Secure Erase Feature Provides Answer for Complete Hard Disk Erasure
By Dr. Gordon Hughes
Associate Director, Center for Magnetic Recording Research (CMRR)

Computer data storage devices are designed for maximum protection of user data. This includes protection against accidental erasure, using “recycle” folders and unerase commands. Drives use elaborate error detection and correction techniques so that they never return incorrect user data. All this means that, from the drive's point of view, unrecoverable file erasure is an abnormal situation.
Consequently, user data remains stored on disk drives when they are discarded from PCs or from large enterprise systems, transferred to another user, or returned off lease. Even if users delete their files, the files can be recovered from “recycling” folders or by special programs such as Norton Unerase.
Data left on disk drives can fall into the hands of others. Beyond outright theft of disk drives, data can easily be recovered from discarded or sold drives. There is a long history of personal information turning up on used hard drives, raising concerns about privacy and identity theft.
Gartner Dataquest estimates that 150,000 hard drives were "retired" in 2002. Many of these drives are thrown away, but a significant percentage find their way back onto the market.
Earlier this year two students at MIT (Simson Garfinkel and Abhi Shelat) reported, in newspapers worldwide and in the journal IEEE Security & Privacy, that they bought 158 used hard drives at secondhand computer stores and on eBay. 129 of these drives were functional, 69 of these still had recoverable files on them, and 49 contained "significant personal information" including medical correspondence, love letters, pornography and 5,000 credit card numbers. One even had a year's worth of transactions with account numbers from a cash machine in Illinois. In 2002 the state of Pennsylvania sold used computers containing information about state employees. In 1997, a Nevada woman bought a used computer and found it contained prescription records for 2,000 customers of an Arizona pharmacy.
Experience gained from supporting customers with computer security and information storage media issues has shown a need for the capability to securely erase data from computer hard drives, for both security and privacy reasons.
The need for Secure Erase (“SE”) eradication of user data arises in:
Individual user PCs and workstations:
The elimination of unwanted data from a computer hard drive is not a simple task. Deleting a file merely removes its name from the directory structure. The data itself remains in the drive’s data storage sectors where it can be retrieved until the sectors are overwritten with new data. Reformatting a hard drive clears the file directory and severs the links to file storage sectors, but the data still can be recovered until the sectors are overwritten. Software utilities that overwrite individual data files (or an entire hard drive) are susceptible to error and require frequent modifications to accommodate new hardware and evolving computer operating systems. As a consequence, computer users, system administrators, security personnel and service providers can spend considerable time in an endless game of technology catch-up while trying to develop solutions for the above problems. As an example of vulnerability of traditional data security measures, in the MIT study 51 of the 129 working drives had been reformatted, and 19 of them still contained recoverable data.
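The paragraph above makes two claims a practitioner will want to see for themselves: deleting or reformatting leaves the data sectors intact, and only overwriting removes it. The following is an added example, not code from the article or from CMRR. It models a hypothetical flat filesystem (`ToyDisk`, with a directory in sector 0, a simplification of any real layout) and carves Luhn-valid 16-digit numbers straight out of the raw image, the way one would scan a `dd` image of a used drive for the kind of card numbers the MIT study found. The file content and card numbers are constructed test data.

```python
from __future__ import annotations
import re

SECTOR = 512


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell payment-card numbers from arbitrary 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(rb"(?<!\d)(\d{16})(?!\d)")


def carve_card_numbers(image: bytes) -> list[str]:
    """Scan raw bytes (a dd image or a block-device read) for Luhn-valid 16-digit numbers.
    It never consults a directory, so deleted data is found exactly like live data."""
    found: list[str] = []
    for m in CARD_RE.finditer(image):
        s = m.group(1).decode()
        if luhn_ok(s) and s not in found:
            found.append(s)
    return found


class ToyDisk:
    """Hypothetical flat filesystem: sector 0 holds the directory as 'name:start:length'
    lines, data lives in sectors 1..n. Real filesystems differ in layout but share the
    property shown here: delete and quick format touch the directory, not the data."""

    def __init__(self, n_sectors: int = 16):
        self.sectors = [bytearray(SECTOR) for _ in range(n_sectors)]
        self.next_free = 1

    def image(self) -> bytes:
        return b"".join(self.sectors)

    def _dir(self) -> list[tuple[str, int, int]]:
        raw = bytes(self.sectors[0]).rstrip(b"\0")
        entries = []
        for line in raw.split(b"\n"):
            if line:
                name, start, length = line.decode().split(":")
                entries.append((name, int(start), int(length)))
        return entries

    def _write_dir(self, entries: list[tuple[str, int, int]]) -> None:
        blob = "\n".join(f"{n}:{s}:{l}" for n, s, l in entries).encode()
        self.sectors[0] = bytearray(blob.ljust(SECTOR, b"\0"))

    def list_files(self) -> list[str]:
        return [e[0] for e in self._dir()]

    def write_file(self, name: str, data: bytes) -> None:
        n = (len(data) + SECTOR - 1) // SECTOR
        start = self.next_free
        for i in range(n):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.sectors[start + i] = bytearray(chunk.ljust(SECTOR, b"\0"))
        self.next_free += n
        self._write_dir(self._dir() + [(name, start, len(data))])

    def delete_file(self, name: str) -> None:
        # Like an OS delete: only the directory entry goes; the data sectors are untouched.
        self._write_dir([e for e in self._dir() if e[0] != name])

    def quick_format(self) -> None:
        # Like a reformat: the directory is cleared, the data sectors are not.
        self.sectors[0] = bytearray(SECTOR)

    def overwrite_all(self) -> None:
        # What a secure erase does: every sector is overwritten, referenced or not.
        for i in range(len(self.sectors)):
            self.sectors[i] = bytearray(SECTOR)
        self.next_free = 1


def demo() -> dict:
    """Walk through delete, reformat and overwrite, carving the raw image after each step."""
    disk = ToyDisk()
    # Constructed content: 4111111111111111 is the standard Luhn-valid test number,
    # 1234567890123456 is a 16-digit run that fails Luhn and must be ignored.
    disk.write_file("notes.txt", b"Card on file: 4111111111111111, serial 1234567890123456\n")
    out = {"listed_before": disk.list_files()}
    disk.delete_file("notes.txt")
    out["listed_after_delete"] = disk.list_files()
    out["carved_after_delete"] = carve_card_numbers(disk.image())
    disk.quick_format()
    out["carved_after_format"] = carve_card_numbers(disk.image())
    disk.overwrite_all()
    out["carved_after_overwrite"] = carve_card_numbers(disk.image())
    return out


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

After the delete the directory is empty, yet the card number is still carved from the raw image; after the quick format it is still there; only after every sector is overwritten does the scan come back empty. Running `carve_card_numbers` over a real `dd` image of a retired drive is a reasonable acceptance check before that drive leaves your control.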
So what's a paranoid computer user or IT person supposed to do? Fortunately the disk drive interface standards, ATA (also known as IDE) and SCSI, contain a Secure Erase (SE) feature. Secure erase is a positive, easy-to-use data destroy command, amounting to “electronic data shredding.” It overwrites all possible user data areas, including the so-called g-list sectors (grown-defect sectors the drive has reallocated and no longer uses for data because they produce hard bit errors, but which still hold the old user data); in the ATA specification it is the enhanced erase mode that is required to cover those reallocated sectors, while the normal mode overwrites the user-addressable area. Because the overwrite is carried out by the drive's own firmware, alongside the format capability already present in drives and storage systems, SE adds little or no cost to drives and needs no additional software beyond a utility that issues the command.
Secure erasure capability will be required by the U.S. government for its disk drive purchases. Considering the security this capability offers to many users, I expect there will be considerable commercial interest in it as well. Secure erase is required by the ATA Security Feature Set specifications, although it is optional in SCSI. The new “serial ATA” drives can advertise SE as a user feature in their competition with SCSI and Fibre Channel drives for market share in low-end storage systems. SCSI and Fibre Channel disk drives allow data write commands for erasure of data from the storage system level. However, this may not provide as high a level of erasure security as SE, and SCSI and Fibre Channel disk drives do not have a "fast erase" capability.
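On an ATA drive the command described above is issued through the Security feature set, and on Linux the usual tool for that is `hdparm`. The following is an added example, not the CMRR utility mentioned later in the article: it parses the Security section of `hdparm -I` output (the sample is constructed to follow hdparm's layout, not captured from a real drive), decides whether an erase can be issued (the feature may be unsupported, the host may have frozen it at boot, or a password may already be set), and builds the command sequence. The temporary password string `erase` is an arbitrary choice; the ATA specification disables the password again once SECURITY ERASE UNIT completes. Enhanced mode is preferred because it is the mode the ATA specification requires to also overwrite reallocated (g-list) sectors.

```python
import re
import subprocess

# Constructed sample of `hdparm -I` output for a drive that supports the ATA Security
# feature set (not captured from a real drive; the layout follows hdparm's).
SAMPLE_HDPARM_I = "\n".join([
    "/dev/sdb:",
    "",
    "ATA device, with non-removable media",
    "\tModel Number:       EXAMPLE-DRIVE",
    "Security: ",
    "\tMaster password revision code = 65534",
    "\t\tsupported",
    "\tnot\tenabled",
    "\tnot\tlocked",
    "\tnot\tfrozen",
    "\tnot\texpired: security count",
    "\t\tsupported: enhanced erase",
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT. ",
    "Checksum: correct",
    "",
])


def parse_security(hdparm_output: str) -> dict:
    """Extract the Security section of `hdparm -I` into flags and time estimates."""
    info = {"supported": False, "enabled": False, "locked": False, "frozen": False,
            "enhanced": False, "minutes": None, "enhanced_minutes": None}
    _head, sep, rest = hdparm_output.partition("\nSecurity:")
    if not sep:
        return info
    for line in rest.splitlines()[1:]:
        if line and not line[0].isspace():
            break  # a new top-level section starts; the Security block is over
        flat = " ".join(line.split())  # collapse the tab between "not" and the flag
        if flat == "supported":
            info["supported"] = True
        elif flat == "supported: enhanced erase":
            info["enhanced"] = True
        elif flat in ("enabled", "locked", "frozen"):
            info[flat] = True
        m = re.search(r"(\d+)min for SECURITY ERASE UNIT", flat)
        if m:
            info["minutes"] = int(m.group(1))
        m = re.search(r"(\d+)min for ENHANCED SECURITY ERASE UNIT", flat)
        if m:
            info["enhanced_minutes"] = int(m.group(1))
    return info


def erase_plan(info: dict, dev: str, password: str = "erase") -> dict:
    """Decide whether an ATA Secure Erase can be issued and build the hdparm commands.
    The password is temporary: a successful SECURITY ERASE UNIT clears it again."""
    if not info["supported"]:
        return {"ok": False, "reason": f"{dev}: ATA Security feature set not supported; "
                                       "an overwrite utility is the fallback"}
    if info["frozen"]:
        return {"ok": False, "reason": f"{dev}: security is frozen by the host at boot; "
                                       "suspend/resume or hot-plug the drive, then re-check"}
    if info["enabled"] or info["locked"]:
        return {"ok": False, "reason": f"{dev}: a user password is already set; "
                                       "the erase must be issued with that password"}
    # Enhanced mode is the one the ATA spec requires to also cover reallocated (g-list) sectors.
    flag = "--security-erase-enhanced" if info["enhanced"] else "--security-erase"
    minutes = info["enhanced_minutes"] if info["enhanced"] else info["minutes"]
    return {
        "ok": True,
        "mode": "enhanced" if info["enhanced"] else "normal",
        "estimated_minutes": minutes,
        "commands": [
            f"hdparm --user-master u --security-set-pass {password} {dev}",
            f"hdparm --user-master u {flag} {password} {dev}",
            f"hdparm -I {dev}",  # afterwards the Security section should read 'not enabled' again
        ],
    }


def query_drive(dev: str) -> dict:
    """Run `hdparm -I` on a real device (needs root); not used by the offline demo."""
    out = subprocess.run(["hdparm", "-I", dev], capture_output=True, text=True, check=True).stdout
    return parse_security(out)


if __name__ == "__main__":
    print(erase_plan(parse_security(SAMPLE_HDPARM_I), "/dev/sdb"))
```

Run `query_drive("/dev/sdX")` on the real device, check `erase_plan` says `ok`, and only then type the listed commands; a drive behind a USB bridge often does not pass the ATA security commands through, so do this with the drive on a native ATA port. Re-running `hdparm -I` afterwards confirms the password was cleared, and a raw scan such as the carving routine earlier in this article should then find nothing.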
If you want to make sure that your old data really is erased and unavailable to others you definitely will want to look into Secure Erase. A freeware secure erase utility may soon be offered for download by CMRR. For additional information on Secure Erase, high accuracy disk drive failure warnings (SMART), and other intelligent disk drive functions contact Dr. Gordon Hughes of CMRR at the University of California, San Diego (firstname.lastname@example.org, 858-534-5317).
Dr. Gordon Hughes is the associate director of the Center for Magnetic Recording Research (CMRR) at the University of California, San Diego. CMRR was established twenty years ago to advance the state of the art in magnetic recording for data storage, and to produce highly trained graduate students and postdoctoral professionals. It is sponsored by virtually all the major manufacturers of disk and tape data storage devices. CMRR also serves as a catalyst for joint investigations among its industrial sponsors, government agencies, and the university.
Thank you for reading ISIC Quarterly. All articles included this issue are copyright of their respective owners. You have received the ISIC Quarterly because you subscribed via our web site at http://isic.ucsd.edu.