In the modern world of portable electronic devices and massive data storage capacities, people often worry about losing their data when they don’t want to. However, there are plenty of times where you do want to ‘lose’ your data, or rather delete it, and be certain that it is truly deleted – especially if it is sensitive data. This process of deleting data and then verifying that it has been deleted is called data sanitisation.
When you simple-delete a file on your computer, often it does not actually destroy any data at that point. Instead, what it generally does is earmark the physical space on the storage drive as being writeable, meaning that new data can be written to that place. For an analogy, this is much like a teacher in a classroom with a whiteboard at the end of a lesson; if they have the time they might erase the board, but they can also just walk out knowing that this whiteboard is implicitly earmarked as being writeable as their lesson has finished – the next teacher to use the classroom can erase it as they need to and write on it again.
This means that any data on a storage drive that you have simple-deleted will remain there until it gets overwritten – and there are plenty of programs that can recover it before this happens. This then becomes a risk when you are disposing of your old storage devices, as a digital ne’er-do-well may rummage through your deleted files to see what they can do with them. An e-waste dump in Ghana (Agbogbloshie) is reportedly picked through by organised criminals, and many an interesting file has been found on improperly erased hard drives, including from the US Department of Defense.
This simple-delete behaviour is very much the case with magnetic hard disk drives (HDDs), but it is a little more complicated with solid state drives (SSDs), which have the unusual quirk of only being able to erase whole blocks of data at once and only being able to write to empty blocks. However, this does not mean that an SSD will delete your data immediately, and it is also worth noting that some SSDs can store data in areas inaccessible to the user, adding an extra risk.
So how can we actually destroy data and sanitise a storage device?
The Solution in Theory
Thinking back to our whiteboard and teacher analogy, the obvious solution would be to erase the board. In the digital world this can be achieved by writing something else, such as ‘zeros’, to the storage drive. But this also comes with a slight risk, as sometimes the previous data on the storage device is still slightly visible – just as sometimes a faint bit of whiteboard pen remains when a board is erased. Generally this is not an issue as it would take a very determined individual to try and recover this data, but with sensitive data that doesn’t belong to us it is worth being careful.
A mitigation to this risk is to then write something else to the storage drive, and often ‘ones’ or random data is chosen for this task – imagine trying to read what the last teacher had written on a whiteboard that had been erased and then covered in nonsense.
There is much discussion about the number of times a storage drive should be overwritten to ensure the data has been destroyed, but there are a number of standard practices that exist which we can follow. Mostly these have been developed by cryptographers and government agencies, and they range from the paranoid (physical destruction) to the practical (a few passes and a verification).
The Solution in Practice
Preparing to move house, I finally cleared out ‘that cupboard’, which included a number of storage devices that I had been carrying around for too long, so I put some data sanitisation techniques into practice.
Since Vista, Microsoft Windows has provided a ‘fill with zeros’ option in its format tool. You can either run this from the command line, or more easily from the ‘format’ interface you get when you right-click on a drive icon. If you untick the ‘Quick Format’ box, Windows will write zeros to the storage drive. ‘Quick Format’ will just mark everything for deletion, but not actually overwrite anything – a simple-delete. I used Microsoft’s tool for some old SD cards from my digital camera; nothing particularly untoward on them anyway, so I wasn’t too worried about the data. In a business environment I should probably have put these in the shredder as they are simple solid state devices with potential hidden data storage areas.
As for SSDs, many manufacturers provide their own data deletion tools to wipe SSDs – this will ensure that any data in hidden areas is wiped – with the caveat for the paranoid being that it is only as good as the manufacturer’s implementation. If you do not have access to a manufacturer’s tool, you can take other precautions to reduce the risk – but not completely remove it. Encryption is one sensible option: the data on the storage drive is unreadable without the necessary key, so if you separate the key from the drive (or destroy the key) the data is effectively unreadable, or ‘cryptographically shredded’ – but you rely on the encryption being implemented properly. Zero-filling an SSD may not be as secure as it would be for a HDD, as SSDs do hide away some of their storage capacity from both the user and the operating system to make themselves more robust; a couple of passes will probably destroy your data, but you won’t be completely sure. The final option is physical destruction, which is the least economical of the options. It’s worth noting that the UK’s National Cyber Security Centre is fairly lukewarm about the possibility of completely sanitising an SSD – so from a business perspective it would be worth holding on to any SSDs and reusing them in similarly-classified areas as long as economically viable, and then physically destroying them.
Now onto the HDDs, which we can be pretty sure we can delete the data from. The UK’s National Cyber Security Centre lists three assured data erasure products, so from a business perspective it would make sense to use an assured product to do this – naturally at a premium. From an amateur perspective and on my own devices I was happy to use open source tools, and turned to those that are readily available to mess around with HDDs. The oldest HDDs I subjected to some physical destruction – I opened them up and physically removed the discs, snapping them so that they shattered. One old one had screws I did not have a screwdriver for, so I gave it a good drilling, which was harder than anticipated – make sure you do drill the discs if you do this, rather than just the case around them. For the HDDs I wanted to remain functional, I turned to more technological solutions.
Microsoft’s built-in format would have been fine for my purposes if I had some external HDDs to wipe, but it can’t wipe the HDD in a laptop if that is where Windows is installed – which is the situation I was in.
Bootable USB Tools
You can make a bootable USB drive of a number of Linux distributions, with which you will then be able to access the HDD of any laptop or computer without the operating system on it complaining about you trying to delete it. I opted to use a live boot version of GParted, which can also be used to set up and partition storage drives if you want to set up your computer to run several operating systems. As such it comes with a lot of handy tools pre-installed.
I set up a live USB of GParted, which comes with a utility called nwipe as part of its basic install. nwipe will let you destroy data on a chosen drive by filling it with various patterns (zeros, ones, random data) and then, more importantly, verifying that it has worked. It includes a number of recognised wipe methods and also lets you define your own.
To wipe a couple of HDDs, I used a variant which did two passes and verified that the final pass was all zeros, which balanced the time it took with a reasonable level of assurance. Once again, if I was going to do this in a business environment, I would have used one of the approved products the UK’s National Cyber Security Centre has certified.
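The two-pass-then-verify procedure described above, written out as an added Python illustration (not nwipe’s code or anything from the original post): it overwrites a constructed file-backed image with random data, then zeros, syncs each pass to the medium, and reads the whole image back to confirm the final pass is all zeros, which is the verification step nwipe performs. The chunk size, the planted marker and the function names are assumptions of mine.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB per read/write; memory stays flat however large the image is
MARKER = b"CONSTRUCTED-SENSITIVE-RECORD"  # constructed sample data planted in the image

def fill_pass(fh, size, pattern):
    """One full overwrite of `size` bytes: pattern is a single byte, or None for random data."""
    fh.seek(0)
    for off in range(0, size, CHUNK):
        n = min(CHUNK, size - off)
        fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
    fh.flush(); os.fsync(fh.fileno())  # push the bytes past the page cache onto the medium
def all_bytes_equal(path, byte):
    """Verification pass: read everything back and confirm it is entirely `byte`."""
    with open(path, "rb") as fh:
        while block := fh.read(CHUNK):
            if block != byte * len(block):
                return False
    return True
def marker_present(path, marker):
    """Scan the image for a known string, overlapping chunks so a split marker is still found."""
    tail = b""
    with open(path, "rb") as fh:
        while block := fh.read(CHUNK):
            if marker in tail + block:
                return True
            tail = block[-(len(marker) - 1):]
    return False
def wipe(path, pre_passes=(None,)):
    """Overwrite with each pre-pass pattern, then zeros, then verify the zero pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in pre_passes:
            fill_pass(fh, size, pattern)
        fill_pass(fh, size, b"\x00")
    return {"passes": len(pre_passes) + 1, "verified": all_bytes_equal(path, b"\x00")}
def demo(size=3 * CHUNK + 777):
    """Constructed image with the marker straddling a chunk boundary: check, wipe, re-check."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:  # 5 marker bytes land in chunk 0, the rest in chunk 1
        fh.write(os.urandom(CHUNK - 5) + MARKER + os.urandom(size - CHUNK + 5 - len(MARKER)))
    before = marker_present(path, MARKER)
    result = wipe(path)  # random pass then zero pass, as in the two-pass run above
    after = marker_present(path, MARKER)
    os.remove(path)
    return {"before": before, "after": after, **result}
```

On a real drive you would open the block device (with root) rather than a temporary file, and the SSD caveat above still applies: over-provisioned or remapped blocks are beyond what any write from the host can reach, so this verification only covers the space the operating system can see.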
The final piece of the puzzle is assuring data deletion from cloud servers. Storing data on third-party servers has become more and more feasible as the internet has become faster and accessible from portable devices, and the enterprise-level security they offer is very reassuring. From a data loss perspective it also gives a warm fuzzy feeling – you can’t get to the data without the right credentials, and it is unlikely you will leave a cloud server on the train by mistake.
However, the owners of these servers are probably not going to welcome me trying to overwrite their servers with zeros when I delete my data, so what happens?
Generally the servers only do what amounts to a simple-delete, marking the space as reusable. As they provide mass storage to a wide range of customers, it is likely that your data will be overwritten before too long – but there is no guarantee of this, and you won’t get any feedback. The plus side, as stated before, is that they do have enterprise-level security for their sites – it would be very hard for someone to break into a cloud server farm and manually retrieve data from a HDD, even if they were able to find out which one the data was on. As and when the HDDs in the servers are retired, each cloud service provider will have its own process for sanitising the HDDs before disposing of them too – but they are unlikely to invite you to come and watch to be sure it has been done to your liking.
Using cloud servers gives you great protection from data loss, but it makes data sanitisation hard to assure. The accepted best practice is therefore to encrypt all your data on cloud servers so that just in case your data doesn’t become overwritten and just in case the provider doesn’t properly sanitise a drive before disposing of it, your data is at least unreadable without the key.
Being sure you have deleted your data from the various kinds of storage devices available is not as simple as it seems. Certainly, just clicking delete is not enough, but there are open-source and proprietary tools out there to help you – and you should always try to keep your data encrypted!