Anyone who looked at The Guardian’s website in the last week will have seen a picture of one of the newspaper’s own laptops smashed and in pieces. Why did this Mac have to die?
The article accompanying the photo describes how The Guardian was visited by representatives of GCHQ who, believing The Guardian were using the laptop in question to store files provided by the NSA whistleblower Edward Snowden, demanded that the data on it should either be handed over to them, or destroyed.
The fragments of computer pictured on The Guardian’s website make it clear that they chose the second option. Leaving aside the rights and wrongs of an intelligence agency interfering with journalists, and the fact that electronic data is very easily replicated, was it really necessary to smash up a computer in order to make sure the data was really gone? Well, truly deleting data might be harder than you think.
A standard computer will store your files on a “hard drive”; specifically a stack of spinning disks coated in a magnetic film. This film acts like billions of tiny magnets, each of which can be in one of two positions, representing either a one or a zero. All of your files: documents, pictures, music and movies, are encoded on these disks as sequences of ones and zeros. To keep things organised, the hard drive has a table of contents that indicates which parts of the drive are currently in use and where each file is stored.
Deleting a file only removes the file’s entry from the drive’s table of contents; the ones and zeros that make up the file stay exactly where they were. Until that space is reused and overwritten, anyone with raw access to the drive can scan for this ghost data and reconstruct the file, with no table of contents needed. An analysis of second-hand hard drives bought on eBay found that 40% contained personal information recoverable in exactly this way.
A more thorough method is to overwrite the file’s data, usually several times and with random values, and only then delete it. This is the standard method of “securely deleting” files used by many businesses. There are free applications that will do this for you on Windows (for example, Eraser); on a Mac it can be done via the “Securely Empty Trash” option in the Finder menu, and on Linux you can use the “shred” command. One caveat: overwriting in place only works if the filesystem actually puts the new bytes where the old ones were. shred’s own documentation warns that journaled and copy-on-write filesystems, and drives that remap blocks internally, may leave copies of the old data elsewhere.
Even a correct overwrite has been argued not to be the end of the story: under a magnetic force microscope, a tiny magnet that has recently been switched from a 1 to a 0 may look slightly different from one that has sat in the 0 position for a long time, so a well-equipped lab might in theory reconstruct what was there before. Whether this works against a modern high-density drive has never been publicly demonstrated, but the uncertainty alone is a problem. A further complication is that it would have been hard for The Guardian to prove to GCHQ that an overwrite had been carried out correctly and completely; showing GCHQ the smashed pieces of a hard drive is far more conclusive evidence than a log saying “wipe finished”.
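The difference between “delete” and “destroy” described above is easy to see in a model. The following is an added example, not code from the original article: it simulates a tiny disk as a byte array with a separate table of contents, shows that an ordinary delete leaves the file recoverable by signature carving (the technique used to pull files off second-hand drives), and that an overwrite followed by a read-back check does not. The class and function names, the constructed sample “document” and the %PDF/%%EOF signatures are all assumptions for this illustration.

```python
"""Toy model of a disk: why deleting a file does not destroy it.

All names, sizes and the sample document are constructed for this example.
The 'table' stands in for the filesystem's table of contents; 'media' for
the magnetic platters.
"""
import os
import re

DISK_SIZE = 4096
DATA_START = 512  # bytes below this are notionally reserved for metadata


class ToyDisk:
    def __init__(self):
        self.media = bytearray(DISK_SIZE)  # the "platters": all zeros to start
        self.table = {}                    # name -> (offset, length)
        self.next_free = DATA_START

    def write(self, name, data):
        """Append data to the first free region and record it in the table."""
        if self.next_free + len(data) > DISK_SIZE:
            raise IOError("disk full")
        off = self.next_free
        self.media[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        self.next_free += len(data)
        return off

    def delete(self, name):
        """Ordinary delete: drop the table entry, touch no data bytes."""
        del self.table[name]

    def secure_delete(self, name, passes=3):
        """Overwrite the file's extent with random bytes, then drop the entry."""
        off, length = self.table[name]
        for _ in range(passes):
            self.media[off:off + length] = os.urandom(length)
        del self.table[name]

    def verify_wiped(self, off, length, needle):
        """Read the extent back and confirm the plaintext is gone.

        This is the self-verification step an overwrite gives you and
        physical destruction does not: a pass/fail you can log.
        """
        return needle not in bytes(self.media[off:off + length])


def carve(media, start_sig, end_sig):
    """Signature carving: recover files from raw media with no table at all.

    Scans for start_sig ... end_sig (non-greedy), the way forensic tools
    recover 'deleted' documents, pictures or mail from second-hand drives.
    """
    pattern = re.compile(re.escape(start_sig) + b".*?" + re.escape(end_sig),
                         re.DOTALL)
    return [m.group(0) for m in pattern.finditer(bytes(media))]


# Constructed sample document with a PDF-like header and trailer.
SAMPLE_DOC = b"%PDF-1.4 constructed sample: account 1234-5678 %%EOF"


def demo_plain_delete():
    """Delete via the table only; carving still finds the whole document."""
    d = ToyDisk()
    d.write("notes.pdf", SAMPLE_DOC)
    d.delete("notes.pdf")
    return "notes.pdf" in d.table, carve(d.media, b"%PDF", b"%%EOF")


def demo_secure_delete():
    """Overwrite then delete; carving finds nothing and read-back confirms it."""
    d = ToyDisk()
    off = d.write("notes.pdf", SAMPLE_DOC)
    d.secure_delete("notes.pdf")
    recovered = carve(d.media, b"%PDF", b"%%EOF")
    return recovered, d.verify_wiped(off, len(SAMPLE_DOC), b"1234-5678")


if __name__ == "__main__":
    print("plain delete   ->", demo_plain_delete())
    print("secure delete  ->", demo_secure_delete())
```

The model is deliberately small, but the failure mode is the real one: `carve` never consults the table, so anything `delete` leaves behind is fair game. It also shows the caveat from the text: `secure_delete` only helps because this toy disk writes in place; a filesystem that relocates blocks would leave `SAMPLE_DOC` intact somewhere `verify_wiped` never looks.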
Smashing a hard drive is a sure way to stop it functioning as intended. Companies that specialise in the mass destruction of data put hard drives through an industrial shredder. But even this may not be enough to ensure the data really is unreadable: each fragment of platter still carries the ones and zeros that represent the files, and with advanced lab equipment they could in principle be read and pieced back together. The Guardian reports that they used angle grinders to destroy their drive, which would probably have reduced the platters to pieces too small to read. In which case, we can be reasonably sure that the data on the laptop in question is gone.
Justified or not, the complete destruction of The Guardian’s hard drive was the only sure way to be certain that the data was really gone, but many questions remain. For example, the pictures on the Guardian’s website only showed the smashed case and main computing boards, not the computer’s memory and hard drive. So what happened to the actual hard drive that stored the data? Why were parts of the computer that hold no data also smashed?
It’s unlikely that The Guardian or GCHQ will be providing answers to these questions anytime soon. So that leaves us with one final question (originally posed by security expert Matt Blaze): does an AppleCare warranty cover the destruction of a computer due to interference by the secret services? Let’s hope so, because it looked like a nice laptop.
Tom Chothia is Lecturer in Computer Science at University of Birmingham. He does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.
This article was originally published at The Conversation. Read the original article.
Comments
10 responses to “How Do You Properly Destroy A Hard Drive?”
… Most people just use an electromagnet….
They really don’t… Enjoy having your identity stolen.
As long as you remove the hard drive’s shielding, there is basically no protection against it, even with regular magnets – with an electromagnet you can usually leave the casing on.
http://www.networkworld.com/news/2006/062706-guard-dog.html
Admittedly a bit outdated, but the technology hasn’t really changed (though shielding might be better?).
If you want to be absolutely sure about data destruction, destroying the drive is fairly well accepted (though considered wasteful).
The issue people had with this were:
a) The menacing and questionably-legal tactics used
b) The destruction of the entire laptop rather than just the hard drives.
If they wanted to destroy the data securely there were ways that were much less dramatic, forceful, and destructive to the property of others. If they’d simply swapped in a clean drive (and possibly RAM) on-site and then securely destroyed the drives it would have accomplished the same goals in the same illicit way, but it wouldn’t have sent the right message to the newspapers.
Please note that if you are destroying a hard drive, remember to keep the super powerful magnets that are in there. They are a lot of fun.
Throwing it into the fires of Mt Doom would work well.
Just install Vista on it and then no one will be able to find anything.
Just bore a hole / multiple holes in the disc?
Then the data between the holes may be recoverable.
Extreme heat is probably the most effective way. Hard drive platters are normally made of glass or aluminium. The particles holding the data are typically a cobalt alloy (or iron oxide with some older drives). Aluminium has a melting point of around 660C; glass, iron and cobalt all have melting points of around 1500C.
Also, heat tends to scramble magnetic patterns.
So put the hard drive in a 2000C environment for a few hours and you’ll have a puddle of demagnetised metal and possibly glass. A blast furnace will probably do the job (think Terminator 2).
If you lack an oven of that temperature, an arc welder exceeds those temperatures so you could melt your drive with one of those.
Practically speaking, however, an angle grinder will almost certainly be sufficient (and much cheaper).
Perhaps semtex or thermite.
There’s a lot of misinformation about data sanitization and IT departments are starting to mature in how they deal with retired hard drives. There are a number of key points to ensure a secure data destruction process:
1) Any form of physical destruction that leaves the disk platter intact is not 100% secure because the data is still present even on platter fragments and could be read in a lab environment. This eliminates shredding the disk, drilling holes in the drive, shooting the drive (we’ve talked to many banks that still take drives out to the shooting range), bending the disk, and taking a hammer to the drive. The only form of physical destruction that seems to guarantee data destruction is grinding the disk into particles small enough that 0s and 1s can’t be read from them. There are actually specifications that indicate how small the particle size needs to be to be considered secure.
2) Audit logs are a vital part of any secure process. With physical destruction, common practice is to scan the hard drive serial number and then toss it into the shredder (like in the posted video). There is much room for human error and manipulation. A worker could scan a drive and then pocket it rather than destroy it. Or they may destroy it accidentally without scanning it. Either way you end up with reporting that is prone to error.
3) Methods such as degaussing can be effective but would have to be verified by a second party to ensure data is properly destroyed. Like other forms of physical destruction it is not self-verifying.
4) If software tools are used, you must use a certified tool that wipes DCOs, HPAs, and re-mapped sectors. Free or consumer tools do not perform a comprehensive wipe.
5) To my knowledge the idea that overwritten data can still be recovered based on bit ghosting has never been empirically proven even though it makes a degree of logical sense. Overwriting multiple times would solve this potential problem. This is why many organizations use a DoD 5220.22-M wipe pattern which consists of 3 wipe passes.
6) Speed in destroying data is an equal risk to the method of destruction. Most companies let retired drives sit around for months before they are destroyed or sanitized. The data is vulnerable through this time period while the drive is moved to various secure or insecure locations and handled by a variety of employees and third parties. Many organizations completely rely on a 3rd party leasing company or recycler to sanitize their data. By the time it reaches the third party it’s not uncommon for drives to have sat around unsecured for over a year.
7) Redundancy is a best practice. Retired drives should be wiped using software the same day or week they are decommissioned. If they are then physically destroyed by a leasing company or recycler, this serves as a redundant step in your process which is a good thing since it is a backup measure to ensure the data was destroyed.
Full Disclosure: I work for WhiteCanyon Software, maker of WipeDrive. This makes me very well informed on the topic of data sanitization but also somewhat partial to software wiping as an optimal tool.