3

I manage a company's equipment and the manager has used a piece of equipment for the last 3 years. He told me, that he will give that equipment to one of the employees. However, he has told me to please make sure that the information on it is deleted so that it is unrecoverable.

I like this subject and don't know much about it, so I deleted the information with the linux "rm" command. I know that it is still possible to recover it with forensic techniques. The information on the device was critical, e.g. customer information and information about upcoming projects to be released.

The questions are:

  1. Should I format several times to make the information unrecoverable and overwrite the data? 0's and 1's?
  2. I deleted the information first and the partition was not encrypted. What happens if I encrypt the partition now? If the computer is stolen, could the information be recoverable?
  3. Do programs like BCWIPE work?
  4. What recommendation would you give me so that no one could recover that information that I already deleted with "rm"?

The root disk is SDD and the partition that is not encrypted is HDD. Currently the system is with the Manjaro distribution.

Anders
  • 64,406
  • 24
  • 178
  • 215
pobime7177
  • 131
  • 3
  • SSDs are notoriously hard to wipe completely. With an HDD, several overwrites with random data and zeros will be fine. Are you worried about the recipient actually using forensic techniques on it? Or is it just a precaution? –  Apr 06 '20 at 12:52
  • I'm worried he's using forensic techniques. Because these are people who work in the technical environment and information is extremely important – pobime7177 Apr 06 '20 at 12:57
  • You essentially have to decide if `r*R < C`, with r being the chance that an employee will gain unauthorized access to sensitive data (and is willing to abuse it), R being the damage that will happen if the data is being abused, and C being the cost of a new SSD and HDD. –  Apr 06 '20 at 13:01
  • 1
    Does this answer your question? [How can I reliably erase all information on a hard drive?](https://security.stackexchange.com/questions/5749/how-can-i-reliably-erase-all-information-on-a-hard-drive) – reed Apr 06 '20 at 13:20
  • I've read it, although some of my questions are more specific, because, for example, number 2 – pobime7177 Apr 06 '20 at 13:30
  • As far as I know, encryption doesn't overwrite old data by default, it's a separated concept. Anyway, if the information is "critical", why is the manager willing to give his machine to a random employee? Just tell them you cannot guarantee that all the data will be unrecoverable. If the information is really critical and the risk is really high, then it must be worth at least a few bucks to buy a new HDD/SSD/machine (as MechMK1 suggested) – reed Apr 06 '20 at 13:38
  • I understand, I don't think there's a problem with that, because I guess the company has to pay for a hard drive. However, in this case you had Dual Boot. 1 TB, you divided 700 GB for Windows, and 150 for the linux root "/" which is encrypted, but there is another 150 gb partition which is "/home" and is not encrypted. In this case, we should get rid of the HDD, right? because in "/home/user/Documents" is where the critical information was being stored. – pobime7177 Apr 06 '20 at 13:48
  • If you are sure that the critical info is only on the HDD, you can overwrite the HDD with random data (doing it once seems to be enough for all practical purposes). But if critical data is on the SSD, the procedure is much more complex and unreliable. See the answer I linked above. In any case, if you are not sure where the critical data has been stored, or if you want to avoid every possible risk, replacing the HDD/SSD (or the whole machine) is the best solution. – reed Apr 06 '20 at 14:35
  • I'm sure it's on the HDD. In this case, if it is HDD, they would recommend the BCWIPE? or wipe? tool because as I saw, they apply Gutmann, but if I can avoid the costs to the company and I know that the information is inaccessible by modifying the bits, then I would appreciate it very much – pobime7177 Apr 06 '20 at 15:38
  • @MechMK1 many solid state disks support ATA Secure Erase, typically by removing the encryption key used to transparently encrypt all data stored in flash. This is the same as how mobile phones support a near instant “delete my data” feature. Therefore most (decent) SSDs are actually very easy to erase. – David Apr 06 '20 at 21:41

3 Answers3

5

This is a recurring question, and it comes with a bunch of caveats.

Threat level is a factor. If this is government classified data the official answer is "Destroy the Drives!"

That said, in the commercial world there is a lot more tolerance.

Running DBAN or dd with zeroes against the entire drive will sufficiently wipe it. You should of course VERIFY that the wipe actually took place by looking at the drive contents and confirming zeroes. Zeroes are easier to confirm than random.

You don't need to perform multiple wipe passes to defend against magnetic force microscope attacks. This was a laboratory curiosity more than two decades ago against MFM disk drives that are no longer used and against drives that measured in MEGAbytes. Even then, they could only extract a handful of bytes. A single pass of zeroes will defeat any Earth based forensic facility.

True, bad sectors and hidden disk overlays won't be wiped. If this is a realistic concern for you, fall back to the DoD standard of destruction.

Trotting out wear leveling for solid state drives is also a bugaboo of little reality. Yes, it's technically possible to perform chip-off removal, bypass the on-chip wear processing and find data that survived wiping. However this data is tiny discontinuous snippets and bits that are nearly impossible to reconstruct context from. This is beyond all standard forensics labs and would cost millions of dollars in the specialty labs to even attempt it and would likely yield little to nothing for the effort.

Again, if this is a realistic concern for you, fall back to the DoD standard of destruction.

The drive costs are likely no more than a couple/few $100 bucks, act accordingly.

user10216038
  • 7,552
  • 2
  • 16
  • 19
  • I understand. As I mentioned in other comments, the information is on a partition of the HDD disk(the root is on SDD and the /home partition on HDD). How could I verify that all the information I already deleted, became 0's and will be unreadable for any forensic analysis? is there a program? Another question, do you think those payment tools like BCWIPE have the same result as dd? – pobime7177 Apr 07 '20 at 00:18
1

This is a recurring question on this site.

I've written several details answers.

The tricky part is SSD drives that do wear leveling in hardware. That means that some of the data will be in "hidden" sectors that you can't access / wipe from the operating system.

I think there are 4 categories:

Case 1: you had Full-Disk-Encryption enabled from the beginning. Great, just format the disk. Any data left in un-fortable parts of the disk will be encrypted with a key that no longer exists.

Case 2: the hard drive firmware supports a secure erase. Then maybe the manufacturer provides drivers or utilities to call that secure erase? I'm not sure how this handles SSD blocks that are starting to fail in a way that the data can't be written, but it can still be read forensically. Is that even a thing to worry about?

Case 3: you're not worried about advanced forensics. You are only really worried about attackers reading the uninitialized hard drive space from within the operating system. If an advanced actor wants to solder new chips onto your hard drive to read the fragments of data left in wear-levelling or failing sectors, let them. In this case, a single pass of 0's with dd, or some equivalent tool, will be sufficient (see other answers).

Case 4: none of the above As always, the only guaranteed way to ensure that data is unrecoverable is to physically destroy it:

Hard drive shredding

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
  • 2
    A good argument for destruction: A new 1TB SSD costs around 150 USD. The damage that could be caused is likely in the millions. So even assuming just 1,000,000 USD damage, you need to guarantee that there is only a 0.015% chance to recover the data or lower, or else it's better to just buy a new SSD. –  Apr 07 '20 at 07:49
1

0xFF, not zeroes. One wipe is adequate, three wipes are more than enough on NAND. Some software may cheat you when doing this type of write, however (for speed). Something like dd if=/dev/dero bs=4M status=progress conv=fdatasync will show the real write speed so you can plan when to come back to the systems you're wiping. If you're all about that jazz, try oflag=sync instead. Make pizzaz.

True, some data may be left in discarded blocks, but accessing those blocks is not trivial. SSDs discard a lot more blocks than spinning drives (HDDs), perhaps 10-20% of total capacity in the drive's lifetime. Cheap SSDs discard most. Google TRIM.

Get it right by creating a veracrypt container spanning the entire drive, and letting it overwrite existing data once (the default and only option).

See also https://wiki.archlinux.org/index.php/Securely_wipe_disk#Wipe_all_data_left_on_the_device

And Can I use Truecrypt/Veracrypt to "Wipe" a partition?

Honestly, you should use Bitlocker on corporate SSDs to avoid this problem. Then you only need to aggressively overwrite the key portion of the drive. If it is serious concern, also ensure that hiberfil.sys and pagefile.sys are destroyed. -> veracrypt

Try dd if=/dev/zero bs=4M status=progress | tr '\000' '\377' > /dev/sdX, though tr will make it slow.

See https://techgage.com/article/securely-erasing-your-ssd-with-linux-a-how-to/ for a quick way to erase, using hdparm.

user2497
  • 580
  • 2
  • 7