One company investigates the effectiveness of secure erase firmware commands.
As a data destruction company, Reclamere handles thousands of terabytes of data. The sensitivity of the data we are tasked to destroy is a constant reminder of the vigilance we must exercise, as data security experts, to ensure that no data entrusted to us is ever missed or allowed to leave the security of our building before, during or after end-of-life processing.
Reclamere takes great care to ensure that our destruction processes are thorough. We verify this through a rigorous quality-control process based on the ISO standards for manufacturing quality control and on the rigorous, independent and unannounced National Association for Information Destruction (NAID) certification audit criteria. In fact, for the past eight years, 100 percent of all drives overwritten at Reclamere have undergone 100 percent forensic quality control at the bit level to guarantee that no humanly readable, meaningful data is ever left on a hard drive. This is done through a protected trade-secret process that accounts for the realities of human error, equipment failure and program malfunction. A grand amalgamation of people, process and technology underpins the entire Reclamere way of data destruction.
Before you decide to flip the page thinking that this article is simply an advertisement for Reclamere, we beg your indulgence for a few more paragraphs. It is critical that we share with you the “Reclamere Way,” because it provides the foundation for credibility regarding the huge discovery we have made and why readers should take this topic seriously.
Recently, with the evolution of data storage devices and the vast migration to flash storage technologies, new (and some old) technologies are challenging the conventional wisdom behind how media are sanitized or cleared for final disposition or repurposing. This evolution has led to in-depth process change management evaluations and intense efforts in research and development of our current and future system needs at Reclamere.
One technology that has been around since 2001 is ATA (advanced technology attachment) secure erase (SE). This is a set of firmware commands executed directly by the hard drive's controller that overwrite every user-addressable block on the drive with zeros; the enhanced form of the command writes a vendor-defined pattern and also covers sectors the drive has reallocated out of the user-addressable range. For hard drives built after 2001 and larger than 15 gigabytes, SE is offered as a fast data destruction option whose results are not forensically recoverable. In fact, SE is purported to be so secure as to require no additional quality control measures after execution. Yet the NIST (National Institute of Standards and Technology) "Guidelines for Media Sanitization," NIST Special Publication 800-88, Section 4.7 (verify methods), calls for exactly that: "Verifying the selected information sanitization and disposal process is an essential step in maintaining confidentiality. A representative sampling of media should be tested for proper sanitization to assure the organization that proper protection is maintained. Verification of the process should be conducted by personnel without a stake in any part of the process."
Investigating Solid State
Our findings piqued an interest in solid state drives, which are the nonspinning, nonmagnetic media that store data as electrical charges on silicon chips. The way data is stored on a standard hard disk drive and on a solid state drive is completely different. Think of a traditional, platter-spinning, magnetic hard drive sector as a cup. When a file is created, water is poured into the cup. When that file is modified and made bigger, more water is poured into the cup, until eventually the cup is full. Once the cup is full, the only way to make more space available is to empty some water down the drain, making it gone forever. A traditional hard drive empties its contents by overwriting older data, whether the system does it automatically or the user does it deliberately. After overwriting (either done automatically as part of disk cleanup or manually with an overwriting tool), the old data has been effectively dumped down the drain, gone forever.
Using the same analogy, in solid state drives, when a file is created, water is poured into a cup; but when that file is modified, the new water is poured into a second cup and the first cup is set aside to be washed later. In reality, the set-aside cup is not truly empty: it contains residual droplets of moisture, and the droplets from many such cups add up to a real volume of water left behind. In solid state drives this becomes an issue. When a traditional overwrite is run against a solid state drive, writing zeros over a logical block does not overwrite the physical flash page that held the old data. The drive's controller writes the zeros to a fresh page, remaps the logical block to it and only marks the old page for "garbage collection," so the old contents persist as droplets until the drive gets around to erasing that block, typically while the system is idle.
This functionality has led to many fears and much research into the data remnants that are left behind. Forensic experts truly need data to be left behind for such important matters as criminal investigation, homeland security and civil litigation. Destruction service providers and IT technicians truly need for data to be gone, or at least not meaningfully recoverable by any commercially available or heroic methods. These two factions, and the value of what’s at stake for both, make this an important problem to solve with solid science.
The good news is that solid state drives also have the SE feature, so we are not left with overwriting as our only means of data destruction. In solid state drives, SE works a little differently. Think of the solid state drive as a book and the controller's mapping table as the book's table of contents. It has been theorized that, on some drives, executing SE is equivalent to ripping only the table of contents out of the book and leaving the other pages behind, all mixed up, so that data remnants are still present on the flash chips and potentially could be extracted and read with a chip reader.
Research has been done, and more is being pursued, on what the actual "data remnants" might be. Is it real, humanly readable, meaningful data? Is it just a few hexadecimal characters that form the letter "R"? Or is it merely electrical charges on silicon that cannot be put back into anything even close to resembling true, meaningful data? At this point, more research is eagerly awaited, some of which is currently being commissioned by NAID and its Solid State Drive Task Force. The results that this incredibly valuable research will yield to our industry will be groundbreaking. No matter the outcome, in the destruction and security professions, we will finally have some solid data upon which to build the processes that are necessary to ensure complete destruction every time.
Further along in the NIST document’s Glossary, secure erase is defined as: “An overwrite technology using [a] firmware based process to overwrite a hard drive. Is a drive command defined in the ANSI (American National Standards Institute) ATA and SCSI (small computer system interface) disk drive interface specifications, which runs inside drive hardware. It completes in about one-eighth the time of 5220 block erasure. It was added to the ATA specification in part at CMRR request. For ATA drives manufactured after 2001 (over 15 gigabytes) [that] have the Secure Erase command and successfully pass secure erase validation testing at CMRR (Center for Magnetic Recording Research).”
SE has introduced tremendous efficiency into the process of destroying data while leaving the drive usable. Previously, data destruction was a matter of overwriting the hard drive with a specific data pattern, bit by bit, over the entire disk surface. That process is very time consuming, taking many hours; on today's larger drives it can even take days. Because the SE commands are executed directly by the hard drive's controller, the process is much faster and is believed to be more thorough than overwriting the drive with a software-based application.
Our research, however, has shown that this is not always true: SE does not successfully execute on every hard drive that fits the ATA standard criteria. Because Reclamere is a high-volume ITAM (IT asset management) processor, thousands of hard drives have passed through the SE digital data destruction process, and a troubling trend of failed drives was observed from the moment we changed our process from traditional DoD (Department of Defense) 5220.22-M overwriting to SE.
Of course, good science requires looking first to the processes at Reclamere and how the SE command was executed, the systems upon which it was executed and careful observation for human error. After exhaustive, in-depth analysis of those issues by the forensics experts in the Reclamere data recovery lab, it was clearly established that the SE process and subsequent forensic quality control process were 100 percent functional as designed, built and operated.
We have found numerous hard drives where SE did not successfully remove all of the data or actually left all of the data intact, visible by simply plugging in the drive and requiring no heroic or expert forensic techniques. Unfortunately, we have not been able to find an identifiable pattern among the failed drives that we could use to determine if the drive’s SE feature would successfully execute. We continue to track every failed hard drive by serial number, manufacturer, manufacture date and drive size and will continue to look for patterns.
Another weakness we found in SE is that it returns nothing beyond a completion status: no sector counts, no statistics and no evidence of what was actually written. When the command is executed, the only return from the application is that it completed. This leaves destruction processors and IT technicians to assume that the drive is purged and ready for reuse with no data intact. However, "complete" and "successful" are two very different words with very different meanings. SE does not indicate whether it was successful. Given the trust placed in SE, this is a major weakness.
Reclamere is currently beta testing a way to analyze the limited data produced by SE so that errors in the output can be used to flag failure before the forensic quality control step. Drives that fail forensic quality control are sent through the traditional overwrite and quality control program and then continue through our process.
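The two observations above (SE is a firmware command that reports only completion, and a drive that reports "complete" may still hold data) translate into a practical check. The script below is an added example, not Reclamere's tooling or its beta-test analysis: it reads the security state that `hdparm -I` reports, refuses to issue the erase when the drive is unsupported, frozen, locked or already password-protected, issues `SECURITY ERASE UNIT` through hdparm's real `--security-set-pass` and `--security-erase` options, and afterwards samples sectors across the drive and counts non-zero bytes. A zero count is necessary, not sufficient, for a successful normal secure erase; the `hdparm -I` text in the block is a constructed, space-indented copy of the tab-indented Security section a real drive prints.

```shell
#!/bin/sh
# Added example, not Reclamere's process: gate an ATA Secure Erase on the
# drive's reported security state and check the result afterwards, because
# SECURITY ERASE UNIT only tells you it finished, not what the sectors hold.
# Assumes Linux with hdparm, dd, sed, grep and tr. Real hdparm -I output is
# tab-indented; the sample below is a constructed, space-indented copy.

# Keep only the "Security:" section of `hdparm -I` text read from stdin.
se_section() {
    sed -n '/^Security:/,/^[A-Za-z]/p'
}

# Classify the drive from `hdparm -I` text in $1.
# Prints ok | unsupported | frozen | locked | enabled; exit status 0 only for ok.
se_state() {
    sec=$(printf '%s\n' "$1" | se_section)
    printf '%s\n' "$sec" | grep -qE '^[[:space:]]*supported[[:space:]]*$' \
        || { echo unsupported; return 1; }
    # "frozen": the BIOS froze the security feature set at boot; the usual
    # fix is a suspend/resume cycle or hot-plugging the drive on a bare SATA port.
    printf '%s\n' "$sec" | grep -qE '^[[:space:]]*frozen'  && { echo frozen;  return 1; }
    printf '%s\n' "$sec" | grep -qE '^[[:space:]]*locked'  && { echo locked;  return 1; }
    # "enabled": a user password is already set; the erase needs that password.
    printf '%s\n' "$sec" | grep -qE '^[[:space:]]*enabled' && { echo enabled; return 1; }
    echo ok
}

# Minutes the firmware estimates for SECURITY ERASE UNIT (empty if not reported).
se_minutes() {
    printf '%s\n' "$1" | se_section \
        | sed -n 's/^[^0-9]*\([0-9][0-9]*\)min for SECURITY ERASE UNIT.*/\1/p' | head -n 1
}

# Count non-zero bytes in $2 (default 64) sectors spread evenly over $1,
# which may be a block device or an image file. Zero means the sample is clean.
se_nonzero_sample() {
    dev=$1; n=${2:-64}
    size=$(blockdev --getsize64 "$dev" 2>/dev/null) || size=$(wc -c < "$dev")
    sectors=$((size / 512)); step=$((sectors / n))
    [ "$step" -gt 0 ] || step=1
    total=0; i=0
    while [ "$i" -lt "$sectors" ]; do
        c=$(dd if="$dev" bs=512 skip="$i" count=1 2>/dev/null | tr -d '\000' | wc -c)
        total=$((total + c)); i=$((i + step))
    done
    echo "$total"
}

# Destructive: set a throwaway user password and issue the erase on $1.
# Attach the drive directly over SATA; USB bridges commonly block these commands.
se_run() {
    dev=$1; pass=${2:-erase}
    state=$(se_state "$(hdparm -I "$dev")") || { echo "refusing: $state" >&2; return 1; }
    hdparm --user-master u --security-set-pass "$pass" "$dev" &&
    hdparm --user-master u --security-erase "$pass" "$dev"
}

# Constructed sample of the Security section (real input: `hdparm -I /dev/sdX`).
SAMPLE_FROZEN='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
    120min for SECURITY ERASE UNIT. 120min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'
# Same drive after the freeze has been cleared.
SAMPLE_READY=$(printf '%s\n' "$SAMPLE_FROZEN" | sed 's/^[[:space:]]*frozen$/    not frozen/')
```

Usage on a real drive would be `se_run /dev/sdX && se_nonzero_sample /dev/sdX 256`, followed by the full forensic check the article insists on; the sampling step only catches the gross failures the authors describe (data left fully intact), not a drive that wiped most sectors and skipped a few.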
Many destruction companies that use SE do not follow it with a quality control process to verify that data has, in fact, been destroyed. This is a serious problem in many ways. For clients who use destruction service providers with no quality control capability, the liability is obvious. For the destruction service providers themselves, it is a serious liability as well. In highly regulated industries such as health care, where the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health) data breach prevention and notification burden now falls on the business associate (BA) doing the destruction as well as on the data owner, the liability is magnified exponentially. For a small business, it becomes potentially catastrophic.
Our findings are not in any way an indictment of the experts at NIST or the CMRR. Reclamere processes thousands of hard drives per week. Multiplied over months, this is in sharp contrast to the volumes of hard drives tested in laboratory environments. In addition, those thousands of hard drives comprise drives spanning decades and a myriad of manufacturers. It is our sincere hope that this finding will lead to additional research and to modifications of the NIST guidelines requiring more rigorous quality control testing for processes that rely on the SE tool.
Researching for Answers
Some research from the Reclamere labs is available to share with you. There are approximately 24 different solid state drive manufacturers, and each uses its own algorithms to encode data on flash chips sourced from hundreds of chip manufacturers. Flash chips similar to those in a solid state drive are also used in smartphones, tablets, USB portable drives and office equipment, and the manufacturers of those devices number in the hundreds. To test whether data still resides on a chip after SE, the only testing that can be done is destructive: the chips must be very carefully removed from the circuit board, which is hard because heat can damage the chip, as can mishandling the pins. Solid state drives are expensive, and so are most of the other devices that use flash chips. Destructive testing of these devices is expensive simply in the purchase of the gear to be destroyed, let alone the equipment needed to remove the chip and subsequently attempt to read it.
In light of the expensive nature of the testing process, Reclamere has conducted testing on four solid state drives in our forensic lab. The team doing the work has successfully extracted data from chips for criminal matters and civil litigation. In our admittedly small study, Reclamere found that only one of the four drives tested was compatible with state-of-the-art, commercially available chip-reading forensic equipment.
Our process consisted of the engineer filling the drive with known data, in this case the word "evidence" repeated across the drive, then processing it for destruction by executing the SE command. Upon completion of SE, the drive was dismantled, the chip was removed and placed in the chip reader, and forensic tools were used to search for the known data fingerprint. On the one compatible drive, the search returned no results. The engineer was also unable to find any data remnants or any evidence of a file system left on the drive after SE was executed.
Reclamere continues to pursue further research; however, finding drives whose chips are compatible with our equipment remains a challenge. Recently, we attempted to analyze six drives from five manufacturers. None of the drives was compatible with the chip reader, making testing impossible. Although this hinders data recovery experts and the digital forensics industry today, it is only a matter of time until the controllers' encoding algorithms are decoded and it becomes possible to extract data from more solid state drives' flash chips to support quality control methodologies.
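The known-data procedure described above (seed the medium with a marker, erase, then hunt for the marker and for any surviving file system) can be run at the logical, user-addressable level on any drive or image without a chip reader. The script below is an added example, not Reclamere's trade-secret QC process: it fills a device or image file with a repeating marker (the article's word "evidence" by default), counts surviving copies byte-exactly after an erase, and checks the fixed offsets where MBR, GPT, NTFS, FAT32 and ext2/3/4 structures leave their signatures. It assumes Linux coreutils (dd, od, grep, head, yes); the image files used in the usage are constructed for offline runs. On an SSD this only proves the controller no longer presents the data through the logical interface, which is exactly the gap the chip-level test in the article is meant to close.

```shell
#!/bin/sh
# Added example, not Reclamere's process: known-marker and file-system
# signature search at the logical level after a secure erase.
# Assumes Linux coreutils; device or image path is the first argument.

MARKER=${MARKER:-evidence}

# Fill $1 (block device or image file) end to end with repetitions of marker $2.
seed_marker() {
    dev=$1; marker=${2:-$MARKER}
    size=$(blockdev --getsize64 "$dev" 2>/dev/null) || size=$(wc -c < "$dev")
    yes "$marker" | tr -d '\n' | head -c "$size" | dd of="$dev" conv=notrunc 2>/dev/null
}

# Count byte-exact occurrences of marker $2 anywhere on $1 (binary-safe).
marker_hits() {
    LC_ALL=C grep -a -o -F "${2:-$MARKER}" "$1" | wc -l | tr -d ' '
}

# Lower-case hex of $3 bytes at byte offset $2 of $1.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print one line per on-disk structure still recognisable at its fixed offset.
fs_signatures() {
    dev=$1
    [ "$(hex_at "$dev" 510 2)" = 55aa ]               && echo "MBR boot signature at 0x1FE"
    [ "$(hex_at "$dev" 512 8)" = 4546492050415254 ]   && echo "GPT header (EFI PART) at LBA 1"
    [ "$(hex_at "$dev" 3 8)" = 4e54465320202020 ]     && echo "NTFS OEM id at 0x03"
    [ "$(hex_at "$dev" 82 5)" = 4641543332 ]          && echo "FAT32 label at 0x52"
    [ "$(hex_at "$dev" 1080 2)" = 53ef ]              && echo "ext2/3/4 superblock magic at 0x438"
    return 0
}

# Verdict for $1: exit 0 only when neither the marker nor any structure survives.
verify_erased() {
    dev=$1
    hits=$(marker_hits "$dev")
    sigs=$(fs_signatures "$dev")
    echo "marker hits: $hits"
    [ -n "$sigs" ] && echo "$sigs"
    [ "$hits" -eq 0 ] && [ -z "$sigs" ]
}
```

A real run is `seed_marker /dev/sdX`, the secure erase, then `verify_erased /dev/sdX`; a non-zero hit count or any signature line is the "complete but not successful" case the article describes, and the drive goes back to the traditional overwrite path.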
If you’ve hung on through all of this article’s technical jargon, you may be wondering exactly what all of this means. Here are the two important points that Reclamere has to offer the reader:
- We believe that SE does not work on 100 percent of all magnetic ATA hard drives larger than 15 gigabytes manufactured after 2001 as has been put forth. It can be an incredibly time-saving, forensically sound, data destruction technique, but without 100 percent forensic quality-control capability for verification, it creates risk and liability for those relying on it.
- SE appears to be an excellent process for the destruction of data on solid state media; however, the seemingly endless variety of chips used in manufacturing them makes development of reliable, cost-effective quality control unreasonable at this time.
In the rapidly growing world of technology, it is important that we are able to trust the claims of manufacturers. But it is critical that we challenge that trust and conduct our own checks and balances. SE is endorsed by NIST Special Publication 800-88 and accepted as a sufficient data destruction method for industries governed by regulations such as HIPAA, the Personal Information Protection and Electronic Documents Act (PIPEDA), the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act (SOX). While SE is an excellent tool and can destroy data in hard drive locations that are both user-accessible and not user-accessible, quality control is critical to ensure that sensitive information does not land in the wrong hands.
Gubanov, Y., & Afonin, O. (2012, October 23). Why SSD Drives Destroy Court Evidence, and What Can Be Done About It. Retrieved from Belkasoft Ltd.: forensic.belkasoft.com/why-ssd-destroy-court-evidence
Hughes, G. (2004, October). CMRR Protocols for Disk Drive Secure Erase. Retrieved from Center for Magnetic Recording Research: cmrr.ucsd.edu/people/Hughes/CmrrSecureEraseProtocols.pdf
Hughes, G., & Coughlin, T. (n.d.). Technical Proposal on ATA Secure Erase. Retrieved from Center for Magnetic Recording Research: http://t13.org/Documents/UploadedDocuments/docs2004/e04147r0-TechProposalFreezeLockSecureErase.pdf
Hughes, G., & Coughlin, T. (n.d.). Tutorial on Disk Drive Data Sanitization. Retrieved from Center for Magnetic Recording Research: cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf
King, C., & Vidas, T. (2011, May). Empirical Analysis of Solid State Disk Data Retention When Used with Contemporary Operating Systems. Retrieved from DFRWS: www.dfrws.org/2011/proceedings/17-349.pdf
Kissel, R., Scholl, M., Skolochenko, S., & Li, X. (2006, September). Guidelines for Media Sanitization, NIST Special Publication 800-88. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf
Secure Erase Newsletter. (2004, September). Retrieved from Center for Magnetic Recording Research: cmrr.ucsd.edu/people/Hughes/SecurEraseNewsletter1004.pdf
Wei, M., Grupp, L., Spada, F., & Swanson, S. (2011). Reliably Erasing Data from Flash-Based Solid State Drives. Retrieved from USENIX Association: https://db.usenix.org/events/fast11/tech/full_papers/Wei.pdf
Younke, J. (n.d.). Solid State Drives.
Angie Singer Keating is CEO and co-founder of Reclamere Inc., headquartered in Tyrone, Pa., and Kirk Durbin is the company’s data recovery and information assurance engineer. More information on Reclamere is available at www.reclamere.com.