Question
How do I remove sensitive information from a disk?
Answer
It's a wise precaution to remove sensitive data from computer disks
before the disks are either transferred from one area to another or
discarded. The process is referred to as disk sanitizing, cleaning,
purging, or wiping.
The method you choose to sanitize a disk should depend on the
security requirements of your organization.
Removing a file only removes the pointer to the file; the data blocks
stay on the disk until something else overwrites them. Common
utilities can often recover deleted files, so the data may still be
recoverable. Three techniques are available for disk sanitization:
overwriting, degaussing, and destruction.
Overwriting a disk by using the format(1MTSOL) command as described
under Procedure is usually enough for most purposes, because it greatly
reduces the chance that any data can be recovered from the disk.
However, any data that remains can potentially be recovered by someone
with enough expertise, determination, or money. To ensure that no one
could ever recover data from a disk, you must degauss or destroy it, or
keep it in a secure location until the disk is needed again.
Procedure
NOTE: The purge step is done twice (once with the manufacturer's defect
list and once with the grown defect list) so that sectors that became
defective over time are also overwritten. Otherwise they might continue
to contain sensitive data.
- As system administrator or security administrator, enter format,
either on the command line or in single-user mode:
command line:
$ format
single-user mode:
# format
- When prompted, select the disk from the AVAILABLE DISK SELECTIONS list:
Specify disk (enter its number):
- Enter defect after the format> prompt:
format> defect
DEFECT MENU:
. . .
defect>
- Enter primary after the defect
prompt to read in the manufacturer's defect list and update
the in-memory defect list.
- Enter quit to return to the main FORMAT
MENU.
- Enter analyze:
format> analyze
ANALYZE MENU:
. . .
analyze>
- Enter purge, and when prompted, specify the slice that encompasses the
entire disk.
NOTE: This is slice 2 by default, but check this with the format
command. At the top menu, choose the disk in question, then choose
partition, then choose print. One partition should start at the
beginning of the disk and go all the way to the end. (Typically, but
not always, this is named "backup".)
- Enter quit to return to the
main FORMAT MENU.
- Enter defect after the prompt
to return to the DEFECT MENU:
- Enter both to update the in-memory defect list with both the
manufacturer's defect list and the grown defect list for another purge.
This command also causes the combined defect list to be written to the
working list when you quit format.
- Enter quit to return to the main FORMAT
MENU.
- Enter analyze:
format> analyze
ANALYZE MENU:
. . .
analyze>
- Enter purge, and when prompted, specify the same whole-disk slice as
in the first purge.
- Enter quit to return to the main FORMAT
MENU.
- Enter quit to quit the format program.
Related Information
Data Remanence
Data remanence refers to the remaining magnetic or electrical
representation of data that has been erased.
Overwriting
Suppose an organization wants a method to zero the free space that
remains within a UFS file system, and its security officer accepts the
risk posed by disk areas that are not accessible from user space. Using
the format(1MTSOL) command as described under Procedure would satisfy
this organization's requirements.
The format command overwrites the available disk sectors with patterns
that comply with the Department of Defense declassification regulations
for data remanence.
For reasons explained in more detail under More About format, a slight
possibility exists that data could still remain on a disk after the
format command has been used to purge the disk.
Degaussing
Degaussing is a government-approved method that is less costly than
destruction. Degaussing removes the remnants of previously recorded
signals by destroying the recording layer's magnetic field. The disk is
disassembled, degaussed, and reassembled in a secure location.
Some organizations buy their own degaussers. Others make use of outside
firms that specialize in degaussing.
Destruction
Even if a disk is broken up, data is still potentially accessible.
Approved destruction methods include:
- Smelting, disintegration, or pulverization
- Incineration
- Removal of the recording surface by processes that include
the application of an abrasive substance or acid
followed by disposal of the remains
More About format
The format command works as follows when purging a disk.
- Three patterns are written to the disk, in this order:
0xaaaaaaaa
0x55555555
0xaaaaaaaa
- The disk is read to verify that the third pattern is in each location.
- If the read pass is successful, the alpha_pattern is written to each
location.
format> analyze> purge removes all data from accessible sectors of the
disk.
However, not all sectors are accessible. Reserved (spare) sectors are
set aside to replace sectors that become flawed during the disk's
operation. The (remote) possibility exists that a spare sector could be
used to store data and later be replaced itself by another spare sector.
If this occurs, there is no way for the format command to address the
first replacement sector to purge its data. Even if you purge the disk
using both the manufacturer's defect list and the grown defect list, the
first replacement sector would not be cleared of possibly sensitive
information.
The Procedure is totally effective unless
both
of the following have occurred:
- A spare sector was used to replace a bad sector and had data written
on it
- The replacement sector (now with data on it) was replaced later by
another spare sector
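A sector-level model of the purge described above, added here as an example; it is not Solaris code and not the real format implementation. It writes the three pattern words the page lists, reads back to verify the third, and writes a stand-in alpha_pattern (the page does not give its value, so ALPHA below is an assumption). It also models spare-sector remapping so the caveat in the preceding paragraphs can be observed: a purge with the primary list only leaves data on both the retired original sector and the retired spare, the second purge after defect> both reaches the retired original sector through the grown defect list, and the first replacement spare stays untouched. The disk contents, the TOPSECRT sample and the "stuck" sector used to show a failed verification pass are all constructed.

```python
"""Model of format> analyze> purge plus spare-sector remapping (added example,
not Solaris code).  Sectors are 8 bytes instead of 512.  The pattern words are
the ones the FAQ lists; ALPHA is a stand-in for alpha_pattern (assumption)."""

SECTOR = 8                                   # bytes per model sector
PATTERNS = [0xAAAAAAAA, 0x55555555, 0xAAAAAAAA]
ALPHA = b"\x00" * SECTOR                     # stand-in for alpha_pattern (assumption)


def word_fill(word: int) -> bytes:
    """Repeat a 32-bit pattern word until it fills one sector."""
    return (word.to_bytes(4, "big") * (SECTOR // 4))[:SECTOR]


class Disk:
    """Logical sectors 0..n_logical-1 mapped onto a larger physical surface."""

    def __init__(self, n_logical: int, n_spare: int):
        self.n_logical = n_logical
        self.media = bytearray(SECTOR * (n_logical + n_spare))
        self.lmap = list(range(n_logical))                    # logical -> physical
        self.spares = list(range(n_logical, n_logical + n_spare))
        self.grown = []     # grown defect list: retired sectors format can still address
        self.stuck = set()  # physical sectors whose writes silently fail (model only)

    def write_phys(self, psn: int, data: bytes) -> None:
        if psn not in self.stuck:
            self.media[psn * SECTOR:(psn + 1) * SECTOR] = data

    def read_phys(self, psn: int) -> bytes:
        return bytes(self.media[psn * SECTOR:(psn + 1) * SECTOR])

    def write(self, lsn: int, data: bytes) -> None:
        self.write_phys(self.lmap[lsn], data)

    def read(self, lsn: int) -> bytes:
        return self.read_phys(self.lmap[lsn])

    def remap(self, lsn: int) -> None:
        """Firmware retires the physical sector behind lsn and substitutes a spare.
        Only a sector from the original logical range enters the grown defect
        list; a spare that later goes bad itself is not addressable afterwards,
        which is the caveat the FAQ describes."""
        old = self.lmap[lsn]
        if old < self.n_logical:
            self.grown.append(old)
        self.lmap[lsn] = self.spares.pop(0)


def purge(disk: Disk, use_defect_list: bool) -> list:
    """One analyze> purge pass: write the three patterns, read back to verify the
    third, write ALPHA only if every sector verified.  Returns the physical
    sectors that failed verification (empty on success)."""
    targets = [disk.lmap[lsn] for lsn in range(disk.n_logical)]
    if use_defect_list:                      # the pass after defect> both reaches retired sectors
        targets += disk.grown
    for word in PATTERNS:
        for psn in targets:
            disk.write_phys(psn, word_fill(word))
    failed = [psn for psn in targets if disk.read_phys(psn) != word_fill(PATTERNS[-1])]
    if not failed:
        for psn in targets:
            disk.write_phys(psn, ALPHA)
    return failed


def remanence(disk: Disk, secret: bytes) -> list:
    """Physical sectors anywhere on the surface that still hold `secret`."""
    n_phys = len(disk.media) // SECTOR
    return [psn for psn in range(n_phys) if disk.read_phys(psn) == secret]


def scenario(second_pass_with_both: bool) -> list:
    """The FAQ's failure case: a spare receives data and is itself replaced."""
    d = Disk(n_logical=4, n_spare=2)
    secret = b"TOPSECRT"                 # constructed sample data
    d.write(1, secret)                   # lands on physical sector 1
    d.remap(1)                           # sector 1 retired -> grown list; spare 4 backs lsn 1
    d.write(1, secret)                   # lands on physical sector 4
    d.remap(1)                           # spare 4 retired too; spare 5 backs lsn 1
    purge(d, use_defect_list=False)      # first purge (manufacturer's list only; empty here)
    if second_pass_with_both:
        purge(d, use_defect_list=True)   # second purge after defect> both
    return remanence(d, secret)


def verify_failure() -> tuple:
    """A sector that will not take the pattern fails the read-back pass, so
    ALPHA is never written and sector 0 still holds the third pattern."""
    d = Disk(n_logical=4, n_spare=1)
    d.stuck.add(2)
    failed = purge(d, use_defect_list=False)
    return failed, d.read(0) == word_fill(PATTERNS[-1])


if __name__ == "__main__":
    print("after primary-list purge only:", scenario(False))
    print("after second purge with both lists:", scenario(True))
    print("stuck sector:", verify_failure())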
Related Documentation
format(1MTSOL)
NCSC-TG-025, A Guide to Understanding Data Remanence in Automated
Information Systems, Sept 1991, National Computer Security Center
Disposition of Sensitive Automated Information, Computer Systems
Laboratory bulletin from Idaho State University, October 1992
Applies to Trusted Solaris Release
all (also to Solaris releases)