Data wiping is an important part of a businesses information security program. For those in compliance with federal regulations and have a Written Information Security Program (WISP) it likely includes the procedures and processes for data wiping and scrubbing of files, directories, partitions and storage devices. Personally Identifiable Information (PII) is most often stored on digital media. Payment Card Information (PCI) is also likely to be stored on your drives. Due to the sensitive nature of this data one must destroy storage media properly. They must do so to be in compliance with federal and state laws. While the law mandates the proper destruction of data storage devices it is left unclear as to what constitutes “proper”. This article attempts to define a process that meets and exceeds what is expected by regulators.
When we refer to a drive or drives we are referring to any storage media such as your hard disk drive (HDD), solid state dive (SSD), flash drive, Network Attached Storage (NAS), or Storage Area Network (SAN). All of these storage types must be disposed of correctly, and accordance with, your companies Written Information Security Program. You must ensure that the data is irretrievable. Yes. Dumpster diving is a real thing.
In this article we are going to present the methodologies that we, at Cyber Defense Contractors, use to accomplish this task. What is detailed below are the steps and commands that are necessary to securely and safely wipe and scrub storage media. We go to great lengths to ensure we not only meet but exceed the requirements of regulators.
We’re also including a link to our “Certificate of Guarantee” which we provide to customers at the conclusion of wiping, scrubbing and physically destroying their storage device. You are welcome to modify and use this document as you see fit.
Requirements & Prerequisites
You will need a Linux machine to follow the procedures detailed below. Linux allows for greater control from the command line and has historically maintained commands that support that control. We use this as our data wiping and scrub machine. For the sake of this article we are using Ubuntu 18.04 but nearly any version of Linux can be used.
The storage device, typically an HHD or SSD, must be attached to the Linux machine. It can be attached directly to the motherboard of your machine or, as we do, attach it using an external converter. We use a USB to IDE and SATA converter. They are readily available and inexpensive. They can be found on most marketplaces on the Internet.
The procedures that follow assume you have connected the drive either internally and to a PC or possibly externally to a laptop using the aforementioned converter. The convertor can be used on both a PC and a laptop. The real benefit of the converter is that wiping and scrubbing can be done with a laptop and without the need to open up the chassis of a PC.
Lastly, and before we move on to the procedures, be sure you have the necessary tools installed.
# Install srm sudo apt-get install secure-delete
Wiping & Scrubbing Methodologies
|Overwriting Standard||Date||Overwriting Rounds|
|U.S. Navy Staff Office Publication NAVSO P-5239-26||1993||3|
|U.S. Air Force System Security Instruction 5020||1996||3|
|Peter Gutmann's Algorithm||1996||1|
|Bruce Schneier's Algorithm||1996||7|
|U.S. DoD Unclassified Computer Hard Drive Disposition||2001||3|
|German Federal Office for Information Security||2004||2–3|
|Communications Security Establishment Canada ITSG-06||2006||3|
|U.S. National Industrial Security Program Operating Manual (DoD 5220.22-M)||2006||7|
Data Wiping & Scrub Procedures
Supported File Systems
This procedure supports, at a minimum, the Linux ext4 file system as well as Microsoft Windows NTFS and FAT file systems. If you intend to erase a different filesystem or a subset of its files and directories be sure to consult the man pages. Research the file system to be sure it overwrites data in place. File systems that are journaled or log-structured are not supported. That includes JFS, ReiserFS, XFS, ext3, etc…
Common sense suggests that the procedures contained within will not work on a RAID filesystem. With that said we are assuming you’ve physically broken the array having removed each HDD or SSD from the chassis. As long as you are wiping and scrubbing one HHD or SSD at a time you are fine.
Snapshots & Compressed File Systems
Any file system that takes snapshots also may not work. Keep that in mind when determining if you can use these procedures. Compressed file systems and those that cache in temporary locations will also not work. That includes NFS 3 clients.
Cloud or On-Prem Data Backups
This is obviously a “no brainer”, but be sure that you wipe and scrub any back-ups you may have. While this can be done for your local back-ups you likely will not be able to wipe and scrub the data you have that’s hosted in the cloud. Cyber Defense Contractors discourages cloud based back-ups for this reason. One would be better off hosting their own NAS or SAN. Depending on the amount of data you store you might be best served if storing it on one or two flash based drives. There are a number of hardware encrypted external flash drives that can be purchased and relatively inexpensively. The topic of drives with encryption in hardware is for another article.
Keep in mind we are presenting multiple procedures and commands to accomplish the same task. Some work faster than others. Some perform several wipes and alternate between all one’s and all zero’s. Although we present multiple methods of accomplishing the same task we do cover the methodology we, at Cyber Defense contractors, use. We are also providing you a copy of the “Certificate of Guarantee” that we provide our customers when we perform this data destruction process. It not only acts as a guarantee it also walks you through the data destruction process.
Encryption as a Final Step
The final step of any scrub and wipe, no matter the method or commands used, should be to perform an encryption of the storage media. We haven’t seen any procedure that includes this as a final step. However, it is a best practice and something Cyber Defense Contractors not only condones but includes as part of their process. When we kick off encryption at that final step we blindly enter a passphrase by pecking at various keys on the keyboard. This makes the encryption key unknown to us as the one performing the encryption process. We are sure to use a passphrase length that is the most allowed by the encryption process. When using a strong cipher suite and without a known encryption passphrase data recovery is impossible. If you have an HDD degaussing is no longer needed. If it was demanded of us to hand over the passphrase we would have nothing to hand over.
“Shred” can Destroy Volatile and Temporary Data
Shred is useful when one seeks to eliminate all traces of activity when using the Linux operating system. Below are the steps you may want to perform before shutting down your Linux machine.
Using the “shred” Command
As the man page states, shred overwrites a file to hide its contents, and optionally deletes it. It makes it impossible for very expensive hardware probing software to recover the data. The default settings of this command obfuscates the file. It does not delete it. You must specify a switch for it to be deleted. That is the -u switch below.
Wiping Temporary Files and Downloads with Shred
# Linux Commands. Replace Specific References. sudo shred -n 100 -f -v -z -u --remove=wipesync /home/null/.local/share/Trash/files/* sudo shred -n 100 -f -v -z -u --remove=wipesync /home/null/.local/share/Trash/info/* sudo shred -n 100 -f -v -z -u --remove=wipesync /home/null/Downloads/* sudo shred -n 100 -f -v -z -u --remove=wipesync /tmp/*
Wiping Memory and the Swap File
# Linux Commands. Replace Specific References. sudo sdmem -v sudo cat /proc/swaps sudo swapoff -v /dev/dm-2 sudo sswap -v -z /dev/dm-2 sudo swapon -v /dev/dm-2
Shredding a Single File
Note in the below we are performing a urandom write defined by the –random-source=urandom parameter. The -n parameter specifies the number of iterations or complete writes. In the below it is set to 100 iterations. The -f forces shred to run by changing permissions to allow for writing. -z adds a final overwrite with zeros which hides the fact that the file has been shredded.
# Linux Commands. Replace Specific References. sudo shred -n 100 -f -v -z --remove --random-source=/dev/urandom "/media/some/path/to/a/file/including/the/directory/name"
Wiping and Scrubbing a Partition or Drive
Use the “fdisk” and “smartctl” Commands to Get a Visual of Your Drives
# Linux Commands. Replace Specific References. sudo fdisk --list sudo smartctl --xall /dev/sdc
Use the “dmesg” Command to View All Recognized Drives
# Linux Commands. Replace Specific References. dmesg | egrep -i " Product| Manufacturer| SerialNumber"
Using the “dd” Command to Write All Zeros and All Ones
The below dd commands should be run alternating between the two and for a total of 7 passes. This is the procedure that Cyber Defense Contractors uses. One set will write all zeros to the drive or directory. The other will write all ones. The progress switch will show you how far along the dd write pass is.
Be aware that depending on the size of your drive it can take upwards of 24 hours to complete one pass. Yes. It can take that long. For this reason its a good idea to have dedicated machine for the process. Also, if you have multiple drives to wipe it might be worthwhile to have a dedicated machine performing a write pass on multiple drives at the same time. In our experience and having wiped and scrubbed thousands of drives, it will take approximately 24 hours to wipe a 4 GB HDD. This process isn’t for the impatient.
Using the “dd” Command to Perform a Single Write Pass of All Zeros
# Linux Commands. Replace Specific References. sudo dd if=/dev/zero of=/dev/sdc iflag=fullblock oflag=direct, sync conv=fsync bs=1M status=progress sync
Using the “dd” Command to Perform a Single Write Pass of All Ones
# Linux Commands. Replace Specific References. sudo dd if=/dev/urandom of=/dev/sdb iflag=fullblock oflag=direct,sync conv=fsync bs=1M status=progress && sync
Removing the MBR and Partition Table
# Linux Commands. Replace Specific References. sudo dd if=/dev/zero of=/dev/sdd bs=512 count=1 status=progress && sync
Resuming a Halted Wipe
In the event that the drive becomes disconnected during the write process take note of how far along it is measured in bytes. You may use that number as the starting point when resuming the wipe. This has saved us on many occasions.
# Linux Commands. Replace Specific References. sudo dd if=/dev/urandom of=/dev/sdc bs=1M status=progress seek=1397542092800 oflag=seek_bytes iflag=skip_bytes skip=1397542092800 && sync
Verify the Wipe & Scrub
Part of the process of performing wiping and scrubbing a drive is to verify the process worked as expected. Below are two methods one can use.
Method 1: Use the “badblocks” Command
The badblocks command does exactly what it sounds like. It searches a drive or disk partition for bad blocks. The way we do this is to use the command such that we specify that it should read and compare blocks for zero’s or one’s. The parameter -s simply shows the running progress of the command. The -v parameter makes the output verbose. 0x00 is the hex pattern it should match.
# Linux Commands. Replace Specific References. sudo badblocks -sv -t 0x00 /dev/sdc
Method 2: Use the “cmp” Command
The cmp command compares two files byte by byte. The -p parameter prints the bytes to the terminal. The -l parameter forces the output to be verbose. The -b parameter prints the bytes.
# Linux Commands. Replace Specific References. sudo cmp /dev/zero /dev/sdc -b -l
How Many Passes is Necessary
This is up for debate. You’ll notice that the table above and its standards rarely makes reference to more than three. However, we at Cyber Defense Contractors use a custom derivation of the DoD 5220.22-M standard.
We do not perform the degaussing. Most drives that come to us these days are SSD’s or flash drives. Degaussing has no relevance. Additionally when companies contact us to destroy their drives they typically do not plan to repurpose them as they are end of life.
Alternate Wiping & Scrubbing Methods
Using the “wipefs” Command
Wipe Filesystem Signatures
Method 1: Using “wipefs” Specify the Contents of the Partition
# Linux Commands. Replace Specific References. sudo wipefs /dev/sdc*
Method 2: Using “wipefs” Specify the “-all” and “-force” Parameters
# Linux Commands. Replace Specific References sudo wipefs --all --force /dev/sdc*
Using the “srm” Command (secure-delete)
srm or as it is commonly called, the secure deletion toolkit, is another, equally effective command. The man pages state, “srm is designed to delete data on mediums in a secure manner which can not be recovered by thieves, law enforcement, or other threats. This algorithm is the creation of one of the leading civilian cryptographers, Peter Gutmann. It processes thirty-eight passes of varying complexity.
Securely Delete a File
# Linux Commands. Replace Specific References sudo srm /home/null/Downloads/file.txt
Securely Delete Free Space In Partitions or Directories
# Linux Commands. Replace Specific References sudo sfill /home
Securely Delete Your Swap Partition
# Linux Commands. Replace Specific References cat /proc/swaps sudo sswap /dev/sda5
Securely Delete Memory (RAM)*
# Linux Commands. Replace Specific References smem
* Some of you may notice the similarity between the TAILS operating system and the smem command.
Physically Destroying the Drive
To physically destroy the drive you need the proper equipment. That equipment will get you access to the HDD platters or will allow you to destroy the SSD or flash semiconductors. The following is recommended.
- A carpenters hammer;
- A course grit metal sand paper;
- Vice grips;
- An adequate screw driver set;
Remove the manufacturers sticker from the top of the HDDs casing. Locate the correct screw head. Tightly place your vice grips around the screw driver. What you are doing here is creating the necessary leverage to open the HDD drives casing. Unscrew all of the screws from the casing. Once open begin removing each component surrounding the platters. Once the platters are free set them aside. Grab your sand paper and begin scratching both sides of the surface of each platter. Once all platters have been sanded you have successfully rendered this drive useless.
SSDs are much easier to destroy. Simply take a hammer to the casing until the semiconductors are exposed. Once exposed take the hammer to each semiconductor such that they shatter.