12. 2 2012 - Dipl. Ing. Nicolas Ehrschwendner
An increasing number of companies and private users are faced with a massive problem when they perform a system change: What should you do with the old storage media, which generally also contains data that should not fall into the wrong hands? May this be the competition, the own superiors or the revenue office: Data in the wrong hands can in some cases be a delicate matter.
For this reason, there are a multitude of commercial deletion programs available on the market, which promise the full and complete deletion of data on storage media. However, this often only an empty promise, which is less due to the (often quite) varying quality of these programs and more due to the construction as well as the internal functions of hard disks.
In order to understand that the complete deletion is practically impossible, one must first understand the manner in which modern hard disks work. A large problem when deleting data are for instance the faulty areas that develop in the course of the operation of the hard disk. Whenever a defect occurs in a physical area of the hard disk, the entire area is separated electronically and the data is copied to a reserve area. The defect is entered in the “grown defect list” and the errors, which already occurred during manufacture, are noted in the “primary defect list”. The system can no longer access these locked areas – and therefore it also cannot be accessed by deletion software that is not suited for this purpose. However, the data is still physically present and can be read with special procedures.
When one takes into consideration that in a hard disk with a size of one terabyte, the defective sectors can take up a size of several hundred megabytes, it is possible to get an impression of how much data is not included in the deletion. An additional problem are the reserved areas, which are hidden from the operating system and are separated and reserved by means of special ATA or SCSI commands. Manufacturers of laptops like to use this feature in order to store an installation medium for the operating system protected from the users. When this area is only separated off afterwards, for instance when the user installs a recovery CD, then data that was already present there, will not be accessed by commercial deletion software.
By the way, a widely spread misunderstanding is that repeated overwriting will make the deletion of a hard disk safer. This is based on disk designs that are several decades old, which did not feature overlapping tracks and MFM recording. The recording process and the recording density in modern hard disks has changed to such a degree that a single overwrite is sufficient to prevent the recovery of data. For this reason, programs that perform several overwrite-instances, are insignificantly safer than those in which the process is only performed once.
Data rescue specialists are a bit like archaeologists: They have been trained with meticulousness to extract data even under the most adverse conditions from the veil of obscurity. Not a single bit is without value to them and everything is done to recover each and every one. The fact that data rescue technology has made such incredible progress in recent years (in particular due to the private research of relevant companies) also has a downside: Namely the question arises how hard disks can be deleted “safely”, ensuring that even a specialist can no longer reconstruct the data. Few things are as dangerous as sensitive data, which leave a company intact and therefore could fall into the wrong hands.
Aside of the software-based procedures, at this juncture we would like to resort to a certain degree of brute force. This should also illustrate which efforts are usually required in order to achieve the physical destruction of hard disks.
The first option is the baking of the storage medium. This is due to the fact that all magnetic material has a specific temperature, referred to as the “Curie temperature”, at which the elementary magnets on their own are aligned in random directions. In this manner, each directed magnetism present in the material is removed, ensuring the safe destruction of the data. Unfortunately, the “Curie temperature” of common magnetic materials of hard disks are in a temperature range that exceeds 800 °C, a temperature, which far exceeds the capacity of common household ovens. This means that this method of destruction would have to be performed in special ovens. Furthermore, the environmental safety of the gases that are generated during the heating up process is also in doubt.
An additional secure method of data destruction is the demagnetisation of the magnetic surface coating with the use of a sufficiently strong magnetic field. Commercial equipment, which can generate such magnetic fields, are offered under the designation “degausser”. However, hard disks that record the data longitudinally (longitudinal recording) must be treated in a different manner than hard disks that record perpendicularly (perpendicular recording). Unfortunately, there is no guarantee that the degausser has actually managed to wipe each and every byte of data. For this reason, a reliable quality control is advisable after the demagnetisation. It is however only possible with special microscopes in the laboratory. Following the demagnetisation, the storage medium is unusable and can no longer be used.
Now, let us move on to the heavy equipment: Shredding and grinding of the storage medium can also be seen as a secure method of data destruction. Due to the fact that a data sector typically only takes in a few micrometers on the surface, the particles that are larger than a few micrometers can in theory be read out by means of scanning probe microscopy. Therefore, to ensure secure destruction, hard disks should also be ground following the shredding, in order to achieve a particle size that is sufficiently small.
But please do not let this discourage you; there are less brutal methods to achieve secure data destruction. We will address these in the next paragraph. Until then, you should better keep your old hard disks in a safe storage location before you resort to drastic measures.
Users who delete data from a hard disk and believe it is actually gone, will probably face a bitter disappointment on Easter: Because, sorry, there is no such thing as an Easter bunny. And in the same manner, as a rule there is no such thing as a completely deleted hard disk, as data rescue specialists will be able to confirm. So what should you do to actually destroy sensitive data such as passwords, to ensure that they can no longer be used?
Data encryption is a good method, which tackles the root of the problem. If data cannot be deleted easily, then at least it is stored in such a manner that even specialists can no longer use it: namely in encrypted form. Of course, this only applies as long as possible data sniffers do not know the passwords. However, there are significant problems with the prevailing lack of creativity in this regard, as the use of questionable passwords such as “12345” illustrate. For this reason, continuous encryption cannot be generally recommended as a true alternative to data destruction.
Furthermore, data encryption also has concrete disadvantages. If an encryption key is lost, in most cases it is no longer possible to access your own data – the user is locked out and all data is lost. Additionally, commercial encryption programs often have a drawback: A local read error could possibly cause that the entire hard disk can no longer be decrypted, for instance when the key is affected by the defect. This of course increases the danger of data loss. Additionally, for many calculation operations the encryption is a millstone in regard to the machine’s performance.
However, encryption also has advantages: In the case of theft (such as of a laptop), unauthorised access is not immediately possible.
Those who do not want to use encryption can still fall back on commercial deletion software. However, not all products fulfil what they promise. Just recently, a deletion application was tested in Attingo’s laboratory, which had even been hailed as the winner of a test in a magazine: However, this program was not even able to delete one hundred per cent of the visible area. How will areas that have been marked as faulty be treated? Because these are deleted by hardly any software, however they can still be read by specialists. And there are also deficiencies in regard to reliability. For instance, sometimes ten hard disks are wiped correctly, but not the eleventh one. Furthermore, many deletion programs have a seemingly myriad of options and parameters that must first be set up correctly by the user. There is no guarantee that the correct setting is used for each hard disk type.
For this reason, when the user wants to make sure when handling sensitive data there is only a single alternative: First encrypt, then wipe the hard disks and subsequently have the deletion certified by a specialist. Or you could choose to use heavy equipment and delete the hard disk, demagnetise it, heat it up and then throw it into a shredder. That should be sufficient.