Permanently removing data from old hard drives is harder than you might imagine
Completely removing data from a modern hard drive is a difficult thing to do, which can be a blessing when your drive crashes or you hit the Delete button at the wrong time. But it becomes a double-edged sword when it's time to decommission an old computer.
'When we turn in a computer, we have to take the hard drive out,' said Derrick Bell, who leads automation acquisition at the Army's Command and General Staff College at Fort Leavenworth, Kan. 'We were keeping all of our drives ' just storing them. We had some units that had a roomful of drives.'
According to industry estimates, more than 200 million hard drives with an estimated life of five years each were shipped in 2002. Do the math and you can see that a whole lot of drives are approaching the end of their useful lives.
The Defense Department requires overwriting a disk three times to eliminate data classified as secret, a process that can take hours or even days on a large drive. DOD requires the physical destruction of hard drives containing higher-classified data.
The Army is touchy about letting even unclassified data out of its hands, so the handling of old hard drives is a difficult subject.
'You can't just throw them in the trash can,' Bell said. 'We even shred every bit of paper.'
You can also shred a hard drive, but it's not cheap or easy. The danger of hazardous materials in the devices means that specialized companies usually do the shredding, and drives carrying classified data cannot easily be shipped to third parties for shredding. The Space and Naval Warfare Systems Command in San Diego had to ship hard drives being decommissioned to the National Security Agency by classified courier for disposal.
'We are research and development,' said Dan Angeles, physical-security specialist at Spawar, where the power users frequently upgrade their information technology systems.
'They go through computers like it's nothing. People always had hard drives sitting in their areas.'The persistence of memory
Classified couriers are expensive, so Spawar officials did a cost analysis and decided that a $48,000 high-end degausser was a more cost-effective option.
'In our world, the only way to get rid of a hard drive is to degauss it,' Angeles said. 'With this machine, you just run it through one time, and the material is erased.'
That's a lot of money to erase magnetic data, but good alternatives are difficult to find.
Deleting files does not actually erase data, of course. It merely removes the name from the directory structure and makes the space available to be overwritten.
Hammers and drill presses have been employed, but although they can make a drive unusable, they do not remove data from the disk. The Center for Magnetic Recording Research at the University of California at San Diego warns that although physical destruction of a drive is probably the most secure method of disposal, useable data can be recovered from a piece of disk less than 0.01 inch in size if someone wanted to spend enough time and money on it.
Overwriting, a solution approved by DOD and NSA, has its limitations as well. Overwriting can skip bad sectors on the disk, leaving data intact. Tracking errors also leave some bits untouched. Multiple overwriting, as many as 13 times to satisfy NSA, can help address this but still is not absolutely guaranteed.
'There is no way to ensure that the head always hits the same spot exactly,' said Dan Dalton, director of new product development at hard drive manufacturer Fujitsu Computer Products of America. 'It's a fact of magnetic recording, and there's no way to eliminate it.'
Multiple overwriting is so time-consuming it is impractical for many shops that have a large volume of drives to eliminate.
'We aren't staffed to do that,' the Army's Bell said.
So the Command and General Staff College and Spawar in San Diego have both adopted Fujitsu's Mag EraSURE degausser.
'We have been making disk drives for 30 years, and we know how to make disks permanent, and we know how to erase them,' Dalton said.No charge
Even with that expertise, effective degaussing is not simple.
Degaussing is the process of using a magnetic field to remove an unwanted magnetic field, such as data stored on a tape or disk. The term comes from researcher Carl Friedrich Gauss. But magnetic data on the disk of a hard drive is well-protected, buried under shielding, and the bits are recorded with an intense magnetic force measured in coercivity.
The coercive force of the data on a hotel room key would be in a low range, Dalton said. For a VCR tape it might be four or five times higher. For a disk drive it is as much as 25 times higher. To degauss a field this powerful, 'you have to have overwhelming magnetic force,' Dalton said.
It requires a force of about 10,000 Gauss, or one Tesla ' named after another early electrical researcher, Nikola Tesla ' to do the job. The Mag EraSURE generates about 1.3 Tesla.
But it requires more than brute force to erase a disk. The magnetic field must be groomed and directed to effectively reach the disk so that all data bits are flipped in the direction of the field, creating an effectively blank disk of all ones or zeroes.
Fujitsu uses permanent rare-earth magnets to generate this field. The Mag EraSURE P2V commercial model uses an electric motor to pass a hard drive through the magnetic field, destroying data in about 10 seconds.
'With this model, you just run it through one time and the material is erased,' Angeles said. Once degaussed, the drives can be physically destroyed without sending them to NSA.
The General Staff College recently degaussed 1,900 hard drives ' several years' worth, Bell said. Sites with few drives to dispose of also find the tool valuable. NASA's Marshall Space Flight Center in Alabama uses it only selectively.
'It depends on what's on the PC, whether the government wants it sanitized or not,' said Bobby Rafuse, who is in charge of computer media. 'We don't do it very often,' but 'for our situation, it's perfect.'
Fujitsu's P3M government model degausser uses a hand crank to move the hard drive. Because no electrical power is needed, the model can be used in the field, where a power source might not be available.
This is all well and good, but what if you are in a situation where you absolutely must destroy your hard drive quickly, and you do not have time to remove it and take it to a degausser?
This is exactly the situation the crew of a U.S. spy plane found itself in when it crash landed on the Chinese island of Hainan in 2001, said John Benkert, senior computer scientist at CPR Tools.
'I used to work with NSA, and I was with the Air Force for 25 years,' Benkert said. 'I was in those situations. I know there was no quick way to destroy that data.'
CPR Tools specializes in recovering data from damaged drives. When Benkert joined CPR Tools, 'I said, 'We're experts on drives, why can't we help people get rid of data?' '
The result was DefenDisk, a portable external housing for a hard drive that also contains a degausser. It is intended for use in potentially dicey locations, such as planes, ships and embassies where security is at a premium and reaction time may be limited.Quick destruction
When the barbarians are at the gate, DefenDisk's arming switch is turned on. When they burst in, the trigger button is pushed, and within 30 seconds, data on the drive is destroyed.
The magnetic field in DefenDisk has been tuned to effectively wipe out data on just about any type of hard drive, Benkert said. It generates about 3,000 Gauss, only about one-third of the more powerful Fujitsu table-top model, and it is not up to NSA standards for data destruction. But what it lacks in power it makes up for with convenience. In a crisis, it is more effective than taking a hammer or screwdriver to a hard drive.
Because the hard drive is housed with the magnets, DefenDisk uses electromagnets rather than permanent magnets and requires an external power source. Benkert said CPR is working on a battery pack for the tool.
'It's probably not going to be a huge moneymaker,' Benkert said, but there is a sizeable government niche for the product.
A possible downside to degaussing is that it destroys not only your data but also your hard drive. The read-write heads are destroyed and servo data (head positioning data) is destroyed so that the disk cannot boot. This usually is not a big problem, given the relative value of the data on the disk compared to the hardware.
'You can't make a used drive new,' Fujitsu's Dalton said. 'The residual value of the drive is so small, why bother?'
But what if you are not done with the drive when you want to destroy the data? Maybe you are just reconfiguring it for a new user, returning it to a dealer for warranty repair or want to make sure you get rid of a particularly nasty virus. Or maybe you just want to be responsible and recycle a useful piece of hardware.
As it turns out, there already is code built in to most hard drives that will effectively destroy the data without destroying the drive. But it is not easy to access that code.
Secure Erase is a required part of the security feature set of Advanced Technology Attachment interface standards for hard drives (see sidebar). The command destroys data by overwriting data on all user accessible blocks. The process only takes as long as 45 minutes, about one-eighth the time required to meet DOD erasure requirements of three block overwrites for secret data. But according to the Center for Magnetic Recording Research, Secure Erase provides the same level of security for erasing the data.
Secure Erase is incorporated in the command set of most current ATA drives of 15G or more. It also is an optional feature for SCSI, but so far has not been implemented in SCSI drives.
Because the data is not recoverable, Secure Erase was so frightening that 'the market decided it was more of a menace than a feature,' said Roger Detzler, chief technology officer at Ensconce Data Technology.
The software industry put blocks against Secure Erase in operating systems and BIOS to prevent accidental destruction or exploitation by malicious code. The result is that the average user on a Windows PC cannot invoke Secure Erase when retiring a hard drive.
Daniel P. Schneider, EDT executive vice president and another former NSA man, said the key to decommissioning a hard drive without destroying it is to separate it from the operating system and BIOS to use Secure Erase on it. This is what EDT's Digital Shredder does.
The Shredder is built on an industrial-grade single-board computer to avoid operating system and BIOS blocks. Hard drives to be reused or recycled are removed from the computer and docked in a bay that fits the backplane of the specific make and model of drive being erased. Multiple drives can be erased at the same time, and when the bay is inserted into the shredder, it is locked in place until the erasure is complete. If the drive does not include Secure Erase, the Shredder recommends an alternative process.
The device also documents the process and can print an adhesive label with the details of the process that can be put on the drive for audit purposes. This auditing capability and the fact that the drive does not have to be sent to a third party for processing are big selling points for EDT.
The National Institute of Standards and Technology recognizes Secure Erase as an appropriate method for purging data from ATA drives and USB removable media such as thumb drives that contain hard drives. Digital Shredder is not the only way to use Secure Erase. Software to use the command also is available for download from the University of California at San Diego's CMRR Web site at http://cmrr.ucsd.edu.