IT Baseline Protection Manual S 2.167 Secure deletion of data media

S 2.167 Secure deletion of data media

Initiation responsibility: Head of IT Section

Implementation responsibility: IT Procedures Officer

A regulated procedure for the deletion or destruction of data media will prevent misuse of stored data. Before data media can be reused, the stored data must be fully deleted, for example by being completely overwritten or by formatting the media. This is especially important when data media are to be passed on to third parties. After receiving the data medium, the recipient must also check whether the protection requirements of the data require the data medium to be erased immediately after the data has been transferred to another IT system.

There are various methods of deleting information from data media, for example using deletion commands, formatting, overwriting or destroying the data medium. Here too, the method that should be chosen depends on the protection requirements of the data to be deleted; protection against the restoration of residual data increases in the order shown below.

Deletion commands

When deletion commands are used, especially in DOS-based operating systems, it should be noted that the file information itself is not in fact deleted, only the reference to that information in the table of contents on the data medium. The file remains available. There are a large number of programs which can be used to restore information that is believed to have been deleted (such as UNDELETE in DOS).

To delete files irrevocably, all entries on the data medium must be overwritten. Programs such as PC Tools ("Overwrite" option to overwrite data media or WIPE program to overwrite individual files) or Norton Utilities (WIPEINFO program) can be used for this purpose.

Formatting

To return data media to their original state and therefore also to erase any information that they may contain, they can be formatted. How reliably the old data is deleted by this, however, is heavily dependent on the underlying operating system. Whatever the case, overwriting the old data is more reliable.

When DOS data media are being formatted, care should be taken, for example, that the parameter /U is used (e.g. in DOS 6.2: format a: /U) so that the formatting process cannot be reversed by the unformat command. For the same reason, formatting under Windows 95 and Windows NT must be executed with the parameter complete, and not quick-format.

Overwriting

Physical erasure sufficient for medium-level protection can be achieved by overwriting the entire data medium or at least the used sectors with a certain pattern. Certain commercially available products even allow the physical erasure of individual files.

Uniform patterns such as "0000" should not be used for overwriting, but rather patterns such as "C1" (hexadecimal, corresponds to the bit sequence 11000001). Following on from that, in a second pass a complementary pattern (for example 3E, corresponding to the bit sequence 00111110) should be used so that if at all possible each bit has been changed once.

The overwrite procedure should therefore be repeated at least twice, or preferably three times, as this provides a better protective effect.
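The pass sequence described above, applied to a single file, as an added example that is not part of the original manual: each pass writes one pattern, flushes it to the device and reads it back before the next pass starts. The names overwrite_file and demo, the 64 KiB chunk size and the choice of C1 for the third pass are assumptions; the sample file content is constructed.

```python
import os
import tempfile

# Patterns from the text: C1 (11000001), then its complement 3E (00111110).
# Reusing C1 for the third pass is an assumption; the text names no third pattern.
PASSES = (0xC1, 0x3E, 0xC1)
CHUNK = 64 * 1024


def overwrite_file(path, passes=PASSES):
    """Overwrite a file in place, one pattern per pass; return verified patterns."""
    for a, b in zip(passes, passes[1:]):
        if a ^ b != 0xFF:  # consecutive passes must flip every bit
            raise ValueError(f"{a:02X} and {b:02X} are not complementary")
    size = os.path.getsize(path)
    verified = []
    with open(path, "r+b") as f:
        for pattern in passes:
            block = bytes([pattern]) * CHUNK
            f.seek(0)
            for offset in range(0, size, CHUNK):
                f.write(block[:min(CHUNK, size - offset)])
            f.flush()
            os.fsync(f.fileno())  # hand this pass to the device before the next
            # Read-back checks what the OS returns (possibly from cache).
            f.seek(0)
            seen = 0
            while chunk := f.read(CHUNK):
                if chunk.count(pattern) != len(chunk):
                    raise OSError(f"pass {pattern:02X} failed verification")
                seen += len(chunk)
            if seen != size:
                raise OSError("file size changed during overwrite")
            verified.append(pattern)
    return verified


def demo():
    """Create a constructed sample file, overwrite it, return the outcome."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"constructed sample: account 12345\n" * 5000)
        size = os.path.getsize(path)
        done = overwrite_file(path)
        with open(path, "rb") as f:
            return done, size, f.read()
    finally:
        os.remove(path)
```

An in-place overwrite only reaches the original sectors when the file system and the medium write the new data to the same physical location. To erase an entire data medium, the same passes are applied to the device rather than to a single file.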

Of course, write-protected media or media that cannot be written to more than once, such as CD-ROMs or CD-Rs, cannot be deleted and should be destroyed.

Erasing devices

Flexible magnetic data media (floppy disks or tapes) can be erased with an erasing device. These devices expose the data media to an external constant or alternating magnetic field (erasure by magnetomotive force). Suitable erasing devices which conform to DIN 33858 are listed in BSI publication 7500.

In principle, the data media are reusable after they have been erased. It should be noted, however, that data media with a magnetically recorded servo track (e.g. IBM 3590, Travan 4 and MLR tape cartridges and ZIP disks) are unusable after erasure.

Erasing hard disks

If hard disks containing sensitive data are to be passed on to third parties they should also be erased, especially if they are removed from service or sent for repair. It should also be borne in mind that passing on "cleaned-up" hard disks which contain only the operating system and standard software is liable to give rise to licensing problems.

Hard disks that are to be erased should therefore undergo low-level formatting at least. To do this, first all existing partitions should be deleted (under DOS with the fdisk command) and one large partition should be created. Then the entire hard disk should be formatted (under DOS with the format /U command).

As an additional security measure, new data can then also be loaded onto the hard disk, for example pattern sequences with the WIPE program.

If a relatively large number of hard disks of identical type need to be erased, an alternative is to overwrite one hard disk with a pattern first and then copy it to all the other hard disks with an image copying program.

If the hard disk is faulty, erasure by overwriting is no longer possible. The only option is therefore erasure with an erasing device, even though these devices are not intended for erasing hard disks. Due to the differences in the design of hard disk drives, in particular the number of disks, no general comments can be made on what erasure effect can be achieved. Using an erasing device on a hard disk usually makes the disk unusable.

Destroying the data media

A simple method of destroying data media is to cut up diskettes and magnetic tapes and to destroy hard disks mechanically. However, this is too cumbersome if rather large quantities of data media have to be destroyed, and it is not adequate if protection requirements are high.

Suitable devices for destroying magnetic tapes, floppy disks and CD-ROMs in conformance with DIN 32757 are listed in BSI publication 7500. These destruction devices either shred or melt down the data media. There are no known destruction devices for hard disks.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999