Erasing Business Hard Drives

Toggle sidebar Toggle sidebar
jedinegotiator

jedinegotiator

Distinguished
Apr 2, 2011
141
0
18,690
I work for the City of Roanoke and we are looking for a secure and efficient way to erase hard drives. He are in the process of recycling close to 1000 computers and we need to take the hard drive out of each one and make sure the data is destroyed. As you can imagine these hard drives have sensitive data on them.

I know that formatting a disk does not actually delete the data. What are some good programs that will securely erase the data(preferably free)?

We have also considered using a drill press to simply drill a hole through all the drives which renders the drive unusable. Do you think this is a good idea? It is much faster than formatting the drive.

Any ideas are appreciated. Just remember the faster the better as long as it is secure!

Thanks!
 
Sort by date Sort by votes
Here is a program that is used by both private and public entities (I've used this in both personally):

http://www.dban.org/

It is free and you can specify the level of sanitization, it includes up to the level used by the Department of Defense. Drilling will work pretty well too, but this is one of the best logical sanitization methods that I am aware of. A good knock with a sledge hammer after using DBAN is also a good way to damage the platters and relieve the stress of sanitizing over 1000 hard drives 😉

Also be aware the more thorough the sanitization method while taking into account the size of the hard drive will greatly determine how long it takes it to finish. Good luck.
 
Upvote 0 Downvote
I imagine the drill press would be much quicker than DBAN (depending on the size of the HDDs and the sanitization settings). If you are drilling through all of the platters it would be a pretty secure way to dispose of those hard drives, it would take substantial expertise to recover any data off of a drive that has been damaged that badly.

With that being said, if you have any hard drives that contain Sensitive Personally Identifiable Information (SPII) such as SSNs and Tax Identification Numbers (TINs), I would recommend at least a quick logical wipe as well -- especially since you are working in the public sector.
 
Upvote 0 Downvote
dban would simply take too long especially if you do it to DOD levels

drill press

gas welding torch

angle grinder

i wouldnt give them to a company to destroy--once they are out of your hands you have no way of knowing

what they do with them

environmentally speaking the best way is dban then either sell them or give them to charities etc
 
Upvote 0 Downvote
Yes, the drill press will work. A couple of holes each...through the platters and circuit board.

But then you still have to dispose of the drives. Can't just throw them in the landfill.
I suggest giving one or more of the data destruction companies a call, just to see what they might charge. Might not be as bad as you think.

You'll know it is securely done, and you won't have the mess to clean up after. And the City would be patronizing a local company...good PR.
"As part of our modernization efforts, we utilized the ABC Corp to securely destroy our old data, blah, blah.."
 
Upvote 0 Downvote
I'd look into a professional hard drive degausser for around $2,500. You could likely destroy those 1,000 HDDs in a day or so.

Then, as a public service through the PD or IT departments, citizens could bring in their old HDDs for wiping. You could go 'entrepreneurial' and charge them a few bucks to make your cash back, or you could do it for free as part of a community awareness program on ID or information theft



 
Upvote 0 Downvote


This is what these companies do for a living. Often, you can have a representative watch them do it. For 1,000+ City hard drive, some of which almost certainly contain some PII...I wouldn't take the risk of trying to do it on the cheap, and certainly wouldn't try to sell them off, DBAN or no DBAN.
What if you missed a few?

"The City of Roanoke regrets to inform you that some residents personal information has been exposed. We will provide you with one year of credit monitoring..."
 
Upvote 0 Downvote
I once bought a used computer from the local county here and even thought they did a fresh format and install of windows I was able to use recovery software to pull up previous files. I reported this to the county and they stopped selling their old pc's LOL

DoD specifies degaussing or shredding the drive as the only acceptible method. Here where I work they drill holes thru the drives platters.

Boot & Nuke (Dban) can be used in military wipe mode but plan on hours per pc for this process. In the long run its cheaper to shred the drives than pay someone to setup and do this on every pc.
 
Upvote 0 Downvote
A simple format isn't sufficient since the data can still be accessed with the right tools and DBAN is not as comprehensive because it doesn't wipe HPAs, DCOs, and re-mapped sectors. You should ideally use a certified tool like WipeDrive [http://www.whitecanyon.com/whitecanyon-home-enterprise] to erase hard drive data and ensure your data is permanently erased. Be sure to back everything up before wiping your hard drive.
 
Upvote 0 Downvote


WipeDrive is the most highly certified data-destruction software available. Government, law enforcement, banking, and many other industries choose WipeDrive for their hard drive retirement process. DoD does NOT require physical destruction (as someone here stated), instead they use WipeDrive. I work for WhiteCanyon, maker of WipeDrive. You may contact me directly if you would like more information: 801-224-8900 x7026, my name is Todd.
 
Upvote 0 Downvote


Drilling is considered one of the least effective methods of destruction. If you drill a hole in a music record, the songs might have glitches, but still exist for the most part. The same is true for hard drives, if you just drill a couple holes most of the data on the drive will be recoverable. Roughly speaking, whatever percentage the holes comprise of the total surface area, is the amount of data you securely destroyed.
 
Upvote 0 Downvote


This is untrue. If you use an NIAP EAL 4+ certified destruction utility, you are within the DoD guidelines. I work for WhiteCanyon (makers of WipeDrive). DoD is a regular customer of ours, for this type of need. Likewise Homeland Security, and all branches of the military use WipeDrive here in the states.
 
Upvote 0 Downvote
Wiping the drives via any of the above mentioned applications will work.

But!

We are talking about 1,000+ drives here. The potential for missing a few, and releasing them out into the wild, is high.

Let's split that 1,000 drives into two stacks of 500. Pile A and Pile B.

Pile A, we will wipe and then sell or donate
Pile B we will shred into metal dust.

Given that many of these drives will have PII (Personally Identifiable Information) on them, we need to be sure of the data destruction.

OK, go. Two teams, one on pile A, and one team on Pile B.
Process a hundred or so in each pile...shift change!
Which ones have or have not been processed?

In Pile A (wipe with software) we do not really know. Unless we plug tham back into a system to check.
In Pile B, the ones that still look like hard drives have not been done.

Since we are dealing with citizen data, and we do not know which specific drives have this data on them....I know which solution I would suggest.
The potential for missing one (or 10) is simply too high.
 
Upvote 0 Downvote


If you have the right equipment, you can erase 20 drives at a time in each RAID rack. Operate 5 racks at once, and you can clean 100 drives at a time. Each drive serial number is recorded, and logged as a wipe is completed. Exercise diligence and there is little room for "error" or missed targets. BOOT-test the drives before and after wipe, if you're worried that they're really blank. The "No Operating System" message on the screen is a sign the drive was wiped. If you're unsure, wipe it again, this is not something which should be left to chance.

The PROPER way to use software like this is by wiping all drives before they move from the secure location where they were originally in service. Only after wiping: should machines be moved around, or retired from use. Wipe machines in departmental-sized blocks, and the work is accomplished by your existing IT team.

Destruction is NOT the best method, it's actually the worst. It's very unfriendly to the environment, greatly devalues each computer, and wastes precious global resources. You don't have to put yourselves into a position where you are forced to trust a third-party to handle this. Do the work yourselves, and audit it carefully, for the best results.

United States Air Force purchases WipeDrive regularly in many many locations around the world, and they trust it to accomplish secure data destruction without damaging the hardware itself.

It is easy to tell if the data was deleted after our program was used, simply try to boot up the computer afterward to see the results. Some companies use their security footage to form an electronic trail which indicates when the wipe software was finished, and the results of attempted reboots by the IT staff. After it fails to boot up, the machine can be pulled from that desk, and refreshed with a new machine.

It boils down to a couple different scenarios. Our software would produce a secure log of all the wiped drives. Whereas a shredder will produce a pile of metallic bits which may or may not be the drives you stuffed through the metal door on the shredding truck. Shredding is typically up to $8 per drive, whereas our software costs only a fraction of that price. They provide a pile of metal bits for proof, which bare no resemblance to the original drives and really could be from destructing anything. Software solutions let you keep the drives, and put them back into machines for continued use, or resale.
 
Upvote 1 Downvote


If you truly work for whitecanyon then you know this is only true for drives that do not contain classified data or controlled unclasified data.

Heres the Navy and Marines official policy unless things have changed since 2009, which I doubt. (DON = Dept of the Navy)

5. ACTION. ALL DON-OWNED MAGNETIC HARD DRIVE STORAGE MEDIA WHICH ARE CLASSIFIED OR NOT DATA AT REST COMPLIANT WILL REMAIN IN DON CUSTODY AND CONTROL UNTIL DEGAUSSED (CLASSIFIED ONLY), PHYSICALLY DESTROYED, UNLESS SHIPPED TO THE NATIONAL SECURITY AGENCY (NSA). THERE ARE THREE APPROVED DISPOSAL METHODS FOR MAGNETIC HARD DRIVES. COMMANDS MAY USE A DESTRUCTION SERVICE OR PURCHASE THEIR OWN DEGAUSSING AND DESTRUCTION EQUIPMENT BUT WILL BEAR WHATEVER COST IS ASSOCIATED WITH THAT EQUIPMENT. A GSA APPROVED LIST OF RESOURCES CAN BE FOUND AT WWW.DONCIO.NAVY.MIL/PRIVACY. ALL METHODS MUST RESULT IN PHYSICAL DESTRUCTION, UNLESS A WAIVER FROM THE RESPECTIVE DON DEPUTY CIO IS APPROVED (PER PARA. 6)
 
Upvote 0 Downvote
Disclaimer: I work for the Air Force (software developer), in one of their biggest data centers.
Now...on to the actual situation:

If you have the right equipment, you can erase 20 drives at a time in each RAID rack. Operate 5 racks at once, and you can clean 100 drives at a time. Each drive serial number is recorded, and logged as a wipe is completed.

I get that. But from the initial question, it is obvious that they do not have one or more RAID racks capable of doing this to multiple of drives at a time.
He was looking to do this on the cheap.

Now...how do we help the City of Roanoke to properly dispose of the data on these drives, either via software or actual physical destruction?

Having seen reports of hard drives being bought on eBay or wherever that do actually contain PII (municipal or corporate), I prefer to default to the 'not reselling them' scenario. No matter what procedure is used.

Yes, I get that your software is great. As are many other solutions proposed here.

Now.....which is more secure for that particular entity...the City of Roanoke? Proper procedures, correct auditing, blah blah...
Asking in here, hoping for a proper and inexpensive solution, speaks loudly of an accident waiting to happen.

If I lived in that city and read this thread from the beginning, I'd be very, very worried.
 
Upvote 0 Downvote
Most newer hard drives should have a secure erase feature built into them. You can use parted magic to call the drive's secure erase function.

To securely erase all the data on an SSD, you use a command—called Secure Erase, appropriately enough—that's built into the firmware of all modern SATA drives and older PATA/IDE drives. Some SSDs ship with the ability to initiate secure erase, but if your drive doesn't, two top third-party programs that can activate the command and wipe SSDs are the Center for Magnetic Recording Research's Secure Erase tool and Parted Magic.

http://www.pcworld.com/article/261702/how_to_securely_erase_your_hard_drive.html
 
Upvote 0 Downvote


Many (most?) mfg's of SSD's have NOT implemented Secure Erase properly within their firmware. Be very very careful trying to delete information from these devices, because they contain an extra un-accessible area which data is swapped into and out of. Because it is not accessible through normal means, it is also not erasable by normal means. Advanced testing has shown that these devices are not able to be deleted reliably, even using Secure Erase. More info here: http://www.theregister.co.uk/2011/02/21/flash_drive_erasing_peril/
 
Upvote 0 Downvote


Navy (SSP & others) use our programs on a regular basis. Maybe they obtain clearance/authorization on an individual basis from the NSA themselves, which is signed off by the CIO for that base/location/etc. It is my understanding that the National Security Agency is the driving force as far as NIAP EAL 4+ certification & NSA implements the testing procedures prior to certification. As with many government procedures, this sounds like a bit of paperwork for authorization, is all that is required. The CIO checks our NIAP cert. and if everything checks out, viola.
 
Upvote 0 Downvote


I don't know who wrote that, but it is not correct. The problem with SSD is that because of the nature of the devices themselves, they cannot and do not adhere to all the standards. In the case of rotational media, yes they will adhere completely. Not so with SSD's. VERY FEW SSD manufacturers implement a firmware which effectively can erase the whole device, including the slush area used for bad-sector management. You really should read this, and re-read it until it sinks in, the information is HIGHLY technical: http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf
 
Upvote 0 Downvote


Honestly, the original poster seems interested in doing this right. I think that the citizens of Roanoke are in good hands, as long as he sticks to the attitude that securely erasing the information is the main concern.
 
Upvote 0 Downvote
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom