Trusted Solaris Operating System - Technical FAQs

Question

How do I remove sensitive information from a disk?

Answer

It's a wise precaution to remove sensitive data from computer disks before the disks are either transferred from one area to another or discarded. The process is referred to as disk sanitizing, cleaning, purging, or wiping.

The method you choose to sanitize a disk should depend on the security requirements of your organization.

Removing a file actually only removes the pointer to the file. Common utilities can often recover deleted files, so the data may still be recoverable. Three techniques available for disk sanitization are:

  • Overwriting
  • Degaussing
  • Destruction

Overwriting a disk by using the format(1MTSOL) command as described under Procedure is usually enough for most purposes, because it greatly reduces the chance that any data can be recovered from the disk. However, any data that remains can potentially be accessed by someone with enough expertise, determination, or money. To ensure that no one could ever recover data from a disk, you need to degauss or destroy it or keep it in a secure location until the disk is needed again.

Procedure

NOTE: The purge step is done twice (once with the manufacturer's defect list and once with the grown defect list) so that sectors that became defective over time are also overwritten. Otherwise they might continue to contain sensitive data.

  1. As system administrator or security administrator, enter format either on the command line or in single-user mode.

    command line:      $ format
    single-user mode:  # format
  2. When prompted, select the disk from the AVAILABLE DISK SELECTIONS list.

    Specify disk (enter its number):
  3. Enter defect after the format> prompt:

    format> defect
    DEFECT MENU:
    . . .
    defect>
  4. Enter primary after the defect prompt to read in the manufacturer's defect list and update the in-memory defect list.

    defect> primary
  5. Enter quit to return to the main FORMAT MENU.

    defect> quit
  6. Enter analyze.

    format> analyze
    ANALYZE MENU:
    . . .
    analyze>
  7. Enter purge, and when prompted, specify the slice that encompasses the entire disk.

    NOTE: This is slice 2 by default, but check this with the format command. At the top menu, choose the disk in question, then choose partition, then choose print. One partition should start at the beginning of the disk and go all the way to the end. (Typically, but not always, this is named "backup".)

    analyze> purge
  8. Enter quit to return to the main FORMAT MENU.

    analyze> quit
  9. Enter defect after the prompt to return to the DEFECT MENU:

    format> defect
  10. Enter both to update in-memory defect list with both the manufacturer's defect list and the grown defect list for another purge. This command also causes the combined defect list to be written to the working-list when you quit format.

    defect> both
  11. Enter quit to return to the main FORMAT MENU.

    defect> quit
  12. Enter analyze.

    format> analyze
    ANALYZE MENU:
    . . .
    analyze>
  13. Enter purge, and when prompted, specify a disk.

    analyze> purge
  14. Enter quit to return to the main FORMAT MENU.

    analyze> quit
  15. Enter quit to quit the format program.

    format> quit
Related Information

Data Remanence

Data remanence refers to the remaining magnetic or electrical representation of data that has been erased.

Overwriting

One organization wants a method to zero the freespace that remains within a UFS filesystem. The security officer is unconcerned about the "acceptable" risk posed by disk areas that are not accessible from user space. Using the format(1MTSOL) command as described under Procedure would satisfy this organization's requirements. The format command overwrites the available disk sectors with patterns that comply with the Department of Defense declassification regulations for data remanence.

For reasons explained in more detail under More About format, a slight possibility exists that data could still remain on a disk after the format command has been used to purge the disk.

Degaussing

Degaussing is a government-approved method that is less costly than destruction. Degaussing removes the remnants of previously recorded signals by destroying the recording layer's magnetic field. The disk is disassembled, degaussed, and reassembled in a secure location. Some organizations buy their own degaussers. Others make use of the outside firms that specialize in degaussing.

Destruction

Even if a disk is broken up, data is still potentially accessible. Approved destruction methods include:

  • Smelting, disintegration, or pulverization
  • Incineration
  • Removal of the recording surface by processes that include the application of an abrasive substance or acid followed by disposal of the remains

More About format

The format command works as follows when purging a disk.

  1. Three patterns are written to the disk:

    0xaaaaaaaa
    0x55555555
    0xaaaaaaaa
  2. The disk is read to verify that the third pattern is in each location.
  3. If the read pass is successful, the alpha_pattern is written to each location.

    0x40404040

format> analyze> purge removes all data from accessible sectors of the disk. However, not all sectors are accessible. Reserved sectors are set aside to replace sectors that become flawed during the disk's operations.

The (remote) possibility exists that a reserved sector could be used to store data before being replaced later by another reserved sector. If this occurs, there is no way for the format command to access the first replacement sector to purge its data. Even if you purge the disk using both the manufacturer's defect list and the grown defect list, the first replacement sector would not be cleared of possibly sensitive information.

The Procedure is totally effective unless both of the following have occurred:

  • A spare sector was used to replace a bad sector and had data written on it
  • The replacement sector (now with data on it) was replaced later by another spare sector
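The purge sequence above, and the twice-remapped spare sector that it cannot reach, as an added in-memory model (example code written for this FAQ, not Trusted Solaris or format(1MTSOL) code; sector sizes, the controller remap table and the 0xdeadbeef "secret" are constructed):

```c
/* Added example (not Trusted Solaris or format(1M) code): an in-memory model of
 * the purge pattern sequence and of the twice-remapped spare sector it cannot reach. */
#include <stdint.h>
#define WORDS   4            /* constructed: 32-bit words per sector */
#define LOGICAL 3            /* constructed: sectors addressable through format */
#define PHYS    5            /* constructed: the 3 logical sectors plus 2 spares */
#define ALPHA   0x40404040u  /* alpha_pattern written in the final pass */

typedef struct {
    uint32_t sect[PHYS][WORDS];  /* physical media, spare sectors included */
    int map[LOGICAL];            /* logical sector -> physical sector (controller remap) */
} disk_t;

/* Write pat to every addressable word, then read back; 1 if every word shows pat. */
static int write_all(disk_t *d, uint32_t pat) {
    for (int l = 0; l < LOGICAL; l++)
        for (int w = 0; w < WORDS; w++) d->sect[d->map[l]][w] = pat;
    for (int l = 0; l < LOGICAL; l++)
        for (int w = 0; w < WORDS; w++) if (d->sect[d->map[l]][w] != pat) return 0;
    return 1;
}

/* The sequence from "More About format": 0xaaaaaaaa, 0x55555555, 0xaaaaaaaa, verify
 * the third pattern, then the alpha pattern. Returns 1 when verify and final write succeed. */
int purge(disk_t *d) {
    write_all(d, 0xaaaaaaaau);
    write_all(d, 0x55555555u);
    if (!write_all(d, 0xaaaaaaaau)) return 0;   /* step 2: read-verify the third pattern */
    return write_all(d, ALPHA);                  /* step 3: alpha pattern */
}

/* Healthy disk: every addressable word ends up holding the alpha pattern. */
int fresh_purge_leaves_alpha(void) {
    disk_t d = { .map = { 0, 1, 2 } };          /* sect[] is zero-initialised */
    if (!purge(&d)) return 0;
    for (int p = 0; p < LOGICAL; p++)
        for (int w = 0; w < WORDS; w++) if (d.sect[p][w] != ALPHA) return 0;
    return 1;
}

/* The caveat above: logical sector 1 was remapped onto spare 3, sensitive data was
 * written, then spare 3 failed and was remapped onto spare 4. The purge now rewrites
 * physical 0, 2 and 4, but nothing addresses spare 3 any more. 1 if the secret survives. */
int orphaned_spare_keeps_data(void) {
    disk_t d = { .map = { 0, 3, 2 } };          /* logical 1 already lives on spare 3 */
    for (int w = 0; w < WORDS; w++) d.sect[3][w] = 0xdeadbeefu;  /* constructed secret */
    d.map[1] = 4;                                /* second remap: spare 3 is orphaned */
    purge(&d);
    return d.sect[3][0] == 0xdeadbeefu;
}
```

Degaussing or destruction is what reaches such an orphaned sector; no command issued through the controller can address it.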
Related Documentation

format(1MTSOL)

NCSC-TG-025, A Guide to Understanding Data Remanence in Automated Information Systems, Sept 1991, National Computer Security Center

DISPOSITION OF SENSITIVE AUTOMATED INFORMATION, Computer Systems Laboratory bulletin from Idaho State University. October 1992

Applies to Trusted Solaris Release

all (also to Solaris releases)
