When you delete a file in Windows, the file is not deleted! When you remove it from the Recycle Bin, the file is still not deleted! Yes, the file name is hidden, but the file’s data is still there on your hard drive. All the Windows file system does to “delete” a file is “release” the space for future use.
Another problem: operating systems are messy. They leave behind all sorts of echos of the data they access or process — swap files, temp files, hibernation files, shadow files, etc. Many programs also scatter axillary files around in obscure locations that are hard to find. All that can be found out from computer forensic and your entire deleted data can be reconstructed.
Programs are messy too. For example, your browser may store sensitive information, such as passwords and account numbers in files you never see. Perhaps worse, you may have misplaced or forgotten files that contain sensitive information. You’ve got to know what you’re doing when you purge a hard drive, particularly one you’ve used a long time.
Need for Data Erasure
The need is for highly specialized tool for Data Erasure for PATA or IDE and SATA hard drives, typically found in desktops, laptops and some RAIDs. The data eradication must be done beyond forensic reconstruction.
Secrets of Hard Disk Drive (HDD)
The HPA (Host Protected Area or Hidden Protected Area) is an area of a hard drive that is not normally visible to an operating system. It is protected because the OS will work with only the value in the register that is returned by the IDENTIFY DEVICE command and thus will normally be unable to address the parts of the drive that lie within the HPA.
The DCO (Device configuration overlay) is yet another hidden area on the hard disk drives (HDDs). Usually when information is stored in either the DCO or host protected area (HPA), it is not accessible by the BIOS, OS, or the user. The Device Configuration Overlay (DCO), which was first introduced in the ATA-6 standard, allows system vendors to purchase HDDs from different manufacturers with potentially different sizes, and then configure all HDDs to have the same number of sectors. An example of this would be using DCO to make an 80-gigabyte HDD appear as a 60-gigabyte HDD to both the (OS) and the BIOS…. Given the potential to place data in these hidden areas, this is an area of concern for computer forensics investigators.
There are two types of remapping by disk hardware: P-LIST (Mapping during factory production tests) and G-LIST (Mapping during consumer usage by disk microcode). When a sector is found to be bad or unstable by the firmware of a disk controller, the disk controller remaps the logical sector to a different physical sector. In the normal operation of a hard drive, the detection and remapping of bad sectors should take place in a manner transparent to the rest of the system and in advance before data is lost. However, damage to the physical body of the hard drive does not solely affect one area of the data stored. Very often physical damages can interfere with parts of many different files. Because reads and writes from G-list sectors are automatically redirected (remapped) to spare sectors it slows down drive access even if data in drive is defragmented. If the G-list is filling up, it is time to replace the drive.
Prevalent Data Erasure Methods
The best software erasure method know in the industry is The 7 pass overwrite method or The Gutmann method. This is an algorithm for securely erasing the contents of computer hard disk drives, such as files. Devised by Peter Gutmann and Colin Plumb and presented in the paper Secure Deletion of Data from Magnetic Memory in July 1996, it involved writing a series of 35 patterns over the region to be erased. All the software overwriting tools are designed to write random bits of data to all user accessible sectors of a drive. The software is loaded onto a machine or server, and executes the overwrite procedure. Most overwriting tools execute multiple passes. It is now understood, and has been for some time, that multiple passes do not offer any added significant assurance of security.
|Software Erasure||– Does an erasure, better than the format command.
– Capable of log generation & maintenance.
– Network capable online process.
– Make HDD reusable.
|– It isn’t forensic proof. In most of the cases you can still access the details from HPA / DCO / G-List.
– Slow process, usually takes almost a day.
– Network ensures ease of use, but does make it vulnerable to leaks.
– Doesn’t remove bad sectors.
– High CAPEX / OPEX with yearly licensing fee / PPU.
– Essentially, just an overwrite, not a complete sanitization.
|Physical destruction||The process of physical destruction in India is ineffective, thus there are no plus points at all, as the basic purpose isn’t getting served at all||– Physical damage to the media doesn’t destroy the data inside the HDD.
– Burning the HDD, also doesn’t affect the data inside, till the heat is 1100°C.
– Can’t be reused.
– E-waste is dangerous to the environment and if not disposed properly, is dangerously harmful for the handlers too.
To be able to make an effective erasure methodology to completely sanitize the HDD, the most important is to do it externally, and do it sector by sector, platter by platter, removing all barriers from interface to OS to BIOS to HPA to DCO to G-List. This can only be done, when you do it right from the firmware of the HDD.