Guest Post by Micah Lahren:
"I’ll just run DBAN on it and that will be good enough."
Is that really good enough? What if the individual or business in question is required by law to complete an erasure protocol up to a certain level of security? In some countries, including the United States, laws requiring secure erasure of data also carry penalties if the protocol is not followed, such as fines of $250,000 and 10 years imprisonment.
Is your client’s company disposing of old hardware, or do you have a client with sensitive data who desires complete and total erasure of data? Jackhammers, wrenches, and explosives may be more enjoyable methods of destruction, but what if the user would like to use the old hardware for non-sensitive data in another way, such as an external hard drive for storing personal data of a non-sensitive nature? DBAN it, right?
Why DBAN Isn’t Enough
On the official dban.org website, DBAN is described as a “self-contained boot disk designed for consumer use”. The key word in that statement is ‘consumer’. DBAN and similar disk-wiping software perform software-based overwrites, also known as ‘clear level processes’, and data wiped this way is vulnerable to recovery without requiring laboratory methods. For instance, if you know what the Host Protected Area (HPA) is, you’ll know DBAN doesn’t wipe it. Why should we worry about the HPA?
The HPA can be used by rootkits to hide from antivirus software, manifesting again upon a reinstall of an operating system. The HPA is also used by some vendors to store data related to software installations. One security firm is known to use the HPA to load software that reports back to their servers when the machine is connected to the internet. An employee could use the HPA to store data which would be hidden from many wiping tools, and recover that data later, after the drive had supposedly been ‘wiped’ of all data and considered free to use in other applications.
Given these known uses, and the looming threat of cyberwarfare, the HPA alone could present a high security risk for many companies and government entities. Many erasure tools cannot access the HPA or other hidden areas of the drive, and so leave them untouched. How can we effectively eliminate all data on the hard disk without physically destroying it?
Secure Erase (SE) is a feature built into all ATA drives with 15 GB or greater capacity manufactured after 2001. There is also a Secure Erase command for SCSI drives, but you may not find it on all drives, as it is an optional feature. Basically, executing an SE command will virtually shred all electronic data on the hard disk in question. It will completely wipe the HPA and other hidden partitions on disk drives, which means any area of the drive which is available for hiding data will be completely wiped, beyond known forensic recovery.
SE will also wipe sectors that are unused by the drive due to errors. It performs a single pass, and that single pass is more than enough: technical testing confirmed that multiple passes provide no additional erasure. This single pass meets U.S. requirements for secure erasure of data for the regulations concerned, with the exception of highly sensitive data which requires complete physical destruction of the disks. Unless you’ve got top secret government files on your hard disk, SE should fit the bill for most clients.
A Freeware Tool That Implements Secure Erase?
That’s right, it’s completely free. And while the NSA has unfortunately dropped support of this great tool, it’s still available. It also utilizes something called Enhanced Secure Erase technology, which the FAQ for this utility details: “Enhanced secure erase writes predetermined data patterns (set by the manufacturer) to all user data areas, including sectors that are no longer in use due to reallocation.” It’s called HDDerase, and can be found here: http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
Due credit goes to G. Hughes of UCSD CMRR for this utility. I won’t go into the details of all the technical aspects of the utility, but there’s a data sheet referenced on the web site you can read that goes into deep detail on the methods used.
Basically, HDDerase is a DOS-based utility for ATA hard disks. You can boot it from an antique 3.5-inch floppy disk, from a CD, or from a USB flash drive. The last time I checked, HDDerase is also available on the Ultimate Boot CD, and is probably on a few other lesser-known boot CDs along with other tools useful to techs. This utility can also bypass the ‘security freeze lock’ which the BIOS sometimes executes when it detects the drive.
Make sure you use version 3.1 or later, as these versions allow you to remove the HPA as well as the DCO on the disk. While this tool cannot be guaranteed to work on absolutely every hard disk in the field, it has worked on every hard disk I’ve had thrown at me for erasure. Scan the readme file provided on the official site before running the utility, just to be sure you cover all your bases. Simply boot it up, follow the prompts, and you’ll have a forensically clean hard disk that is beyond recovery as far as data is concerned, and still have a usable disk for other applications.
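An added example, not part of the original post or of HDDerase: a pre-wipe audit that reports how much of a drive the HPA hides from overwrite tools and whether the security freeze lock is set. It assumes the text comes from the Linux `hdparm -N` and `hdparm -I` commands, which the post does not use; the sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed sample text in the format printed by `hdparm -N` and `hdparm -I`
# (assumption: a Linux live environment; the post itself uses the DOS tool).
SAMPLE_N = "/dev/sdb:\n max sectors   = 586070255/586072368, HPA is enabled\n"
SAMPLE_I = (
    "Security:\n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
)
FLAG = re.compile(
    r"\s*(not\s+)?(supported: enhanced erase|supported|enabled|locked|frozen)\s*$")

def parse_hpa(text, sector_bytes=512):
    """Compare the visible sector count with the native maximum."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if not m:
        raise ValueError("no 'max sectors' line found")
    visible, native = int(m.group(1)), int(m.group(2))
    hidden = max(native - visible, 0)  # sectors an overwrite of the visible area misses
    return {"visible": visible, "native": native, "hidden_sectors": hidden,
            "hidden_bytes": hidden * sector_bytes, "hpa_enabled": hidden > 0}

def parse_security(text):
    """Map each ATA security flag to True, or False when prefixed with 'not'."""
    section = text.split("Security:", 1)[1] if "Security:" in text else ""
    return {m.group(2): m.group(1) is None
            for m in map(FLAG.match, section.splitlines()) if m}

def audit(hpa, sec):
    """List the findings that matter before choosing an erasure method."""
    notes = []
    if hpa["hpa_enabled"]:
        notes.append(f"HPA hides {hpa['hidden_sectors']} sectors "
                     f"({hpa['hidden_bytes']} bytes) from overwrite-only tools")
    if not sec.get("supported"):
        notes.append("drive does not report Secure Erase support")
    elif sec.get("frozen"):
        notes.append("security freeze lock is set; erase commands are blocked in this state")
    if sec.get("supported: enhanced erase"):
        notes.append("Enhanced Secure Erase is available")
    return notes

if __name__ == "__main__":
    for note in audit(parse_hpa(SAMPLE_N), parse_security(SAMPLE_I)):
        print(note)
```

Running the same check again after the erase, and confirming that the visible and native sector counts match, shows whether the HPA was actually removed.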
Guest Post by Micah Lahren – Micah covers a wide spectrum of the tech industry, including PC repair, front-end development, WIMAX networking and installation, and more. He currently works with an ISP in Texas that also provides web hosting/design and computer repair, although he’s been tinkering with computers since he was 6 and eventually turned it into a career. He also enjoys traveling and doing volunteer missions in other countries.