Secure Erase Feature Provides Answer for Complete Hard Disk Erasure

Consequently, user data remains stored on disk drives when they are discarded from PCs or from large enterprise systems, transferred to another user, or returned off lease. Even if users delete their files, they can be recovered from “recycling” folders or by special programs such as Norton Unerase.

Data left on disk drives can fall into the hands of others. Beyond theft of computer disk drives, data can be easily recovered from discarded or sold disk drives. There is a long history of personal information turning up on used hard drives, raising concerns about privacy and identity theft.

Gartner Dataquest estimates that 150,000 hard drives were "retired" in 2002. Many of these drives are thrown away, but a significant percentage find their way back onto the market.

Earlier this year two students at MIT (Simson Garfinkel and Abhi Shelat) reported in newspapers worldwide and in the journal IEEE Security & Privacy, that they bought 158 used hard drives at secondhand computer stores and on eBay. 129 of these drives were functional, 69 of these still had recoverable files on them, and 49 contained "significant personal information" including medical correspondence, love letters, pornography and 5,000 credit card numbers. One even had a year's worth of transactions with account numbers from a cash machine in Illinois. In 2002 Pennsylvania, sold used computers containing information about state employees. In 1997, a Nevada woman bought a used computer and found it contained prescription records for 2,000 customers of an Arizona pharmacy.

Experience gained from supporting customers with computer security and information storage media issues have shown a need for the capability to securely erase data from computer hard drives for security and privacy reasons.

The need for Secure Erase (“SE”) eradication of user data arises in:

• Mainframes and storage networks:
• Storage devices are re-configured for other uses or users, for instance in expiring leased data storage facilities at an SSP or data center.
• A RAID drive backs up data to a hot spare.

Individual user PCs and workstations:

• A computer (and hard drive) is replaced by a newer machine and the older machine is discarded or sold.
• A project is completed and the data must be purged to protect “need to know” or to prepare the drives for new users or applications.
• When a user departs an organization and either leaves sensitive/personal data on the computer or may take the computer (and the organization’s data) with them.
• When a drive is to be returned to a drive manufacturer or a drive repair facility after a drive failure or near failure (for instance upon a SMART drive replacement after imminent failure is determined).
• Data on a drive must be erased to protect digital content from unauthorized access.
• A virus has been detected and all possible traces of the offending code must be eliminated.
• An extreme virus or hacker attack where it is desirable to completely erase the data on some disks and reinstall back-up data.

The elimination of unwanted data from a computer hard drive is not a simple task. Deleting a file merely removes its name from the directory structure. The data itself remains in the drive’s data storage sectors where it can be retrieved until the sectors are overwritten with new data. Reformatting a hard drive clears the file directory and severs the links to file storage sectors, but the data still can be recovered until the sectors are overwritten. Software utilities that overwrite individual data files (or an entire hard drive) are susceptible to error and require frequent modifications to accommodate new hardware and evolving computer operating systems. As a consequence, computer users, system administrators, security personnel and service providers can spend considerable time in an endless game of technology catch-up while trying to develop solutions for the above problems. As an example of vulnerability of traditional data security measures, in the MIT study 51 of the 129 working drives had been reformatted, and 19 of them still contained recoverable data.

So what's a paranoid computer user or IT person supposed to do? Fortunately the disk drive interface standards, ATA (also known as IDE) and SCSI contain a Secure Erase (SE) feature. Secure erase is a positive, easy-to-use data destroy command, amounting to “electronic data shredding.” It completely erases all possible user data areas by overwriting, including the so-called g-lists that contain data in reallocated disk sectors (sectors that the drive quits using for data because they contain bit hard errors). SE is part of the “format drive” command currently present in computer operating systems and storage systems, and consequently adds little or no cost to drives. In addition secure erase does not require any additional software to implement.

Secure erasure capability will be required by the U.S. government for their disk drive purchases. Considering the security feature this capability offers to many users I expect there will be considerable commercial interest in this capability as well. Secure erase is also required by the ATA Security Feature Set specifications, although it is optional in SCSI. The new “serial ATA” drives can advertise SE as a user feature, in their competition with SCSI and Fibre Channel drives for market share in low-end storage systems. SCSI and Fibre Channel disk drives allow data write commands for erasure of data from the storage system level. However, this may not allow as high a level of erasure security as SE, and SCSI and Fibre Channel disk drives do not have "fast erase" capability.

If you want to make sure that your old data really is erased and unavailable to others you definitely will want to look into Secure Erase. A freeware secure erase utility may soon be offered for download by CMRR. For additional information on Secure Erase, high accuracy disk drive failure warnings (SMART), and other intelligent disk drive functions contact Dr. Gordon Hughes of CMRR at the University of California, San Diego (gfhughes@ucsd.edu, 858-534-5317).