Media Sanitization How to get rid of unwanted data

Media Sanitization
How to get rid of unwanted data so no one else can get it
Do You Have Sensitive Data
• Excel spreadsheet of names, addresses, phone numbers, SSNs and credit card numbers
• Full database dump of KEAS or SIS
• Full time or student evaluations with names and SSNs
• Financial data – departmental or personal
• Contacts in Outlook with addresses, e-mails, phone numbers and birthdays
• Any credit card transactions – customers or purchases
• Web forms accepting eID and password
• Saved usernames and passwords for websites, e.g. banks, retirement fund
• Blueprints for constructing a nuclear weapon
K-State Policy
Draft policy on computer disposal:
.085 Disposal of Computers and Electronic Media
After local disposition has been authorized, it is the responsibility of the
department to ensure that all information is removed from computers and
electronic media (e.g., magnetic tapes, CDs, DVDs, hard drives, diskettes,
ZIP drives, USB drives, etc.) by physically destroying the media or
overwriting the data utilizing approved data destruction procedures before
it is disposed of by the department.
If the surplus computer is to be transferred to another entity for continued
use, the license(s) for any software remaining on the computer, such as the
operating system, must be transferable to the receiving department in order
to maximize the value of the computer and ensure compliance with software
license agreements. It is the responsibility of the transferring department to
make sure no other copies are retained unless allowed by license
agreements.
What can I do with it
• Keep it forever
• Throw it away
• Erase it
• Erase it securely – reuse media
• Erase it securely – don’t reuse media
• Destroy it
• Keep in mind that technology is constantly changing; take everything you hear with a grain of salt
Keep it forever
• A lot of people actually do this
• Easy and inexpensive
• Doesn’t get rid of it
• Someone gets to clean up the mess eventually
Throw it away
• Easy and inexpensive
• Be absolutely certain that there is no sensitive data on the device
• Almost impossible to guarantee – violation of policy
Erase it
• Drag all documents to recycle bin
• Empty recycle bin
• Format drive
• Sufficient to hide data from the casual looker
• Doesn’t remove data, just pointers in the file table
• Easy to recover data – Restorer 2000
Erase it securely – reuse media
• Usually a software-based solution
• DBAN, Eraser, KillDisk
• Leaves the drive functional / reusable
• Options to meet most stringent guidelines (DOD, NIST)
• Device must be functional to begin with
• Time consuming
• Requires some tools and knowledge
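The difference between the "Erase it" and "Erase it securely – reuse media" slides, as an added example that is not part of the original slides: a quick erase clears only the file-table pointer, while a full overwrite followed by a read-back check leaves no non-zero blocks. The toy image layout, file name, block size and SSN-like string are all constructed for the demonstration.

```python
import os
import tempfile

BLOCK = 4096  # block size of the toy image (assumption for this example)

def build_image(path, secret, blocks=64):
    """Constructed sample: block 0 is a toy file table, block 5 holds the data."""
    with open(path, "wb") as f:
        f.write(b"\x00" * BLOCK * blocks)
        f.seek(0)
        f.write(b"report.xls@5".ljust(32, b"\x00"))  # name -> block pointer
        f.seek(5 * BLOCK)
        f.write(secret)

def quick_erase(path):
    """What delete/format does: clear the pointer, leave the data blocks alone."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * 32)

def overwrite(path):
    """Single zero-fill pass over every block, flushed to stable storage."""
    size = os.path.getsize(path)  # a multiple of BLOCK in this toy image
    with open(path, "r+b") as f:
        for _ in range(0, size, BLOCK):
            f.write(b"\x00" * BLOCK)
        f.flush()
        os.fsync(f.fileno())

def residue_offsets(path):
    """Verification read-back: offsets of blocks that still hold non-zero bytes."""
    dirty = []
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk.strip(b"\x00"):
                dirty.append(f.tell() - len(chunk))
    return dirty

def demo():
    secret = b"SSN 000-00-0000"  # constructed value, not real data
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_image(img, secret)
        quick_erase(img)
        after_delete = residue_offsets(img)  # data block survives the "erase"
        overwrite(img)
        after_wipe = residue_offsets(img)    # nothing left to recover
    return after_delete, after_wipe

if __name__ == "__main__":
    print(demo())
```
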
Erase it securely – don’t reuse media
• Use a magnetic field to “scramble” magnetic domains on substrate
• Garner HD-1 (~$2000), degaussing ring
• May be used on any magnetic media – hard drives, tapes, floppy disks, etc.
• Generally destroys device (R/W heads) or erases low-level format – device unusable
• Potentially damaging to nearby devices
• Doesn’t work with optical media – CDs, DVDs
Destroy it
• Medium duty cross-cut shredder or microwave for CDs, DVDs
• Incinerate floppy disks
• Fast, inexpensive
• Doesn’t work for HDs
• Dangers – toxic fumes or hazardous waste, fire hazard
Destroy it, page 2
• Crush HDs – EDR Disk Crusher $11,500
• Drill or cut HDs – drill press or table saw with carbide tipped blades – the more tracks you sever the better
• Shred and/or melt HDs
– SEM Model 22 HDD - $50,000+, 3600 lbs.
– Outsource ~$7/drive – sending drive off-site
Resources
• Darik’s Boot and Nuke
http://dban.sourceforge.net/
• Eraser
http://sourceforge.net/projects/eraser
• KillDisk
http://www.killdisk.com/downloadfree.htm
• Garner HD-1
http://www.garner-products.com/pdf/hd-1.pdf
• EDR Disk Crusher
http://www.edrsolutions.com/solution.asp
• SEM Model 22-HDD
http://www.semshred.com/content551.html
• NIST Guidelines
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf