Data remanence
Data remanence is the residual physical representation of data that has been in some way erased. After storage media is erased, there may be some physical characteristics that allow the data to be reconstructed. As early as 1960, the problem caused by the retentive properties of computer storage media was recognized. It was known that without the application of data removal procedures, inadvertent disclosure of sensitive information was possible should the storage media be released into an uncontrolled environment. Degaussing, overwriting, data encryption, and media destruction are some of the methods that have been employed to safeguard against disclosure of sensitive information. Over a period of time, certain practices have been accepted for the clearing and purging of storage media.
Clearing
Clearing is the removal of sensitive data from storage devices in such a way that there is assurance, proportional to the sensitivity of the data, that the data may not be reconstructed using normal system capabilities, i.e., through the keyboard. (This may include use of data recovery utilities and advanced diagnostic routines.)
Clearing can be used when the secured physical environment (where the media was used) is maintained. In other words, the media is reused within the same computer and environment previously used.
In an operational computer, clearing can usually be accomplished by an overwrite of unassigned system storage space, provided the system can be trusted to provide separation of the storage space and unauthorized users. For example, a single overwrite of a file or all system storage, if the circumstance warrants such an action, is adequate to ensure that previous information cannot be reconstructed through a keyboard attack, provided the system can be trusted to provide separation of system resources and unauthorized users. Software used for clearing should be under strict configuration controls. Note: Simply removing pointers to a file, which is all that occurs when a file is deleted in most systems, will not generally render the previous information unrecoverable through normal system capabilities (i.e., data recovery programs and diagnostic routines).
Purging
Purging is the removal of sensitive data from a system or storage device in such a way that there is assurance, proportional to the sensitivity of the data, that the data may not be reconstructed through open-ended laboratory techniques. A computer must be disconnected from any external network before a purge.
Purging must be used when the secured physical environment (where the media was used) will not be maintained. In other words, media scheduled to be released from a secure facility to a non-cleared maintenance facility or similar non-secure environment must be purged.
The U.S. Department of Defense (DoD) has approved both overwriting and degaussing for purging data, although the effectiveness of overwriting cannot be guaranteed without examining each application.
Software for purging
To purge AIS (automated information system) storage media, the DoD requires overwriting with a pattern, then its complement, and finally with another pattern; e.g., overwrite first with 0011 0101, followed by 1100 1010, then 1001 0111. The number of times an overwrite must be accomplished depends on the storage media, sometimes on its sensitivity, and sometimes on differing DoD component requirements. Software developers must design the software such that it continues to write to all addressable locations on the media, in spite of intermediate errors. All such errors in usable sectors should be reported with a listing of current content. Unusable sectors must be completely overwritten, because the unusable sector list will not show whether the sector ever contained any sensitive data. If any errors occur while overwriting, or if any unusable sector could not be overwritten, then degaussing is required.
There are additional risks to trusting overwrite software to purge disks. The environment in which the software must operate is difficult to constrain. For this reason, care must be exercised during software development to ensure the software cannot be subverted. The overwrite software should be protected at the level of the media it purges, and strict configuration controls should be in place on both the operating system the software must run under and the software itself. The overwrite software must be protected from unauthorized modification.
The bad track problem
A compromise of sensitive data may occur if media is released when an addressable segment of a storage device (such as unusable or "bad" tracks in a disk drive or inter-record gaps in tapes) is not receptive to an overwrite. As an example, a disk platter may develop unusable tracks or sectors; however, sensitive data may have been previously recorded in these areas. It may be difficult to overwrite these unusable tracks. Before sensitive information is written to a disk, all unusable tracks, sectors, or blocks should be identified (mapped). During the life cycle of a disk, additional unusable areas may be identified. If this occurs and these tracks cannot be overwritten, then sensitive information may remain on these tracks. In this case, overwriting is not an acceptable purging method and the media should be degaussed or destroyed.
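The following is an added example, not part of TG-025 or of the original page, showing the overwrite procedure described under "Software for purging" together with the bad-track rule above: three passes (a pattern, its complement, a different pattern), continuing past write errors, reporting each failed block with its current content, verifying the final pass, and concluding that degaussing is required if any block could not be overwritten. The SimulatedDisk class and the "SECRET" fill data are constructed stand-ins for a real block device and its prior contents; all function names are this example's own.

```python
import io
from typing import BinaryIO, Iterable, List, Optional, Tuple

# The three patterns named in the text: a pattern, its complement,
# then a different pattern (0011 0101, 1100 1010, 1001 0111).
DOD_PATTERNS = (0b00110101, 0b11001010, 0b10010111)

BLOCK = 512  # assumed sector size for this example


def overwrite_all(dev: BinaryIO, size: int, patterns: Iterable[int] = DOD_PATTERNS,
                  block_size: int = BLOCK) -> List[Tuple[int, int, str, bytes]]:
    """Overwrite bytes [0, size) of `dev` once per pattern.

    A failed write does not abort the pass: every remaining block is still
    written, and each failure is recorded as (pass_no, offset, error, content),
    where `content` is what the block currently holds, so the operator sees
    what was left behind.
    """
    errors = []
    for pass_no, pattern in enumerate(patterns, start=1):
        fill = bytes([pattern]) * block_size
        for offset in range(0, size, block_size):
            length = min(block_size, size - offset)
            try:
                dev.seek(offset)
                dev.write(fill[:length])
            except OSError as exc:
                try:
                    dev.seek(offset)
                    current = dev.read(length)
                except OSError:
                    current = b""  # block is not even readable
                errors.append((pass_no, offset, str(exc), current))
    return errors


def verify_last_pass(dev: BinaryIO, size: int, pattern: int = DOD_PATTERNS[-1],
                     block_size: int = BLOCK) -> List[int]:
    """Return the offsets of blocks that do not read back as the final pattern."""
    unverified = []
    for offset in range(0, size, block_size):
        length = min(block_size, size - offset)
        dev.seek(offset)
        if dev.read(length) != bytes([pattern]) * length:
            unverified.append(offset)
    return unverified


def purge_verdict(errors: list, unverified: list) -> str:
    """Rule from the text: any write error or any block that could not be
    overwritten means overwriting is not an acceptable purge; degauss instead."""
    return "degauss-required" if errors or unverified else "overwrite-purged"


class SimulatedDisk(io.BytesIO):
    """Constructed stand-in for a block device: an in-memory buffer in which the
    block starting at `bad_offset` refuses writes, like a sector gone unusable."""

    def __init__(self, initial: bytes, bad_offset: Optional[int] = None,
                 block_size: int = BLOCK):
        super().__init__(initial)
        self.bad_offset = bad_offset
        self.block_size = block_size

    def write(self, data):
        pos = self.tell()
        if (self.bad_offset is not None
                and self.bad_offset <= pos < self.bad_offset + self.block_size):
            raise OSError(5, "Input/output error")
        return super().write(data)


def purge_simulated(size: int = 2048, bad_offset: Optional[int] = None) -> dict:
    """Run the three passes over a constructed disk prefilled with 'sensitive' data
    and return the error report, unverified blocks, and the resulting verdict."""
    dev = SimulatedDisk(b"SECRET" * (size // 6 + 1), bad_offset)
    dev.truncate(size)
    errors = overwrite_all(dev, size)
    unverified = verify_last_pass(dev, size)
    return {"errors": errors, "unverified": unverified,
            "verdict": purge_verdict(errors, unverified)}


if __name__ == "__main__":
    print("healthy disk:", purge_simulated()["verdict"])
    report = purge_simulated(bad_offset=1024)
    print("disk with bad sector:", report["verdict"])
    for pass_no, offset, err, content in report["errors"]:
        print(f"  pass {pass_no} offset {offset}: {err}; current content starts {content[:8]!r}")
```

The simulated bad sector keeps its original contents through all three passes and shows up both in the error list and in the read-back check, which is exactly why the text treats a single uncorrectable write as disqualifying software purging for that medium.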
Degaussing
Degaussing is a process whereby the magnetic media is erased. Degaussing requires a degausser device that is designed and approved for the type of media being purged. The U.S. General Services Administration maintains a list of approved degaussers.
Degaussing often renders hard drives inoperable. This can prevent computers from being recycled, say for educational use. The sensitivity of the data stored on the computer and the feasibility of software purging should be weighed before degaussing hard drives.
The DoD has approved overwriting for clearing, but not purging, magnetic floppy disks. Degaussing is the preferred method. Degaussed floppy disks can generally be reformatted and reused.
Disk encryption
Several software products, including Apple's Mac OS X and PGP, can encrypt all data before it is stored on a hard disk or other storage medium. If enabled beginning when the computer is first purchased or first used for sensitive information, disk encryption can alleviate the need for degaussing and destruction.
Destruction
It is good practice to purge media before submitting it for destruction. Media may generally be destroyed by one of the following methods. (DoD lists two other approved methods employing acid, which is dangerous and excessive, to remove recording surfaces.)
- Destruction at an approved metal destruction facility, i.e., smelting, disintegration, or pulverization.
- Incineration.
- Application of an abrasive substance (emery wheel or disk sander) to a magnetic disk or drum recording surface. Make certain that the entire recording surface is completely removed before disposal. Also, ensure proper protection from inhaling the abraded dust.
CDs, DVDs, etc.
Optical media are not magnetic and cannot be erased by degaussing. Write-once media, such as CD-ROM, CD-R, DVD-R, etc., cannot be purged by software or a degausser. They must be destroyed. Read/write optical media, such as CD-RW and DVD-RW, can be cleared by software. It is not known whether software purging is effective and, in any case, it would be a lengthy process. Destruction is usually the best approach.
Source
Adapted from National Computer Security Center TG-025.