In today's world, the age-old question "Does size really matter?" has possibly inspired nearly as much spirited debate as religion, politics and the meaning of life, at least when it comes to the destruction of devices containing digital data.
Shredding is a recognized and accepted method to physically destroy data storage media and devices; but, the question becomes just how much shredding is enough.
SANITIZED FOR YOUR PROTECTION
The generic term "sanitization" is applied to different methods of eliminating data from digital media and hard drives. Sanitization is defined in National Institute of Standards and Technology (NIST) Special Publication 800-88, "Guidelines for Media Sanitization," as "the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed." (NIST Special Publication 800-88 is available at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf.)
Methods of sanitization include:
- Clearing data on a hard disk involves overwriting them with other characters. This process results in a physically functioning drive that can be re-used.
- Purging of the hard drive would include degaussing, which would remove all data, including data in the "service area" of the drive. A degaussed drive appears physically intact but is no longer functional and void of data. Degaussed drives, therefore, cannot be re-used.
- Physical destruction of the hard disk will make that drive inoperable by compromising the physical structure of the storage media. Methods of physical destruction include disintegration, pulverization, shredding and incineration. All of these methods will make the data a hard drive contains nearly impossible to recover.
NIST Special Publication 800-88 does provide for shredding of hard drives as an acceptable method of physical destruction but does not indicate a minimum particle size. This standard also provides the following definitions of the above methodologies:
- Disintegration is "a physically destructive method of sanitizing media; the act of separating into component parts."
- Pulverization is "a physically destructive method of sanitizing media; the act of grinding to a powder or dust."
- Shredding is "a method of sanitizing media; the act of cutting or tearing into small pieces."
- Incineration is "a physically destructive method of sanitizing media; the act of burning completely to ashes."
The "NSA/CSS Storage Device Declassification Manual" (www.nsa.gov/ia/_files/government/MDG/NSA_CSS_ Storage_Device_Declassification_ Manual.pdf), produced by the National Security Agency/Central Security Service, provides guidance for classified storage device disposal. Shredding is not a method of physical destruction for hard drives, though it is acceptable for other types of digital storage, such as diskettes, smart cards, paper and microforms. Instead, the manual stipulates degaussing or incineration of hard drives.
Shredding is specified by NIST and NSA/CSS as a method of disposal for optical media and solid state devices. With these devices, as with floppy disks, a minimum particle size is specified as a standard and varies by device type.
The NIST standard specifies the same minimum size requirements as NSA/CSS for optical media and solid state devices: 5 millimeters per side for optical media and 2 millimeters per side for solid state devices. NIST does not define an acceptable particle size for shredded hard drives.
SHRED TO SUIT
Shredder manufacturers and shredding companies offer different output particle size. These sizes range from 15 to 40 millimeters (approximately 0.5 to 1.5 inches).
Particle size is the debatable issue when shredding is used as the method of hard drive destruction. With particle sizes ranging from 15 to 40 millimeters, one would think that data could be recovered from the larger sized particles more easily than from the smaller sized particles. However, in the case of hard drives, this does not necessarily hold true.
Why do the standards specify a particle size for shredded optical media but not for hard drives? While we can't speak directly to the exact reason the authors of the two publications did this, we draw the conclusion that the likely reason is because of the differences in the way data are stored on the two forms of media.
In hard drives and optical devices, data are not recorded as discrete binary ones and zeros but rather in an encoded format that reads transitions or changes in the information written to the media.
The difference between optical storage devices and hard drives is where the reading and encoding/decoding electronics are located. In a CD/DVD player, the media itself is removable and interchangeable, while the laser that reads the surface and the electronics to decode the read results are contained in the drive. To allow that drive to read discs that are created by different manufacturing processes, or from completely different drives, the standards for encoding that data and defining the layout and maximum capacity of a disc are standard and identical across manufacturers. The hardware to read the data does not have to go with the data to be decoded.
Contrast this with a hard drive. The media, the read mechanism and the electronics to decode the data from the media are all contained within the hard drive. Each manufacturer is free to encode the data and to control the layout of the data as its technology allows. Unlike optical disks, the order of the data on the disk, the way the encoded data are translated to a binary one or to a zero, and even the capacity of the platter surfaces are specific to the manufacturer.
Manufacturers have been in a race to one-up each other in increasing the areal density of their hard drives. Areal density is how tightly data can be encoded on the disk. Increases in areal density are what allow a manufacturer to store multiple terabytes of data on the same number and size of platters that just 10 years ago may have been able to store only 10 gigabytes. Since the read mechanism and electronics are controlled by the manufacturer, how it is actually written to the platters inside the drive is not a defined standard, and the manufacturer can do it using any encoding it desires.
What this means is, if remnants of a shredded CD/DVD are found and can be read, the data are always encoded the same way no matter what manufacturer or model of device was used to record it. The standard used is publicly available, and while not necessarily simple to decode, is relatively easy to decode.
If a remnant of a hard drive is located that can be read, for example, using magnetic force microscopy (MFM) photography, the data are seen in an encoded format. This is the only method that is available that does not require the platters of the hard drive to spin and the heads to read the data. This method is used with a camera to produce pictures of the platter surface. In the case of a shredded drive, all of the remnants available from the platters would need to be examined microscopically.
With the proper MFM equipment, one would think that data easily could be recovered from the damaged disk, until we see the process required. The MFM will take a picture of each bit on the disk. This resultant picture will then be approximately 100 bytes in size. If that doesn't sound too bad, read on.
For a drive that is 20 gigabytes in size (small by today's standards), approximately 160 billion bits with a magnetic flux change need to be photographed. The space required to store all of these photographs is approximately 16 terabytes.
While that is still possible, consider what now has to be done with these photographs. Each photograph would have to be analyzed by an expert to interpret each bit. Any small error in interpretation would result in useless data. While possible, it is an expensive and time consuming process and, more importantly, unreasonable.
To decode that data it would be necessary to know the manufacturer of the hard drive and the model of the hard drive, in fact. Most likely, one would even need to know the version of the firmware that was used to write the data. Even this information is not enough to decode the data, as one also would need access to the manufacturer's proprietary information concerning how that particular firmware/model drive actually wrote the data to the disk surface. That can be a lot of background information to try to glean from what is left after a hard drive has been shredded.
The above assumes the encoded data can be read from the surface. Any method of physical destruction, whether shredding, use of a hydraulic press/punch or even repeated applications of a large, heavy hammer to the platters, will result in distortion and breakdown of the magnetic substrate coating the platter's surface. This can render large portions of the surface unreadable, even by the most expensive and advanced technology available.
THEORY VS. PRACTICE
Much of the discussion about recoverability of data from sanitized media is based in theory and "what if" scenarios. We can't conclusively state that there is not some three-letter government agency, who's initials may not even be known, that has the time, money and capability to recover data from properly sanitized media when the data are of importance to national security. What we can state is that, from a commercial forensic standpoint, there is no methodology for recovery that is cost-effective, time-effective and reliable enough to be practical.
Scott Moulton, the owner of myharddrivedied.com and Forensic Strategy Services, Woodstock, Ga., and a data recovery expert certification instructor, had this to say about recovery from physically damaged platters: "In my 11 years of doing data recovery, it has been my experience that when a platter has been bent, cut or shattered that it is impossible to recover. The head has a very small area, measured in millimeters, over which it can float to be able to read the data from the platters. When you have a case where the platter is damaged, the head cannot maintain its position over the platter close enough to read the data and, in many cases, will cause the head to skip, doing even more damage. In cases where the platters have been shredded, it is impossible to reassemble correctly and to have the heads survive the read process."
Digitally wiping data on a hard drive to a recognized standard allows an entity to repurpose that drive internally or to sell the drive, both of which allow a company to recover some of its IT investment, while a verification and certification of sanitization assures a company its data are not recoverable.
Degaussing and physical destruction provide the customer with a tangible physical indicator that reasonable measures have been taken to ensure the protection of data.
THE QUESTION OF SIZE
Does it matter if the shredded hard disk particle size is 15 millimeters, 40 millimeters or even larger?
It would be impossible to reassemble a hard drive's shredded platters and read it by the hard disk components. Though the particles could be read individually by microscopic photography, the time and expense would be unreasonable.
Size does matter, but only to the owner of the hard drive that contains sensitive information. It all comes down to reasonable sanitization based on the potential sensitivity of the data. One may feel that the smaller particle is more secure, but the larger particle size also will make data recovery unreasonable.
Thomas Laino is a computer forensics expert, while Julius "Bud" Younke is a data recovery expert. Both men are employed by Tyrone, Pa.-based Reclamere Inc., www.reclamere.com. Reclamere is a leader in data security and IT asset management, specializing in a range of services from deployment of new IT equipment to computer forensics.