Joe St Sauver, Ph.D.
Director, User Services and Network Applications
joe@uoregon.edu
When desktops or laptops are replaced or become obsolete, they are commonly transferred to another department or disposed of as surplus property.
Before transferring or disposing of any UO computer system, it's important to make sure any sensitive data formerly stored on the system has been completely removed.
While university data is not as highly classified as that of the Department of Defense (DoD) or law enforcement and intelligence agencies, the UO does work with confidential administrative and academic data. These data include student records, human subjects-related academic research data, health-related information, financial data, passwords, and the like--all of which must be protected from unauthorized disclosure in compliance with the requirements of FERPA, HIPAA, GLB, Sarbanes-Oxley, and other applicable state and federal privacy regulations.
Non-technical users may assume that simply "deleting" the files on a system's hard drive (or "formatting" that disk) is sufficient to destroy the contents of that drive.
Unfortunately, that is not the case: simply "deleting" files or "formatting" a hard drive will not be enough to definitively destroy information formerly stored on that drive. In fact, deleted files or information on a formatted drive will most likely still be recoverable--which means that private or sensitive data is vulnerable to inappropriate disclosure if special additional measures aren't taken.
For example, a recent article (see "Dumped hard drives tell all" in the References section below) reported that 113 of 200 drives purchased on eBay as part of a security vendor's study on disk sanitization still contained recoverable data, including data that in some cases appeared to be confidential or quite personal in nature. If you are transferring or surplusing a university computer system, you must sanitize that machine before transferring or otherwise disposing of that system.
There are two common approaches to sanitizing disks in a system. The first is to employ a software disk "wiping" or "overwriting" utility. The other is to physically destroy the hard disk by incinerating, melting, crushing, or shredding it.
Disk Wiping. If you'd like to employ a disk wiping utility to successively overwrite a surplus hard drive with various specified or random patterns, look for a disk wiping utility that at least meets the DoD 5220.22-M standard (not all disk wiping utilities do; it is common for some commercial products to offer a less thorough wiping mode as part of a free "trial," only providing a DoD 5220.22-M-compliant version upon payment of an additional fee).
Examples of commercial and open source products which perform software disk wiping include (in alphabetical order):
Although wiping a drive to DoD 5220.22-M standards will normally be sufficient, it is not foolproof.
For example, software disk-wiping utilities obviously cannot sanitize disconnected and forgotten internal hard drives, or hard drives that have physically failed. Likewise, disk wiping is not government-approved for sanitizing particularly sensitive information (such as Department of Defense top secret information) because of the possibility that a particularly determined adversary might be able to recover inter-track residual data.
In other cases, using a software disk wiping tool may take far too much time, particularly if you have lots of drives or extra-large drives (remember that disk wiping tools repeatedly overwrite the entire drive, a process that can take minutes to hours depending on the number of passes performed, the size of the drive, and the speed of the system).
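The following is an added illustration of what a disk wiping utility does and why the time estimate above scales the way it does; it is not code from this article or from any of the products mentioned. It operates on a small constructed disk image file rather than a real block device, plants a constructed "sensitive" record in it, performs three overwrite passes (a character, its complement, then pseudo-random data) followed by a read-back verification pass, and confirms the record is gone. Treating that pass sequence as the DoD 5220.22-M pattern is an assumption on my part (it is the sequence commonly attributed to the standard); the drive size, pass count and write speed in the time estimate are likewise assumed sample values.

```python
import os
import random
import secrets
import tempfile

# Constructed sample record standing in for confidential data on a surplus drive.
SENSITIVE_MARKER = b"SSN=123-45-6789"


def make_sample_image(path: str, size: int = 64 * 1024) -> None:
    """Create a constructed disk image (a plain file) containing a known record."""
    data = bytearray(secrets.token_bytes(size))
    data[1000:1000 + len(SENSITIVE_MARKER)] = SENSITIVE_MARKER
    with open(path, "wb") as f:
        f.write(data)


def _pattern_stream(size: int, fill, seed, chunk: int = 4096):
    """Yield the bytes of one overwrite pass, chunk by chunk.

    fill is a byte value for a fixed pattern, or None for a pseudo-random pass
    driven by a seeded generator so the same stream can be regenerated for the
    verification read (a common way wiping tools verify a random pass).
    """
    rng = random.Random(seed) if fill is None else None
    remaining = size
    while remaining > 0:
        n = min(chunk, remaining)
        yield bytes([fill]) * n if rng is None else rng.randbytes(n)
        remaining -= n


def _overwrite(path: str, fill, seed=None) -> None:
    """Overwrite every byte of the image in place and force it to the medium."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for block in _pattern_stream(size, fill, seed):
            f.write(block)
        f.flush()
        os.fsync(f.fileno())  # do not leave the final pass sitting in the OS cache


def verify_image(path: str, seed) -> bool:
    """Read the image back and compare it to the regenerated random pass."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        for expected in _pattern_stream(size, None, seed):
            if f.read(len(expected)) != expected:
                return False
    return True


def wipe_image(path: str, char: int = 0x00, seed=None) -> bool:
    """Character, complement, random, then verify (assumed DoD 5220.22-M sequence).

    Returns True only if the verification read matches the final pass.
    """
    seed = secrets.randbits(64) if seed is None else seed
    _overwrite(path, char)
    _overwrite(path, (~char) & 0xFF)
    _overwrite(path, None, seed=seed)
    return verify_image(path, seed)


def contains_marker(path: str, marker: bytes = SENSITIVE_MARKER) -> bool:
    """Check whether the known record can still be found anywhere on the image."""
    with open(path, "rb") as f:
        return marker in f.read()


def estimate_wipe_hours(drive_bytes: int, passes: int, mb_per_s: float) -> float:
    """Every pass rewrites (or re-reads) the whole drive, so wall-clock time is
    roughly size x passes / sustained throughput. Sample figures are assumptions."""
    seconds = drive_bytes * passes / (mb_per_s * 1_000_000)
    return seconds / 3600


def run_demo() -> dict:
    """Wipe a constructed image and report what a practitioner would check."""
    path = os.path.join(tempfile.mkdtemp(), "surplus_drive.img")
    make_sample_image(path)
    marker_before = contains_marker(path)
    verified = wipe_image(path, seed=12345)   # fixed seed so the run is repeatable
    marker_after = contains_marker(path)
    return {"marker_before": marker_before, "verified": verified,
            "marker_after": marker_after}


if __name__ == "__main__":
    print(run_demo())
    # Assumed sample: 500 GB drive, 3 write passes + 1 verify read, 50 MB/s.
    print("estimated hours: %.1f" % estimate_wipe_hours(500_000_000_000, 4, 50))
```

Note that overwriting a file inside a mounted filesystem, as this demonstration does, is not the same as sanitizing a drive: a real utility must write to the raw device so that free space, old directory entries and remapped sectors are covered, which is exactly why the article points at purpose-built tools.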
Hard Drive Destruction. When DoD 5220.22-M standard software disk wiping isn't enough, drives will normally be removed from the host computer and then destroyed by melting, incineration, crushing, or shredding.
Obviously the physical removal of a system's hard drive(s) this way takes time, and renders the remainder of the system unusable without a replacement disk. This may result in some dead-on-arrival systems being demanufactured (or junked outright) rather than being reused, a point that can rightfully cause concern in these times of tight budgets and overflowing landfills.
On the other hand, the potential costs associated with compromised data can be huge, and aging computer hard drives, perhaps more than any other system component, are prone to catastrophic physical failure and a resulting loss of data. Considering those factors, investing in a comparatively inexpensive newly manufactured replacement drive may prove to be a real bargain in the long run!
Let me also stress that we do not recommend that you attempt to physically destroy surplus sensitive hard drives yourself. Most individuals and departments do not have suitable facilities to do this safely and in an ecologically sound way, and it is easier to fail at irrevocably destroying a hard drive than you might think. For example, see the March 2004 Network World article "Inside the DoD's crime lab," which recounts how the Department of Defense computer forensics lab has been able to successfully recover hard drives that have been "thrown off of balconies and even shot with AK-47s, as in one recent battlefield case."
If you do need to physically destroy hard drives that contain sensitive information, many of the same companies that offer certified secure document disposal also offer certified secure hard drive destruction services.
If you're a UO user with questions, comments, or feedback about this article, feel free to email me, Joe St Sauver, at joe@uoregon.edu