Sanitizing hard drives at the hardware level
If you need to sanitize an ATA (“IDE”) hard drive prior to throwing it out or giving it away, try the Secure Erase Utility published by researchers at the Center for Magnetic Recording Research at the University of California at San Diego (UCSD).
The utility invokes the “SECURITY ERASE UNIT” command built into recent ATA hard drives. Any ATA (“EIDE” or SATA) hard drive manufactured since about 2000 will have it. A few SCSI drives apparently also have the feature. The command was added to the ATA specification to address the serious limitations of software-based sanitization utilities (e.g. DBAN and the many commercial disk wiping utilities for sale).
Years ago microcomputers used MFM hard drives that could be accessed at the physical level. Today's ATA and SCSI drives have integrated controllers that act as middleware between the operating system and the physical sectors on the platters. The operating system, and therefore any disk wiping software, can address only logical sectors. Data left in physical sectors that the on-board controller has marked bad and remapped elsewhere can never be reached by a software wiping utility, and latent data in the areas between tracks is equally inaccessible.
The security erase command instructs the drive's on-board controller to run a firmware routine that overwrites the disk contents at the physical level. The ATA specification defines two modes: a normal erase writes zeros to all user data areas, and an enhanced erase writes a vendor-specific pattern to all user data areas including sectors that were written and later reallocated. The routine is also supposed to move the drive head off track by 10% so that data between tracks is overwritten too.
The UCSD Secure Erase Utility invokes this built-in command. It is a DOS executable, so you will need to boot the computer that contains the drive to be wiped from a DOS boot diskette.
To use it, run hdderase.exe from the command line and agree to all the disclaimers. A menu lists the detected hard drives and lets you pick one to wipe. The selected drive is then checked for the SECURITY ERASE UNIT command. If it is present, you can select either a hardware “quick erase” or the more thorough hardware “security erase”.
The utility also provides several software overwrite methods, including the U.S. DoD methods, for drives that don't support Security Erase or if you want to wipe using both the hardware and software methods.
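For a drive in a machine that can boot Linux, the same ATA command can be issued with hdparm instead of the DOS utility. The script below is an added example, not the UCSD utility's code and not from the original post: it parses the Security block that `hdparm -I` prints (a constructed sample, not output from a real drive), reports whether the drive is "frozen" by the BIOS, which is the usual reason the command is refused, and prints the two hdparm commands to run. The device name /dev/sdb and the password "p" are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the UCSD utility.
# Parse the "Security:" block that `hdparm -I /dev/sdX` prints, decide whether
# SECURITY ERASE UNIT can be issued right now, and build the two hdparm
# invocations that issue it.  The hdparm flags used (-I, --user-master,
# --security-set-pass, --security-erase, --security-erase-enhanced) are real;
# the device /dev/sdb and the password "p" are illustrative assumptions.

# Constructed sample (not captured from a real drive) of the Security block for
# a drive that supports the feature set but was "frozen" by the BIOS at boot.
# A frozen drive rejects SECURITY ERASE UNIT until the freeze is lifted.
SAMPLE_FROZEN=$(printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\t\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t30min for SECURITY ERASE UNIT. 30min for ENHANCED SECURITY ERASE UNIT.\nChecksum: correct')

# The same drive after the freeze is lifted (a suspend/resume cycle is the usual
# workaround): hdparm -I then shows "not frozen".
SAMPLE_READY=$(printf '%s\n' "$SAMPLE_FROZEN" | awk '$1 == "frozen" { print "\tnot\tfrozen"; next } { print }')

# sec_flag FLAG TEXT: "yes" if FLAG is listed in the Security block without a
# leading "not", "no" if it is listed with "not", "unknown" if it is absent.
sec_flag() {
    printf '%s\n' "$2" | awk -v f="$1" '
        /^Security:/                             { insec = 1; next }
        insec && /^[^ \t]/                       { insec = 0 }
        insec && $0 ~ ("^[ \t]*not[ \t]+" f "$") { print "no";  found = 1; exit }
        insec && $0 ~ ("^[ \t]+" f "$")          { print "yes"; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# erase_minutes TEXT: the drive's own time estimate for a normal SECURITY ERASE UNIT.
erase_minutes() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\([0-9][0-9]*\)min for SECURITY ERASE UNIT.*/\1/p'
}

# erase_plan TEXT: unsupported | frozen | locked | erase | enhanced
# "enabled" is not checked here: if a user password is already enabled, that
# existing password must be used in place of "p" rather than setting a new one.
erase_plan() {
    if   [ "$(sec_flag supported "$1")" != yes ]; then echo unsupported
    elif [ "$(sec_flag frozen "$1")" != no ];     then echo frozen
    elif [ "$(sec_flag locked "$1")" != no ];     then echo locked
    elif [ "$(sec_flag 'supported: enhanced erase' "$1")" = yes ]; then echo enhanced
    else echo erase
    fi
}

# erase_cmds DEV PASS PLAN: the hdparm commands to run, one per line.  A user
# password has to be set before the erase; the drive clears it on completion.
erase_cmds() {
    case $3 in
        erase)    op=--security-erase ;;
        enhanced) op=--security-erase-enhanced ;;
        *)        echo "nothing to run: drive is $3"; return 0 ;;
    esac
    printf 'hdparm --user-master u --security-set-pass %s %s\n' "$2" "$1"
    printf 'hdparm --user-master u %s %s %s\n' "$op" "$2" "$1"
}

for text in "$SAMPLE_FROZEN" "$SAMPLE_READY"; do
    plan=$(erase_plan "$text")
    echo "plan=$plan, drive estimates $(erase_minutes "$text") min"
    erase_cmds /dev/sdb p "$plan"
done
```

Run the printed commands as root and only against a drive you mean to destroy; the erase starts immediately and hdparm blocks until the drive reports completion. If `hdparm -I` shows the drive frozen, lifting the freeze (a suspend/resume cycle) is required first, since a frozen drive ignores the password and erase commands.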
The Secure Erase Utility is mentioned in a bulletin (warning: PDF link) published by the RCMP that lists possible alternatives to their now defunct DSX disk wiping utility.
We tried the Secure Erase utility on several old ATA drives, and every one manufactured since 2000 supported the Security Erase command (the utility tells you if the drive does not). Drives older than that don't have the command, so for very old drives a software wipe is the best you can do. As an added bonus, a Security Erase takes much less time than software wipe utilities: about 30 minutes for a 40GB drive instead of several hours for an allegedly DoD-compliant software wipe.
In researching commercial disk wiping products, including those listed in the RCMP bulletin above, we couldn't find any that claim to use the Security Erase command. The products emphasize Gutmann, U.S. DoD 5220.22-M and other data overwrite methodologies, but say nothing about Security Erase. You would think that companies whose business it is to provide robust methods of wiping hard drives would take advantage of the command built into the most widely used type of drive, but that doesn't seem to be the case.
Since we deal with some sensitive government data, we have to take data destruction seriously. Drives that have ever touched classified material must be physically destroyed, preferably in a commercial disintegrator that grinds them into small bits. Fortunately we never handle that level of sensitivity in our offices so for old server and workstation drives we do the following:
- a secure erase using the UCSD secure erase utility
- a software erase using DBAN
- physical damage of the drives (drilling holes through the platters, denting platters with an axe, and breaking up the controller board)
Overkill? You bet. A data recovery service or foreign intelligence service might be able to recover something after that, but it’s doubtful they would bother due to the low levels of sensitivity involved. Safeguards must be based on the risk and level of sensitivity involved.
Assuming Security Erase does what it's supposed to, it should make data recovery from the drive virtually impossible. The problem is that the erase routine is embedded in the proprietary drive controller firmware and cannot be inspected. You have only the manufacturer's word that it wipes the drive in accordance with the ATA specification.
That's the biggest problem with both the Security Erase feature and the many software wipe utilities out there. We've found none that have been independently verified in any meaningful way, such as by examining the physical data left on the platters (one commercial wiping utility has passed a Common Criteria EAL 1 evaluation, but its protection profile didn't call for actually examining the data remaining on the drive).
For that reason it's probably best to wipe hard drives using both the embedded Security Erase feature and a software wipe utility. If the drive is being discarded, physically damaging the case and electronics is also advisable. You never know who might be going through your garbage.
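What you can verify from software is limited to the logical sectors, but that much is worth doing: a read-back that finds anything other than zeros proves the erase did not happen at all. The script below is an added example, not from the original post: it samples sectors spread across a device (or, as here, a constructed image file standing in for one) and counts those that still contain non-zero bytes. It cannot see remapped sectors or inter-track data, so a clean result rules out a drive that silently did nothing, not firmware that misreports what it wrote.

```shell
#!/bin/sh
# Added example, not from the original post: after an erase, sample the logical
# sectors and confirm they read back as zeros, the pattern a normal SECURITY
# ERASE UNIT or a zero-fill wipe leaves.  This sees only what the controller
# exposes: remapped sectors and inter-track data are out of reach, so the check
# catches a drive that silently did nothing, not firmware that lied.

# device_bytes DEV: size of a block device or an image file in bytes.
device_bytes() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1"; fi
}

# nonzero_sectors DEV SAMPLES: read SAMPLES 512-byte sectors spread evenly over
# DEV and print how many of them contain at least one non-zero byte.
# A SAMPLES value larger than the sector count reads every sector.
nonzero_sectors() {
    dev=$1; samples=$2
    total=$(( $(device_bytes "$dev") / 512 ))
    step=$(( total / samples )); [ "$step" -gt 0 ] || step=1
    bad=0; lba=0
    while [ "$lba" -lt "$total" ]; do
        # od prints every byte as two hex digits; any digit other than 0 means data survived
        if dd if="$dev" bs=512 skip="$lba" count=1 2>/dev/null | od -An -v -tx1 | grep -q '[1-9a-f]'; then
            bad=$(( bad + 1 ))
        fi
        lba=$(( lba + step ))
    done
    echo "$bad"
}

# Stand-alone demo on a constructed 64-sector image: all zeros except six bytes
# written into sector 40 to stand in for data an erase missed.
img=$(mktemp)
dd if=/dev/zero of="$img" bs=512 count=64 2>/dev/null
printf 'secret' | dd of="$img" bs=512 seek=40 conv=notrunc 2>/dev/null
echo "sampling 8 of 64 sectors: $(nonzero_sectors "$img" 8) non-zero"
echo "reading all 64 sectors:   $(nonzero_sectors "$img" 64) non-zero"
rm -f "$img"
```

On a real drive, `nonzero_sectors /dev/sdb 4096` gives a quick spot check and `nonzero_sectors /dev/sdb 0` is not valid (the sample count must be at least 1); reading every sector of a large drive this way is slow, and `cmp /dev/zero /dev/sdb` is the faster way to do a full logical pass.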
Update: NIST has released SP 800-88, Guidelines for Media Sanitization, available from the NIST Special Publications page. It lists the ATA Secure Erase command among the acceptable purge methods for ATA hard drives.
2 Responses to “Sanitizing hard drives at the hardware level”:
December 5th, 2006 at 9:40 pm
Ever try a Damn Small Linux Live CD?
How about a Slax Live CD?
Or maybe a Knoppix Live CD.
No HD needed EVER.
Just plug in your favorite USB thumb drive to save stuff.
All that is needed is an open mind to different operating systems.
You can have your cake and eat it too.
People might want to check out the Gigabyte i-RAM card…
That is, after you learn you can load up an operating system with a full GUI onto that card and surf from it. The i-RAM is at 4 GB right now, but you can put in more than one card (PCI slot, DDR needed).
Solid-state memory is faster than a mechanical HD, and if you ever want to dump all contents in a few seconds (literally), unplug the battery from the card. Since it's DDR, when the voltage on the card reaches 0 volts everything goes bye-bye forever.
This is only the extreme for someone who wants the best in computer security.
March 13th, 2009 at 3:15 pm
[...] vendors claim that no software writing solution is secure, and only firmware level erasing, like Secure Erase, is certifiable. Others go further and say that only physical destruction is enough. The DoD spec [...]