Data sanitization

Another Little Known Tool to Securely Delete Files, Folders, and Volumes

Why, all of a sudden, is everyone concerned about secure file deletion? I hesitate to say it’s a sign of the poor economy, but perhaps people consider it even more important to protect their personal information when the idea of losing control of their assets—and their lives–through the incompetence of corporate “managers” and well-intentioned but clueless politicians is more abhorrent than losing control through the outright thievery of Internet gangs. It’s weird. I harped on people about securing their data all along and mostly, my advice fell on deaf ears. Now people are worried. And it’s not because they see more spam email phishing attempts, it’s because they feel they can’t trust anyone anymore, not their formerly respected captains of industry, and certainly not their elected officials.

But, I digress. This post is about security tools, not politics, so I’m now officially off of my soapbox.

I recently posted an article about SDelete, a tool that can be used to securely delete files and folders on a hard drive. There’s another little known, useful tool that has been built into the OS since Windows 2000: cipher.exe. Microsoft provides the following in Knowledge Base article 315672:

How to Use the Cipher Security Tool to Overwrite Deleted Data

To overwrite deleted data on a volume by using Cipher.exe, use the /w switch with the cipher command. Use the following steps:

1. Quit all programs.
2. Click Start, click Run, type cmd, and then press ENTER.
3. Type cipher /w:driveletter:\foldername, and then press ENTER. Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Data that is not allocated to files or folders will be overwritten. This permanently removes the data. This can take a long time if you are overwriting a large space.

One more tool you can use to mollify your paranoid clients.

Use This Little Known Tool to Securely Delete Files and Folders on Your Hard Drive

For those who grew up with the graphical user interface, command line tools are often seen as arcane remnants from the dawn of PC history, a time when badly-dressed nerds sporting horn-rimmed glasses and pocket protectors ruled the universe (well, maybe just the computer lab). For them, nearly all of the command line tools are little known; for us dinosaurs who were typing on terminals well before the PC arrived, there are few of these older tools we haven’t seen. However, as the GUI gradually replaced the command line and we command line geeks began to point and click more and more, some useful tools escaped our notice. One of these is the ten-year-old SDelete by Mark Russinovich of Sysinternals fame. Microsoft acquired Sysinternals in July, 2006 and made all of the excellent tools available free.

Using SDelete

SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk. SDelete accepts wild card characters as part of the directory or file specifier.

Usage: sdelete [-p passes] [-s] [-q] <file or directory>
sdelete [-p passes] [-z|-c] [drive letter]

-c     Zero free space (good for virtual disk optimization).

-p passes     Specifies number of overwrite passes.

-s     Recurse subdirectories.

-q     Don’t print errors (quiet).

-z     Cleanse free space.

SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, which is overkill (see The Great Drive Wiping Controversy Settled at Last), but ensures your data is deleted forever. There is one caveat: SDelete securely deletes file data, but not file names located in free disk space. If you want to be completely sure that all traces of a file are gone, be sure to use the –c or –z option.

#####

Want to see even more useful, little known tools? Check out Sysinternals Live:

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolnam…; or  \\live.sysinternals.com\tools\<toolname>.

You can view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.

The Great Drive Wiping Controversy Settled at Last

How many times do you have to overwrite a hard drive in order to securely wipe it? This question has been at the center of an ongoing controversy for a long time. On the one hand, we’ve had Peter Gutmann saying it takes 35 passes (Gutmann, P.  (1996) “Secure Deletion of Data from Magnetic and Solid-State Memory”); on the other hand, we’ve had the NIST saying one pass is enough (http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf). So, which is it, one, 35, or something in between?

NIST gets the prize: One pass is enough to delete data such that it can not be recovered.  A paper published in December last year; “Overwriting Hard Drive Data: The Great Wiping Controversy” by Craig Wright, Dave Kleiman and Shyaam Sundhar R.S. as presented at ICISS2008 and published in the Springer Verlag Lecture Notes in Computer Science (LNCS) series, proves beyond doubt that data can’t be recovered from a wiped drive even if one uses an electron microscope. As Craig Wright puts it in a post on the SANS Computer Forensics blog:

Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible. Even speculating on the possible recovery of an old drive, there is no likelihood that any data would be recoverable from the drive. The forensic recovery of data using electron microscopy is infeasible… The fallacy that data can be forensically recovered using an electron microscope or related means needs to be put to rest.

That sure makes life easier for those of us who have to deal with secure deletion of sensitive data. I’ll use my copy of Darik’s Boot and Nuke (DBan) with one pass from now on and get those retired hard drives wiped in no time.

How to Quickly & Securely Erase a Hard Drive

Over at Ask the Geek, I often receive questions about how to properly erase a PC hard drive so personal data can’t be recovered. Clients also ask similar questions, particularly those involved in medical, dental, or financial practices. I’ve posted on this subject before, of course. “Paranoid About Hard Drive Security? Try This” outlined a two-step approach that works well, but is probably overkill for most, including those under regulatory scrutiny. The Center for Magnetic Recording Research (CMRR) points out that completely secure erasure doesn’t exist: erasure security is relative and is “a tradeoff between the erasure security level and  the erasure time required. A high security protocol requiring custom software or days to accomplish will be avoided by most users, making it  little used and  therefore of limited practical value.” Enter Secure Erase (SE).

According to CMRR, “The Secure Erase (SE) command was added to the open ANSI standards that control disk drives, at the request of CMRR… The SE command is implemented in all ATA interface drives manufactured after 2001 (drives with capacities greater than 15 GB)….

“Secure erase does a single on-track erasure of the data on the disk drive. The U.S. National Security Agency published an Information Assurance Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track overwrite passes gave no additional erasure.”

Secure Erase is a DOS-based program, so you need to make a bootable floppy, CD, or flash drive that boots DOS, FreeDOS, or a Windows 95/98/ME rescue disk. Download the freeware HDDerase, extract HDDerase.exe to your bootable media, boot the computer to a command prompt, and execute HDDerase.exe (HDDerase.exe must be run from an actual DOS environment and not a Window based DOS command shell).

In about an hour or two, depending on the size of the hard disk, you’ll have a drive that can be safely disposed of or re-deployed without fear. If you plan to re-deploy the disk, you’ll have to create a new partition and format the disk before you’ll be able to use it again.

I’ve used this handy utility many times to sanitize disks that contained data subject to the Health Insurance Portability and Accountability Act (HIPAA). All normal attempts to discover any trace of identifiable data on my test drives failed to reveal anything usable.