Individuals and organizations often want to replace their existing desktop computers, laptops, and smaller devices such as PDAs or Blackberries that also have digital memories. What to do with the old ones presents a problem, as the old system memories typically contain sensitive government or business information or sensitive personal information such as social security numbers, credit card numbers, account numbers, IDs, and passwords.
Whether you give away your excess or outdated digital equipment, sell it on eBay or just set it at the curb with the rest of your trash, you need to take appropriate precautions to ensure that sensitive data is destroyed or remains protected and not inadvertently passed on to unknown others. The following paragraphs discuss policies and best practices to assist organizations and individuals in properly removing the data on their digital devices prior to their disposal or reuse.
Massachusetts Institute of Technology (MIT) conducted a study to determine what kind of information can be recovered from used hard drives. They bought 158 used hard drives from eBay and other sources. The computers had originally belonged to a variety of businesses ranging from banks to law firms. They discovered that only 12 of the 158 hard drives had had their data destroyed in a way that kept the data from being recovered. From the other 146 drives, they recovered thousands of credit card numbers, social security numbers, medical records, emails, and other sensitive information. 1
Many people are under the false impression that when they delete a file, the information is removed from the hard drive, but this is not the case. Deleting all your files does not delete the files from the hard drive. It only removes the information the hard drive needs to find the files; it does nothing to the files themselves.
There is also a widespread belief that formatting a hard drive will completely remove all data. "This false understanding is derived from the somewhat misleading warning given before format operations: 'Warning: Formatting the disk will permanently remove all data.' However, formatting a disk does not delete the actual data. Only a small percentage of the data on the drive is actually overwritten.... Formatting complicates the recovery of fragmented files, but does not prevent it." 2
Disposal of hand-held communications devices such as Personal Digital Assistants (PDAs), Blackberries, and various types of smart phones presents similar problems. A study of 160 discarded hand-held communications devices by the University of Glamorgan in Australia found that information had not been removed effectively from 43% of the Blackberries and 23% of the mobile smart phones. As a result, individuals were exposed to identity theft and organizations were exposed to loss of sensitive information to their competitors. 3
When you delete a file, most computer operating systems delete only the "pointer" which allows the computer to find the file on your hard drive. The file itself is not deleted until it is overwritten by another file. Just deleting a file is comparable to deleting a chapter heading from the table of contents of a book, but not removing the pages on which the chapter is written. Some networks may be configured to "wipe" or purge the hard drive when information is deleted, but most are not.
Sanitization is the process of removing data from storage media so that it cannot be easily retrieved or reconstructed. The types of media that need to be sanitized before they are given away, sold, or disposed of include computer hard drives, RAM, ROM, mobile computing devices, various types of smart phones, and networking equipment. National standards for the sanitization of all forms of storage media are provided by the National Institute of Standards and Technology in NIST Special Publication 800-88, Guidelines for Media Sanitization, dated September 2006, available on the Internet at http://csrc.nist.gov/publications/PubsSPs.html.
Department of Defense (DoD) requires that any DoD-owned or controlled hard drive -- regardless of whether the content is classified or unclassified -- be sanitized before it is permanently removed from DoD custody. Specific instructions are in an Assistant Secretary of Defense Memorandum, "Disposition of Unclassified DoD Computer Hard Drives," dated June 4, 2001. This is available at http://iase.disa.mil/policy-guidance/index.html. Other major organizations have their own rules. Rules for sanitization of media with classified information are themselves classified.
There are three basic approaches to sanitization to ensure the data is not recoverable. These are described briefly below. Each method has its own particular advantages and disadvantages, so the choice of method depends upon the particular circumstances, especially the level of classification or sensitivity and the type of media on which the data is stored. 4
Overwriting is a process whereby a software program writes a combination of 0s and 1s over all the data on the hard drive. This process, which requires a special software program, covers previous data with multiple layers of magnetic flux, making the data unreadable. The more frequently the data is overwritten, the greater the security. Three to seven repetitions are normal. This process is also known as "wiping" the hard drive or "wiping out" the data. The overwriting must be done by a trained person who certifies that the process has been successfully completed.
An advantage of this process is that the hard disk is not destroyed, so the drive can then be reused. The computer can be given to a different person or office, sold, or donated to charity. Overwriting may also be less expensive than physical destruction or degaussing when used to sanitize just a few drives. On the other hand, the overwriting takes considerable time when done well (i.e., many overwrites), so it may not be cost-effective when sanitizing a large number of drives.
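The difference between deleting a file (which only removes the "pointer") and overwriting the media can be shown with a toy disk model. The following example is added here and is not from the original article or from any real disk-wiping tool; the block layout, the ToyDisk class, and the sample "secret" value are all constructed for illustration.

```python
import os

BLOCK_SIZE = 16   # constructed: tiny blocks so the model stays readable
NUM_BLOCKS = 8

class ToyDisk:
    """Minimal disk model: a bytearray of fixed-size blocks plus a directory
    (file name -> block indices), i.e. the 'pointer' the article describes.
    Constructed for illustration; this is not a real filesystem."""
    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}             # name -> list of block indices
        self.free = list(range(NUM_BLOCKS))

    def write(self, name, data):
        used = []
        for i in range(0, len(data), BLOCK_SIZE):
            chunk = data[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            b = self.free.pop(0)
            self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
            used.append(b)
        self.directory[name] = used

    def delete(self, name):
        # Ordinary delete: drop the directory entry and mark the blocks free.
        # The block contents themselves are left untouched.
        self.free.extend(self.directory.pop(name))

    def raw_contains(self, needle):
        # What a recovery tool does: scan the raw media, ignoring the directory.
        return needle in bytes(self.blocks)

    def overwrite(self, passes=3):
        # Sanitization by overwriting: alternate fixed patterns (all 0s, all 1s)
        # and random data over every block, used or free, 'passes' times.
        patterns = [b"\x00", b"\xff", None]
        for p in range(passes):
            pat = patterns[p % len(patterns)]
            fill = os.urandom(len(self.blocks)) if pat is None else pat * len(self.blocks)
            self.blocks[:] = fill

def demo():
    secret = b"SSN 123-45-6789"        # constructed sample value
    disk = ToyDisk()
    disk.write("taxes.txt", secret)
    disk.delete("taxes.txt")
    after_delete = disk.raw_contains(secret)   # True: still on the media
    disk.overwrite(passes=3)
    after_wipe = disk.raw_contains(secret)     # False: gone after wiping
    return after_delete, after_wipe
```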
Degaussing is the process of removing or neutralizing a magnetic field. It requires special equipment designed and approved for the type of media being sanitized. Equipment of the type required for degaussing a hard disk is expensive, so this process is used more often with smaller magnetic media such as floppy disks and backup tapes. Degaussing may do a more thorough job of sanitization than overwriting, but the drive is no longer usable after this process. The process requires approved equipment operated by a trained individual who certifies successful completion.
The safest and surest way to sanitize a hard drive is to physically destroy it. This is an attractive option if the drive is to be discarded anyway and not reused. One common method is to shred the drive or drill four holes through the entire drive. Another approach is to pry the platters apart to the extent that each platter is sufficiently warped or distorted to make it inoperable. It can also be taken to a professional for destruction. Some consumer electronics stores will do this as a courtesy for individual customers worried about what will happen to their old hard drive.
Physical destruction is also a good, and certainly easier, alternative for sanitizing smaller digital memory devices that contain sensitive or personal information such as thumb or flash drives, PDAs, and iPods.
1. "Drive Disposal Best Practices: Guidelines for Removing Sensitive Data Prior to Drive Disposal," Seagate Technology LLC, Publication Number TP582.1-0710US, October 2007. Accessed June 2010 at www.seagate.com/docs/pdf/whitepaper/Disposal_TP582-1-0710US.pdf
3. "One in Five Second Hand Mobiles Contain Sensitive Data," University of Glamorgan News Centre, accessed July 2010 at http://news.glam.ac.uk/news/en/2008/sep/26/one-five-second-hand-mobiles-contain-sensitive-dat/
4. "Drive Disposal Best Practices," op.cit.