In today’s digital age, destroying data is not as easy as it once was. Before the advent of computers, if you needed to destroy sensitive government information to prevent it from falling into the wrong hands, all you often needed to do was light some papers on fire.
With computers, you might think that it’s a simple matter. After all, if you’ve ever accidentally deleted a file or had a hard disk crash, you’ve probably lost data and haven’t been able to recover it.
The reality is, though, that data lingers even if it’s not easily accessible. When you delete a file on a hard drive, nothing actually happens to that data. The file system simply removes the ability to navigate to that data and assigns it as free space to be overwritten by other data whenever it’s convenient to do so.
This means that there are ways to recover “deleted” data. Recovery programs don’t just browse a file table; they read the drive directly, record every last 0 and 1, and find data that is partially complete, data that is “deleted” but still there, and more. This is the core principle behind data recovery.
Even a “dead” hard drive can often be repaired. No one is really going to do that to your personal drives, but the drives used by government agencies or the military are a different story. There’s a lot more motivation for an organization or a rival nation to try to recover information from a discarded hard drive when it could contain classified military or defense information, after all.
BLUF - Bottom Line Up Front
Destroying data in the digital age is complex. Deleted data often stays accessible through recovery tools as deletion merely removes file paths, not the data itself. Effective wiping methods include short wipes (three-pass process) and long wipes (seven-pass process), but DoD standards now rely on techniques suited to modern storage like the NIST SP 800-88. Depending on security levels, physical destruction may be necessary for highly sensitive data. Comprehensive standards ensure thorough data security.
How Does Modern Data Storage Work?
When we consider a hard drive or a solid-state drive for a modern computer system, it all goes back to binary. Data on a drive is stored as a sequence of 0s and 1s, a binary code that means something. From tip to tail, a hard drive is nothing but a long sequence of these two numbers. Everything built on top of it is just ways to read, process, and change those numbers.
Why binary? Storage is magnetic. 0 and 1 correspond to magnetic north and magnetic south. You can read more about the underlying technology elsewhere. Since there are only two magnetic poles, there are only 0s and 1s and no 2s.
When you get a brand new drive, all those 0s and 1s are scrambled up, and the first thing you generally do is format it. Formatting it just adds a file system table that provides an index of what else is on the drive as you add, change, and remove files.
When you create a file, a section of otherwise unassigned 0s and 1s is allocated to the file, and the relevant 0s and 1s in sequence are written to that section of the drive. The file table prevents other files from using that space and overlapping files, and the file is only changed when it’s accessed by a program on your computer.
All of this is a vast oversimplification, of course. There’s an incredible amount of detail that goes into it. The important part to know for data security and data wiping is this: all data is encoded as strings of 0s and 1s, with the start and end of a file demarcated by the file table.
How Does Deleting a File Work?
As mentioned above, when you delete a file, the actual data of the file is generally untouched. This saves on wear and tear on the computer hardware, which can wear out over time. It’s a lot easier for a computer to remove one line from a file table specifying what a file is than to overwrite and purge all of the 0s and 1s that made up that file.
That means that if you have a way to inspect the actual binary on a hard drive without paying attention to the file table, you can see all of the data on the drive, including deleted data. This can even include partial files that have had part of their contents overwritten.
It isn’t even particularly hard to do. There are readily available commercial products that can recover deleted data with relative reliability. Imagine how much more powerful a similar program funded by a nation-state would be!
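As an added illustration (not code from the original article), the toy drive below models the file-table view against the raw-bytes view: a constructed secret is written, “deleted” by dropping its table entry, and then found again by scanning the raw bytes, including after a second file has partially overwritten it. The file system, block size and sample data are all constructed for the example.

```python
BLOCK = 16  # bytes per block in the toy drive (constructed, not a real file system)

class ToyDrive:
    """A tiny drive: a bytearray of raw blocks plus a file table mapping name -> blocks."""
    def __init__(self, blocks=8):
        self.raw = bytearray(blocks * BLOCK)
        self.table = {}                       # name -> (block list, byte length)
        self.free = list(range(blocks))       # free list, like a file system's allocator

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK)       # ceiling division
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.table[name] = (blocks, len(data))

    def read_file(self, name):
        """What a normal program sees: only files the table still points to."""
        if name not in self.table:
            return None
        blocks, size = self.table[name]
        return bytes(b"".join(self.raw[b * BLOCK:(b + 1) * BLOCK] for b in blocks))[:size]

    def delete(self, name):
        """Ordinary delete: drop the table entry, mark the blocks free, leave the bytes."""
        blocks, _ = self.table.pop(name)
        self.free[:0] = blocks                # freed blocks are reused first

def carve(raw, needle):
    """Data-recovery view: scan the raw bytes and ignore the file table entirely."""
    return raw.find(needle) != -1

def demo():
    """Walk through create -> delete -> carve -> partial overwrite; returns the findings."""
    d = ToyDrive()
    secret = b"CLASSIFIED: launch window 0600"   # constructed sample, 30 bytes = 2 blocks
    d.write_file("memo.txt", secret)
    d.delete("memo.txt")
    gone_from_table = d.read_file("memo.txt") is None
    still_on_platter = carve(d.raw, secret)
    d.write_file("note.txt", b"hello")           # reuses the first freed block
    return {
        "gone_from_table": gone_from_table,
        "still_on_platter": still_on_platter,
        "head_overwritten": not carve(d.raw, b"CLASSIFIED"),
        "tail_recoverable": carve(d.raw, b"window 0600"),
    }
```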
What Does the DoD Recommend?
The Department of Defense has confronted the issue of persistent magnetic storage for a long time. Since the DoD handles classified information in digital formats, they need to make sure that any data that is deleted is actually removed rather than just hidden but still accessible to anyone with the tools to look.
The initial concept was to “zero out” a drive, but this proved ineffective. Thus, the DoD developed data-wiping standards and codified them in the document known as DoD 5220.22-M. This document includes a lot of information – it’s 96 pages long – but the section on data wiping is just a small part of it. This document is also known as NISPOM, the National Industrial Security Program Operating Manual.
The DoD has two specifications for wiping data: the short wipe and the long wipe. Together with zeroing out, that makes three forms of wiping, so let’s talk about all three.
What is Zeroing Out a Drive?
First, let’s talk about the simplest option: zeroing out a drive.
To zero out a drive, every byte on that drive – or chunk of drive, if you’re wiping a specific file – has every bit overwritten with a zero. So, a string that looks like this:
- 01001001 01100111 01101110 01111001 01110100 01100101
Becomes this:
- 00000000 00000000 00000000 00000000 00000000 00000000
Seems clear, right? Well, there’s a problem. Since we’re dealing with magnetics, there are pesky physics to contend with, and part of those physics is that bits can get a little “stuck” magnetically.
A good way to understand this is to think of an analogy. When you write something down on a piece of paper, you’re pressing down on the paper. This can leave an impression on the paper beneath it. This has been used throughout history and in media and means that even if you never wrote anything on a page, you can see the things written on the previous page.
Zeroing out data works in kind of the same way. If all you’re doing is overwriting all the 1s with 0s, you don’t end up with nothing but 0s; you end up with 0s that have the impression of 1s behind them. So, instead of that clean line of 0s above, you would actually have something like this:
- 0Φ00Φ00Φ 0ΦΦ00ΦΦΦ 0ΦΦ0ΦΦΦ0 0ΦΦΦΦ00Φ 0ΦΦΦ0Φ00 0ΦΦ00Φ0Φ
A sensitive enough device can still detect this, and while there will likely be errors – physics isn’t quite as clean as this example – it’s enough to recover a significant portion of the data.
So, what would be a good solution?
What is a Short Wipe?
If you answered, “Write everything with a 1, then a 0,” you’re on the right track. If you were to write every digit with both a 0 and a 1, the “impressions” left behind would be universally Φ, and thus impossible to differentiate.
The DoD standard takes this one step further. The so-called “short wipe” is a three-pass wipe.
- Write every digit over with a 0.
- Write every digit over with a 1.
- Write every digit over with a random character.
This way, you can’t even look for patterns in subtle physics differences, as even those are obfuscated by a new random pattern laid over the top of it.
Ideally, this will be a secure wipe. However, advances in nation-state-level technology have made even this less reliable, so the DoD developed the “long wipe” to make things harder.
What is a Long Wipe?
A long wipe is a seven-pass wipe.
- Write every digit over with a 0.
- Write every digit over with a 1.
- Write every digit over with a random character.
- Write every digit over with a 0.
- Write every digit over with a 0 again.
- Write every digit over with a 1.
- Write every digit over with a random character.
Or, to put it in shorter terms, do a short wipe, do a pass of 0s, and then do another short wipe.
Each additional pass makes it harder for any technology to identify the original state of a bit and thus makes it harder for any data to be recovered. The long wipe is often considered overkill, and a short wipe is “good enough” for most use cases.
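The three-pass short wipe and seven-pass long wipe described above, as an added example that is not code from the original article: each pass overwrites every byte of a file in place and is flushed to the device before the next, and the fixed-pattern passes are read back to verify. The sample file contents and helper names are constructed for the example. As the next section explains, in-place overwriting is only meaningful for magnetic disks; flash-based drives remap writes, so these passes need not reach the original cells.

```python
import os
import secrets
import tempfile

SHORT_WIPE = ("zero", "one", "random")              # DoD 5220.22-M three-pass
LONG_WIPE = SHORT_WIPE + ("zero",) + SHORT_WIPE     # seven-pass: short, zeros, short
CHUNK = 64 * 1024

def _pattern(kind, n):
    """Bytes for one pass: all zeros, all ones, or fresh random data."""
    if kind == "zero":
        return b"\x00" * n
    if kind == "one":
        return b"\xff" * n
    if kind == "random":
        return secrets.token_bytes(n)
    raise ValueError(kind)

def overwrite_file(path, passes=SHORT_WIPE):
    """Overwrite every byte of `path` once per pass and verify the fixed-pattern passes.
    Returns the number of bytes wiped. Magnetic media only: flash drives remap writes."""
    size = os.path.getsize(path)
    for kind in passes:
        with open(path, "r+b") as f:
            for off in range(0, size, CHUNK):
                f.seek(off)
                f.write(_pattern(kind, min(CHUNK, size - off)))
            f.flush()
            os.fsync(f.fileno())              # push this pass to the device before the next
        if kind != "random":                  # read back and confirm the pattern landed
            expect = _pattern(kind, 1)[0]
            with open(path, "rb") as f:
                if any(b != expect for b in f.read()):
                    raise RuntimeError(f"verification failed on {kind} pass")
    return size

def demo(passes=SHORT_WIPE):
    """Write a constructed sample file, wipe it, and report (bytes wiped, size, secret left)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        sample = b"CLASSIFIED memo " * 100      # constructed sample, 1600 bytes
        with open(path, "wb") as f:
            f.write(sample)
        wiped = overwrite_file(path, passes)
        with open(path, "rb") as f:
            leftover = f.read()
        return wiped, len(leftover), b"CLASSIFIED" in leftover
    finally:
        os.remove(path)
```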
Which Wipe Should You Use?
So, with DoD 5220.22-M in play, should you be using a short wipe or a long wipe?
The answer is… probably neither.
First and foremost, these wiping patterns only apply to traditional spinning metal magnetic hard disk drives. There are a lot of different storage options today, many of which don’t use this form of magnetic storage and thus don’t respond to these kinds of wipes. Each method of data storage has its own mechanism for erasure: everything from ancient magnetic tape (which needs to be degaussed) to EPROM (which requires UV light to erase) to flash memory (that loses data when power is removed) to other kinds of storage that can only be destroyed.
Many modern businesses aren’t even using spinning magnetic storage media anymore, simply because it’s less effective, more prone to failure, and slower than more modern storage methods.
Truthfully, the DoD hasn’t even updated its data erasure standards in over 20 years. NISPOM actually no longer even specifies a method for erasing data.
Instead, they’ve handed over management of this standard, as with so many other standards, to the National Institute of Standards and Technology, NIST.
What NIST Standard Should You Use?
Published in 2014, the most recent data sanitization standard is NIST SP 800-88. This 64-page-long document encompasses definitions of types of media and the processes necessary to sanitize those types of media.
So, which kind of sanitization should you use? It depends on many factors, including:
- Is it partial or total drive wiping you need to perform?
- Is the device going to leave organizational control after the wipe or be reused?
- Is the information contained on the drive considered low, medium, or high security?
- What kind of storage media are you wiping?
- Do you have encryption in place, and can you use a cryptographic erase?
The NIST standard contains information to help you make this determination.
Truthfully, the NIST document defines the DoD short wipe and similar processes as the standard, so for that particular type of media, that’s still the way to go. For other kinds of data storage, other methods may be employed.
Can’t You Just Destroy the Storage Media?
In some cases, yes. In some cases, in fact, it’s required. The highest level of security categorization, in fact, has little room for anything other than destruction. Sometimes, after all, the simplest method is to put those hard drives in a furnace until they’re a puddle of liquid and ash.
This shouldn’t generally be your first thought, however, for two reasons. The first is that these devices are often reusable, and it’s a waste of money and resources to destroy them without good reason. The second is that comprehensive physical destruction requires equipment most simple cloud service providers and other DoD contractors don’t have easy access to, and handing them off to a third party for destruction is itself a security hole.
Can You Be DoD Data Wiping Certified?
No. While many of the standards, frameworks, and compliance systems we talk about are frameworks that you, as a business, can be certified and verified to comply with, data wiping is not an ongoing process and does not have standardized certification.
Instead, it’s a process you implement when the need arises, which is any time you’re handling confidential or classified information and need to get rid of it or get rid of the device it’s stored on. It’s something you determine the need to perform, perform as necessary, and validate when it’s complete.
That said, being able to sanitize data and storage devices is part of overall compliance with DoD security and information-handling requirements. You can’t be data sanitization certified, but you can comply with FedRAMP, HITRUST, DFARS, or another framework. At Ignyte, we can help; our platform helps streamline and make compliance easy. To learn more, book a demo, or ask any questions you may have, reach out today!
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.