[unisog] Wiping hard drives before computer transfer

Jim Dillon Jim.Dillon at cusys.edu
Mon Jan 27 16:46:14 GMT 2003


Depends on what's on them, and how comfortable you are with being a target of opportunity vs. a target of choice.  How sensitive is the data, and how strong is your obligation to protect?

In most cases, degaussing or re-writing should be enough due-diligence to provide evidence of diligence on your behalf, freeing you from liability risk, and making the prospect of decoding the drive a "target of choice" proposition.   

Unless you have serious privacy, sensitivity, or proprietary interest in the content, any number of the suggested routines are likely to be fine.  For your classified or sensitive research, you probably have requirements for the handling of data that will define what you need to do.

So yeah, if you are dealing with plans for a thermonuclear device or creating biological weapons in a jello mold, then melt the thing.  If you have a bunch of patient information, break the platters in some fashion.  

When HD's of multiple Gigabytes can be had for well under $100, it isn't worth reusing them, so don't fret about it, break/crush them/drill them - no one operating under "target of opportunity" motives will invest the time to mess with one.  Trying to secure past that is only worth doing if you are obligated by the nature and sensitivity of the data.  Investing even an hour of your time in recycling a disk is a losing proposition for your employer in the long run.

Like locks on doors, we generally strive to prevent the haphazard and casual breaches of security - and we live with that for all but the most sensitive operations.  The same model probably applies to your data - if it is protected in the daytime by the equivalent to a locked door, you've most likely been diligent enough by basic erases, unless you're talking "diamonds" in value.  I'm betting 95% or higher don't have that kind of value or sensitivity.

If the data is of that value, then you are under constant (and probably higher) threat before the disk is recycled - this should make it easy to determine what data needs to be carefully destroyed - and again, forget the re-use proposition, it probably is not cost-effective.

My advice alone - but I'd audit to this standard, I think I could justify this stance pretty readily by looking at the Federal Sentencing Guidelines and doing a little financial analysis.


-----Original Message-----
From: Ben Compton [mailto:Ben.Compton at sw.edu]
Sent: Sunday, January 26, 2003 11:49 AM
To: 'unisog at sans.org'
Subject: RE: [unisog] Wiping hard drives before computer transfer

I'm posting what our campus does for both information and a bit of feedback.

We picked up a tool from Gateway called GWSCAN.  It has a very handy feature
of writing zeros to a drive.  The upside ..it's free and available online
(at least at one time it was online).  The downside...it takes forever..a
20GB drive is about 4-5 hours of work to zero.  The program is DOS based and
should be run from a boot disk.

I've had data recovery people tell me that they know of nothing that will
recover the data (within reason of course).  Have I been fed a line on this
or have I figured out a good way to take care of my old drives?

Ben C.

-----Original Message-----
From: Marty Hoag
To: unisog at sans.org
Sent: 1/23/2003 5:14 PM
Subject: [unisog] Wiping hard drives before computer transfer

    I'm curious what others are doing to remove data and
software from hard drives of surplused or "passed down"
PCs and Macs.  Besides things like FERPA and licensed
software concerns, there could be some liability if we
passed along a machine which had already be compromised
and potential embarrassment of revealing old data.

    As a public institution we are to either pass along
the systems internally or send them to purchasing as
surplus (they often old spot silent auctions on the old
stuff).  Our "Lan Group" provides desktop support to many
departments on campus and is often requested to remove
the old data but I suspect some machines are getting
through to surplus or to some other department without
expert attention.

    Doing some Google searches reveals a plethora of
products available with wildly different pricing
models (e.g. per wipe, per technician, etc.).  One
staff member created a Linux bootable CD-ROM with
an open source tool but that took 6 hours to wipe
a 20 GB hard drive (doing 7 passes).  I had tested
Symantec's gdisk on a 10 GB drive doing the "DoDwipe"
(also supposedly 7 passes) and that took little more
than an hour.  I ran across web pages for things like
PDWIPE, Disk Wipe, Wipedrv, Paragon Disk Wiper, Wipe,
gdisk, and Declasfy.  I know nothing about Macs so I
don't know what is available for them.

    In our distributed environment it would be nice
to have an institutional license for something on a
bootable floppy and cd-rom which: the end user could
just boot, would list the disks on the system, ask
the user to confirm, then just do its thing.

    Anyway, I'd be curious about policy and software
(or hardware) solutions.  I'm most interested in cases
where you do NOT want to destroy the drive itself since
that is pretty easy given a few tools a big enough
sledge hammer.  Depending on the responses I'd be glad
to summarize the comments.   Thanks!


More information about the unisog mailing list