if you are selling or disposing of a computer holding a hard disk, or just a hard disk itself, which has held personal information, you should go with wiping the entire hard disk rather than individual files. This ensures nothing is missed, it is surprising where your personal details end up being stored within a Windows system.

If anyone has any other disk wiping utilities they would like to recommend or novel ways of physically destroying hard disk drives, please go ahead and post a comment.

[edit] NIST have the ultimate say on this subject, read http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

12 comments:

  1. David Spigelman8 May 2009 at 15:54

    I've used DBAN, and it's a great product, but it does take quite a bit of time to run - depending on the size of the drive, of course.
    An alternative to consider is TrueCrypt, which can encrypt individual folders, or the entire hard drive, if you like. If the drive is thus encrypted, and you've used a strong password, it really doesn't matter whether you've wiped it or not. No one's getting access to your data.

    ReplyDelete
  2. Secure Erase is faster and more secure than DBAN.

    For a good guide check out NIST Special Publication 800-88: Guidelines for Media Sanitization.
    http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

    ReplyDelete
  3. Many Thanks for the comments.

    The NIST guide is an excellent read, I will be checking out Secure Erase.

    ReplyDelete
  4. I've used TrueCrypt before and it is a great free tool. I recently met with a healthcare system here in the United States who now has a 3rd party company come in house to punch a 2 inch hole through the entire disk drive before it's taken off site to be recycled. This is the first time I've been to your blog but I'll enjoy reading future posts. If you'd like to follow my blog as well, I'm at www.iprotectyourdata.wordpress.com.

    ReplyDelete
  5. Very interesting study, thanks for sharing this. I'm always looking for the best programs to use for this procedure.

    ReplyDelete
  6. This guide does serve an essential and useful purpose. Thanks for sharing.

    ReplyDelete
  7. Pretty nice post. I just stumbled upon your weblog and wanted to say that I've truly enjoyed browsing your blog posts. In any case I’ll be subscribing to your rss feed


    Quick SSL Premium
    RapidSSL Wildcard | Verisign Secure Site Pro EV Available @ TheSSLstore.com

    ReplyDelete
  8. Any advice on how to go about this when the disk has physically failed. Degausing? Shredding?

    ReplyDelete
  9. Harddisk shredding is the best way to go, as you know for certain it can't be recovered, there are many companies which provide the service & also provides you with an independ destruction note, which may be important to prove to clients/auditors the hardisk was securely disposed of.

    ReplyDelete
  10. If you do not wish to re-use the hard drive forget all about wasting hours and hours running wiping utilities. Simply take out you faithful electric drill and and a 4mm drill bit, then proceed to drill half a dozen holes right through the platter area of the drive. Most likely you will feel/hear the platters actually shatter, even if they don't the inside of the case will fill with swarf and there will be zero chance of the drive ever working again. This method will also defeat a specialist data recovery company as even if they remove the platters (should they still be intact) in a clean room facility to try and read the data they will be defeated by the holes drilled in the discs.

    ReplyDelete
  11. I would recommend Secure Erase as well. It has been proven to wipe out the bits and pieces of digital signatures of the said files.

    ReplyDelete
  12. we would also recommend secure erase. Great article btw!

    ReplyDelete

Any comments with weblinks, or promoting/advertising company products and services will be rejected