Annihilate Sensitive Data


A chief executive asked this week about, if he is going to donate a computer to a good cause, how can he erase all of his sensitive data from the hard drive first? Here is how – complete with a video.

If you would rather just watch the video, it is here:

While the “most secure way” would be to remove the existing drive, destroy it with smashing, chemicals, drill holes, huge magnetic fields that make the drive unusable, etc. If your data is super-sensitive, then destroy the drive. Period.

But what if you want to donate the computer such that the receiving organization doesn’t need to buy a new hard drive (and/or you don’t need to buy a new drive either)?  As you probably know, when you “delete files” from a hard drive, the files aren’t really gone. We have tools that will allow us, in most cases, to recover the deleted files.

The most important thing here is that you feel comfortable that you can remember all the places where you have sensitive data, then there is a way to cleanse a drive. An example of a place you may not think of erasing data is in something Windows uses called the Paging File. Think of it as a small “notepad” where Windows jots stuff down when working. The Paging file may contain a little bit of data; or not. And, with normal use of the computer, the data will probably be overwritten soon anyway. Unless you suspect someone is going to perform a forensic analysis on the drive, you have little to be concerned about.

The process of erasing the drive is two steps: First delete all of your sensitive information on the drive, using the normal methods you already use to delete files.  Second, use a program that will write jumbled information over and over on top of the “now blank because you erased the files” parts of the drive. An example command is, “SDelete -c -p 3” That makes it very difficult, practically impossible, to recover the data that you erased.

One program that can help do this is DBAN from www.dban.org. We’ll focus on a different program called SDelete from www.sysinternals.com.   WARNING: Always Backup Important Data Twice SDelete has option switches. You can learn more in the SDelete help section if you want, or by watching the video I created for you here: How to Securely Erase a Hard Drive

Here are common uses:

To write over areas that are supposedly “clean” but may contain old data use, or in other words, write random data over the entire drive except where files are stored and don’t delete any existing files : SDelete – c You can run that program more than once if you want to “be extra sure” the data remanence is deleted. Replace the 3 with however many times you want to write the random data: SDelete -p 3 -c

That may be enough to meet your needs. If you are interested, here are more examples:

If you want SDelete to delete files you specify and then write random data where just those files existed before, and if you know how Windows names folders, then you can substitute whatever path you want in the command below.  Be careful because the path indicated below will obliterate everything you have stored in your “my docs” folder and all the folders below: SDelete -p 3 -s c:\mydocs\*.*

To Completely Sanitize Drive D: SDelete -p 3 –s -c D:\*.*

WARNING: Each pass may take a long time

Please post your comments below…

 


3 Responses to “Annihilate Sensitive Data”

  1. […] Annihilate Sensitive Data | Mike Foster’s IT Security and Best Practices Blog. […]

  2. Great post! Been reading a lot about what to do with sensitive data. Thanks for the info here!

  3. Mike Foster says:

    These steps don’t work with Solid State drives (as opposed to the spinning platter kind of hard drives) because of the way Solid State drives operate. Destroy and replace those drives is one solution.

Leave a Reply