Disk and Data Sanitization Policy and Guidelines
Information Security Office - July, 2005
Stanford staff and faculty often have a business need to store prohibited or restricted data on their personal computers. Yet when it comes time to dispose of these systems, or transfer them to another user, there are few established policies and processes in place to prevent confidential data from being accessible by unauthorized persons.
The goal of this document is to present recommended policies and guidelines that describe the process by which confidential data may be permanently removed from a personal computer, workstation, PDA or CD/DVD in such a way that the data is deliberately made non-recoverable. In other words, this document discusses when and how to sanitize disks, devices that may be mounted as disks (e.g., flash memory devices) and other common data storage products.
The scope of this document is personal computers and attached peripherals used by Stanford staff and faculty. Student systems should never possess prohibited or restricted data. Personal computers include portable systems (notebooks) and workstations. Operating systems are assumed to be Microsoft Windows, Apple OS X (or earlier), or Linux/Unix. The concepts described should be applied to larger systems (e.g., central servers) as well, but system owners are cautioned that relevant vendor guidelines need to be followed, including making appropriate backups before sanitizing any system media.
What is Data Sanitization?
Data sanitization is the process of deliberately, permanently, irreversibly removing or destroying the data stored on a memory device. The devices discussed below include magnetic disks, flash memory devices, CDs and DVDs, and PDAs (Palm Pilots, Pocket PCs and Smart phones). A device that has been sanitized has no usable residual data and even advanced forensic tools should not ever be able recover erased data. Exceptions tend to be specialized hardware used by large government agencies to recover sanitized data under special extreme circumstances, and these will not be addressed. It is possible to sanitize a single file, a set of files, or an entire disk or device. Sanitization processes include using a software utility that completely erases the data, a separate hardware device that connects to the device being sanitized and erases the data, and/or a mechanism that physically destroys the device so its data can not be recovered.
The following three cases are intended to cover all possible circumstances during which data sanitization is required. In all cases, the device is assumed to contain prohibited or restricted data and is transferred within one of these three scenarios:
Transferred within an Organization
In this case, a computer or PDA is transferred from one person to another who works in the same organization and has the same level of access to prohibited or restricted data information. If the device is transferred to a staff member who has no permission to this prohibited or restricted data, the policy defaults to "Transferred to a Different Organization". As long as the original system owner and the new owner have the same rights to view the prohibited or restricted data stored on the device, there is no need for data sanitization. The system may be transferred without removing any confidential data. However if the recipient has no business need to access the stored prohibited or restricted data, the files containing this data should be sanitized according to the directions in the Sanitization Guidelines section.
Transferred to a Different Organization
When a computer is transferred from one person to another in a different organizational unit, all prohibited or restricted data on the system should be sanitized, unless management representatives from both sides agree the recipient has rights to this prohibited or restricted data. Either the confidential data files or the entire disk should be erased according to directions in the Sanitization Guidelines section.
Device Disposal or Transferred Off Campus
When a computer is to be disposed of or transferred to someone not working for the university, all disks should be sanitized, whether or not they are known to contain any confidential data. No computer system should leave Stanford’s control without all disks being either sanitized or removed. No disks, including flash memory devices, should be disposed of without being sanitized. PDAs (e.g., Palm Pilots, Pocket PC devices) and Smart Phones should have all data removed prior to being transferred to another person or being turned in for recycling.
It is expected that system owners and their local property administrators will be responsible for ensuring that all devices turned in for recycling or transfer to a third party will be properly sanitized before leaving Stanford’s possession. Local property administrators should be prepared to either sanitize disks themselves (and keep a record of the activity) or else contract with ITS through the HelpSU process. ITS provides “on-call services” that include data sanitization and destruction. Figure 1 provides a summary of data sanitization policies discussed.
Figure 1: Summary of data sanitization policies
|Device Transferred within an Organization||Device Transferred Between Organizations||Transferred Off Campus or Recycling|
|Sanitizing is required unless target recipient has rights to this data and a business justification exists.||All prohibited or restricted data is to be sanitized unless an exception is approved by management.||All disks are to be sanitized or removed. PDAs are to have all data removed.|
Sanitization Guidelines
These guidelines are just that: guidelines. They are not intended to be explicit directions for any operating system utility or third party product. It is important to recognize that almost all operating system commands designed to delete data or format disks do not, in fact, remove all the data. Commands like “del”, “delete”, “rm” or dragging a file to the trash only free up the space that the deleted files consumed. Most of the actual file data remains on the disk or flash memory device. There are a number of forensics products that can read this data and produce a clear picture of what data had been stored in the files prior to deletion. Therefore, unless vendor supplied operating system commands and utilities have been specifically designed to sanitize data, they should not be used for this purpose. OS commands and utilities that are capable of sanitizing data files or entire disks have names like “secure erase”, “secure delete” or “secure empty trash”. Options to these programs often allow a user to specify how many times the disk or data should be wiped (erased and rewritten). Note that not all OS vendors supply programs capable of data sanitization.
Computer File Sanitization
File sanitization involves securely removing specific files from a computer while generally leaving the operating system and supporting programs in place. Macintosh OS X provides this capability as “Secure Empty Trash”. Files need to be moved to the Trash, and then “Secure Empty Trash” is selected from the Finder menu. Microsoft Windows and Linux do not generally provide specific secure file deletion programs as part of the OS. [However some Linux and Microsoft commands may be used for that purpose. See the next section.] A variety of free and inexpensive tools are available for this task. See Appendix 1.
Computer Disk Sanitization and Destruction
Disk sanitization involves securely erasing all the data from a disk so that the disk is, except for the previous wear, “new” and empty of any previous data. There is no way to use any operating system to effectively sanitize the same operating system disk. In other words, an operating system cannot securely erase the disk that it is “running off of”. However it is possible to use operating system commands to sanitize a non-operating system disk. For example, a disk connected to a Linux system may be sanitized by repeating the following command 3 - 7 times (or more):
# Pass 1 writes random data over the whole disk, pass 2 writes zeros.
# /dev/urandom is used because /dev/random blocks while it waits for entropy and would take
# far longer on a large disk. The two commands are joined with ';' rather than '&&' because dd
# exits with an error ("No space left on device") when it reaches the end of the disk, so '&&'
# would skip the zero pass. bs=1M writes in 1 MB blocks, which is much faster than the default 512 bytes.
dd if=/dev/urandom of=/dev/hdb bs=1M ; dd if=/dev/zero of=/dev/hdb bs=1M
This command (actually dd run twice) first writes a random pattern to disk /dev/hdb, then writes all zeros to it. Any disk that needs to be sanitized, including any flash memory device or former PC or Macintosh disk, may be attached to a Linux (or other Unix) system and erased using the above command, replacing /dev/hdb with the appropriate disk device name. Additional tools that can erase disks are discussed in Appendix 1. Some of these allow users to sanitize the installed operating system disk as well as other attached disks (by booting from a CD or floppy disk that contains the secure deletion software).
Macintosh systems may also be booted from the OS installation CD or DVD, and then the Disk Utility application may be used to sanitize any attached disks: after the computer is booted from CD/DVD, start the Disk Utility application, select the disk you need to erase, click the Erase button, then click “Security options…”. Select “Zero Out Data” and “7-Pass Erase”, then click “OK”, then click “Erase”, and wait for the task to complete.
The other procedure to securely remove confidential data from disks is to destroy the disk. This destruction may be either magnetic or physical. Magnetic destruction involves applying a strong magnetic field to the disk that erases all data. This process often destroys disk read/write heads so the disk cannot be used again. Products that are designed to erase computer disks are readily available for purchase from a number of vendors. Physical destruction involves either taking apart the disk and cutting the platters into small pieces or otherwise destroying the disk (e.g., high temperature or crushing).
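The following script is an added example and is not part of the Stanford document or of any ITS tool. It puts the two procedures described above (secure deletion of a single file, and the random-then-zero overwrite of a whole disk) into small shell functions, and adds the one thing the dd one-liner lacks: a read-back check that every byte is actually zero afterwards. The function names (overwrite_bytes, count_nonzero, sanitize_file, sanitize_device) are this example's own; the demo at the bottom runs against a constructed 64 KiB image file rather than a real device, and blockdev(8) is assumed to be present only when a real Linux block device is given.

```sh
#!/bin/sh
# Added example, not from the Stanford guidelines: overwrite-based sanitization of
# a file and of a whole disk, with a verification pass. The demo below uses a
# constructed image file so nothing real is erased; pass sanitize_device a real
# block device (the page's /dev/hdb, for instance) only when you mean to wipe it.

# overwrite_bytes TARGET BYTES PASSES
# Writes PASSES passes of random data, then one pass of zeros, over the first
# BYTES bytes of TARGET. conv=notrunc keeps a file's length unchanged; sync
# flushes each pass to the medium before the next one starts.
overwrite_bytes() {
    target=$1; bytes=$2; passes=$3
    i=0
    while [ "$i" -lt "$passes" ]; do
        head -c "$bytes" /dev/urandom | dd of="$target" conv=notrunc 2>/dev/null
        sync
        i=$((i + 1))
    done
    head -c "$bytes" /dev/zero | dd of="$target" conv=notrunc 2>/dev/null
    sync
}

# count_nonzero TARGET BYTES
# Prints how many of the first BYTES bytes of TARGET are not zero. After a
# successful zero pass this must be 0; anything else means data survived.
count_nonzero() {
    head -c "$2" "$1" | tr -d '\000' | wc -c | tr -d ' '
}

# sanitize_file PATH [PASSES]
# The "secure delete" idea from the guidelines: overwrite the file's content in
# place, then unlink it. It cannot reach copies the file system keeps elsewhere
# (journal entries, snapshots, remapped flash blocks), which is why the
# guidelines prefer whole-disk sanitization before a device leaves Stanford.
sanitize_file() {
    path=$1; passes=${2:-3}
    [ -f "$path" ] || return 1
    size=$(wc -c < "$path" | tr -d ' ')
    overwrite_bytes "$path" "$size" "$passes"
    rm -f -- "$path"
}

# sanitize_device DEVICE [PASSES]
# Random passes plus a final zero pass over the whole device, then verify that
# every byte reads back as zero. Returns non-zero if any data remains. The size
# comes from blockdev(8) for a real Linux block device (assumed available there)
# and from wc -c for an image file, which is what the demo uses.
sanitize_device() {
    dev=$1; passes=${2:-3}
    if [ -b "$dev" ]; then
        size=$(blockdev --getsize64 "$dev")
    else
        size=$(wc -c < "$dev" | tr -d ' ')
    fi
    overwrite_bytes "$dev" "$size" "$passes"
    [ "$(count_nonzero "$dev" "$size")" -eq 0 ]
}

# Demo on a constructed 64 KiB "disk" image; no real device is touched.
demo() {
    img=$(mktemp) || return 1
    head -c 65536 /dev/urandom > "$img"
    # Constructed test record standing in for restricted data left on the disk.
    printf 'SSN 000-00-0000 (constructed test record)' | dd of="$img" conv=notrunc 2>/dev/null
    before=$(count_nonzero "$img" 65536)
    sanitize_device "$img" 2 && after=$(count_nonzero "$img" 65536)
    echo "non-zero bytes before: $before, after: $after"
    rm -f -- "$img"
}
```

Run `demo` to see the before/after byte counts on the image file. On a real disk the page's `dd ... bs=1M` form is faster than piping through head, but the verification step is the part worth keeping: a wipe that was interrupted, or that stopped at a bad sector, leaves readable data behind, and only a read-back shows that.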
PDA and Smart Phone Sanitization and Destruction
Sanitizing PDAs and Smart phones is not a science. Vendor software is not guaranteed to actually sanitize the device’s memory and third-party products are more focused on encryption. In any case, it’s hard to be certain that a device has been securely “zeroed out”. The recommended approach - which does not fully guarantee that all data has been permanently rendered unrecoverable - is to “cold reset” the device. This usually involves inserting a pin or paperclip when the device is powered off, but the procedure can vary depending on the manufacturer. This approach will, in all likelihood, make it extremely difficult for anyone without access to expensive, specialized hardware to recover any data that had been stored on the PDA or Smart phone. If the device is going to be disposed of, it should be either turned in to Stanford’s property department for destruction, or transferred to an organization that can recycle it (e.g., GreenCitizen in Palo Alto: http://www.greencitizen.com/).
CD and DVD Destruction
CDs and DVDs that contain prohibited or restricted data need to be physically destroyed when they are no longer needed. Larger paper shredders can often do this as can special CD/DVD destruction hardware (available at some electronics stores). The Stanford property department should also be able to provide optical disk destruction services.
Appendix I: Data Sanitization Products
Stanford University's Property Management Office issues a data destruction kit, called the D2 KIT, for its members to use in data destruction operations throughout campus. The kit contains Darik's Boot & Nuke (DBAN) disk sanitization program in bootable CDs. Additional information about obtaining DBAN can be found in the DBAN section of the Secure Computing web page:
In addition to DBAN, there are other disk sanitization programs obtainable from the web. The following product tables have been borrowed from the University of Minnesota’s Information Security web site (http://www1.umn.edu/oit/security/assureddelete.html) listing common disk sanitization programs. Like DBAN, PGP also works very well for secure file deletion on PCs, Macintosh and Linux. Users are encouraged to discuss their file and disk sanitization needs with their LNA and/or system administrator.
|Product||Windows Platforms||Options||Web site|
|BC Wipe||95, 98, ME, NT, XP, 2000 and 2003||Free trial, purchase||http://www.jetico.com/download.htm|
|Darik's Boot & Nuke||95, 98, ME, NT, XP and 2000||Free||http://dban.sourceforge.net/|
|Data Eraser||All IBM compatible PC's on all operating systems||Purchase||http://www.ontrack.com/dataeraser/|
|Eraser||95, 98, NT, 2000, XP and DOS||Free||http://www.heidi.ie/eraser/|
|PGP Wipe Utility & Wipe Free Space||95, 98, ME, NT, XP and 2000||Free trial or purchase||http://www.pgp.com/products/desktop/index.html|
|R-Wipe & Clean||98, ME, NT4.0, 2000, XP||Free trial or purchase||http://www.r-wipe.com/|
|WinPT Wipe File Utility||95, 98, ME, NT, XP and 2000||Free||http://winpt.sourceforge.net/en/ a front-end for http://www.gnupg.org|
|Product||Macintosh Platforms||Options||Web site|
|Burn||OS 8.5 and the new Mac OS HFS+ file system||Free||http://www.thenextwave.com/burnHP.html|
|Eraser Pro||Minimum OS 7||Free||http://users.libero.it/yellowsoft/theeraser.html|
|ShredIt||Minimum OS 8||Purchase||http://www.mireth.com/text/shredit_sp.html|
|PGP Wipe Utility & Wipe Free Space||OS X 10.3.9 ("Panther"), 10.4.0 through 10.4.4 ("Tiger")||Free trial or purchase||http://www.pgp.com/products/desktop/index.html|
|BC Wipe||Various platforms||Free trial, purchase||http://www.jetico.com/download.htm|
|Darik's Boot & Nuke||Various platforms||Free||http://dban.sourceforge.net/|