
File Shredding Levels and Standards

This article describes the standards supported by FileCenter's file shredding, along with a summary of the most common standards.

Often-Cited Standards

Many electronic file shredders inaccurately cite Department of Defense standards for file shredding. Here are the commonly-cited sources:

DoD 5200.28-STD:

The document is called "Department of Defense Trusted Computer System Evaluation Criteria". Software vendors wrongly cite this as the "DoD seven-pass standard" or "DoD three-pass standard". This document does not lay out any shredding procedures or standards. It only states general, non-specific guidelines. Instead, the specific procedures come from DoD 5200.28-M (below).

DoD 5200.28-M:

Published in 1973(!), this manual lays out specific procedures that will satisfy the guidelines of DoD 5200.28-STD (above). This is the first published government description of how to wipe data from a hard disk. In section 7-202, it states:

[A]ll storage locations will be overwritten a minimum of three times, once with the binary digit 1, once with the binary digit 0, and once with a single numeric, alphabetic, or special character. (DoD 5200.28-M, section 7-202)

DoD 5220.22-M / NISPOM:

NISPOM is the National Industrial Security Program Operations Manual. Its DoD reference is DoD 5220.22-M. This is the most heavily-referenced document.

Software vendors wrongly cite this as a "seven-pass standard". This document simply restates and expounds on the DoD 5200.28-M three-pass procedure:

Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION. (DoD 5220.22-M (1996), section 8-306)

The most recent version of NISPOM (2006) has dropped specific procedures and now only specifies the following:

8-301. Clearing and Sanitization. Instructions on clearing, sanitization and release of IS media shall be issued by the accrediting CSA.
a. Clearing. Clearing is the process of eradicating the data on media before reusing the media in an environment that provides an acceptable level of protection for the data that was on the media before clearing. All internal memory, buffer, or other reusable memory shall be cleared to effectively deny access to previously stored information.
b. Sanitization. Sanitization is the process of removing the data from media before reusing the media in an environment that does not provide an acceptable level of protection for the data that was in the media before sanitizing. IS resources shall be sanitized before they are released from classified information controls or released for use at a lower classification level. (DoD 5220.22-M (2006), section 8-301)

Gutmann Standard:

Finally, some commercial utilities provide 35-pass "Gutmann" shredding, which is based on a study by Peter Gutmann in which he laid out a 35-pass shredding pattern. But this 35-pass algorithm was for a very specific type of legacy hard drive. In his own Epilogue, Gutmann states:

In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods.... [Y]ou never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.
Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps one or two levels via basic error-canceling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. Conversely, with modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero.
(http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html)

Techniques Used in FileCenter

FileCenter provides three wiping options: Low Shred, Medium Shred, and High Shred, as follows:

Low Shred: Overwrites the file with one pass of random data. This is adequate to prevent undelete utilities from restoring the file.

Medium Shred: Overwrites the file with one pass of binary "0" bits, one pass of binary "1" bits, and one pass of random data. This matches the old DoD 5200.28-M/DoD 5220.22-M procedure and is adequate for all but the most extreme circumstances.

High Shred: Overwrites the file with seven passes, alternating between binary "0" bits, binary "1" bits, and random data. As Gutmann states, "[f]or any modern ... drive, a few passes of random scrubbing is the best you can do." (see above)
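The three levels above written out as overwrite schedules, as an added example (this is not FileCenter's code). The `SCHEDULES` mapping, the order of the seven passes, and all function names are assumptions; the read-back check mirrors the "and verify" step in the DoD 5220.22-M (1996) text quoted earlier, and the code assumes the filesystem and device rewrite the file's blocks in place.

```python
import os
import secrets

# Assumed mapping of the article's levels to pass lists: 0x00 = all "0" bits,
# 0xFF = all "1" bits, None = random data. The seven-pass order is an
# assumption; the article only says the passes alternate between the three.
SCHEDULES = {
    "low": [None],
    "medium": [0x00, 0xFF, None],
    "high": [0x00, 0xFF, None, 0x00, 0xFF, None, None],
}
CHUNK = 64 * 1024


def pattern(fill, n):
    """Return n bytes of the fixed fill value, or n random bytes for None."""
    return secrets.token_bytes(n) if fill is None else bytes([fill]) * n


def overwrite_pass(path, fill):
    """Overwrite the file in place once; read fixed-pattern passes back."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining:
            n = min(CHUNK, remaining)
            f.write(pattern(fill, n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push this pass out before the next one starts
        if fill is not None:
            f.seek(0)
            while chunk := f.read(CHUNK):
                if chunk.count(fill) != len(chunk):
                    return False
    return True


def shred(path, level):
    """Run every pass for the level, then delete; returns passes completed."""
    done = 0
    for fill in SCHEDULES[level]:
        if not overwrite_pass(path, fill):
            raise OSError(f"verification failed on pass {done + 1}")
        done += 1
    os.remove(path)
    return done
```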
