Day 22 - Wiping Disks and Media
The last couple days we talked about getting rid of rootkits, spyware, bots and such. One common suggestion was to "wipe and rebuild". There are other reasons to wipe disks: Are you donating an old computer to charity? Better get rid of that data first! What are your procedures and tricks to quickly and securely erase data. With > 1TB disks on the horizon, the time it takes to erase a disk with "Boot and Nuke" is getting longer and longer.
In particular:
- multiple overwrites? myth or necessity
- physical destruction? shredding? demagnetizing? sledge hammer?
- drive firmware: how do you validate it after a compromise?
- USB disks, SIM cards and other "exotic" media.
- what distance do you keep to the disk on the range to avoid lead backsplatter? ;-)
-----
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Keywords: Awareness2008
3 comment(s)
My next class:
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
×
Diary Archives
Comments
David Brodbeck
Oct 22nd 2008
1 decade ago
Darren Spiteri
Oct 23rd 2008
1 decade ago
physical destruction: shredding: yes, demagnetizing: yes, sledge hammer: ok, but technically many of the bits are still readable if specialized equipment to read them is used.
drive firmware: validation method may be a case-by-case approach, manufacturers would be a good source for a clean copy for comparison. Obtaining a copy from the drive to compare will vary depending on design. Rewriting a fresh copy may be the best you can hope for unless circumstances dictate a more extensive effort, at which point, a new drive will be less costly.
USB disks, SIM cards, etc.: Wear-leveling is falling into disfavor due to performance impact and being replaced by bad block management, this happens when the raw storage cost falls. The answer to wear-leveling is to allocate all locations during the overwrite instead of allocate, write, deallocate, and repeating for the next block. That also means only a full volume overwrite can be performed because any attempt at a partial (i.e. file, slack, freespace) overwrite will be written to the next least used block according to the wear-leveling algorithm. With the cost of these type of storage falling, physical destruction is easiest, but to do it right you have to make sure you hit that tiny target.
avoiding lead backsplatter: depends on the rounds you are using, that is best answered by an arms expert, not me.
Scott H.
Oct 24th 2008
1 decade ago