Many information security professionals have been giving considerable thought to the eradication of sensitive data that is no longer needed. Those of us who are responsible for regulatory and industry standards compliance must deal with potential information “leaks” that may occur when computer or network components are discarded or recycled. Unfortunately, none of the current regulations or industry standards includes the detailed steps that must be taken to avoid this problem. This means that each of us needs to consider the available options and then use his or her best judgment in choosing the approach to be followed.
There are basically four approaches to dealing with obsolete sensitive data:
1. Delete files that contain sensitive data before reusing devices or media.
2. Encrypt all sensitive data before it is written to disk.
3. Overwrite media with random patterns of “zeroes” and “ones.”
4. Physically destroy hardware components that once contained sensitive data.
Let’s take a closer look at each of these options:
Most information security professionals are aware of the problems associated with the first approach. Dragging a file or folder icon to the recycle bin (or typing an “erase” command at the command prompt) removes the file system’s entry for the file, but does not remove the file’s contents from the disk. What this means is that, even though the data is no longer reachable by navigating the file system (i.e., with Windows Explorer or the “dir” command), anyone with access to any one of a number of digital forensics software tools can read the disk data directly. Many such programs are freely available for download via the Internet. The original file, which was never actually erased, is easily read by these programs.
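The point above is easiest to see on a miniature model of a disk and file system. The following Python is an added example written for this article, not code from the author or any tool it names: a flat byte array stands in for the medium, a directory table stands in for the file system, and a raw scan of the byte array stands in for a forensics tool. The sample record, the class and function names, and the three-pass wipe schedule are all constructed for the demonstration. The model ignores journaling, remapped bad blocks and memory remanence, which the article covers separately, so it shows only the directory-entry problem and the plain overwrite that addresses it.

```python
import os

BLOCK_SIZE = 64
BLOCK_COUNT = 32


class ToyDisk:
    """The raw medium: a flat bytearray divided into fixed-size blocks.
    Constructed for this example; it stands in for a physical drive."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)

    def write_block(self, index, data):
        start = index * BLOCK_SIZE
        self.raw[start:start + BLOCK_SIZE] = data.ljust(BLOCK_SIZE, b"\x00")

    def read_block(self, index):
        start = index * BLOCK_SIZE
        return bytes(self.raw[start:start + BLOCK_SIZE])


class ToyFS:
    """A directory table mapping names to block lists. As in a real file
    system, delete() only drops the table entry and marks the blocks free."""

    def __init__(self, disk):
        self.disk = disk
        self.directory = {}                      # name -> (blocks, length)
        self.free_blocks = list(range(BLOCK_COUNT))

    def write(self, name, data):
        blocks = []
        for offset in range(0, len(data), BLOCK_SIZE):
            index = self.free_blocks.pop(0)      # consecutive in this toy
            self.disk.write_block(index, data[offset:offset + BLOCK_SIZE])
            blocks.append(index)
        self.directory[name] = (blocks, len(data))

    def read(self, name):
        blocks, length = self.directory[name]    # KeyError once deleted
        return b"".join(self.disk.read_block(i) for i in blocks)[:length]

    def delete(self, name):
        """The 'erase' command: directory entry gone, data blocks untouched."""
        blocks, _ = self.directory.pop(name)
        self.free_blocks.extend(blocks)

    def wipe_and_delete(self, name, passes=3):
        """Overwrite the file's blocks (random passes, then zeros) before
        dropping the entry. Pass count is a constructed choice, not a standard."""
        blocks, _ = self.directory[name]
        for _ in range(passes):
            for index in blocks:
                self.disk.write_block(index, os.urandom(BLOCK_SIZE))
        for index in blocks:
            self.disk.write_block(index, bytes(BLOCK_SIZE))
        self.delete(name)


def carve(disk, needle):
    """Forensic-style recovery: ignore the directory and scan the raw medium."""
    return disk.raw.find(needle) != -1


# Constructed sample data; long enough to span two blocks.
SAMPLE_RECORD = (b"CONSTRUCTED SAMPLE RECORD: account 0000-TEST-0001, "
                 b"holder J. Doe, balance 42.00, status active")


def demo_delete_only():
    """Returns (still_in_directory, recoverable_from_raw_medium)."""
    disk = ToyDisk()
    fs = ToyFS(disk)
    fs.write("customers.txt", SAMPLE_RECORD)
    fs.delete("customers.txt")
    return "customers.txt" in fs.directory, carve(disk, SAMPLE_RECORD)


def demo_wipe_then_delete():
    """Same sequence, but the blocks are overwritten before the entry goes."""
    disk = ToyDisk()
    fs = ToyFS(disk)
    fs.write("customers.txt", SAMPLE_RECORD)
    fs.wipe_and_delete("customers.txt")
    return "customers.txt" in fs.directory, carve(disk, SAMPLE_RECORD)


if __name__ == "__main__":
    print("delete only:      in directory=%s, carvable=%s" % demo_delete_only())
    print("wipe then delete: in directory=%s, carvable=%s" % demo_wipe_then_delete())
```

Running it shows the record still carvable after a plain delete and gone after the wipe. The second case is the article’s third approach in miniature; the article’s later discussion of Gutmann’s work explains why even that is not an assurance at the physical level.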
This situation is made more complicated by the fact that data does not tend to stay in a single file and in a single location. Several processes, such as virtual memory management, actually copy the original data and spread it to many locations throughout the network. To be safe, the information security professional has to track down and eradicate not just the original files, but all the various copies of these files as well.
“If you know what it is and where it is you can manage it and destroy it when necessary,” says Rick Dakin, President and co-Founder of Coalfire Systems, Inc., an information security and regulatory compliance consulting firm based in Louisville, CO. “As data becomes ‘virtual’ and disappears into the ether, however, people have no idea where their data is or how it is stored,” Dakin continues. “Data is ‘real’ to the old IBM mainframers who used to keep their critical data on 3480 tape cartridges in a desk drawer. Having to physically carry the tape into the computer room and hand it to an operator makes it ‘real’ in a sense that it will never be to someone who has never had occasion to touch the physical media.”
“People tend to forget that data can be found on a number of system components – not just in its assigned location on the hard drive,” adds Bob Knowles, CEO of SecureCyber Destruction, a Denver firm that specializes in disposing of obsolete system components. In addition to residing at its original location, data can be found in various “buffer” locations on the hard drive, including paging and swap files. In the quest to eradicate obsolete data, Knowles advises, we must not forget about removable media such as diskettes and tapes; EPROM or “flash” memory; network switches; “store and forward” components such as email servers; and networked printers. A little-known hiding place for obsolete information, Knowles adds, is a disk block or track that has been “flagged” due to I/O errors. Anyone with access to the physical drive can easily unflag bad disk areas and read most of the original data that was contained in them.
Most surprising, perhaps, is the revelation that what we normally think of as “volatile” memory – specifically, static random access memory (SRAM) and dynamic random access memory (DRAM) – is not quite as volatile as we once believed. Most of us have been taught that when power is removed from a computer system the “real” memory is erased. Not so, says Peter Gutmann of the University of Auckland Department of Computer Science. “Contrary to conventional wisdom,” Gutmann warns, “‘volatile’ semiconductor memory does not entirely lose its contents when power is removed.” (See http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html for the full text of the paper that Dr. Gutmann presented to the Sixth USENIX Security Symposium describing this phenomenon.)
An example of the encryption approach is the Encrypting File System (EFS) capability of Microsoft Windows. With a little effort it is possible to designate certain folders as containing encrypted data only. EFS performs the encryption and decryption “on the fly” and in a way that is transparent to the user. The digital forensics tools mentioned previously will display this encrypted data, but the information will look like gibberish to anyone who does not have access to the decryption key.
But there are problems with this approach, too. First of all, data that is decrypted on the fly can still be written to page and swap files as part of the system’s normal virtual memory management processes. The information will not be re-encrypted prior to being “paged out.” This means that a digital forensics tool might be able to find the plaintext translation of the data by browsing through the page and/or swap files. Another problem is that such systems typically store the encryption/decryption keys on the hard drive itself. This means that a dedicated hacker could use a tool such as SAMInside to crack the encryption scheme and gain access to the information in unencrypted form.
There is a long tradition of overwriting data in order to obliterate it – particularly among members of the defense and intelligence establishments. There are a number of Department of Defense standards for overwriting data. (See, for example, http://www.zdelete.com/dod.htm for a summary of the DoD 5220.22-M standard.) However, Gutmann notes that these standards are dated and do not fully address newer magnetic media recording techniques. He also mentions that the information in these standards “may be partially inaccurate in an attempt to fool opposing intelligence agencies … By deliberately understating the requirements for media sanitization in publicly-available guides, intelligence agencies can preserve their information-gathering capabilities while at the same time protecting their own data using classified techniques.”
In the paper previously cited, Gutmann describes the use of advanced techniques, such as magnetic force microscopy (MFM), for recovering magnetically recorded data even after it has been overwritten several times. He warns us against having complete confidence in any media sanitization procedure, concluding, “… it is effectively impossible to sanitize storage locations by simply overwriting them, no matter how many overwrite passes are made or what data patterns are written.”
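For the overwrite approach applied to a real file rather than a model, the following Python is an added example written for this article; it is not code from the author, from any standard the article cites, or from any tool it names. It overwrites a file in place with two fixed patterns and one random pass, reads each fixed pass back to confirm the write reached the file, syncs after every pass, truncates, then unlinks. The pass schedule, the function names and the sample record are constructed for the example. The caveat the article draws from Gutmann applies in full: this touches only the blocks the file system currently maps to the file, so bad blocks that were remapped, journal or copy-on-write remnants, and wear-levelled flash are outside its reach, and the result is a hygiene measure, not the assurance that physical destruction gives.

```python
import os
import tempfile

# Constructed pass schedule for this example (not a standard's schedule):
# fixed patterns are read back and verified, None means a random pass.
PASSES = (b"\x00", b"\xff", None)
CHUNK = 1 << 16


def _fill(fh, size, pattern):
    """Write `size` bytes of `pattern` (or random bytes) from the file start
    and force them to the device before returning."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(os.urandom(n) if pattern is None else pattern * n)
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def _verify(fh, size, pattern):
    """Read the file back and confirm every byte equals `pattern`."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        if fh.read(n) != pattern * n:
            return False
        remaining -= n
    return True


def overwrite_and_unlink(path, passes=PASSES):
    """Overwrite a regular file in place pass by pass, verify each fixed
    pattern, truncate it to hide its length, then unlink it.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            _fill(fh, size, pattern)
            if pattern is not None and not _verify(fh, size, pattern):
                raise RuntimeError("read-back mismatch on pass %r" % pattern)
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(path)
    return size


# Constructed sample data, large enough to need more than one chunk.
SAMPLE_LINE = b"CONSTRUCTED SAMPLE: cardholder record 0000-TEST-0001\n"
SAMPLE = SAMPLE_LINE * 2000


def demo():
    """Write the sample to a temporary file, wipe it, and report
    (bytes_overwritten, file_still_exists)."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE)
    overwritten = overwrite_and_unlink(path)
    return overwritten, os.path.exists(path)


if __name__ == "__main__":
    n, exists = demo()
    print("overwrote %d bytes per pass; file still present: %s" % (n, exists))
```

The read-back step matters more than the pass count: a pass that a caching layer silently dropped would otherwise look identical to one that reached the medium. Where the article’s destruction tier is warranted, this routine is at most the step taken before the component leaves the rack, and the documentation Knowles describes below still has to record what was done to which asset.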
Bear in mind that these data recovery techniques can be applied to disk drive fragments as well as to operational devices. Given the high recording densities that are used with modern storage systems, even a small fragment of a disk drive can contain copious amounts of sensitive data. To those whose systems include extremely important information, such as top secret military data, “destruction” may mean nothing short of grinding a component into a powder or incinerating it.
But the destruction of a discarded component is only part of the solution; documentation is also important. Knowles expresses it this way: “People think that smashing a disk drive with a hammer addresses the problem – but it doesn’t. Information can still be recovered from the disk drive pieces. More to the point, there must be proper documentation that will hold up in a compliance review or in court. The fact that your policies and procedures are being followed must be provable to the proper evidentiary level.”
As we can see, information security professionals have a number of choices for dealing with obsolete data, depending on budget, desired assurance levels, and – of course – organizational politics. For a more detailed discussion of this topic, see the NIST special publication, “Guidelines for Media Sanitization (SP 800-88),” which you can download for free at http://csrc.nist.gov/publications/nistpubs/index.html.