
SANS ISC: Day 22 - Wiping Disks and Media - SANS Internet Storm Center SANS ISC InfoSec Forums

Day 22 - Wiping Disks and Media

The last couple days we talked about getting rid of rootkits, spyware, bots and such. One common suggestion was to "wipe and rebuild". There are other reasons to wipe disks: Are you donating an old computer to charity? Better get rid of that data first! What are your procedures and tricks to quickly and securely erase data? With > 1TB disks on the horizon, the time it takes to erase a disk with "Boot and Nuke" is getting longer and longer.

In particular:

  • multiple overwrites? myth or necessity
  • physical destruction? shredding? demagnetizing? sledge hammer?
  • drive firmware: how do you validate it after a compromise?
  • USB disks, SIM cards and other "exotic" media.
  • what distance do you keep to the disk on the range to avoid lead backsplatter? ;-)



Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Flash media are a particular problem because the built-in wear-leveling means attempts to overwrite data probably won't *really* overwrite it. Physical destruction may be the only way to really make these disks safe.
Truecrypt or other raw volume crypto will alleviate the issues with massive drives and block abstraction. Luckily CPU is keeping step, so the overhead is minimal.
Multiple overwrites: No, overkill for most. The last word I have seen from Peter Gutmann: "For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do." Note that was best; most do not need best, so a single random bit pattern pass would work fine for most. A single zero pass would too, but random is better and hardly impacts the speed. Any overwrite causes an attacker to use a clean room plus specialized equipment to recover any bits, which is very costly.
physical destruction: shredding: yes, demagnetizing: yes, sledge hammer: ok, but technically many of the bits are still readable if specialized equipment to read them is used.
drive firmware: validation method may be a case-by-case approach; manufacturers would be a good source for a clean copy for comparison. Obtaining a copy from the drive to compare will vary depending on design. Rewriting a fresh copy may be the best you can hope for unless circumstances dictate a more extensive effort, at which point a new drive will be less costly.
USB disks, SIM cards, etc.: Wear-leveling is falling into disfavor due to performance impact and is being replaced by bad block management; this happens when the raw storage cost falls. The answer to wear-leveling is to allocate all locations during the overwrite instead of allocating, writing, deallocating, and repeating for the next block. That also means only a full volume overwrite can be performed, because any attempt at a partial (i.e. file, slack, freespace) overwrite will be written to the next least used block according to the wear-leveling algorithm. With the cost of this type of storage falling, physical destruction is easiest, but to do it right you have to make sure you hit that tiny target.
avoiding lead backsplatter: depends on the rounds you are using, that is best answered by an arms expert, not me.
G.Scott H.
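
The wear-leveling behaviour described in the comment above, as an added example that is not part of the original thread: a toy flash translation layer in which a file-level overwrite leaves the old data in the raw cells while a full-volume pass reaches every block. The class, function names and sample data are constructed for illustration, and the model assumes the device has no hidden spare blocks beyond its logical capacity.

```python
import os

SECRET = b"constructed-secret-record"  # constructed sample data


class WearLevelledFlash:
    """Toy flash translation layer: a constructed model, not a real controller."""

    def __init__(self, blocks):
        self.phys = [b""] * blocks  # raw cells, as a chip-level read sees them
        self.wear = [0] * blocks    # program count per physical block
        self.map = {}               # logical block -> physical block

    def write(self, logical, data):
        if not 0 <= logical < len(self.phys):
            raise IndexError("logical block out of range")
        mapped = set(self.map.values())
        free = [p for p in range(len(self.phys)) if p not in mapped]
        # Wear-leveling: pick the least-worn unmapped block. The previous copy
        # is only unmapped, never erased. With no free block, rewrite in place.
        target = min(free, key=lambda p: self.wear[p]) if free else self.map[logical]
        self.phys[target] = data
        self.wear[target] += 1
        self.map[logical] = target

    def read(self, logical):
        return self.phys[self.map[logical]]

    def raw_contains(self, needle):
        return any(needle in cell for cell in self.phys)


def file_level_wipe(dev):
    """Overwrite only the logical block that held the secret; report residue."""
    dev.write(0, b"\x00" * len(SECRET))
    return dev.raw_contains(SECRET)


def full_volume_wipe(dev):
    """One random pass over every logical block; report residue."""
    for logical in range(len(dev.phys)):
        dev.write(logical, os.urandom(len(SECRET)))
    return dev.raw_contains(SECRET)


def demo():
    dev = WearLevelledFlash(8)
    dev.write(0, SECRET)
    return file_level_wipe(dev), full_volume_wipe(dev)


if __name__ == "__main__":
    print(demo())  # (secret still in raw cells after file wipe, after full pass)
```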

