Clear, Purge, Destroy, Verify
Classification of Data
The first step to methodical data destruction is classifying the type and hence security level of the data we are dealing with. This helps to determine the level of data sanitization required and hence the methods to be used.
For an organization with limited internal guidelines on data classification, guidance can be taken from a series of publications (in particular 800-60 Vol 1 Rev 1) by the National Institute of Standards and Technology (also known as NIST), a US Government's non regulatory federal agency within the U.S. Department of Commerce.
Generally, when deciding on which “security level” best describes your information, think of its value, and confidentiality, as well as the consequences of loss. The name and home address of your clients may not seem of “High Security” to you, but it may be to your client, employee or other stakeholders. Use this security level to determine how the data storage medium should be handled.
One method to sanitize media is to use software or hardware products to overwrite user addressable storage space on the media with non-sensitive data, using the standard read and write commands for the device. This process may include overwriting not only the logical storage location of a file(s) (e.g., file allocation table) but also should include all user addressable locations. The security goal of the overwriting process is to replace Target Data with non-sensitive data. Overwriting cannot be used for media that are damaged or not rewriteable, and may not address all areas of the device where sensitive data may be retained. The media type and size may also influence whether overwriting is a suitable sanitization method. For example, flash memory-based storage devices may contain spare cells and perform wear levelling, making it infeasible for a user to sanitize all previous data using this approach because the device may not support directly addressing all areas where sensitive data has been stored using the native read and write interface.
The Clear operation may vary contextually for media other than dedicated storage devices, where the device (such as a basic cell phone or a piece of office equipment) only provides the ability to return the device to factory state (typically by simply deleting the file pointers) and does not directly support the ability to rewrite or apply media-specific techniques to the non-volatile storage contents. Where rewriting is not supported, manufacturer resets and procedures that do not include rewriting might be the only option to Clear the device and associated media. These still meet the definition for Clear as long as the device interface available to the user does not facilitate retrieval of the Cleared data.
Some methods of purging include Overwrite, Block Erase, and Cryptographic Erase, through the use of dedicated, standardized device sanitize commands that apply media-specific techniques to bypass the abstraction inherent in typical read and write commands.
Destructive techniques also render the device Purged when effectively applied to the appropriate media type, including incineration, shredding, disintegrating, degaussing, and pulverizing. The common benefit across all these approaches is assurance that the data is infeasible to recover using state of the art laboratory techniques. However, Bending, Cutting, and the use of some emergency procedures (such as using a firearm to shoot a hole through a storage device) may only damage the media as portions of the media may remain undamaged and therefore accessible using advanced laboratory techniques.
Degaussing renders a Legacy Magnetic Device Purged when the strength of the degausser is carefully matched to the media coercivity. Degaussing should never be solely relied upon for flash memory-based storage devices or for magnetic storage devices that also contain non-volatile non-magnetic storage. Degaussing renders many types of devices unusable (and in those cases, Degaussing is also a Destruction technique).
There are many different types, techniques, and procedures for media Destruction. While some techniques may render the Target Data infeasible to retrieve through the device interface and unable to be used for subsequent storage of data, the device is not considered Destroyed unless Target Data retrieval is infeasible using state of the art laboratory techniques.
The application of Destructive techniques may be the only option when the media fails and other Clear or Purge techniques cannot be effectively applied to the media, or when the verification of Clear or Purge methods fails (for known or unknown reasons).
Verification is required for destructive techniques that are not obvious to the naked eye, such as degaussing and software erasure.
A degaussed hdd when plugged into their native interface will show no response at all.
An erased hdd can be examined with a hex editor to verify that all data has been overwritten. This function is usually built into the erasure software.