Cleaning up your disks [LWN.net]

Simson Garfinkel has written another story on the interesting things he has found on used disk drives; this one appears in CSO magazine. He looked at some 150 drives, and found that only 10% of them had been sanitized.

One of the drives once lived in an ATM. It contained a year's worth of financial transactions--including account numbers and withdrawal amounts--from a organization that had a legal requirement to not divulge such information. Two other drives contained more than 5,000 credit card numbers--it looked as if one had been inside a cash register. Another had e-mail and personal financial records of a 45-year-old fellow in Georgia. The man is divorced, paying child support and dating a woman he met in Savannah. And, oh yeah, he's really into pornography.

In general, one need not think to long before realizing that letting an unsanitized disk out of your possession is not a particularly good idea. One might well wonder, however, what the best method is for cleaning up a disk. There are a few different options available. Note that running fdisk or mkfs is not an option, however; those utilities leave most of the information on the disk intact.

The safest way, perhaps, is to encrypt the contents of your disks from the beginning. Such disks should be safe even if they leave your possession in an unexpected, undesired way. Most Linux distributions do not come with easy disk encryption options now, but that is likely to change within the next year or so. The inclusion of the crypto-API code in the 2.6 kernel, combined with the block encryption capabilities being patched into the device mapper code, should make this capability widely available.

The GNU shred utility is part of the "coreutils" package. It can be used to overwrite the contents of a single file or an entire device. The single file mode can be tripped up by things like journaling filesystems and should not be relied upon for too much security. When shred is applied to an entire block device, however, it should be effective.

Lacking a tool like shred, one could always overwrite a device with a command like:

    dd if=/dev/urandom of=/dev/disk-to-wipe

The truly paranoid among us will want to run that command more than once.

Another option is the standalone disk wiper, which boots from a diskette or CD to do its cleanup work. This sort of utility is useful when an entire computer is being surplussed, and the person doing the cleanup does not, necessarily, know how to log into and clean the system. Besides, wiping the root disk on a running system can be a difficult operation to complete. A couple of offerings in this area are autoclave and Secure Harddisk Eraser. Both of these are compact Linux systems which boot in a standalone mode and trash the disk. Autoclave goes to some lengths to ensure that the user knows what is about to happen; Secure Harddisk Eraser, instead, simply waits a minute and goes to work.

The final option is the physical destruction of the disk drive. Modern drives can be surprisingly hard to destroy, however.

The one course which is not an option is getting rid of drives without cleaning them up first. It has become clear to a lot of people that used drives can be gold mines of information which should not be disclosed. If you throw away a loaded disk, chances are good that somebody else will go digging through it.

(Log in to post comments)

Cleaning up your disks

Posted Mar 25, 2004 13:48 UTC (Thu) by beejaybee (guest, #1581) [Link]

Lots of newer hard disk drives - especially those fitted to notebook systems - have glass platters. Not too hard to damage beyond any reasonable hope of recovery.

Cleaning up your disks

Posted Mar 25, 2004 20:52 UTC (Thu) by smoogen (subscriber, #97) [Link]

We used to use 4 .44 notched bullets shot at four corners of the drive. I dont know if it really made the disks unreadable, but it kind of felt better after doing it to a drive that had been a thorn in our sides for 6 months.

Cleaning up your disks

Posted Mar 25, 2004 10:00 UTC (Thu) by jmshh (guest, #8257) [Link]

This is probably due to a too bad price/performance ratio. The data salvage companies often have a flat fee per MB for salvaging, and no, you can't have just the one file you are interested in. So the answer is just "sorry, we can't help"

Reading data off an overwritten disk is not giving real bits, but just probabilities ("this 0 bit has 75% probability of being a 1 in a previous life"). It takes lots of effort, so it is expensive and useful for small data areas only.

Here is a very hypothetical scenario where things are balanced differently:

An AES-256 encrypted partition contains the info where the Iraqi WMDs are hidden => the data is really interesting to a concerned party with lots of resources
A file on another partition contains the key, but was overwritten with zeroes => just a small amount of data to salvage, and even probabilities for bits are helping to reduce the brute force search space to manageable size
The disk gets into the hands of the NSA => the new owner knows how to really do it

Cleaning up your disks

Posted Mar 25, 2004 15:07 UTC (Thu) by freethinker (guest, #4397) [Link]

Don't use /dev/random, it's way too slow. Write a quickie program that generates random numbers or something.

Cleaning up your disks

Posted Mar 26, 2004 1:58 UTC (Fri) by wolfrider (guest, #3105) [Link]

--Next time try tacking on ' bs=1M ' (or 2M) to the end. It will speed things up a bit.

Schneier's Advice

Posted Mar 25, 2004 12:43 UTC (Thu) by jhs (subscriber, #12429) [Link]

Don't have the book with me, but I found this excerpt from Applied Cryptography which sounds accurate, to my memory.

According to the National Computer Security Center [1148]:
Overwriting is a process by which unclassified data are written to storage locations that previously held sensitive data.... To purge the...storage media, the DoD requires overwriting with a pattern, then its complement, and finally with another pattern; e.g., overwrite first with 0011 0101, followed by 1100 1010, then 1001 0111. The number of times an overwrite must be accomplished depends on the storage media, sometimes on its sensitivity, and sometimes on different DoD component requirements. In any case, a purge is not complete until a final overwrite is made using unclassified data.

I thought I remember reading something from him elsewhere where he recommended something like the following

all zeroes
all ones
randomness
randomness (again)

Schneier's Advice

Posted Mar 26, 2004 2:22 UTC (Fri) by jhs (subscriber, #12429) [Link]

(Just checked for myself. I guess that explains his "general paranoia.")

1) zeroes
2) ones
3) five passes of cryptographically-secure pseudo-randomness

Not as easy as it sounds

Posted Mar 25, 2004 23:29 UTC (Thu) by xorbe (subscriber, #3165) [Link]

Fortunately, simply zeroing out the drive will stop 99.9999% of all the ordinary harddrive data-swipers. If your enemy has the means to get past that, you've probably got bigger problems...

Not as easy as it sounds

Posted Mar 26, 2004 1:13 UTC (Fri) by freethinker (guest, #4397) [Link]

True...

I do have my paranoid tendencies :)

Use DBAN to erase your disks

Posted Mar 25, 2004 18:08 UTC (Thu) by spudbeach (guest, #5837) [Link]

I will second that motion. I recently gave DBAN to a physician just completing his training. He booted, he nuked, he gave the hospital back a fully HIPPA compliant (i.e., no patient information) laptop. Was quite the thank you to the information systems guys at the hospital, for all of their weak service over the years.

Yes, it took a while, but you can be sure it's working for anything short of the NSA to get the data back. As for dumping 30 computers, it will run in parallel.

Steve Beach

Cleaning up your disks

Posted Mar 25, 2004 18:25 UTC (Thu) by PhracturedBlue (subscriber, #4193) [Link]

I just has a disk failure, which was apparently the onboard controller that failed. Since the drive was under warranty, I needed to return it to the manufacturer to get a free replacement. However there would have been no way to destroy the data on the platter first ( that I'm aware of), as (a) dissasembly would prevent me from returning it under warranty, and (b) because of the failure type I couldn't access the drive from any system to wipe it. Assuming the manufacturer replaces the controller and sends it out as refurbished, all my old data could be availiable to whomever gets it. In this case there was nothing on the drive of much value, but it seems to me that the only way to guard against something like this is to use an encrypted FS. Of course I could have opted to not return it, but that is a costly solution to the problem.

Cleaning up your disks

Posted Mar 25, 2004 22:32 UTC (Thu) by Baylink (subscriber, #755) [Link]

This is probably the best argument for using encrypting filesystems: you never know when a
drive is gonna break on you. And once it's broken...

My personal solution, though I've never tested it, is to rely on the theory that bulk
reel-to-reel tape erasers can generate a spike -- at turn-off time -- that even they
themselves cannot erase cleanly, from the field collapse. Whether in fact such spikes would
make it through the case and render the platter unusable, I don't know for sure, but I have a
strong intuition. It would certainly be worth testing.

Of course, the flip side is, make good (encrypted) backups, and if your drive dies, destroy it
and throw it out.

Cleaning up your disks

Posted Mar 25, 2004 23:21 UTC (Thu) by crouchet (guest, #1084) [Link]

Can you tell those of us who might not know where to go to learn about setting up encrypted file systems?

I tried to figure this out a few years ago and quickly got lost in spite of the fact that I admin Linux systems and have set up and mounted various file systems. I could not decide if it was too complex for me to understand or if it was really simple and I was just trying too hard. ;-)

Bulk tape eraser? > no. (I get physical.)

Posted Mar 26, 2004 0:40 UTC (Fri) by Duncan (guest, #6647) [Link]

I haven't tried it either, but I do recall reading that a modern drive has enough magnetic
shielding that such erasers don't work -- even the power toggle spike doesn't reliably
work, tho it does occasionally.

On the last couple I've had, since I became aware of the issue, I've physically destroyed
the drive, breaking the circuit board (the easy part), prying off the cover, and bending
and scratching the platters with pliers and screwdriver. I'm sure the NSA or equivilent
could get to part of the info, still, but as someone else mentioned with regard to zeroing
the drive, it'll do for 99.9 percent of data-thieves out there, and if someone wants my info
THAT bad, I have bigger problems to worry about.

I'm most worried about the dumpster diver bums around here that keep trying to sell me
old computer stuff, since they know I'm into computers. I wouldn't be interested, but
there are used computer shops around that might offer them $10 or so, all that's needed
for a crank or crack hit, which is what the bums are after. Just destroying the circuit
board would take care of that, and fairly decently suit my needs, but as the guy with the
bullet solution mentioned, there's the satisfaction element to think about, as well. =:^)

The last one I did that to was a Western Digital 100 gig, still under warrantee, and
obviously still big enough to be of some value. As has already been discussed, what is
one to do in that case? Encrypted would be good, but as someone else mentioned,
many of us still find it beyond our capacities. I chalked it up to a poor buying decision in
going Western Digital for the price, when I SHOULD have stuck with my old, reliable,
Maxtor. I know others have other experiences, and WD still has the 3-yr when Maxtor
has gone to one, but if you aren't going to use the warrantee anyway, and when Maxtor
has never yet failed me.. I replaced it with a Maxtor 250G.

One thing I HAVE found out, however, with that physical distruction.. The Maxtors are a
whole lot tougher than that WD was! I have an entirely different perspective on Maxtors
and why they've yet to fail me, now, having taken apart an obviously physically inferior
design in the form of that Western Digital! Having seen the evidence in the physical
device itself, it's possible I may be swayed from Maxtor again, but I doubt I'll ever
purchase a WD again.

Just one guy's exerience..

Duncan

Cleaning up your disks

Posted Mar 26, 2004 1:27 UTC (Fri) by Soruk (guest, #2722) [Link]

My mother's laptop hard disc had failed, and it contained lots of unpublished music scores (thankfully backed up!). When she and I took the machine in for repair I mentioned to the shop the copyright issues and dropped a mention of the rather vicious UK Computer Misuse Act on them (and the notional desire to use a data recovery firm). It seemed to work, they returned the old hard disc in bubble-wrap. Of course there's no telling what they did to it while they had it, but the unit was returned to us. Again this was a disc whose onboard controller had failed so it was impossible to nuke the contents.