• United States

Destroying disk data

Jan 27, 20043 mins

* In the business of destroying disk data, how meaningful are “DoD standards”?

As a member of the High Technology Crime Investigation Association, I read around five to 10 interesting messages from the closed HTCIA list server every day from all kinds of law enforcement officials, private investigators and forensic specialists. Every now and then I get to respond with what I hope will be useful information. Recently, someone asked for the number of disk overwrites the Department of Defense recommends for destroying classified and secret information.

The writer noted that there’s contradictory information floating about, including explicit statements that three overwrites are required, vs. some claiming that seven are needed.

One of the fundamental resources is the Forest Green Book in the Rainbow Series (see Related Links section below) put out by the National Computer Security Center through the 1980s and early 1990s. At the time the booklet was written, the government recommended that physical methods of destruction be applied to magnetic media; overwriting was mentioned with approval, so long as users paid careful attention to the conditions and software used:

One of the best surveys of the issue of data remanence is a white paper written by DarkStone Data. The author(s) point out that many commercial products blithely reference “DoD standards” but, as they write, “Be very cautious of what software vendors claim their software does, particularly when it concerns security software. Whether you require more than three overwrite passes or not isn’t the point here. The fact is that these vendors have taken this standard out of context.” The author(s) continue with an explanation that the recommendation for three overwrites fails to mention that the Defense Department requires degaussing as well as overwrites to comply with its standards:

A valuable paper by Peter Gutmann recommends a complex sequence of multiple overwrites of up to 27 different patterns and provides extensive documentation about the theoretical and practical issues involved in preventing access to data remnants:

In addition, it is well established that the overwriting must include _all_ areas of the disk and not skip areas due to assumptions underlying the file system code. For example, overwriting the used space of files without overwriting the slack space (the unused space after the end-of-file marker in the last cluster or extent) will miss possibly significant leftover data from a previous file.

In summary, don’t be overly impressed by references to “DoD standards” in the marketing descriptions of file-destruction software. Instead, look into the details of the product if possible to find out to what degree the writers have paid attention to the principles of open design allowing inspection of their algorithms and that they use multiple overwrites of the entire disk surface.

And if you’re throwing dead disk drives out, where it’s impossible to apply software to rewrite the surface, destroy the disks physically. A good sledgehammer, bandsaw, and incinerator can do wonders for obliterating data permanently.