disposal of disk and Tape data by Secure Sanitization

Secure Data Sanitization

Disposal of Disk and Tape Data by Secure Sanitization

US laws require secure data sanitization to eradicate data in disk and tape drives, but not all methods offer the highest level of security. The most secure methods include secure erase and physical destruction of devices.

Gordon F. Hughes and Daniel M. Commins, University of California, San Diego
Tom Coughlin, Coughlin Associates

IEEE Security & Privacy, JULY/AUGUST 2009 ■ 1540-7993/09/$26.00 © 2009 IEEE

Disk drives provide primary mass storage for computer systems, and backup tapes maintain their data as well. A cardinal rule for product design of computers, disks, and tapes is to protect user data from accidental deletion. Computer operating systems erase disk files into recycle or trash folders to prevent accidental deletion of user data, and have file recovery commands. File deletion erases only file block pointers, links that let a file system reassemble a file. This type of deletion is fastest and facilitates subsequent restoration of files because the data remains on disk, but it isn’t secure. Erasure of both pointers and file data is an example of secure sanitization. For computer tape, secure sanitization typically involves physical destruction, data encryption, or magnetic degaussing (see http://siswg.org). However, magnetic tapes containing unerased, unencrypted user data are nevertheless often lost. Thus, true computer data sanitization is an abnormal event.1 Typical measures to protect user data and allow convenient and fast user data access and recovery can make the data vulnerable to recovery by unauthorized people. Federally approved methods to reliably sanitize data from retired computer hard disk drives and tapes are critical for both security and privacy reasons. In 2006, the US National Institute of Standards and Technology issued Guidelines for Media Sanitization (NIST 800-88) to address this need.2 US government agencies such as NIST use the term data sanitization to encompass all data eradication methods, including block-by-block overwrite; drive internal secure erase (SE); and physical, chemical, thermal, or magnetic destruction.2,3 The US Center for Magnetic Recording Research (CMRR; http://cmrr.ucsd.edu/hughes) has studied two types of sanitization techniques for more than a decade: magnetic degaussing and SE in magnetic tape and disk drives. This article addresses concerns and developments in user data sanitization on computer magnetic storage devices, specifically hard disk drives and tapes. We discuss federal sanitization guidelines and laws, and we describe sanitization of disk drives by physical destruction or degaussing, nondestructive sanitization by block overwrite or by the in-drive SE command, and enhanced SE via data encryption. We also discuss computer forensics data recovery—the most formidable threat to sanitization security. Finally, we describe SE implementation in devices and their certification, and we present a freeware SE utility as an example of practical data sanitization in the real world.

Federal Guidelines for Data Sanitization

Table 1 outlines comparative times to execute various methods for data sanitization and the resulting data sanitization security. We used NIST 800-88 to rate the security levels.2 NIST 800-88 defines four distinct protocols for user data sanitization: disposal, clearing, purging, and destroying. Disposal means discarding storage media without employing any other sanitization or by deleting user file directories in public operating systems such as Windows or Linux (“OS file deletion” in Table 1). Clearing includes computer software utilities that overwrite user data blocks. Block overwrite is the most common data sanitization technique. Clearing is considerably superior to disposal but can result in incomplete sanitization. Because of media defect errors, data on multiple drive partitions, and several other cases, clearing might not erase user data blocks reassigned to different disk locations. An example of popular external block overwrite software is the DBAN open source program (http://sourceforge.net/projects/srm).

Table 1. Comparison of data sanitization methods.

| Sanitization type | Average time for 100 Gbytes | Security | Comments |
|---|---|---|---|
| OS file deletion | Minutes | Low | Deletes only file pointers, not actual data; data recovery possible through common commercial data recovery software. |
| Block overwrite (DoD 5220; ref. 3) | Up to a half-day | Medium | Now obsolete; needs three writes and one verify; might not erase reassigned blocks; multiple cycles leave other vulnerabilities. |
| NIST 800-88 secure erase (SE) | 30 minutes to three hours | High | Performs in-drive erase of all user-accessible blocks. |
| Enhanced SE | Milliseconds | High | Executes SE of in-drive encryption key. |
| Physical or magnetic destruction | Seconds to minutes | Highest | Required for top secret data and above. |

Clearing utilities are often designed to meet US Department of Defense document DoD 5220,3 which defines a “clearing and sanitization matrix” requiring two fixed-character overwrites and one random-character overwrite, followed by a verify read. However, progress in hard drive technology has rendered DoD 5220 obsolete. All drives today use partial-response recording channels, a technology that randomizes user data before recording, so the first two writes of DoD 5220 no longer function as intended. The US Defense Security Service today requires that federal agencies using overwrite utilities have an authorized DoD laboratory evaluate them for proper functionality.3 NIST 800-88 replaces DoD 5220 for disk sanitization.

Apple’s Mac and Linux offer permanent eraser, which overwrites file blocks in the trash folder multiple times (see http://sourceforge.net/projects/srm and www.apple.com/downloads/macosx/system_disk_utilities/permanenteraser.html). However, permanent eraser provides erasure security only for file systems that overwrite blocks in place or that track the block locations of previous file versions.4 Otherwise, older file versions stored in different blocks will not be erased (see www.forensicswiki.org/wiki/Anti-forensic_techniques for a clear explanation). Microsoft Windows addresses this issue with its file encryption command “Cipher.exe /w=name,” which erases all free (unallocated) space in the volume or disk partition (“name”) and therefore erases all earlier (deleted) file versions in that partition. OS hibernation, paging, and system-restore files can also contain unerased user file data. Consequently, sanitizing files or folders by erasing is considerably less secure than entire-drive sanitization and might even be less secure than clearing. Many block-overwrite utilities permit erasure of single files or folders. These utilities are less secure when used for this purpose.

Experimental evidence doesn’t make clear how much sanitization security the multiple overwrites of DoD 5220 actually add.5,6 Researchers have observed traces of old overwritten data at track edges of the new data.6,7 Peter Gutmann originally claimed that up to 35 overwrites might be necessary but later retracted this claim,8 saying “it will have no more effect than a simple scrubbing with random data.” Repeated sanitization operations are certainly acceptable, but their focus on multiple overwrites obscures other important vulnerabilities. There are additional block-erase weaknesses as well.9

Purging is the next (higher) sanitization level in NIST 800-88. Approved methods include the in-drive SE command and magnetic degaussing of disk drives or tape reels (bulk demagnetization through intense magnetic fields). SE is faster than external block-overwrite programs such as DBAN because SE is a single-pass overwrite with no host-to-drive data transfer of the write pattern. The write pattern for SE is predefined and originates from inside the drive. All Advanced Technology Attachment (ATA) interface drives manufactured after 2001 (drives with capacities greater than about 15 Gbytes) implement the SE command, according to drive testing at our CMRR laboratory. Some drive models (such as those from Hitachi Global Storage Technology) currently support the internal SE command in Small Computer System Interface (SCSI) specifications (these specifications are available at ANSI, 11 W 42nd St., 13th Floor, New York, NY 10036). Many SCSI interface tape drives implement the SE command in SCSI ANSI specifications, erasing tape and block ID bursts from beginning to end of tape.
Destroying is the highest level of sanitization per NIST 800-88, meaning media physical destruction by disintegration, incineration, pulverizing, shredding, chemical attack, or melting.
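The point above about file-level erasers on file systems that do not overwrite blocks in place, and about wiping free space instead, as an added toy model that is not code from the article or from any tool it names; the sector size, file system behaviour and file contents are constructed assumptions:

```python
# Toy model of why file-level erasers can miss older versions of a file.
# Constructed example: a block device is a bytearray of 512-byte sectors, the
# file system either overwrites a file's block in place or (like copy-on-write
# or log-structured file systems) writes each new version to a fresh block, and
# wipe_free_space() plays the role the article gives to "cipher.exe /w".
SECTOR = 512


class ToyFS:
    def __init__(self, sectors, in_place):
        self.disk = bytearray(sectors * SECTOR)
        self.in_place = in_place
        self.free = list(range(sectors))      # LBAs not referenced by any file
        self.files = {}                       # name -> LBA holding the current version

    def _put(self, lba, data):
        self.disk[lba * SECTOR:(lba + 1) * SECTOR] = data.ljust(SECTOR, b"\0")[:SECTOR]

    def write(self, name, data):
        # Files are one sector long to keep the model small.
        if self.in_place and name in self.files:
            lba = self.files[name]            # same block, old bytes overwritten
        else:
            lba = self.free.pop(0)            # fresh block ...
            if name in self.files:
                self.free.append(self.files[name])  # ... old version freed, not erased
        self._put(lba, data)
        self.files[name] = lba

    def shred(self, name, passes=3):
        # What a file-level "permanent eraser" does: overwrite the block the
        # directory entry points at, however many times, then free it.
        lba = self.files.pop(name)
        for _ in range(passes):
            self._put(lba, b"\0" * SECTOR)
        self.free.append(lba)

    def wipe_free_space(self):
        # Overwrite every unallocated block, which is where older versions live.
        for lba in self.free:
            self._put(lba, b"\0" * SECTOR)


def residue(fs, needle):
    """LBAs whose raw sectors still contain needle, i.e. what a block-level
    recovery tool would find regardless of directory state."""
    return [lba for lba in range(len(fs.disk) // SECTOR)
            if needle in fs.disk[lba * SECTOR:(lba + 1) * SECTOR]]


def demo(in_place):
    """Write two versions of a file, shred it, then wipe free space.
    Returns (LBAs holding the secret after shred, LBAs after free-space wipe)."""
    fs = ToyFS(8, in_place)
    fs.write("report.txt", b"SECRET v1")
    fs.write("report.txt", b"SECRET v2")
    fs.shred("report.txt")
    after_shred = residue(fs, b"SECRET")
    fs.wipe_free_space()
    return after_shred, residue(fs, b"SECRET")


if __name__ == "__main__":
    print("in-place file system:", demo(True))         # ([], [])
    print("copy-on-write file system:", demo(False))   # ([0], [])
```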

Figure 1 illustrates user trade-offs between sanitization security level, available resources, and time. Users tend to select the method that provides an acceptable security level in a reasonable time window. Many users avoid a high-security protocol that requires special software and days to accomplish, making such a protocol less used and thus less practical. The four full-drive accesses in DoD 5220 (three writes and one verify) can take a half-day to complete in today’s large-capacity drives. For example, a 750-Gbyte, 5400-rpm ATA interface drive can take more than three hours to erase, and the four passes of DoD 5220 would take a half-day, as Table 1 shows.

Figure 1. Security vs. speed for data sanitization methods. Users tend to select the method that provides the best security in the shortest time. (Plot of Security against Speed; methods plotted: Computer file delete, Block overwrite, Secure erase, Enhanced security erase, Physical destruction.)

Data Sanitization Laws

Many users are aware of legal-compliance regulations in data privacy laws regarding long-term data retention. But they might not know that those laws also specify requirements for data sanitization. Strict local, state, and federal legislation protecting consumers, medical patients, investors, and the environment specify that organizations must be careful when disposing or repurposing digital equipment. US laws that address data sanitization for storage devices include the Health Insurance Portability and Accountability Act (HIPAA; Public Law 104-191, 1996), the Gramm-Leach-Bliley Act (1999), California Senate Bill 1386 (2002), the Sarbanes-Oxley Act (2002), the Fair and Accurate Credit Transactions Act (Public Law 108-159, 2003), and SEC Rule 17a (1997). Users should meet these legal requirements at the highest standards consistent with their operations.

Data Sanitization through Media Physical Destruction

For the highest security, tapes and disks removed from drives should be destroyed. This can involve breaking up or shredding media, chemically or thermally destroying media surfaces, or grinding media into microscopic pieces. Physical destruction doesn’t provide absolute certainty against hypothetical exotic forensics data recovery methods if any remaining unerased disk pieces are larger than a record block. (This would be about 1/125 inch or 0.2 mm for the 512-byte blocks in most current disk drives. But, as drive linear and track densities increase, the maximum allowable disk fragment size will become ever smaller.) Our CMRR laboratory has studied ground-up disk fragments using magnetic-force microscopy to create images of stored media bits.7 Although imaging magnetic-bit transitions is possible, a series of technical hurdles make actual user data recovery difficult unless drive heads and electronics are intact. These hurdles include knowledge of drive-recording technology details,10 such as the specific bit-randomizer scheme; the modulation code; the partial-response target; and the sector format, including servo, preamble, address mark, user data, postamble, and error correction code. Simple disk-bending provides more effective destruction than many realize, particularly in emergency situations, because drive read-and-write heads will either crash or fly too high to read data, and different heads can’t easily read the media.10 Some storage products are easier to destroy than hard disk drives; these include magnetic-disk data cartridges, tape, floppy disks, secure USB drives, and optical media. According to Ric Bradshaw, formerly of the IBM Tucson tape division, tape will melt into a solid blob of plastic at 200 °C in less than an hour, destroying the magnetic-media particles’ spatial organization and therefore their recorded information; these particles’ magnetization vanishes at 450 °C, even for the highest-coercivity metal particle media.

Data Sanitization through Drive or Tape Degaussing

Degaussers are commercial instruments that bulk-demagnetize disk drives and tape reels. They use high-intensity magnetic fields to erase magnetic media in a drive or tape, including record headers and servo bursts—information required for head positioning and data recovery. In addition, degaussers usually demagnetize disk drive motor magnets. As with physical destruction, degaussed disk drives are no longer operable (a degaussed-drive operational test can serve as an initial test of sanitization certainty). Our CMRR laboratory has evaluated degaussers for more than a decade, from the first electromagnetic machines for erasing 300-oersted iron-oxide disk and tape media to today’s permanent-magnet machines for 5,000-oersted disk media.11 Newer, higher-data-capacity disk drives require higher demagnetization fields (because of their higher disk media coercivity), and older degaussers might not be able to erase them. Moreover, older degaussers were designed for older longitudinal recording drives and might not be able to erase today’s perpendicular recording drives. Hybrid drives for notebook or laptop computers include flash memory read-and-write cache chips—for example, to speed up computer booting. Magnetic degaussing might not affect user logical-block-address (LBA) data resident on those flash chips. Degaussing machines don’t provide positive proof that degaussed disk and tape media have been securely sanitized, and older demagnetizers should be used only with older media. For these reasons, degaussing to sanitize disk media will become increasingly impractical, except by specialized sanitization organizations running controlled processes that include audit trails and machine magnetic-field monitoring. Degaussing will remain entirely practical for tape media because tape coercivity is far lower than disk media and is expected to remain so for some time.

Data Sanitization through Block Overwrite or SE

Disk drives are complex devices with hundreds of user commands. Many computer disk-interfacing programs use only the simplest commands—those that write and read data blocks. But ATA and SCSI specifications also include drive commands that can shrink the apparent user area size by reducing the maximum addressable LBA below the native drive capacity. ATA specifications allow setting a host-protected area (HPA) in high-LBA space for purposes such as storing computer diagnostic programs. The ATA device configuration overlay (DCO) command also allows reducing drive capacity—for example, to improve drive factory yield. In addition, SCSI specifications allow setting disk drive maximum LBA at less than native drive capacity. The downloadable DBAN external-block-overwrite utility (http://sourceforge.net/projects/srm) doesn’t currently overwrite an ATA HPA or DCO but could be modified to do so. Reassigned blocks will also not be overwritten; however, users can’t access them because they have no LBA. (ATA user data access is only through LBAs; ATA drives internally map LBAs to physical head, cylinder, and sector locations.)

ANSI added data sanitization commands to its ATA and SCSI drive open standards, following CMRR requests to ANSI’s T13.org ATA specification committee (PC parallel and serial disk drives) and T10.org committee (SCSI interface enterprise drives). The SCSI command set is also used in iSCSI, Fibre Channel, and serial-attached SCSI drives. SCSI SE is called “security initialize” in the specifications, but in this article we classify both ATA and SCSI commands as secure erase. An ATA SE writes binary 0s or 1s, conveniently allowing an SE to be verified. SCSI specifications let users specify the SE pattern and state that the command intent is “to render any previous user data unrecoverable by any analog or digital technique.” Both the ATA and SCSI SE specifications require that a drive overwrite all user areas that have ever been accessible, up to the maximum native drive capacity. This should include any HPA but not necessarily a DCO (the drive might be functional only with the DCO). SCSI specifications additionally require erasing all reassigned blocks. SCSI drives, unlike ATA drives, permit physical block addressing (cylinder, head, and sector), allowing reassigned blocks to be read. SCSI-drive defect lists can also be externally read and/or erased. The SCSI SE command requires a drive to detect the presence of any nonwritable defect blocks, issue a media error condition, and complete the full SE. The drive user can decide the importance of unerased but defective blocks. An SE sanitizes hybrid-drive flash memories because their data blocks have user LBAs (per the ATA specifications). However, NIST 800-88 doesn’t rate flash memory sanitization security levels. Nevertheless, thanks to our CMRR laboratory’s verification testing of SE for the US federal government, NIST 800-88 rates SE sanitization security at the purge level.
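The coverage difference described above between a host block overwrite (LBAs up to the current maximum only), an in-drive ATA SE (every LBA up to native capacity, HPA included) and an enhanced SE (also sectors no longer in use after reallocation), as an added toy model that is not code from the article, DBAN or HDDErase; the drive geometry, HPA boundary, spare sectors and the reassigned LBA are constructed assumptions:

```python
# Toy ATA drive showing which sectors a host block overwrite, an in-drive SE
# and an enhanced SE actually reach. Constructed model, not code from the
# article, DBAN or HDDErase: 512-byte sectors, a native user area plus spare
# sectors, a host-protected area created by lowering the maximum user LBA, and
# one LBA reassigned to a spare after a grown defect. (A DCO would lower the
# native capacity in a similar way and is not modelled here.)
SECTOR = 512


class ToyAtaDrive:
    def __init__(self, native_sectors, spare_sectors):
        self.native = native_sectors
        self.max_lba = native_sectors - 1                 # what the host sees after IDENTIFY
        self.media = bytearray((native_sectors + spare_sectors) * SECTOR)
        self.remap = {}                                   # LBA -> physical sector (grown defects)

    def _phys(self, lba):
        return self.remap.get(lba, lba)

    def _put_phys(self, phys, data):
        self.media[phys * SECTOR:(phys + 1) * SECTOR] = data.ljust(SECTOR, b"\0")[:SECTOR]

    def host_write(self, lba, data):
        # Host access is by LBA only, and only up to the current maximum.
        if lba > self.max_lba:
            raise ValueError(f"LBA {lba} is above the current maximum {self.max_lba}")
        self._put_phys(self._phys(lba), data)

    def set_max_address(self, max_lba):
        # ATA SET MAX ADDRESS: LBAs above max_lba become a host-protected area.
        self.max_lba = max_lba

    def reassign(self, lba, spare_phys):
        # Grown defect: the drive copies the LBA to a spare sector and remaps
        # it; the old physical sector keeps whatever it held.
        old = self._phys(lba)
        self.media[spare_phys * SECTOR:(spare_phys + 1) * SECTOR] = \
            self.media[old * SECTOR:(old + 1) * SECTOR]
        self.remap[lba] = spare_phys

    def host_block_overwrite(self):
        # External utility: writes zeros to every LBA it can address.
        for lba in range(self.max_lba + 1):
            self.host_write(lba, b"\0" * SECTOR)

    def secure_erase(self):
        # In-drive SE: the pattern originates inside the drive and covers every
        # LBA up to native capacity, HPA included, through the current mapping.
        for lba in range(self.native):
            self._put_phys(self._phys(lba), b"\0" * SECTOR)

    def enhanced_secure_erase(self):
        # ESE: also sectors "no longer in use due to reallocation".
        for phys in range(len(self.media) // SECTOR):
            self._put_phys(phys, b"\0" * SECTOR)


def residue(drive, needle):
    """Physical sectors that still contain needle: what a forensic read of the
    platters, outside normal LBA access, could still find."""
    return [p for p in range(len(drive.media) // SECTOR)
            if needle in drive.media[p * SECTOR:(p + 1) * SECTOR]]


def build_scenario():
    d = ToyAtaDrive(native_sectors=8, spare_sectors=2)    # spares are physical 8 and 9
    d.host_write(3, b"SECRET payroll")
    d.host_write(7, b"SECRET diagnostics")
    d.reassign(3, spare_phys=8)                           # LBA 3 now lives in physical 8
    d.set_max_address(5)                                  # LBAs 6-7 become an HPA
    return d


def compare_erasers():
    """Residual sectors after each method, applied in turn to the same drive."""
    d = build_scenario()
    d.host_block_overwrite()
    after_overwrite = residue(d, b"SECRET")
    d.secure_erase()
    after_se = residue(d, b"SECRET")
    d.enhanced_secure_erase()
    return after_overwrite, after_se, residue(d, b"SECRET")


if __name__ == "__main__":
    print(compare_erasers())   # ([3, 7], [3], [])
```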

Enhanced SE through In-Drive Data Encryption

Computer OS data encryption is a common feature but isn’t often used. Encryption in large enterprise computer systems defeats the operation of many important data management functions, such as incremental backup, continuous data protection, data compression, deduplication, virtualization, archiving, content-addressable storage, advanced routing, and thin provisioning.12 Efforts to defeat these operations cause significant data access speed and cost penalties to enterprise storage because such operations exploit the structure of user data. These functions involve inspecting data, and they become inefficient or nonfunctional because encrypting data randomizes it. (Any structure in encrypted data could be used in a decryption attack.) For example, data compression ratios could fall to less than 1:1 because attempting to compress random data could end up expanding it instead. Deduplication needs to decrypt data to find duplicate user data sets if they’re encrypted with different user keys. Securing OS encryption is difficult without adversely affecting user convenience, performance, data availability, or encryption-key management security. Recently, Seagate and Hitachi introduced 2.5-inch secure disk drives for laptop computers. These drives, called full disk encryption (FDE) or self-encrypting drives, internally encrypt user data before magnetic recording.13 FDE drives provide data protection in case a laptop or drive is lost or stolen. They also offer a new and virtually instantaneous way to sanitize data—by securely changing their internal encryption key. The Trusted Computing Group (www.trustedcomputinggroup.org) has developed an open industry standard for FDE drives via the Storage Working Group.14 Drive members presently include Seagate, Hitachi, Fujitsu, Western Digital, Toshiba, and Samsung.

Existing ATA specifications (available at ANSI) have long defined two SE commands. Normal SE is the command we’ve been discussing thus far. Enhanced SE (ESE) additionally requires a drive to overwrite all previously written user data, “including sectors no longer in use due to reallocation.” Drives haven’t implemented the ESE optional command because normal drive architecture would preclude many drives from successfully executing ESE. Drives inevitably have one or more magnetic defects in their millions of disk servo bursts (which leaves drive operation unaffected because the data block following the servo defect has been reallocated to a different disk location). Drive architecture forces rejection of a data block write command if its preceding servo burst is unreadable (because the drive could write to an adjacent track). FDE drives allow ESE because they need not write any blocks at all. An FDE drive ESE renders encrypted user data still on disk indecipherable (including any reassigned blocks), which is far faster than normal SE (see Figure 1). Drives with ESE will spread as FDE drives become popular. CMRR has validation-tested the first FDE ESE drives from Hitachi Global Storage and Seagate, and they passed the validation test protocol, taking less than 15 ms to complete an ESE.
Tape drives offer hardware encryption of data stored on tape reels (see http://siswg.org), and the open standard LTO (Linear Tape-Open) Consortium has added encryption to its LTO-4 tape format specification.

Erased Data Recovery via Computer Forensics

Computer forensics data recovery techniques pose the most extreme threats to data sanitization security. Forensics companies employ experts to perform exotic laboratory techniques to recover data. Their normal objective is to recover user data from failed disk drives and for legal discovery. Their techniques employ technology knowledge specific to each drive, as well as specialized scientific and engineering instrumentation, to attempt data recovery outside the normal drive operating environment. SE, degaussing, and physical destruction sanitize data to a level that prevents recovery by exotic forensics techniques because the data simply isn’t there. FDE ESE via encryption must be tested for protection against forensic techniques; the results will determine its sanitization security level. For maximum protection against forensic attack, cryptographic subsystems in the highest-security FDE drives should meet federal specifications. Federal Information Processing Standard 140 sets security requirements for cryptographic modules and concerns data encryption inside storage devices.15 This document’s language suggests additional FDE validation requirements, such as encryption keys never appearing on drive circuit board digital-signal pins. Such additions to FDE drive validation testing haven’t yet been firmly established, so a variant of FIPS 140 specifically for FDE drives might be necessary.

An obvious sanitization concern is that ESE user data does actually remain on disks, even though encrypted. The US Federal Department of Commerce approved the Advanced Encryption Standard (AES) cryptographic algorithm after a multiyear, worldwide open competition, and security experts believe it to be uncrackable except by brute-force attacks trying all possible keys [For more on the AES, see this issue’s Crypto Corner on p. 71]. FDE drives effectively have double-key-length encryption strength because text data encrypted with the original key will be decrypted with the new key when read after ESE. Because AES is a symmetric encryption scheme, data read from an FDE drive after ESE would have to be externally encrypted with the correct new key and then decrypted with the correct old key, to produce clear text that verifies both keys. This squares the number of brute-force key attacks required to produce the original clear text (assuming FDE AES won’t produce a recognizable data pattern structure after encryption of the as-read data with the correct new key).
For higher-level assurance against forensics attacks, a normal SE executed after the FDE ESE could eliminate the user data itself in an FDE disk drive.

Real-World Data Sanitization

A freeware SE utility to sanitize drives using the SE command is downloadable from the CMRR Web site (http://cmrr.ucsd.edu/hughes) and is available to all users. This utility is roughly twice as fast as external block-overwrite utilities. It is single pass, exploiting the facts that drives with the SE command also randomize user bits before storage on magnetic media (obviating DoD 5220) and that all drives employ internal monitoring, which provides write verification after each block is erased. This utility illustrates several security best practices by

• having a verifiable MD5 hash code;
• providing malware protection by running from a boot disk instead of a networked OS;
• immediately setting a user password on a drive to be securely erased;
• checking for HPAs and DCOs and giving users an option to erase them;
• issuing the SE command with the user password so that the drive unlocking will verify the erase; and
• storing an audit trail on a log file and in LBA 0 on the drive.

The MD5 hash allows higher-security users to detect possible malware alteration (added at the request of such users). A malware vulnerability example is in the Linux OS, which can issue ATA security feature set SE commands that malware could exploit to erase drives. (Any OS format-disk command could do the same damage but is a necessary computer function and often leaves the original data recoverable.) Current ATA specifications require setting a user password before an SE command, and they also prevent malware from issuing an SE or spoofing the SE utility into reporting a successful SE without executing the command.

In conclusion, to provide the highest confidence in meeting government laws protecting user privacy, use the SE command in computer storage devices, where possible. Otherwise, use block-overwrite utilities on entire drives. Use secure physical destruction of devices that contain data with the highest security classification level (for example, top secret and above). This will provide the highest data sanitization confidence while also meeting federal and state legal requirements.

Acknowledgments

The US National Security Agency sponsored this work.

References

1. S. Garfinkel and A. Shelat, “A Study of Disk Sanitization Practices,” IEEE Security & Privacy, vol. 1, no. 1, 2003, pp. 17–27.
2. Guidelines for Media Sanitization, Special Publication 800-88, Computer Security Division, Information Technology Lab., National Inst. of Standards and Technology, Sept. 2006; http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf.
3. Industrial Security Regulation, DoD 5220.22R, US Dept. of Defense, Dec. 1985.
4. S. Bauer and N.B. Priyantha, “Secure Data Deletion for Linux File Systems,” Proc. 10th Conf. Usenix Security Symp., Usenix Assoc., 2001, pp. 153–164.
5. G.F. Hughes and T.M. Coughlin, “Secure Erase of Disk Drive Data,” IDEMA Insight, Summer 2002, pp. 22–25.
6. D. Mayergoyz et al., “Spin-Stand Imaging of Overwritten Data and Its Comparison with Magnetic Force Microscopy,” J. Applied Physics, 1 June 2001, pp. 6772–6774.
7. C. Tse et al., “Whole-Track Imaging and Diagnostics of Hard Disk Data Using the Spin-Stand Imaging Technique,” J. Applied Physics, 17 May 2005, article 10P104.
8. P. Gutmann, “Secure Deletion of Data from Magnetic and Solid-State Memory,” Proc. 6th Usenix Security Symp., Usenix Assoc., 1996, pp. 8–24.
9. M. Geiger and L. Cantor, Counter-Forensic Privacy Tools: A Forensic Evaluation, tech. report CMU-ISRI-05-119, Inst. for Software Research, School of Computer Science, Carnegie Mellon Univ., 2005.
10. C.H. Sobey, L. Orto, and G. Sakaguchi, “Drive-Independent Data Recovery: The Current State-of-the-Art,” IEEE Trans. Magnetics, Feb. 2006, pp. 188–193.
11. Degausser Evaluated Products List, Nat’l Security Agency, Central Security Service, 4 Dec. 2007; www.nsa.gov/ia/_files/Government/MDG/NSA_CSS-EPL-9-12.PDF.
12. S. Foskett, “Best Practices,” Storage, Oct. 2006; http://searchstorage.techtarget.com/magazineArchives/0,296887,sid5_yea2006,00.html.
13. G. Hughes, “Wise Drives,” IEEE Spectrum, Aug. 2002, pp. 37–41.
14. R. Thibadeau, “Trusted Computing for Disk Drives and Other Peripherals,” IEEE Security & Privacy, vol. 4, no. 5, 2006, pp. 26–33.
15. Security Requirements for Cryptographic Modules, Federal Information Processing Standards Publication 140-2, Information Technology Laboratory, National Inst. of Standards and Technology, 25 May 2001; http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.

Gordon F. Hughes is a project scientist in the Center for Magnetic Recording Research at the University of California, San Diego. His research interests include disk drive systems and the drive industry (see www.harddrivethenovel.com). Hughes has a PhD in electrical engineering from the California Institute of Technology. He is a fellow of the IEEE. Contact him at [email protected].

Tom Coughlin is the president of Coughlin Associates, which develops market and technology analysis reports and provides engineering and other consulting services. His research interests include digital storage devices and applications, particularly for consumer electronics and professional media and entertainment. Coughlin has a PhD in electrical engineering from Shinshu University in Nagano, Japan. He is a senior member of the IEEE and a member of the Santa Clara Valley Magnetics Society. Contact him at [email protected].

Daniel M. Commins is a software engineer at Western Digital and a part-time researcher in the Center for Magnetic Recording Research at the University of California, San Diego. His research interests include drive systems, ATA and SCSI drive firmware, and the HDDErase secure-erase utility. Commins has a BS in electrical engineering from the University of California, San Diego. Contact him at [email protected].