Apr 14, 2003
* Cleansing the hard drive before recycling your old computers

Last month, I wrote an article about recycling your old computers (see link below). The methods I talked about included donating them to a charity or sending them to a recycling center that will reclaim usable parts and safely discard the rest.  A couple of readers wrote to tell me I failed to mention what I thought was obvious: the need to completely wipe clean the hard disk before giving away your computer.

Kate Mcgee of Oracle wrote, “You should be aware that data continues to exist on hard drives, PDAs, etc.  Before they are donated they need to be wiped to Level 2 for most company proprietary stuff, and anything that you may have used for classified projects will have to be wiped to Level 7, or anyone can access that data.”

Cigital security consultant James Stibbards sent me a link to a recent story in The Salt Lake Tribune that points out what can happen if you fail to properly and completely remove all data from your hard drive before giving away the computer.  It seems that a pair of graduate students at the Massachusetts Institute of Technology’s Laboratory for Computer Science led a project to collect old hard disks to see what information could be harvested from them.

Students Simson Garfinkel and Abhi Shelat collected 158 used hard drives, most of which were purchased on eBay or at secondhand stores.  They discovered that 69 of those disks had recoverable files on them, yielding everything from medical correspondence, love letters and pornography to credit card numbers and ATM transactions with account numbers.

As most IT professionals know, deleting a file does not mean it is gone from the disk; the file’s name is simply gone from the computer’s directory.  Even formatting a hard disk may not be enough to clear off the files.  The MIT students found that 51 of the hard disks they tested had been formatted; yet 19 of them still contained recoverable data.

The U.S. Department of Defense has outlined a number of methods to remove unclassified data from its computers before the PCs are redistributed.  The method chosen for use would be determined by the type of data on the disk.  Among the methods are:

* Deleting – making the files unreadable unless recovered by utility software or other techniques.

* Overwriting – replacing data with zeroes or other meaningless data.

* Degaussing – applying a magnetic field to a magnetic medium to make all data unreadable, typically making the disk permanently unusable.

* Destruction – physically destroying the disk so that no data can be recovered in any way.
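
The gap between deleting and overwriting described above, as an added example that is not part of the original article: a Python script that builds a constructed 32 KB disk image, clears only the directory entry, then zero-fills the image, running a verification pass after each step. The toy directory layout, file name and sample data are assumptions made for illustration.

```python
import os
import tempfile

SECTOR = 512  # assumed sector size for the toy image

def build_image(path, sectors=64):
    """Constructed image: sector 0 is a toy directory, sector 8 holds file data."""
    img = bytearray(SECTOR * sectors)
    img[0:16] = b"LETTER.TXT\x00\x08".ljust(16, b"\x00")  # name + start sector
    secret = b"Card 0000-0000-0000-0000 (constructed sample)"
    img[8 * SECTOR:8 * SECTOR + len(secret)] = secret
    with open(path, "wb") as f:
        f.write(img)

def delete_file(path):
    """'Deleting': clear only the directory entry; data sectors are untouched."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * 16)

def overwrite(path, chunk=1 << 20):
    """'Overwriting': replace every byte of the image with zeroes, then sync."""
    size = os.path.getsize(path)  # regular image file; a raw device needs another size lookup
    with open(path, "r+b") as f:
        for off in range(0, size, chunk):
            f.write(b"\x00" * min(chunk, size - off))
        f.flush()
        os.fsync(f.fileno())

def residual_sectors(path):
    """Verification pass: indexes of sectors that still hold non-zero bytes."""
    dirty = []
    with open(path, "rb") as f:
        for idx, block in enumerate(iter(lambda: f.read(SECTOR), b"")):
            if any(block):
                dirty.append(idx)
    return dirty

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "disk.img")
        build_image(path)
        before = residual_sectors(path)
        delete_file(path)
        after_delete = residual_sectors(path)
        overwrite(path)
        after_overwrite = residual_sectors(path)
    return before, after_delete, after_overwrite

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `([0, 8], [8], [])`: after the delete the data sector is still populated, and only the overwrite leaves the verification pass with nothing to report.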

The link to the DoD site below provides you with specifications for cleansing hard disks, as well as information on specific products or utilities you can use.  Among the products the government uses are:

* No Trace by Communication Technologies

* DataEraser by ONTRACK Data International

* UniShred Pro by Los Altos Technologies

* Clean Drive by Access Data

* Sanitizer by Infraworks

I would expect that most business users would find the use of such tools adequate for completely removing or overwriting data before redeploying a PC elsewhere, such as donating it to a charity.  If you intend to recycle your computer by allowing it to be disassembled for parts, you can play it safe by removing and physically destroying the hard disk before carting the computer off to the recycling center.

If you have classified information on computers that are headed for the trash heap, I recommend you contact the Defense Information Systems Agency for advice on how to properly handle the data.

