Secure data destruction with an SSD

Big Jim

Customer asking for secure data destruction to "a certain standard" with accompanying certificate.

My understanding was that, in order to meet the "regular" data destruction standards, software writes 0s then 1s a bunch of times, then, depending on the standard, random 0s & 1s.
The drive in question here is an SSD.

My questions are as follows:
1 - What standard do you normally work to?
2 - Is it still necessary on an SSD to do multiple-pass data overwrites, or has secure erase surpassed this now?
3 - Does anyone have a certificate template that I can pinch?
 
Secure erase on an SSD is just that. I have yet to see any maker that doesn't supply the option to secure erase their SSD using their management software and, as already noted, there are 3rd party tools for this.

Secure erase is essentially a "blast the drive with all zeros (or ones)" in its final effect. Multiple passes are not necessary.

There's more information out there about secure erasing SSDs than you could ever read, and to my knowledge a secure erase meets any known standard for complete erasure.
 
We use the Cruz Drive eRazer Ultra

It prints out a confirmation label that states the date, time, make/model/serial number of the drive...method of wipe used, and successful or not. We affix that printed label to a home made cert of destruction....a copy for us, and a copy to the client.

Been a long time since we've had the Cruz....will work with modern SSDs with adapters but we're thinking of getting a newer hardware appliance that does this...which works natively with M.2/NVME/etc.

Important thing about this, is for clients that have to fall under compliance and possible audits. Sure..smashing drives with hammers could be fun, shooting them out back can be fun, drilling, steel cutter, etc....but long story short, none of those methods "prove" the specific drive was wiped. A professional certified drive destruction appliance like the above link....can prove it, it prints it out in full detail.

 
What appliance are you thinking of or looking to purchase?
 
For the newer m.2/nvme......probably this one....

We have 2 or 3 of StarTech's drive duplicators...and I think one of them also does secure wipes..but it's a SATA interface. Will be good to get a newer model with the modern drive interface.
 
One thing I learned from a friend who works for a college is encryption. If you encrypt the drive, then format it, all data will be gone. Any data that is possibly recoverable would be encrypted and without the key, it's not recoverable.
 
That's exactly the process I follow when getting people's older computers ready to recycle or give away. I encrypt the drive first, using a bunch of random keystrokes as the encryption key, and ignore all the pleas and entreaties to backup the encryption key. Then I format the drive and reinstall the OS on it, if it's going to be reused. Very easy to do, and seems reasonably secure to me.
 
Yeah encrypting works, and then blow away. For those informal wipes where you don't need documentation for compliance. But at the same time, just booting from one of the many free drive wipe tools out there will do it quicker. And if you're doing basic freebie jobs like this..quicker is better, no?
 
For those informal wipes where you don't need documentation for compliance.

While I saw your form, and it's a good one, those are used by people who do drive wipes or destruction using other methods, too.

If you don't trust the person to whom you're giving a drive to wipe it or destroy it, the paperwork isn't worth the paper it's written on.

There are a number of ways to trigger a secure erase of an SSD from using BIOS (which is a PITA, to me), using its manufacturer's utility, using a third party utility, or even using the Windows command diskpart with the "clean all" option. If someone were asking me to wipe, as opposed to actually destroy, a drive I'd happily sign a certificate saying I'd done so if I used any method to secure erase an SSD.

And when it comes to diskpart with "clean all," I'd sign it for a standard HDD, too, as it overwrites the drive content.

I've never been able to use any data recovery tool successfully after an SSD is secure erased or an HDD is wiped with diskpart/clean all.
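A read-back check after an overwrite such as diskpart "clean all", combined with a record carrying the fields the appliance label earlier in the thread lists (date/time, make/model/serial, method, result), could look like the following. This is an added example, not code from any poster or vendor; the function names, record fields and sample drive details are assumptions, and two constructed image files stand in for raw devices.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def verify_fill(path, fill=0x00, chunk=1 << 20):
    """Read all of `path`; return (clean, bytes_checked, first_bad_offset)."""
    pattern, offset = bytes([fill]), 0
    with open(path, "rb") as dev:
        while buf := dev.read(chunk):
            good = len(buf) - len(buf.lstrip(pattern))  # leading bytes equal to fill
            if good != len(buf):
                return False, offset + good, offset + good
            offset += len(buf)
    return True, offset, None

def wipe_record(path, make, model, serial, method, operator, fill=0x00):
    """Build a wipe record (hypothetical field names) plus a SHA-256 over it."""
    clean, checked, bad = verify_fill(path, fill)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "make": make, "model": model, "serial": serial,
        "method": method, "operator": operator,
        "bytes_verified": checked,
        "first_bad_offset": bad,
        "result": "PASS" if clean else "FAIL",
    }
    # Digest lets a later reader detect edits to the stored record.
    digest = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return {**record, "record_sha256": digest}

def demo():
    """Constructed sample: one fully zeroed image, one with leftover bytes."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, leftover in (("wiped.img", b""), ("missed.img", b"patient-list")):
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(bytes(1 << 20) + leftover + bytes(1 << 20))
            results.append(wipe_record(path, "ExampleCo", "SSD-256",
                                       "SN-CONSTRUCTED-1", "diskpart clean all", "tech1"))
    return results

if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec, indent=2))
```

Reading back through the host interface covers only the addressable blocks; on an SSD, spare and remapped flash is not visible this way, so the record shows what the host can read rather than what the controller holds.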
 
While I saw your form, and it's a good one, those are used by people who do drive wipes or destruction using other methods, too.
Yup
But we prefer not to have to argue/debate/waste time trying to prove.....when there are professional, certified tools widely available in the industry, so you can quickly and professionally do your job and hand over the documentation from a device designed to do compliance work. It's just..easier to tell the client you're using certified professional tools, and more importantly tell the group that your client is using for the audits...they're happier to see it done that way. Why spend time arguing with them? You hand over something printed out by a WiebeTech device (which I affix to my home made certificate)...they go "Yup, yup, OK, we know that one...very good, thanks".
Instead of getting a raised eyebrow from them..."Well, ...."...and now you have to take a deep breath and..spend more time.

I've never been able to recover data from a hard drive I pumped 6x rounds from my 9mm pistol into....but it's not a method I feel like using for a Hospice client when they're getting an audit done by the Walker Group and I'm spending 3x straight with them going over the whole IT system inside and out.
 
@YeOldeStonecat

The Shenandoah Valley is beautiful at this time of year as the very earliest greening of spring is happening.

With regard to drive wiping, again, I think we're talking past each other a bit. If you are in the business of doing this, all the time, and need to constantly produce documentation then your method is without question the superior one. I'm trying to point out other, equally effective options, that those of us "in the hinterlands" who may get such a request from the odd client here and there can use without needing to purchase additional hardware.

Volume of service dictates approach, and I could never recoup the cost of a hardware-based solution while you can.
 
Do they have to meet as well as document a certain standard? That's your real starting point.
 
The data recovery question goes far beyond using commonly available tools that anyone can access. A lot of these standards originated based on Peter Gutmann's paper (as well as others), Secure Deletion of Data from Magnetic and Solid-State Memory, presented at USENIX 1996. One of the major premises is that there are techniques/technologies to scan/probe the surface of magnetic media to sense the area around each bit, due to size of the area, and get an indicator of what the value was before the overwrite. The reasoning behind a 3 pass minimum, 0's then 1's, then random, is that the "original" value could not be extracted.

I'm not sure about modern advanced recovery but I'd say that technique is probably no longer valid. While the drive sizes have remained about the same for many years bit volume has increased dramatically. Which means the area a bit occupies has shrunk dramatically. I'm pretty certain a proper single pass wipe, meaning hitting all the bits including defective, is not recoverable using anything we have access to.
 
is not recoverable using anything we have access to.

Which is the key phrase. Spy agencies for all the major governments have access to very, very highly specialized and tuned forensic examination software that no one else has.

I don't guarantee NSA-level wiping as I don't know what technology the NSA may have that we do not know about. But I will guarantee that your typical Joe or Jane or your random hacker that might have that drive drop into their hands will not be able to get back anything of use.
 
Customer asking for secure data destruction

I've always wanted to beat the SSD into little pieces with a 3 lb. hammer on my anvil and return the pieces in a plastic bag with a note saying the data has been securely destroyed.... :p

Unfortunately, 3.5" spinners are tough critters that can shrug off hammer blows. I resort to the drill press for those. (I know, doesn't help this discussion.)
 
I honestly think it's a part of our responsibility to educate to actually get people to understand that secure data destruction does not mean device destruction.

Device destruction as a common practice has always been overkill. There are ways to wipe data that no "normal computer user or tech" could ever find a way to reconstruct what was on the device. Worrying about "NSA class" forensic recovery (which might not even work) is not a valid way to look at normal data wiping needs.

I have always hated witnessing the utter waste of what was (at the time of destruction, for the most part) perfectly good, reusable hardware just because someone had the stupid notion that some super-secret recovery method that could get past wiping actually exists for ready use. It didn't and it doesn't.

I have some now-ancient HDDs that I'd be OK with destroying because they are entirely obsolete. But those will most likely go to Goodwill's computer recycling program after I run a diskpart/clean all on them.
 
I don't do it for the overkill. It's purely time savings. When I have 50-75 3.5" drives to bring to the recycler I don't have the 3-4 hours it takes to wipe each to spec. A large drill through the platters takes seconds and I can do several a minute. The drives can still be recycled for materials.
 
To me, it's not so much "volume"...but, "if you have a client...even just one client..that falls under a compliance that needs this, you need to also follow that compliance." And this is all billable work. Drive wiping for compliance, and documentation required....is not cheap. You should easily recoup the cost of that device within short time, even if you're out in farm land, if a client follows HIPAA or NIST 800 or CMMC....they gotta follow the rules, and as their service provider, so should you. One of the hats you wear is to have your client get checks in the boxes on that loooong list of controls for their compliance.

Speed wise, those drive wipers are fast, and easy. Even for drives from customers that are not under compliance, we use them. Just plug the drive in, push a couple of buttons real quick, and walk away and do other things (other billable things). Come back in a bit....it's done. Your total time investment is about 2 minutes...maybe 3 minutes if you're pokey. No having to clean up anything coming from a physical destruction approach. No having to boot up from various boot 'n destroy tools on a USB drive, etc.

Would we have invested in one of those drive wipe appliances if we never had clients under compliance? Probably not...likely we'd just slave a drive to our bench rig and use one of the boot 'n nuke tools like Darik's or ..<one of many> or one of the drive manufacturers' tools.
 