How do you Solve a Problem Like Data?

For the most part, IT Departments are tasked with the preservation of data. Backing it up, restoring previous versions, etc. But what about when you need to purposefully destroy data you don’t need any more? This may not even be restricted to PCs and Servers. When I bought a new car recently, I was shocked to discover the previous owners GPS data was still in the cars database, he lived in Gloucester! I flagged this to the garage – I’d already blanked my own Navigation system – and they commented that it should have been reset. People, however, forget they are only a forgotten USB drive or misplaced hard drive away from a potentially being headline news.

Decommissioning old hardware is a key component of any IT department. When I worked in local government we had a portable metal shredder – hardware went in one end and shrapnel came out the other. This might seem extreme, but is that really the case when weighed against the value of your data? As you might have gathered, at deeserve we’re big fans of the show “Mr Robot” and the realistic approach it takes to IT. There’s one episode in the first season where the main protagonist is concerned his systems have been infected and proceeds to take a power drill to hard hard drives and places his RAM sticks in the microwave. Whilst we aren’t advocating that, it isn’t too hard to find news articles about where data that should have been wiped has been discovered.

You might think just a simple format of a hard drive would be enough to destroy any data, but anyone who had to do an UNFORMAT C: /U might tell you otherwise. So what are your options?

Logical
For a long time, the tool of choice for scenarios like this has been DBAN (Darik’s Boot And Nuke). This blanks information stored on a hard drive with random data. It can do multiple passes over the hard disk until all data has been permanently erased. There are variations on this theme – DBAN hasn’t been actively developed since 2012 but is still used as a verb by those of us who used it almost exclusively back in the 2000s. Using something like this is almost a prerequisite before any recycling where the device might be reused in a different computer or situation.

The same is true for most personal devices such as phones and tablets. Running something like DBAN on them might not be straightforward and most manufacturers recommend doing a factory reset as an absolute first step. More recent devices (such as iPhones) encrypt their contents (a feature that has recently made the news several times) and by doing a factory reset you wipe out the decryption keys, the data might still be on the device but it’s in a form that’s going to be next to impossible to read.

Physical
As I alluded to earlier, actual destruction is perhaps the most secure method of destroying any data but then it prevents anything being recovered. There are companies with mobile shredders who can be hired by the hour so if you’ve got a lot of hardware to destroy then that might be an option but it can be surprisingly expensive. You can send hardware away to be destroyed and then get a certificate certifying so but it very much comes down to your companies policies regarding this. You could also invest in a power drill and/or a hammer but depending on how much damage you inflict (following safety protocols of course), data could still be recovered.

We don’t have to attack a drive – be it USB, hard or SSD – like they did in ‘Mr Robot’, but we do have to be aware of the ramifications of leaving sensitive data open to future prying eyes. It’s rare for IT support teams to consider actively destroying data, but when we do it needs to be permanent without any chance of recovery. Nobody wants to be a headline horror-story in the pages of The Register.

Posted on: 26th October 2020.