Data Sanitation

By: Richard Glaser - Revised: 2007-06-22

Why Worry about Data Sanitation?

If you keep business, medical, or personal financial information on disks, simple file deletion or drive erasure isn’t enough to protect the data when disposing of the equipment.

Besides identity theft, data loss may leave you or your institution liable under federal laws such as HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley or other state laws. Criminal penalties include fines and prison terms up to 20 years, and civil suits can also result.

There are several approved methods for data sanitation that satisfy these legal requirements or meet even more stringent corporate or government secrecy requirements. Methods for sanitizing data include deleting files, drive formatting, block overwrite, in-drive secure erase, physical drive destruction, degaussing, and encryption.

Block erase is most commonly used. While it is much better than no erase, file deletion, or drive formatting, it is vulnerable to incomplete erasure of data blocks, for example because of data blocks reassigned by drives, multiple drive partitions, host protected areas, device configuration overlays, and drive faults.

Currently, with Mac OS X 10.4.10, Disk Utility supports drive formatting and three different block erase methods, but recent documents from the US Government's National Institute of Standards and Technology (NIST 800-88) state that the secure erase built into new ATA drives is more secure.

Disk Utility

Disk Utility is a Mac OS X utility that performs disk-related tasks. It has graphical user interface (GUI) and command line versions, and it supports disk erasing, formatting and partitioning.

Disk Utility - Erase

Disk Utility also supports three levels of block overwrite: a zero-out erase, a 7-pass erase, or a 35-pass erase. A zero-out erase sets all data bits on the disk to 0, while 7-pass and 35-pass use Gutmann algorithms of varying complexity to overwrite the disk.

Darik's Boot and Nuke ('DBAN')

Darik's Boot and Nuke ('DBAN') is a popular open source, self-contained boot floppy that uses block overwrite to securely wipe the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.

DBAN currently DOES NOT support Apple computer hardware. The developer is requesting Mac donations to develop & test the software for Apple computer hardware. For more information on Mac donation, see the web page:

    http://dban.sourceforge.net/ppc.html

Secure Erase - ATA Drives Built-in Command

Secure Erase is a set of commands embedded in most ATA drives built since 2001. Secure Erase overwrites every single track on the hard drive. That includes the data on “bad blocks”, the data left at the end of partly overwritten blocks, directories, everything.

This functionality is recognized by the US Government's National Institute of Standards and Technology (NIST 800-88) as equivalent to magnetically wiping a drive (degaussing) or physically destroying it. The National Security Agency and the National Institute of Standards and Technology (NIST 800-88) gave it a higher security rating than external block overwrite software. External block overwrite software includes Apple's Disk Utility, Darik's Boot and Nuke ('DBAN'), etc.

The University of California at San Diego hosts the Center for Magnetic Recording Research. Dr. Gordon Hughes of CMRR helped develop the Secure Erase standard.

There is a freeware Secure Erase utility, the DOS executable HDDerase.exe, that can be run from a bootable DOS floppy or CD-ROM.

Currently, there isn't support or a port for Mac OS X. Maybe Apple would be interested in adding support for the "secure erase" embedded in ATA drives? If you want this support, please file a feature request in Apple's BugReporter.
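
To make the block-overwrite limitations and the Secure Erase section concrete, here is an added example (not from the original article or from any tool it names): Python code that decodes a 512-byte ATA IDENTIFY DEVICE block and reports whether the drive offers built-in Secure Erase and whether a host protected area or device configuration overlay can hide sectors from block overwrite. The sample block, the 80 GB drive and the native sector count are constructed; bit positions follow the ATA IDENTIFY DEVICE word layout.

```python
import struct

def parse_identify(block: bytes) -> dict:
    """Decode the sanitation-relevant fields of ATA IDENTIFY DEVICE data."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    w = struct.unpack("<256H", block)          # 256 little-endian 16-bit words
    sec = w[128]                               # word 128: security status
    return {
        "secure_erase": bool(sec & 0x0001),    # Security feature set supported
        "frozen": bool(sec & 0x0008),          # security commands refused
        "enhanced_erase": bool(sec & 0x0020),
        "hpa": bool(w[82] & 0x0400),           # Host Protected Area feature set
        "dco": bool(w[83] & 0x0800),           # Device Configuration Overlay
        "erase_minutes": w[89] * 2,            # word 89 counts 2-minute units
        "visible_sectors": w[60] | (w[61] << 16),  # 28-bit LBA capacity
    }

def findings(info: dict, native_sectors: int) -> list:
    """List what a block overwrite would miss and whether Secure Erase can run."""
    out = []
    hidden = native_sectors - info["visible_sectors"]
    if info["hpa"] and hidden > 0:
        out.append(f"HPA hides {hidden} sectors from block overwrite")
    if info["dco"]:
        out.append("DCO supported: reported capacity may be reduced")
    if not info["secure_erase"]:
        out.append("no built-in Secure Erase")
    elif info["frozen"]:
        out.append("Secure Erase blocked: security frozen until power cycle")
    else:
        out.append(f"Secure Erase available, about {info['erase_minutes']} min")
    return out

def sample_block() -> bytes:
    """Constructed IDENTIFY data for a hypothetical 80 GB drive."""
    w = [0] * 256
    sectors = 156301488
    w[60], w[61] = sectors & 0xFFFF, sectors >> 16
    w[82] = 0x0402      # security + HPA feature sets
    w[83] = 0x4800      # word-valid bit + DCO
    w[89] = 30          # 30 units of 2 minutes = 60 minutes
    w[128] = 0x0021     # security supported + enhanced erase
    return struct.pack("<256H", *w)

if __name__ == "__main__":
    # native_sectors is an assumed READ NATIVE MAX ADDRESS result (constructed)
    print("\n".join(findings(parse_identify(sample_block()), 156301488 + 2048)))
```

The native sector count has to come from the drive itself; comparing it with the visible capacity is what shows how much of the disk a host-side overwrite never reaches.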

Summary

So, with Mac OS X computers you could use Disk Utility with a block overwrite like 7-Pass Erase or 35-Pass Erase, which according to some recent papers isn't secure enough. Or you could physically destroy hard disks by degaussing, disintegration, shredding, or other means, which is not only hazardous but has limited effectiveness, for example if the fragments aren't small enough to prevent data recovery.

There are products like EDT's Digital Shredder that implement the "secure erase" technology, which allows secure & complete removal of data while letting the disk drives be reused.

Hopefully, in the future there will be support for the "secure erase" technology in Apple's Disk Utility or another third-party Mac OS X utility to support these new data sanitation security levels.