Skip to content

Page075

Data Destruction

All forms of media should be securely cleaned or destroyed before disposal to prevent object reuse, which is the act of recovering information from previously used objects, such as computer files. Objects may be physical (such as paper files in manila folders) or electronic (data on a hard drive).

Object reuse attacks range from non-technical attacks such as dumpster diving (searching for information by rummaging through unsecured trash) to technical attacks such as recovering information from unallocated blocks on a disk drive. Dumpster diving was first popularized in the 1960s by “phone phreaks” (in “hacker speak” a phreak is a hacker who hacks the phone system).

An early famous dumpster diver was Jerry Schneider, who scavenged parts and documents from Pacific Telephone and Telegraph’s dumpsters. Schneider was so familiar with the phone company’s practices that he was able to leverage dumpster diving and social engineering attacks to order and receive telephone equipment without paying. He was later arrested for this crime in 1972. Read more about Jerry’s attacks at http://www.bookrags.com/research/jerry-schneider-omc/.

All cleaning and destruction actions should follow a formal policy, and all such activity should be documented, including the serial numbers of any hard disks, type of data they contained, date of cleaning or destruction, and personnel performing these actions.

Overwriting

Simply “deleting” a file removes the entry from the File Allocation Table (FAT) and marks the data blocks as “unallocated.” Reformatting a disk destroys the old FAT and replaces it with a new one. In both cases, data itself usually remains and can be recovered using forensic tools. This issue is called data remanence (there are “remnants” of data left behind).

Overwriting writes over every character of a file or entire disk drive and is far more secure than deleting or formatting a disk drive. Common methods include writing all zeroes or writing random characters. Electronic “shredding” or “wiping” overwrites the file’s data before removing the FAT entry.

Many tools perform multiple rounds of overwrites to the same data, though the usefulness of the additional passes is questionable. There are no known commercial tools (today) that can recover data overwritten with a single pass.

One limitation of overwriting is you cannot tell if a drive has been securely overwritten by simply looking at it, so errors made during overwriting can lead to data exposure. It may also be impossible to overwrite damaged media. Finally, Write Once Read Many (WORM) media cannot be overwritten.

Note
For many years security professionals and other technologists accepted that data could theoretically be recovered even after having been overwritten. Though the suggested means of recovery involved both a clean room and an electron microscope, which is likely beyond the means of most would-be attackers, organizations typically employed either what has been referred to as the DoD (Department of Defense) short method, DoD standard method, or Gutmann approach [10] to wiping, which involved 3, 7, or 35 successive passes, respectively. For (undamaged) magnetic media, now it is commonly considered acceptable in industry to have simply a single successful pass to render data unrecoverable. This has saved organizations many hours that were wasted on unnecessary repeat wipes.