S 2.433 Overview of the methods for deleting and destroying data
Initiation responsibility: Head of Organisation, Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT, Head of Organisation
There are various methods available to delete information from data media. The method to select depends primarily on the protection requirements of the data to be deleted, but also on the type of data medium, of course.
On analogue data media, the information can be blacked out (overwritten), cut out, or erased, for example. With digital data media, the data can be deleted or overwritten using deletion programs.
With the deletion methods for electronic data media described in the following, the protection provided against the restoration of residual data increases in the order in which the methods are presented.
Delete commands
Delete commands are commands and functions provided by the operating system for deleting files and directories, for example commands like "Delete" and "Erase". When using delete commands, it must be noted that the actual file contents are generally not deleted; only the references to this information in the index or table of contents of the data medium are removed. The file itself still exists on the medium. There are methods and programs available that can be used to recover data that was assumed to have been deleted. For this reason, this method is not recommended when it must be guaranteed that the deleted data cannot be restored.
Therefore, procedures and mechanisms are necessary that go beyond the standard deletion procedures offered by operating systems and are also able to delete data with high protection requirements so that it cannot be restored.
Overwriting individual files
In addition to the range of deletion commands available in the most commonly used operating systems, there are also other software-based tools available for overwriting individual files. Using these deletion tools (also called wipe tools), it is possible to completely erase the contents of individual files or memory areas by overwriting the entire file or area with suitable data patterns.
However, it must be noted in this case that it is often possible to partially or completely recover the information from the files even though they were deleted using a wipe tool. The main reason for this is that the operating system or application stores copies of the data at a wide variety of locations and that the user often does not know where they are stored or cannot check these locations for copies.
It is therefore possible under some circumstances for data believed to have been deleted to still be stored on the data media, and this data could then be read using corresponding methods.
This includes the following types of files and data:
- The cache files or temporary files created and then deleted by the operating system or application program
- The backup copies created automatically by a program, for example the backup files often created by Office programs
- Swap files (see also S 4.325 Deletion of swap files)
- Data fragments left in the registry or index databases used by the Windows operating systems
- File slack (file slack refers to the storage of "filler data" in unallocated areas of data media commonly performed by some operating systems) and file fragments in cluster tips
Administrators and users often have very little influence on how this data is processed by the operating system or application program. Even programs that use wipe technologies do not have full control over all traces of this data. For this reason, the entire data media must be erased or another secure deletion method selected to ensure that no other copies of the information are available on the data media.
Formatting
Formatting prepares electronic data media so data can be stored on them.
In the case of hard disks, it is possible to perform low-level formatting (LLF), in which case the tracks and sectors on the hard disk are recreated, or logical (high-level) formatting (HLF), which is performed by the operating system.
Since low-level formatting changes the structure of the hard disk and, in contrast to high-level formatting, the track and sector layout is deleted and then recreated, it may be impossible to use the hard disk after reformatting under certain circumstances. If the hard disks will be reused, the manufacturer should be contacted in advance to check if the guarantee for the hard disk is still valid after performing a low-level format of the hard disk.
A hard disk can be returned to its "original state" by a low-level format regardless of the operating system, which means the information existing on the hard disk will be deleted. However, it is impossible to judge how reliably the existing data was deleted. For this reason, low-level formatting is not recommended as a deletion method. Multiple overwrites of the data medium are always more reliable.
When high-level formatting (HLF) a hard disk, only the file system structure is deleted and recreated. High-level formatting is therefore not suitable for use as a reliable method for deleting information.
Completely overwriting data media
A physical deletion method adequate for normal protection requirements is to completely overwrite the data media. Using special software tools, the data media is overwritten one or more times with predefined character strings or random numbers. The data media must be functional, and they can be reused again after overwriting them.
The trustworthiness and security of this deletion method depends on the following factors in this case:
- The software must be used correctly by the user. Incorrect application of the software can result in the data media being only partially overwritten or not overwritten at all.
- The configuration of the deletion tool has a major influence on whether or not the data media are completely and reliably erased. For this reason, it must be ensured that the tools are optimally configured and that the settings cannot be changed by unauthorised persons.
- The deletion software must guarantee that all sectors of the data medium, including the protected or damaged sectors, are overwritten in the desired manner. Due to the differences in the technologies used by the various types of data media (even different hard disk manufacturers use different technologies, for example) and the rapid development of technology, it cannot be assumed that this goal will be reached by every software product. The software must permit verification of the success of the overwrite process after its completion.
One topic always being discussed is the number of passes an overwrite procedure needs to execute in order to securely delete the data. Tests conducted by forensic laboratories have shown that it is impossible to reconstruct the data on a data medium after just one pass using suitable character strings or random numbers. For normal protection requirements, a single-pass overwrite procedure performed using a reliable tool is therefore adequate.
For higher protection requirements, the overwrite procedure used should consist of at least two overwriting processes, but three processes are better. It is recommended to use random data as the data pattern. Another possibility when overwriting in multiple processes is to use the binary complement of the data pattern (bit sequence) used to overwrite the data medium in the first pass as the pattern for the second pass.
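The following is an added example (not part of this safeguard or of any BSI-approved product) showing the three-pass scheme described above together with the read-back verification demanded of a deletion tool: a fixed bit pattern, its binary complement, then random data from a seeded generator, so that the final pass can be checked sector by sector by regenerating the same stream. The sector size and the temporary file standing in for a data medium are assumptions; a real tool would query the device for its size and sector geometry.

```python
import os
import random
import secrets
import tempfile

SECTOR = 512  # assumed sector size; a real tool queries the device for it


def _write_pass(fd, size, make_sector):
    """One overwrite pass: write every sector from offset 0, including the
    partial last one, then fsync so the data reaches the medium, not just
    the page cache."""
    os.lseek(fd, 0, os.SEEK_SET)
    for offset in range(0, size, SECTOR):
        n = min(SECTOR, size - offset)
        if os.write(fd, make_sector(n)) != n:
            raise OSError("short write at offset %d" % offset)
    os.fsync(fd)


def _verify_pass(fd, size, make_sector):
    """Read the whole medium back and compare each sector with what the pass
    should have written. Returns the number of mismatching sectors."""
    os.lseek(fd, 0, os.SEEK_SET)
    return sum(1 for offset in range(0, size, SECTOR)
               if os.read(fd, min(SECTOR, size - offset))
               != make_sector(min(SECTOR, size - offset)))


def overwrite_medium(path, pattern=0x55):
    """Pass 1: fixed pattern; pass 2: its binary complement; pass 3: random
    data from a generator seeded with a value kept only in memory, so the
    same stream can be regenerated for verification. Returns the number of
    sectors that failed verification (0 means every sector was overwritten)."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        _write_pass(fd, size, lambda n: bytes([pattern]) * n)
        _write_pass(fd, size, lambda n: bytes([pattern ^ 0xFF]) * n)
        seed = secrets.randbits(64)  # never written to the medium itself
        writer = random.Random(seed)
        _write_pass(fd, size, lambda n: writer.getrandbits(8 * n).to_bytes(n, "little"))
        checker = random.Random(seed)
        return _verify_pass(fd, size, lambda n: checker.getrandbits(8 * n).to_bytes(n, "little"))
    finally:
        os.close(fd)


def demo():
    """Constructed 1352-byte 'medium' (not a multiple of SECTOR) holding sample
    data; returns (failed sectors, whether the sample data is still readable)."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"CONSTRUCTED SAMPLE RECORD " * 52)
    os.close(fd)
    failed = overwrite_medium(path)
    with open(path, "rb") as f:
        leftover = b"CONSTRUCTED" in f.read()
    os.remove(path)
    return failed, leftover
```

Note that this only addresses the sectors the operating system lets the program reach; the reserved, remapped or damaged sectors mentioned above are exactly what a purpose-built tool must additionally handle.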
In order to delete data media on which classified materials ("classified") were stored, only products recommended and/or approved by the BSI for the respective category may be used. The current specifications can be found in the BSI Technical Guideline TL-03400 "Produkte für die materielle Sicherheit".
Deleting with erasing devices
The task of an erasing device is to irretrievably and securely delete the data requiring protection that is stored on magnetic data media. To accomplish this, erasing devices generate a strong constant or alternating magnetic field to which the data media are exposed ("degaussed"). These devices are also referred to as degaussers. Since erasing devices use a magnetic field to delete the data, they can only be used for magnetic data media such as magnetic tapes, diskettes and hard disks. The magnetic field of an erasing device destroys the magnetic domains recorded on the data media. When a suitable erasing device is used, there is therefore no more information available on the data media after erasing. "Suitable" in this context means that the magnetic field strength of the erasing device must be significantly higher than the intrinsic field strength of the data medium in order to completely demagnetise the medium. Care must be taken when operating erasing devices; in particular, the data media must be positioned correctly, and the correct time of exposure to the magnetic field must be selected. The operating instructions provided with the erasing device must be followed in all cases.
The advantage of deleting data with an erasing device is that it is possible to erase the entire data medium securely and quickly. However, it must be noted that hard disks and various types of magnetic tape cannot be used any more after erasing because the servo track, which controls the read/write head, is deleted together with the stored data.
Erasing electronic storage media
RAM memory (SRAM and DRAM) is volatile storage in which the contents of the memory are deleted by disconnecting the power supply to the memory chip. If there is a buffer battery connected to the memory, then it also needs to be disconnected. In contrast to volatile memory, non-volatile memory such as EEPROMs and flash memory need to be connected to power in order to delete the contents of the memory. EPROMs, on the other hand, need to be exposed to a UV light source for up to 30 minutes to erase them. The correct procedure to use can be found in the data sheets provided by the manufacturer.
However, it cannot be guaranteed that it will be impossible to reconstruct the stored data after deletion by reading "traces" of the data from the memory cells. It is therefore recommended to overwrite the entire memory chip once with random characters before deletion.
Erasing flash disks
Flash disks are semiconductor memory disks based on flash EPROM technology that are used in computers, and especially in notebooks, instead of hard disk drives.
For normal protection requirements, flash disks can be erased like flash EPROMs in a single overwrite pass using a suitable erasing program. For higher protection requirements, they can be reliably erased by overwriting them up to three times.
Destroying data media
When selecting suitable destruction methods, it is necessary to take analogue data media such as paper or microfilm as well as digital data media (electronic, magnetic or optical) into account. Data media can be destroyed by chopping them into pieces using slicing machines, shredders, cutting mills, punches, or other suitable devices. Data media can also be destroyed by burning or melting them.
Destroying analogue data media
Methods and devices that are suitable for the destruction of analogue data media, e.g. paper documents or microfilms, containing information requiring protection are described in S 2.435 Selecting suitable shredders.
Destroying digital data media
For digital data media, suitable methods and devices are described in S 2.167 Selecting suitable methods for deleting or destroying data.
Optical data media such as CDs or DVDs cannot be overwritten or destroyed using a magnetic degaussing method. They need to be destroyed like write-protected or non-rewritable data media (CD-ROMs or CD-Rs).
Magnetic data media that will not be used any more should be destroyed using suitable devices. Defective hard disks that cannot be overwritten any more must be destroyed. Hard disks can be destroyed by shredding them or using thermal methods such as burning or melting.
Devices designed to destroy data media are often large, expensive devices that are complex to operate. For this reason, a local service provider should be contracted to perform the destruction instead of purchasing such devices. If data media will be destroyed by an external service provider, then the collection, transportation and destruction of the data media at the service provider must be adequately secure (see S 2.436 Destruction of data media by external service providers).