Approaches to Data Sanitization
Instant Secure Erase: The Ultimate Solution for Drive Retirement and Disposal
What's this
According to National Institute of Standards and Technology Special Publication 800-88, “Guidelines for Media Sanitization,” there are a handful of acceptable methods for sanitizing ATA- and SCSI-type hard drives.
Clearing. Often called “wiping,” this is the most common sanitization method used with hard drives. Essentially, clearing uses software to overwrite all addressable media bits with random data. The NIST paper states, “Studies have shown that most of today’s media can be effectively cleared by one overwrite.” (The Department of Defense specification 5220.22-M is often cited as specifying a given number of overwrites in order to qualify as acceptable clearing. This is inaccurate. The Defense Security Service has a Clearing and Sanitization Matrix that does offer such guidelines, but the June 2007 version of this document eliminated clearing as an acceptable sanitization method for magnetic media. The document states, “Effective immediately, DSS will no longer approve overwriting procedures for the sanitization or downgrading (e.g. release to lower level classified information controls) of IS storage devices (e.g., hard drives) used for classified processing. Note that the DSS doesn’t specify if clearing was removed for technical or human fallibility reasons. Moreover, adding some confusion, a footnote to this matrix refers readers back to NIST 800-88, which does embrace clearing, for further help on sanitization decisions.)
[caption: The DSS Clearing and Sanitization Matrix, June 28, 2007. The letters “a” and “b” refer to approved use of a degausser. Letter “c” denotes overwriting of all addressable locations with a single character. Letters “l” and “m” denote physical destruction.
Purging. For ATA drives over 15 GB, NIST recommends purging as protection against laboratory forensic attacks. Two of the most common forms of purging are degaussing and using the Secure Erase command. Degaussers use a strong magnetic field to essentially scramble the magnetic bits adhered to a hard drives platters, making them unreadable. Degaussing was very common in the era of magnetic tape, but with disk systems, there are two unfortunate issues. First, the level of the magnetic field emitted by the degausser must be calibrated to the target device. An inadequate field may not eliminate all data, and little if any post-degaussing validation of erasure is ever conducted. Additionally, degaussing will also destroy the servo data embedded in the magnetic media. This data is permanent on the drive and never overwritten. Without it, the drive doesn’t know how to position the read/write heads properly. Thus the drive turns into a doorstop, eliminating any resale value.

The Secure Erase (ATA-SE) command built into every ATA drive since 2001 will cause a drive to self-wipe. However, this does not guarantee elimination of any off-track data. By this, we mean data written outside the regular groove on a hard disk track. (If you imagine an analog phonograph track, most information is written at the bottom of the groove, but sometimes the writing mechanism wobbles, causing information to be written on the sides of the groove, or “off-track.” In the case of hard drives, such data may be retrievable though laboratory forensics, even after an ATA-SE wiping.)
Destroying. Pick your method: disintegration, incineration, pulverization, melting, or shredding. The point is that the physical media is reduced to pieces so small and ruined that there is no possible way for them to be put back together in any readable form.
Many factors will influence an organization’s decision as to which sanitization method to use. Foremost among these may be the sensitivity of the information. When the fate of the free world hinges on a drive’s data vanishing, melting the drive into slag is probably a good idea. Beyond this point, though, other factors likely come into play.