Guide for Data Sanitization


#1

##Guide for Data Sanitization

Hello everyone, hope you’ve been doing great! @Evalion recently said that we should post articles about something that we are learning, both to help us study and maybe to introduce other people to new subjects. That’s what this article is, so forgive (and please correct) me if I say something that’s wrong, as I’m still learning.


So I’ve recently been tasked with selling a used desktop computer, which means I have to properly clean it, both physically (case, internal components, etc…) and logically (securely erase all data - in other words, sanitize it).

This got me reading a lot of articles on Data Sanitization Methods to better comprehend it and learn more about it, which made me stumble upon a very good and interesting 64-page document about this subject (the purpose of this article is to summarize this document).

The document is called “Guidelines for Media Sanitization” and it’s written by NIST - National Institute of Standards and Technology.

According to their website, “NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life”. Whatever that’s means…

What matters is that they make some fine ass documents (like really good, all freely available), on pretty much every field of science, and the field of Cybersecurity and Computer Security is no exception. They have a website called CSRC - Computer Security Resource Center, “which facilitates broad sharing of information security tools and practices, provides a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia.”

There, they have metric shit-tons of documents related to Cyber & Computer Security, and it’s where you’ll find the “Guidelines for Media Sanitization” document we’ll be talking about (in the Special Publications section).

Like I previously said, I’ll try to summarize this document because most of the government related or goverment-produced documents tend to have too many unnecessary redundancies (see what I did there?).


Now that we’ve got that intro out of the way, let’s get to it.

The document is written in a way that kinda focuses more on big bussinesses or organizations where confidentiality is a big deal, but the same concepts apply to people like us, home users.

It has a few pages going on about how technology is constantly evolving, making some of the techniques described obsolete on future technologies and why one might be concerned with Media Sanitization or why it’s important, but I’ll leave that for you to read, if you’re interested.


- What is Data / Media Sanitization?

“Media Sanitization” is just a fancy expression for “securely deleting data on some type of media thus preventing unauthorized access, therefore increasing confidentiality” or just, you know, deleting stuff, period.

- Types of Media

Primarly, there are two types of media involved in our daily routines:

  1. Hard Copy - these are most commonly paper printouts. However, most printer parts and supplies are also a good example of hard copy media, and often overlooked. This tends to leave organizations and bussinesses rather vulnerable to dumpster-divers or anyone looking for information really.

  2. Electronic / Soft Copy - these are the devices that contain bits and bytes of information. Hard drives, flash memory devices, mobile devices, networking and office equipment are all good examples.

- Types of Sanitization

There are three main types of sanitization. These are:

  1. Clear - uses logical techniques (software based) to delete data in a storage device. Generally applies Read & Write commands, meaning in overwrites existing data with new values (basically replacing sensitive or classified data with non-sensative data). This action is most commonly achieved using software like DBAN (or it’s more complete brother Blancco 5), Eraser, with “a cloth or something” or even the standard ‘Factory Reset’ function. However, this method may not be very effective when state of the art data recovery techniques are applied.

  2. Purge - Similar to ‘Clear’ except it uses state of the art techniques and equipment (both physical and logical) to sanitize data, making it even more difficult to apply recovery techniques (i.e degaussers).

  3. Destroy - renders data inacessible by using techniques that prevent future use of the storage device. These include incinerating, shredding, disintegrating, degaussing, pulverizing or melting the storage media.


EDIT : Reading the comments, I remembered a Sanitization Method that I forgot to cover. I’ts called Cryptographic Erase (CE for short). What this means is that you encrypt all the sensitive data, but instead of deleting it, you sanitize the decryption key, meaning that nobody will have access to the target data (basically the same as storing something in a vault and then forgeting the combination to open it).


###What to consider when sanitizing data?

When the time comes to sanitize media, you might be faced with choice of what type of sanitization you should apply or what is the most adequate (this question is most commonly found in a bussiness / organization environment, as home users mostly apply the “Clear” method).

There are a few things to consider when making that decision:

  1. What type of media are we dealing with - hard copy or electronic (if electronic, specify)

  2. Security Category - Early on the document, they talk about how security categorization is important to assure that a proper media sanitization technique is applied (basically, you have to determine if the target data is non-sensitive, if it reveals Personally Identifiable Information, if it’s classified / confidential, etc) (don’t worry, they have a special doc just for that!).

  3. Reuse of Media - wether the storage media is planned for reuse (either within or outside the organization) or recycle.

  4. Control of Media & Data Protection Level - these are closely related to Security Categorization. Control of Media refers to who has had control and access to said media (mostly discussed when leaving organizational control); Data Protection Level refers to the different data protection policies that exist within an organization (like data clearence, some people are authorized to access some information, others are not; mostly discussed when there’s internal reuse).

  5. Environmental Impact - some methods are more harmful to the environment than others.

  6. Cost - some methods may be more cost-friendly than others.

Here’s a decision flow chart that may help you:

From page 35-48 in the document, there are a great deal of tables that tell you what type of sanitization you shoud consider, depending on the type of media (again, it may help you a lot).


That’s it for today. If you made it to the bottom, I hope you’ve enjoyed reading this article and that it helped you in some way.

In the next post maybe I’ll cover software sanitization methods (gutmann method, schneier, DoD, etc…)

Thank you all for reading and I’ll see you all later.


Software-Based Data Sanitization Methods Overview
([email protected] [email protected]) #2

Awesome article! I’ll be looking forward to the software sanitization methods. Also, I just bought the “cloth or something” from bleachbit, lmfao. Gonna have to hang that one up!


#3

Well done summary :slight_smile: .
I’m not sure how detailed and complex the NIST article is but I had my hands on the ISO/IEC 27000 standards especially the ISO 27001 and 27002 which in the end explain similar stuff in there too.
As far as I know it’s more difficult to get a copy of the ISO standards so the NIST articles seem to be a nice alternative.

Also the Computer Security Resource Center (CSRC) is a good source for looking up “used practices and techniques”. Have a read there :stuck_out_tongue:


#4

Great to see my words had effect.

Great article. It’s simple yet in-deep. I like it. +1

-Phoenix750


#5

Not the best method, but what I did with my hdd was wipe the parition table, overwrite with urandom in three passes and set up a luks header before selling the desktop away. Pretty sure there’s no way you can recover anything.


(Not a N00b, but still learning) #6

If it’s just a cheapo hdd and not a ssd, i always buy a new one before reselling and treat the old one with a special hammer message :smile: Of course I encrypt everything sensible while actually using the pc, but better safe than sorry!


#7

Sorry to break it to you @SmartOne, but a hammer massage isn’t the best method. Sure it does a good job, but you’re wasting energy and are leaving scrapsa, + your HDD becomes unusable

Simple magnetic HDD’s work according to Weber’s hypothesis (look it up) and Faraday’s law of induction (look it up aswell). When you put one of the tiny magnets on the disk in a magnetic field, it becomes a magnet itself based on the polarity of the read/write head. When the read/write head moves over such a tiny magnet, a current is induced, a “1”. A neutral ferromagnetic piece on the disk (no magnetic polarity) also has no induction and is therefore read as a “0”.

So what to do? Get a really strong magnet (or a nail, wind a coil around it and get a 30A power supply atleast, voltage doesn’t matter since it basically is a dead short, just make sure it is a CC protected one), open up the HDD until you see the silver disks, and move your (electro)magnet over the silver disk. STAY AWAY FROM THE READ/WRITE HEAD! If done correctly, everyone on the disk should read “1” and you can re-use the disk. Again, this is a theory and is really hard to do in reality, but since you’re smashing it with a hammer anyway, why don’t you give it a try?

-Phoenix750


#8

Huh. That’s pretty cool, it’s basically a homemade degausser, right (you’re just demagnetizing the device) ?


#9

Basically, yes. What I explained is basically the process of degaussing but simplified.

-Phoenix750


(Not a N00b, but still learning) #10

I’ll give it a try next time :smile: :stuck_out_tongue_winking_eye:


(Co-Founder and Part-time Fool ) #11

This is a cool subject, I loved this talk on Hard Drive destruction:


#12

For anyone who is interested, I came across this document. It’s the NSA Data Sanitization Standards. Gotta love their simplicity, either degauss it or destroy it…


(system) #13

This topic was automatically closed after 30 days. New replies are no longer allowed.