Data destruction - regulations and actual effectiveness.


This is a description of a presentation under the same title given at the Semafor conference on 15 March 2024 in Warsaw. Due to time constraints, the presentation itself had to be somewhat shortened, and the description provided here is more extensive than the original talk. However, to better understand the issue of secure and effective data destruction, it is worth deepening your knowledge of data storage media and the physics of information storage from other sources as well. The original presentation is available here.

Why do we destroy data?


The invention of various methods of data recording became the foundation of civilization's development. Initially, these were incisions made on bones and sticks, knots tied on strings, later wedges impressed on clay tablets, and hieroglyphs painted on papyrus. These methods allowed information to survive independently of human memory, facilitating the accumulation of knowledge and experience and its transmission to subsequent generations.
Further development led to the invention of alphabetic writing, allowing for the recording of any content using a small number of symbols. The invention of printing and movable type made mass reproduction and dissemination of information simple and inexpensive. Another civilizational breakthrough was the emergence of computers and the internet, which enabled even easier access to data stored in digital form.
However, information was also frequently destroyed. Sometimes as a result of accidents, random events, the natural degradation of media, or mindless, barbaric acts of destruction, but also in targeted and deliberate ways. In this way, the cultural heritage of conquered nations was erased, religious leaders suppressed manifestations of heresy, and rulers destroyed literature that spread dissident ideas. The most famous example of information destruction was the double burning of the Great Library of Alexandria, which resulted in the irretrievable loss of a significant portion of ancient literature.
Today, books are burned much less frequently, but this does not mean that censorship and attempts to control the flow of information have been abandoned. But this is only one reason for data destruction. Transferring a significant portion of information related to our personal and professional lives to digital media is, on the one hand, convenient, but on the other, it significantly increases the risk of unauthorized access, and thus the potential for malicious use.
For this very reason, digital data sanitization has become an important element of cybersecurity. Numerous more or less adequate standards have emerged regulating data destruction procedures in a way that, at least in principle, ensures the security and effectiveness of the process. Numerous regulations are also developing that specify the obligation to appropriately destroy data in certain situations – from international legal acts, such as the GDPR (General Data Protection Regulation), through national laws establishing various types of official and professional secrets, to internal regulations in force in various public and private organizations.
In addition to legal obligations, we also have contractual obligations. This allows us to commit to maintaining the confidentiality of certain information and its proper protection, including its destruction when it is no longer needed. We can also destroy data without any specific obligations, simply to protect our interests and privacy. In extreme cases, we can also destroy data to avoid liability for errors, unethical behavior, or even crimes committed, if this information could be used as digital evidence against us.
It might seem that the need for proper information destruction in certain situations should be obvious, yet we still face numerous data leaks caused by negligence. The situation is even more dire when it comes to understanding the principles of operation of data storage media and the physics of information storage. This problem also affects the authors of standards describing data sanitization procedures, which often result in provisions that are bizarre in light of technical knowledge.

Basic information about data carriers.


The development of electronics and computing technology created a need for data storage media that the new devices could use. Initially, punched cards and punched tape, in use since the 19th century, were adopted, but in the mid-20th century magnetic media were developed – tapes and hard drives, and later floppy disks. Over time, these media completely replaced paper media, but since the beginning of the 21st century they have had to compete with semiconductor devices using Flash-NAND memory. Meanwhile, laboratories are developing a wide range of new types of data storage media, often utilizing physical phenomena related to resistance changes.
It is precisely these physical phenomena used to store data that form the basis of the most popular classification of information storage media. The division into paper, magnetic, optical, semiconductor, and resistive media is widely known, but the physics behind data storage often remains misunderstood, leading to myths and misconceptions about the effectiveness of data destruction. Due to the breadth of these topics, it will not be possible to explain them in detail in this article.
Another popular distinction between data storage media is between analog and digital. Digital media store data in the form of logical states interpreted as zeros and ones, making them easily understood by machines. Other data storage media are analog.
It's important to remember that the basis of every digital logical state is some analog physical state, which is interpreted during the data decoding process as a logical zero or one. A good example to illustrate the assignment of logical states to physical states is punched cards, where specific logical values can be assigned to "full" spaces or punched holes. Perhaps precisely because the physical state underlying the logical state in punched cards is easily discernible even to a layman, they are often considered analog storage media.
An important classification for information deletion is the division of data storage media into volatile (energy-dependent) and nonvolatile (energy-independent). The volatile media maintain their logical states only when powered and lose them immediately upon disconnection from the power source. Therefore, to erase data from them, simply disconnecting the power supply is sufficient. Examples of volatile storage media include DRAM (Dynamic Random Access Memory) chips used as operative memory and SRAM (Static Random Access Memory), often used as processor caches.
Non-volatile storage media, on the other hand, can maintain logical states independently of power for very long periods of time, even decades with proper storage. In their case, deleting data requires deliberate action. A further division, into rewritable and write-once media, is also important here.
Write-once storage media can be written to only once, and their content cannot be changed. Therefore, to destroy the data stored on them, it is necessary to physically destroy the entire storage media. However, in the case of rewritable storage media, their content can be replaced with another, which opens up the possibility of destroying information by overwriting it without destroying the storage media itself.
It is also important to note that the cloud, network drives, and similar resources are not a separate category of storage media. Behind each type of network resource stands a real infrastructure, which also includes physical storage media of various types. A special feature of such resources is that they are often administered by other entities and the user does not have physical access to the media, which limits their options for destroying information and their control over copies of data stored in such resources.

Standards governing data destruction.


To ensure safe and effective data destruction, many institutions have developed procedures, some more or less detailed. Some, especially those developed by government and military institutions, are widely trusted and have gained significant popularity. Data destruction companies often declare their procedures to be compliant with popular standards, as this is what their customers expect.
It is quite common to believe that the procedures described in the standards somehow reflect the technical capabilities of data recovery by police forces, intelligence agencies, and similar organizations. In reality, this is not the case – these standards are usually created by officials, often with very limited technical knowledge. To see this, one need only consider the significant discrepancies between various regulations (for example, differences in recommended overwrite patterns and the number of overwrite passes), even though physics is the same for all.
And it is physics that determines how data is stored in various types of media, as well as how it can be destroyed and under what circumstances it can be recovered. All regulations are secondary to the laws of physics and the technical solutions based on them. Differences between individual standards and procedures stem primarily from their inconsistency with the technical knowledge and physics of data storage.
Different data destruction standards were developed at different times and reflect varying degrees of technological advancement and understanding of data recovery capabilities. For example, older regulations typically required a greater number of overwrite passes than newer ones. Significant similarities can be observed between some standards. For example, IEEE 2883-2022 was clearly inspired by NIST SP 800-88, while DIN 66399 and ISO/IEC 21964 are thoughtless adaptations of the DIN 32757 standard, which governs the destruction of paper documents, lacking any understanding of the physics of storing information in digital storage media.
When destroying data, it's important to remember that the effectiveness of the process is determined by the laws of physics and the appropriateness of the chosen method to the type of storage media. Various regulations often recommend unnecessary redundancies (e.g., multi-pass data overwriting algorithms), but there is also a risk of ineffective destruction of information even when the procedure is followed to the letter. Therefore, while following the procedure correctly can protect us from liability, choosing the wrong procedure may not protect us from data leakage. Regardless of knowledge of the regulations, it is therefore also worth knowing and understanding at least the basics of the physics of data storage.

Below is a list of the most popular standards regulating data destruction:

AFSSI-5020 (Air Force System Security Instruction 5020),
CSEC ITSG-06 (Communication Security Establishment Canada, Information Technology Security Guide – 06)
DIN 66399 (Büro- und Datentechnik – Vernichten von Datenträgern; Office and data technology – Destruction of data carriers),
HMG IS5 (Her/His Majesty's Government Infosec Standard 5),
IEEE 2883-2022 (Institute of Electrical and Electronics Engineers, Standard for Sanitizing Storage),
ISO/IEC 21964 (International Standard – Information technology – Destruction of data carriers),
NAVSO P-5239-26 (Navy Staff Office Publication 5239-26, Information Systems Security Program Guidelines),
NISPOM DoD 5220.22-M (National Industrial Security Program Operating Manual, Department of Defense 5220.22-M),
NIST SP 800-88 (National Institute of Standards and Technology, Guidelines for Media Sanitization),
NCSC-TG-025 (National Computer Security Center, Technical Guidelines 025, A Guide to Understanding Data Remanence in Automated Information Systems),
RCMP TSSIT OPS-II (Royal Canadian Mounted Police, Technical Security Standards for Information Technology, Media Sanitization),
VSITR (Verschlusssachen-IT-Richtlinien; Classified Information IT Guidelines),
ГОСТ Р 50739-95 (Средства вычислительной техники. Защита от несанкционированного доступа к информации. Общие технические требования; Computing equipment. Protection against unauthorized access to information. General technical requirements).

When is data actually destroyed?


Effective data destruction occurs when, after the destruction operation, data recovery is impossible. The impossibility of recovering destroyed data should be considered from the perspective of the laws of physics. If there is even a potential possibility of data recovery, it cannot be considered effective destruction, even if recovering the data would be an extremely complex, expensive, and lengthy process.
A common mistake is to assess the effectiveness of information destruction based on the capabilities of commonly used data recovery methods, as well as the value of the data and the technical and financial capabilities of a potential adversary. If questions such as "who will want it?", "who will be able to do it?", or "who will be able to afford it?" arise during the data destruction process, the process is likely being performed incorrectly. This is especially true if the answers to these questions are provided by people with insufficient technical knowledge.
As a result, these individuals often overestimate the significance of trivial faults (e.g., broken interface connectors or simple electronic damage) and underestimate the capabilities of adversaries who are not only potentially willing to develop new methods for recovering information, but also possess very typical data recovery capabilities. Data recovery often encounters practical obstacles related to time and budget constraints, problems with the availability of necessary parts, or the complexity of some tasks that are more suitable for research projects than commercial services. However, failure to recover data due to a specific cause does not necessarily mean that the data has been irreversibly destroyed.
As long as the data physically exists on a medium and can potentially be recovered, it cannot be considered effectively destroyed. In particular, a lack of knowledge and skills required to recover data in a specific case is not a sufficient basis to conclude that the data is truly unrecoverable. And even if the use of a specific method sometimes effectively destroys data, this does not always prove its effectiveness in every situation. A data destruction method can only be considered effective if it produces repeatable results and is not dependent on random factors.
On the other hand, in some situations, unnecessary data may be so uninteresting and worthless that no one would be willing to make even the slightest effort to access it. In extreme cases, this data could be left on a storage device that no one would even bother to connect to a computer. But in such a situation, would it be rational to consider this data effectively destroyed? Why, then, are we so often inclined to consider data effectively destroyed when, from a physical perspective, recovery is still possible, and often not even difficult?

What are we actually destroying? Media and data.


A common mistake in information destruction is equating data storage media with their content. This was done by, among others, the authors of the DIN 66399 and ISO/IEC 21964 standards. This error typically leads to the conclusion that effective data destruction requires physical destruction of the media. A second consequence of equating media with their content is the false belief that damaging the media always effectively prevents access to the information stored on it.
In reality, physical destruction of the media for irreversible data deletion is necessary only in the case of write-once media or damaged media. In these cases, it is impossible to change the physical state of the media to replace the destroyed information with another, worthless one. In the case of functional rewritable media, data can be effectively destroyed by overwriting, that is, changing the physical state of the media so that it is interpreted as a different logical state.
While the first consequence of identifying the media with its content merely results in unnecessary costs associated with choosing a more expensive data destruction method and the loss of the media itself, the second poses a direct threat to the security of the information destruction process. Damage to the media can result in it no longer being recognized by the computer and no longer responding to commands. This behavior makes it difficult to verify whether data was destroyed correctly, and in those with a lesser understanding of the technology, it may lead to the false belief that the data is unrecoverable.

[Photo: hard disk drive with mechanically damaged electronics]

In fact, in many cases of failure, especially those caused by amateur methods, data is recoverable. An example of such ineffective data destruction is the disk shown in the photo. The damaged electronics must be replaced, and in such situations it is often necessary to replace the head stack assembly as well, but in most such cases the data is recoverable in practice.

Data destruction methods and their effectiveness.


Classification of data destruction methods.


Data destruction methods are most often divided into software (logical) and hardware (physical). Hardware methods are commonly considered more effective than software ones, but this approach is unjustified. If a method of information destruction is effective, the data cannot be recovered after its application. This means that the effect of information destruction cannot be achieved to a greater extent, so among effective methods none can be considered more effective than another. Only ineffective methods, i.e., those that merely hinder data recovery to a greater or lesser extent, can be compared in terms of the difficulty of recovering data after their application.
The advantage of physical data destruction methods is that they can be applied to any type of media and in any technical condition. Software methods can only be used with functional, rewritable media, allowing their content to be replaced with another. The most significant disadvantage of physical methods is that the information is destroyed along with the media. Furthermore, when choosing a data destruction method, it's important to consider its suitability for the media type, as each type of media has its own sensitivity to various physical factors.
Sometimes, data destruction methods are classified differently. For example, the NIST SP 800-88 and IEEE 2883-2022 standards divide information destruction methods into three categories: Clear, Purge, and Destroy. While the Destroy category could be perceived as distinguishing physical from software methods, the distinction between Clear and Purge seems somewhat artificial. Justification for this division is even more difficult to find because some methods, such as overwriting, are classified in both categories at once.
The inclusion of demagnetization, a typically physical method of information destruction, in the Purge category does not help in making sense of this classification. Because demagnetization destroys not only user data but also all other records, including the servo signal and the contents of the service zone of hard drives, its use renders most magnetic data carriers useless. For this reason, it would be more appropriate to place it in the Destroy category.
At the same time, the approach of these standards to the effectiveness of data destruction is very unclear and inconsistent. The authors of these standards link the recommendations for selecting a data destruction method to the classification of its content and seem to allow the use of ineffective destruction methods for less important data. Given the wide selection of effective methods, such an approach is absurd. Another problem with the above-mentioned standards is the automatic assignment of higher effectiveness to methods classified as Destroy and lower effectiveness to methods classified as Clear, unjustified by technical knowledge.

Software methods of data destruction.

A major advantage of software data destruction methods is the ability to destroy only selected data. The effectiveness of logical methods relies on altering the physical state of the medium so that, when read, it is interpreted differently than originally. Therefore, all effective software data destruction methods can be reduced to overwriting a specified area. However, to ensure the security of these methods, the process must be carried out with appropriate accuracy.

Deleting files at the file system metadata level.


In most cases, after deleting a file in the file system metadata, it is still recoverable. This is especially true if deletion involves moving the file to the system recycle bin, that is, moving it to a special directory. Therefore, this method cannot be considered effective in any way.
This assessment is not altered by the fact that in many practical situations, recovering certain files proves impossible. This happens for various reasons. Most often, this occurs due to subsequent overwriting of files or their fragments with new content, and in the case of SSDs and some other Flash-NAND devices, also as a result of the TRIM function. However, in the case of intentional data destruction, the results of the process cannot be left to random factors.

Formatting the partition.


Formatting a partition can, under certain circumstances, be an effective method of data destruction. After a quick format, which merely creates new metadata for an empty partition in place of the previous one, data can generally be recovered. This formatting method is fast, but leaves most of the old partition's content intact and, unless overwritten with new files, still recoverable.
The situation is different with a full format, sometimes incorrectly called a low-level format. (A true low-level format creates the structure of tracks and sectors on the disk; for about 30 years it has been possible only under factory conditions, but when the user could still perform it, it effectively destroyed data.) A full format zeroes the entire partition before creating new metadata, which overwrites the previous content and renders it unrecoverable. The TRIM function, combined with the physical erasure of blocks in solid-state drives, can also prevent data recovery from a formatted partition, but this requires some time (usually from several to several dozen minutes) for the firmware to complete its background processes.

Data overwriting.


Data overwriting involves replacing the information we want to destroy with worthless content. This is only possible with rewritable media, where the content can be freely changed. Data is destroyed during the first overwrite pass, as writing new information changes the physical state of the media so that it is logically interpreted according to the overwrite pattern. The effectiveness of data overwriting also does not depend on the overwrite pattern used, as long as it differs from the data being destroyed.
The accuracy of overwriting is crucial for the security of this information destruction method, as data can persist in unoverwritten physical allocation units. Therefore, when setting process parameters, it is important to pay attention to the range of sectors to be overwritten and to consider areas beyond the LBA (Logical Block Addressing) zone, such as HPA (Host Protected Area) or DCO (Device Configuration Overlay). Difficulties can also be caused by media in which LBA addressing is not strictly related to physical addressing, such as solid-state media, Shingled Magnetic Recording (SMR) drives, or NAND buffers in SSHDs (Solid State Hybrid Drives). In these situations, it is often worthwhile to use Secure Erase or Block Erase procedures.
The issue of the need for accuracy in data overwriting and the risks associated with sectors outside of LBA addressing was discussed in more detail by Dai Shimogaito in his presentation "Exotic data recovery & paradais" in 2016 at the "Code Blue" conference in Tokyo. The most important element of this presentation was booting the Windows XP operating system from a WD20WZRZ-00Z5HB0 hard drive previously overwritten using the Secure Erase procedure. The system was hidden from destruction by interfering with the LBA-to-physical address translation subsystem.
Each hard drive has a number of excess physical sectors above the nominal capacity of the medium. Some sectors are found to be damaged in factory tests and cannot be used, some serve as reserve sectors, and some remain unused and have no LBA numbers assigned. The number of such sectors is around 0.6-0.7% of the total drive capacity, which in the case of a 2 TB drive gives approximately 12-14 GB of hidden capacity.
To achieve the effect demonstrated by Dai Shimogaito, it is necessary to craft and hide a translator module (31) in the drive's service zone, addressing different physical sectors than the original translator. The location of this translator is indicated by an alternative module directory (01, DIR). In turn, the location of the module directory in the service zone is indicated by module 20B, stored in EEPROM on the drive electronics. After appropriate modification of the firmware modules indicated above, we can have two different translators addressing physical sectors differently. To select one of them, use the appropriate electronics board with a programmed 20B module pointing to the module directory redirecting to the selected translator.
This method can hide some sectors from overwriting or from the Secure Erase procedure. The risk of this option being used to hide data from destruction is negligible. Not only would it require physical access to the disk, advanced firmware skills and work at the level of physical addressing, but it would also risk damaging the logical structures of the file system when attempting to work with two different translators in parallel. A potential adversary with physical access to the disk could much more easily simply copy the necessary data to another medium. Nevertheless, the example clearly demonstrates the need to increase the security of software data destruction procedures by working with physical addressing. Given that data is irreversibly destroyed the first time it is overwritten with any content, simply increasing the number of overwrite passes or inventing new miraculous overwrite patterns is of no importance. What does matter is paying attention to sectors that may be missed during the overwriting process.
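
The two requirements stated above, that a single pass with any pattern suffices and that accuracy over the whole addressable range is what actually matters, can be shown on a disk image. The following is an added example, not code from the original presentation: it overwrites a path (a regular file standing in for a drive, or a block device node, which would need root and is irreversible) across its full extent and then reads every sector back to verify. The constructed scenario in demo() is a wipe that stops at a 48-sector partition boundary on a 64-sector image, the kind of mistake that leaves an unallocated tail intact. Note that this reaches only sectors visible through LBA; a Host Protected Area, a DCO-limited capacity or a second translator of the kind described above is outside what such a tool can see.

```python
import os
import tempfile

SECTOR = 512
CHUNK = 2048 * SECTOR  # 1 MiB per I/O request


def _expected(pattern, offset, length):
    """Bytes a correct overwrite leaves at [offset, offset+length): the pattern
    repeated from the start of the device, so its phase depends on the offset.
    This keeps writer and verifier consistent for multi-byte patterns."""
    phase = offset % len(pattern)
    reps = (length + phase) // len(pattern) + 1
    return (pattern * reps)[phase:phase + length]


def device_size(path):
    """Size in bytes of a file or block device (seeking to the end works for both)."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def overwrite(path, pattern=b"\x00", end=None):
    """Overwrite bytes [0, end) with the repeated pattern; end defaults to the
    full device size. Returns the number of bytes written. Irreversible on a
    real device."""
    size = device_size(path)
    total = size if end is None else min(end, size)
    written = 0
    with open(path, "r+b") as f:
        while written < total:
            n = min(CHUNK, total - written)
            f.write(_expected(pattern, written, n))
            written += n
        f.flush()
        os.fsync(f.fileno())  # make sure it reached the medium, not just the page cache
    return written


def verify(path, pattern=b"\x00"):
    """Read the whole device back and compare every sector with the pattern.
    Returns (ok, first_mismatch_offset, mismatching_sector_count)."""
    first_bad, bad = None, 0
    with open(path, "rb") as f:
        offset = 0
        while True:
            data = f.read(CHUNK)
            if not data:
                break
            exp = _expected(pattern, offset, len(data))
            if data != exp:
                for s in range(0, len(data), SECTOR):
                    if data[s:s + SECTOR] != exp[s:s + SECTOR]:
                        bad += 1
                        if first_bad is None:
                            first_bad = offset + s
            offset += len(data)
    return first_bad is None, first_bad, bad


def demo():
    """Constructed scenario: a 64-sector image holding recognisable data. A wipe
    that stops at the end of a 48-sector partition leaves the 16-sector tail
    intact, which verification catches; a wipe over the full extent passes."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(_expected(bytes(range(256)), 0, 64 * SECTOR))  # constructed "user data"
        overwrite(path, end=48 * SECTOR)  # partition-sized wipe
        partial = verify(path)            # -> (False, 24576, 16)
        overwrite(path)                   # whole-device wipe
        full = verify(path)               # -> (True, None, 0)
    finally:
        os.unlink(path)
    return partial, full


if __name__ == "__main__":
    print(demo())
```

On a real drive the same calls are overwrite("/dev/sdX") followed by verify("/dev/sdX"), run as root against the whole device node rather than a partition; the verification step is what turns "the tool finished" into "every addressable sector now holds the pattern".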

Cryptographic erasure.


Cryptographic erasure (cryptoerase) is a very fast method of destroying encrypted data by destroying the encryption key used to encrypt it. The data remains intact on the storage medium, but destroying the key prevents decryption. However, despite the complexity of the task, the data is still potentially decryptable, which prevents this method from being considered effective.
There is always a risk that a copy of the encryption key may have been secured beforehand, including in an uncontrolled and unauthorized manner. Attempts to break the encryption are also possible. While the probability of brute-forcing the encryption key is negligible, it is not zero. Advances in quantum computing and artificial intelligence may also pose a threat to the security of cryptographic erasure. Furthermore, more sophisticated methods, such as a known-plaintext attack, could be used if the adversary possesses partial knowledge of the storage medium's contents. For these reasons, cryptographic erasure should be used in emergency situations when there is a need to quickly hinder access to data, but for guaranteed destruction another, effective method should be used.
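
The first risk named above, a surviving copy of the key, is easiest to see in a model of a self-encrypting drive. The following is an added example and not code from the original presentation or from any drive vendor: the medium holds ciphertext only, the controller holds the media encryption key, and crypto_erase() replaces that key. The cipher is a toy per-sector keystream built from HMAC-SHA256 in counter mode, a stand-in for the AES-XTS a real drive would use so that the example runs with the standard library alone; the user data and the "escrowed key" are constructed.

```python
import hashlib
import hmac
import os

SECTOR = 512


def keystream(key, sector_no, length):
    """Toy per-sector keystream: HMAC-SHA256(key, sector || counter) blocks.
    Stand-in for AES-XTS; NOT for production use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    """The medium stores ciphertext only; the media encryption key (MEK) lives
    in the controller and never reaches the platters or NAND."""

    def __init__(self, sectors):
        self.media = [bytes(SECTOR) for _ in range(sectors)]  # what a chip-off or platter read sees
        self.mek = os.urandom(32)

    def write(self, n, plaintext):
        assert len(plaintext) == SECTOR
        self.media[n] = xor_bytes(plaintext, keystream(self.mek, n, SECTOR))

    def read(self, n):
        return xor_bytes(self.media[n], keystream(self.mek, n, SECTOR))

    def crypto_erase(self):
        """A cryptographic erase: replace the MEK. No byte of the medium changes."""
        self.mek = os.urandom(32)

    def raw_dump(self):
        return b"".join(self.media)


def demo():
    drive = SelfEncryptingDrive(4)
    secret = b"CONFIDENTIAL: salary table 2024 ".ljust(SECTOR, b".")  # constructed user data
    drive.write(1, secret)
    escrowed_key = drive.mek  # a key copy that left the controller (backup, escrow, debug log)
    before = drive.raw_dump()
    drive.crypto_erase()
    after = drive.raw_dump()
    result = {
        # the host now reads noise ...
        "host_read_is_garbage": drive.read(1) != secret,
        # ... but the medium is byte-for-byte what it was before the "erase"
        "medium_unchanged": before == after,
        # so whoever holds the old key still recovers the plaintext from a raw dump
        "escrowed_key_recovers":
            xor_bytes(drive.media[1], keystream(escrowed_key, 1, SECTOR)) == secret,
    }
    # Contrast: overwriting the sector through the host changes the medium itself,
    # after which the escrowed key is of no use.
    drive.write(1, bytes(SECTOR))
    result["overwrite_changes_medium"] = drive.raw_dump() != after
    result["escrowed_key_after_overwrite"] = (
        xor_bytes(drive.media[1], keystream(escrowed_key, 1, SECTOR)) == secret)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model makes the distinction the text draws concrete: a crypto-erase changes what the controller can decrypt, an overwrite changes what is physically on the medium. Only the second survives a leaked key.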

Secure Erase


Secure Erase is a data destruction procedure implemented in drive firmware since the early 21st century. Essentially, it overwrites all sectors of the drive with zeros, but it operates not at the LBA addressing level but closer to physical addressing. It therefore also allows the destruction of at least some sectors inaccessible to programs operating at the LBA level, and it is worth using wherever there is a risk of data being preserved outside LBA addressing, such as in SMR drives. A properly implemented Secure Erase procedure should also destroy the content of damaged sectors that have been reallocated and potentially still contain fragments of previous content.
However, to speed up the data destruction process, media manufacturers sometimes take shortcuts and implement the Secure Erase procedure in questionable ways. For example, in the case of encrypted SSDs, the Secure Erase procedure often boils down to cryptographic erasure (generating a new encryption key) and discarding the Flash Translation Layer tables. In this case, the data is physically destroyed only by the block erasures that follow completion of the Secure Erase procedure, which briefly leaves an opportunity to attempt analysis of the partially destroyed content.
An interesting example of an incorrect implementation of the Secure Erase procedure in eMMC chips was demonstrated by Aya Fukami in her presentation "Exploiting the eMMC security features using the VNR" at the "Flash Data Recovery & Digital Forensic Summit 2024" conference in Warsaw. In these chips, the data was not physically erased; only the TRIM function was used, together with operations on the LBA-to-physical address translation subsystem. Consequently, the supposedly destroyed data was still recoverable at the level of physical addressing. Furthermore, the content of these chips was not encrypted. Therefore, if a Secure Erase operation takes less time than is required to overwrite or physically erase the entire medium, it is better to disregard it and destroy the data using another method.
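
The closing rule of this section, that a Secure Erase finishing faster than the medium can be written end to end cannot be a full overwrite, can be checked before a single command is issued, because ATA drives advertise their erase time. The following is an added example, not code from the original presentation or from hdparm: it parses text in the format printed by `hdparm -N` (current/native max sectors, i.e. HPA), `hdparm --dco-identify` (the "Real max sectors" a DCO may hide below the native max) and `hdparm -I` (the "... min for SECURITY ERASE UNIT" line), and compares the advertised time with the minimum an overwrite at an assumed best sustained write rate would need. The sample outputs are constructed, not captured from a real drive, and the 250 MiB/s rate is an assumption to be replaced with the drive's datasheet or a measured figure.

```python
import re

SECTOR_BYTES = 512

# Constructed samples in the shape hdparm prints; not captured from a real drive.
SAMPLE_N = """/dev/sdb:
 max sectors   = 3907027055/3907029168, HPA is enabled
"""
SAMPLE_DCO = """/dev/sdb:
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
	Real max sectors: 3907029168
"""
SAMPLE_I_SED = """Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
"""
SAMPLE_I_HDD = "\t330min for SECURITY ERASE UNIT. 330min for ENHANCED SECURITY ERASE UNIT.\n"


def hpa_sectors(hdparm_n):
    """'max sectors = <current>/<native>': returns (current, native, hidden_by_hpa)."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", hdparm_n)
    if not m:
        raise ValueError("no 'max sectors' line (hdparm -N output expected)")
    current, native = (int(g) for g in m.groups())
    return current, native, native - current


def dco_real_max_sectors(hdparm_dco):
    """A DCO can lower what READ NATIVE MAX ADDRESS reports; the DCO identify
    data still carries the real maximum."""
    m = re.search(r"Real max sectors:\s*(\d+)", hdparm_dco)
    if not m:
        raise ValueError("no 'Real max sectors' line (hdparm --dco-identify output expected)")
    return int(m.group(1))


def advertised_erase_minutes(hdparm_i):
    """Returns (minutes, is_lower_bound). hdparm prints 'more than 508min' when
    the ATA field is saturated, so that value is a floor, not an estimate."""
    m = re.search(r"(more than )?(\d+)min for SECURITY ERASE UNIT", hdparm_i)
    if not m:
        raise ValueError("no SECURITY ERASE UNIT time (hdparm -I output expected)")
    return int(m.group(2)), bool(m.group(1))


def min_overwrite_minutes(sectors, write_rate_mib_s):
    """Lower bound on an end-to-end overwrite at the drive's best sustained rate."""
    return sectors * SECTOR_BYTES / (write_rate_mib_s * 1024 * 1024) / 60


def audit(hdparm_n, hdparm_dco, hdparm_i, write_rate_mib_s):
    current, native, hpa_hidden = hpa_sectors(hdparm_n)
    real_max = dco_real_max_sectors(hdparm_dco)
    minutes, is_floor = advertised_erase_minutes(hdparm_i)
    needed = min_overwrite_minutes(real_max, write_rate_mib_s)
    return {
        "hpa_hidden_sectors": hpa_hidden,
        "dco_hidden_sectors": real_max - native,
        "total_hidden_sectors": real_max - current,   # unreachable through plain LBA writes
        "advertised_erase_minutes": minutes,
        "min_overwrite_minutes": round(needed, 1),
        # Faster than the medium can be written means it is not an overwrite of
        # every sector (a key change, a translation-table reset, or worse).
        "erase_time_plausible_as_overwrite": is_floor or minutes >= needed,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_N, SAMPLE_DCO, SAMPLE_I_SED, write_rate_mib_s=250))
    print(audit(SAMPLE_N, SAMPLE_DCO, SAMPLE_I_HDD, write_rate_mib_s=250))
```

For the constructed 2 TB drive the SED-style "2min" fails the check while "330min" passes it; either way the 2113 HPA sectors are flagged, since a plain LBA overwrite would never reach them. An implausible time is a reason to fall back to overwriting with physical addressing or to a Block Erase, as the text recommends, not a reason to trust the firmware's notion of "erased".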

Block Erase.


The Block Erase operation occurs in semiconductor storage media. It involves physically erasing all blocks (removing electrons from the floating gates of transistors), making data recovery impossible. Importantly, the erase operation also applies to blocks outside the LBA addressing. Therefore, this operation is a valid alternative to questionable and suspiciously fast Secure Erase implementations.

Physical methods of data destruction.


Physical data destruction methods can be used on any information storage media, regardless of its technical condition. They encompass a wide range of different methods, some of which are universally applicable, others effectively destroy data only on certain media categories, and many others are technically pointless, as instead of achieving the intended purpose they merely provide the illusion of security. The fundamental requirement for effective data destruction is a change in the physical state of the storage medium such that it can no longer be interpreted as the original data. This change may not always be visible to the naked eye; on the other hand, not every visible damage to the medium changes its physical state in a way that effectively prevents data recovery.

Mechanical methods of data destruction.


Mechanical data destruction methods encompass a wide spectrum of methods for mechanically affecting information storage media with the intent to destroy them. These methods vary widely, from the use of standard disk shredders to such bizarre methods as breaking off interface connectors. In general, these methods enjoy a high degree of trust, though interestingly, often undeservedly.

[Photo: hard disk drive hit with a hammer]

Most mechanical data destruction methods are very primitive and involve striking the drive with a hammer or other objects. Since a picture is worth a thousand words, let a photo of a hard drive smashed with a hammer attest to the effectiveness of these methods and the technical competence of those using them. Despite severe damage to the casing, destruction of the head stack assembly, and deformation of the magnet, the drive platter and its data remained virtually intact.
Similarly, semiconductor media and mobile devices are often damaged with insufficient precision, with Flash-NAND chips surviving intact despite external damage. The same imprecision can be seen when devices are drilled or subjected to more extreme measures, such as being run over with vehicles or shot with firearms. So, is it necessary to shred the drive in accordance with the DIN 66399 or ISO/IEC 21964 standards to destroy data effectively?
Gordon F. Hughes, Tom Coughlin, and Daniel M. Commins from the University of California provided the answer to this question by examining various data destruction methods. They also examined the possibility of recovering data from shredded disk fragments and demonstrated that this task, although extremely complex, is feasible. Fragment sizes consistent with the aforementioned standards are significantly larger than sector sizes, which allows such fragments to be imaged with a magnetic force microscope and the contents of complete sectors to be recovered.
They described the results of their research in the article "Disposal of disk and tape data by secure sanitization". Assembling the recovered data fragments into a larger whole remains a challenge, especially considering the need to separate information from the disk of interest from fragments of other drives. However, this is primarily an organizational and logistical challenge, which can be overcome with the increasing efficiency of computer hardware, automation, and properly trained artificial intelligence models. Of course, losses at the edges of the cuttings cannot be avoided, but a data destruction method that allows part of the data to be recovered, and leaves to chance which part is actually destroyed, cannot be considered effective.
Suitable techniques for imaging fragments of mechanically damaged media also exist for other types. In particular, the possibility of imaging the electrical potentials of the floating gates in the transistors of flash memories using an atomic force microscope is worth noting. Research in this area is much less well-known than magnetic force microscope analysis of hard drive surfaces, but the results are nevertheless quite promising.
It is true that there are no commercially available data recovery services, even for much more subtle damage to disk platters, such as bending, breaking, or punctures. However, this is not due to the impossibility of physical data recovery, but rather to the lack of sufficient economic justification for using data recovery methods other than rotating the platter and reading its contents using original or donor hard drive components. The situation is similar for semiconductor media, where the typical scope of services does not extend beyond methods of establishing communication with the entire device or reading the contents of Flash-NAND chips using a programmer.
Data recovery from shredded media is still a task more suited to a research project than a commercial service. However, the results of projects already completed clearly indicate that it is partially feasible. Given the proven ineffectiveness of shredding data media in accordance with DIN 66399 and ISO/IEC 21964, the value of using such methods becomes highly questionable. Not only do they fail to guarantee the expected level of security, but they are also expensive and generate waste that is difficult to recycle.
Since an effective data destruction method can be selected for every type of media, regardless of its technical condition, it is difficult to find a justification for disk shredding other than the well-being of non-technical managers looking at a pile of chips. This feeling is not dampened by the fact that there are known cases of reconstructing paper documents from scraps, the most famous example of which is the BND's (Bundesnachrichtendienst) reconstruction of the destroyed Stasi (Staatssicherheitsdienst) archive. Some believe that higher storage density may be an additional obstacle to data recovery. In reality, the higher the recording density, the greater the chance of recovering a larger portion of consistent data from a fragment of a given size.
Are all mechanical methods of data destruction ineffective, then? It's always possible to fragment the media further than regulations require, so that the remaining fragments are smaller than the physical data allocation units. Flash-NAND chips can be drilled, ensuring that a drill of an appropriately large diameter penetrates every chip in the device. In the case of hard drives, data can be destroyed by wiping the platter surfaces with fine sandpaper. This method can destroy data effectively and much more cheaply than shredding the disks, but it does not comply with the standards.
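An added worked estimate (not from the presentation or the cited paper) of how much raw data a shredder particle can carry, and how small a fragment would have to be to hold less than one sector, for the argument above that standard fragments are far larger than sectors and that higher density means more data per fragment. The areal densities (100 Gbit/in² and 1 Tbit/in²) and the DIN 66399 hard-disk particle areas are assumptions, and formatting overhead and edge losses are ignored, so the counts are upper bounds.

```python
"""How much data fits on a shredder fragment?

Added example, not from the presentation. It turns an assumed areal
recording density into raw capacity per fragment for the particle areas
of a few DIN 66399 hard-disk security levels (areas quoted from memory;
check them against the standard text) and finds the fragment area below
which not even one sector fits. Formatting overhead and edge losses are
ignored, so every count here is an upper bound.
"""
import math

MM2_PER_IN2 = 25.4 ** 2   # 645.16 mm^2 in a square inch
SECTOR_BYTES = 4096       # Advanced Format sector

# Assumed maximum particle areas (mm^2) for DIN 66399 hard-disk levels
# H-4 .. H-7; placeholders to be checked, not the standard text itself.
DIN_66399_HDD_MM2 = {"H-4": 2000.0, "H-5": 320.0, "H-6": 10.0, "H-7": 5.0}


def bits_on_fragment(area_mm2: float, density_bit_per_in2: float) -> float:
    """Raw bits stored on a fragment of the given area."""
    return area_mm2 / MM2_PER_IN2 * density_bit_per_in2


def sectors_on_fragment(area_mm2: float, density_bit_per_in2: float) -> int:
    """Whole sectors whose bits fit on the fragment (upper bound)."""
    return int(bits_on_fragment(area_mm2, density_bit_per_in2) // (SECTOR_BYTES * 8))


def max_area_for_partial_sector(density_bit_per_in2: float) -> float:
    """Fragment area (mm^2) below which fewer than one sector's bits fit."""
    return SECTOR_BYTES * 8 / density_bit_per_in2 * MM2_PER_IN2


def table(density_bit_per_in2: float) -> dict:
    """Sectors per particle for each assumed DIN 66399 level."""
    return {lvl: sectors_on_fragment(a, density_bit_per_in2)
            for lvl, a in DIN_66399_HDD_MM2.items()}


if __name__ == "__main__":
    for density in (100e9, 1e12):  # assumed: older drive vs modern PMR drive
        print(f"density {density / 1e9:.0f} Gbit/in^2:")
        for lvl, n in table(density).items():
            print(f"  {lvl}: ~{n:,} sectors ({n * SECTOR_BYTES / 1e9:.2f} GB)")
        area = max_area_for_partial_sector(density)
        side_um = math.sqrt(area) * 1000  # mm -> micrometres
        print(f"  a particle must be under {area * 1e6:.1f} um^2 "
              f"(about {side_um:.1f} um square) to hold less than one sector")
```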

Thermal data destruction methods.


Thermal data destruction methods typically apply high temperatures with a large margin, ultimately destroying the medium. After such treatment the medium is no longer usable, which is why it is very difficult to find studies indicating the temperature actually sufficient to destroy data on a given type of medium.
Thermal methods destroy data most easily on plastic media, such as CDs, DVDs, magnetic tapes, and floppy disks. Such media begin to melt even at temperatures around 100°C. The situation is completely different for hard drives and semiconductor media.
To destroy data on a hard drive, it is necessary to reach the Curie temperature – the temperature characteristic for a given magnetic substance at which it loses its magnetic properties. Hard drive manufacturers keep the detailed composition of the magnetic alloys used confidential, but it is estimated that the Curie temperature of the magnetic layer is approximately 700°C. This temperature is unattainable in bonfires, ovens, and most fires. Therefore, data recovery companies often successfully recover information from drives damaged by fire.
The situation is more challenging in devices using Flash-NAND chips. While these chips are sensitive to high temperatures and increasingly susceptible to degradation, this doesn't mean that data can be guaranteed destroyed through thermal exposure. It's worth noting that one popular method of recovering data from semiconductor media involves reading the contents of desoldered memory chips using a programmer.
With commonly used lead-free solders, desoldering Flash-NAND chips requires operating at temperatures of approximately 300°C, which is higher than can be achieved in an oven or typical campfire. It's true that in the case of Flash-NAND chips, their degradation rate also depends on the duration of exposure to high temperatures. However, there are no available analyses that would allow for the development of a procedure that guarantees effective data destruction without using significant redundancy, which would lead to complete destruction (incineration) of the device.

Chemical methods of data destruction.


Chemical data destruction methods rely on the use of chemicals to degrade the media so that its contents become unreadable. Typically, these methods completely dissolve the media in a suitable solution, which raises no doubts about the method's effectiveness. Of course, the solution should be selected appropriately for the type of media being destroyed.
The effectiveness of chemical data destruction is not compromised if elements that are not essential for information storage, such as the glass substrate of hard disc platters, remain undamaged. However, damaging media with various random substances is not an effective data destruction method. Significant disadvantages of chemical methods also include the need to ensure appropriately safe transport and storage conditions for the substances used, for the process itself, and for waste disposal.

Demagnetization.


One popular method of data destruction is degaussing media. This involves applying a strong magnetic field to the media, disrupting its magnetization, making its contents unreadable. Importantly, degaussing is not limited to destroying user information; it also destroys the servo signal and service information of hard drives, thus destroying the media itself. Only older, rarely used magnetic tapes without servo tracks and floppy disks can be reused after degaussing.
For data on a degaussed device to be effectively destroyed, the magnetic field used must be higher than the coercivity of the material from which the magnetic layer of the media is made. The coercivity of cobalt alloys commonly used in hard discs is approximately 0.5 T, and degaussers inducing a magnetic field of approximately 1 T are sufficient to degauss them. It is also important to note the emerging energy-assisted recording drives. There are HAMR (Heat-Assisted Magnetic Recording) and MAMR (Microwave-Assisted Magnetic Recording) hard drives, which utilize iron-platinum alloys with a coercivity of nearly 6 T, making them resistant to most modern demagnetizers. It's also important to note that demagnetization is an effective data destruction method only for magnetic media, and its use with other types of media is pointless. NAND buffers in SSHD (Solid State Hybrid Drive) drives are particularly resistant to demagnetizers. This may seem obvious, but it is not uncommon, especially among public institutions, to find attempts to demagnetize flash drives or optical media.

Electrical data destruction methods.


One popular method for destroying data is electrically damaging devices. These methods are usually ineffective. Using a voltage that is too high compared to the nominal voltage often damages the storage media, providing a false sense of security. However, the resulting faults are usually easy to repair even by those with basic electronics knowledge.
Such damage is often limited to discrete safety components (fuses, Zener diodes, 0-Ω resistors), but even in the case of more extensive damage, it is difficult to affect the components actually responsible for storing information. In particular, the content of hard discs will survive the destruction of all electronic components, so data recovery is still physically possible. However, in the case of semiconductor media, effective electrical data destruction requires applying an excessive voltage to each Flash-NAND chip individually and verifying that it has actually been completely destroyed.
Even if a memory chip does not respond to commands, does not display an identifier, and heats up after being inserted into a programmer, this does not guarantee that its internal structure has been damaged in a way that prevents data recovery. According to the ONFI (Open NAND Flash Interface) specification, one integrated circuit can contain up to 4 memory chips, and in the case of chips operating simultaneously on two buses – even up to 8. If any of the memories is not completely destroyed, this opens the way to imaging the electric charges stored in the floating gates and attempting to recover some of the data this way.

Inductive data destruction methods.


The idea for inductive data destruction methods likely originated from the method of erasing older EPROM (Erasable Programmable Read-Only Memory) chips using ultraviolet radiation. These chips were equipped with a special window through which they could be irradiated, removing electrons from the floating gates. They were replaced in the early 1980s by EEPROM (Electrically Erasable Programmable Read-Only Memory) chips, in which the erasure operation is performed electrically, usually using the Fowler-Nordheim tunneling effect.
Currently proposed inductive data destruction methods rarely use ultraviolet radiation; they more often use ionizing or microwave radiation. In certain situations this type of radiation can damage the storage medium, but it is yet another category of damage whose effectiveness at destroying data is difficult to verify. There are no reliable studies or analyses to determine the requirements for inductive exposure conditions that would allow for the fully secure destruction of information for specific storage media categories.

Pyrotechnic methods of data destruction.


Pyrotechnic methods rely on the use of pyrotechnics and explosives. While these methods can impress non-technical users with their visual and acoustic effects, in practice their effectiveness is highly random. They operate at temperatures too low to guarantee thermal destruction of data, while also causing mechanical failures that are difficult to verify.
In most cases, after using pyrotechnic methods, the device's technical condition is significantly better than its appearance suggests, and critical components for information storage, such as hard drive platters and NAND flash chips, are often undamaged or damaged insufficiently to cause data destruction. Besides the high uncertainty and random effectiveness of these methods, their drawback is the need to ensure appropriate safety conditions. Therefore, their use is pointless and should be replaced by other methods.

Data classification and methods of data destruction.


Most standards and norms describing data sanitization procedures base the choice of information destruction method on the nature and content of the data being deleted. In particular, they require consideration of the assigned secrecy or confidentiality classification, an assessment of its sensitivity and importance to the organization or other entities, or the potential consequences of a leak. Typically, in these procedures, the choice of data destruction method also depends on whether the medium remains within the organization or leaves it. In the latter case, physical destruction of the medium is usually recommended, which in practice prevents its meaningful use outside the organization.
In reality, information classification, assigned secrecy and confidentiality classifications, data sensitivity assessment, and the subjective meaning we assign to it, technically have no impact on data destruction. Data stored on any digital information medium is simply a stream of zeros and ones, organized in a specific way, which is interpreted at the level of the logical structures of file systems and software. And no particular sequence of zeros and ones becomes more resistant to destruction based on the meaning assigned to it by the user. The effectiveness of data destruction also does not depend on whether its classification is at the user's discretion or is imposed on them in some way, for example, by superiors, internal procedures, or applicable legal regulations.
Similarly, the effectiveness of data destruction in no way depends on the intended use of the medium containing the destroyed information. If data has been effectively destroyed, any subsequent actions on that medium have no impact on the deleted content. It is true that a potential adversary would have far greater ability to analyze media beyond the control of its owner, but they can recover the data only if the destruction was ineffective. The fact that data media can fall into the wrong hands in an uncontrolled and unplanned manner is a compelling reason to use only effective methods of information destruction, even in situations where someone might think an ineffective method would suffice.

How to choose a good data sanitization method?


The primary criterion for selecting a data destruction method should be its effectiveness. Regardless of the type of information being destroyed, its classification, and its confidentiality, it is difficult to find justification for using methods that, even theoretically, allow for subsequent data recovery. Only among effective methods can the optimal choice be made, guided by the type of media, its technical condition, and economic, ecological, or other criteria relevant to a given situation.
Choosing any effective data destruction method allows the process to be optimized by eliminating costly and often troublesome multi-stage information sanitization procedures. Meeting the effectiveness criterion defined above means secure destruction of the media's contents without the need for "safety" corrections using other methods, especially the expensive and difficult-to-recycle mechanical destruction of media. Limiting the procedure to a single effective method also reduces the costs of media protection, storage, and transportation.
In the case of efficient and reusable rewritable media, the most logical choice is software-based data destruction methods. They are simple to implement, significantly cheaper than physical methods, and do not degrade the technical condition of the media. Furthermore, they significantly contribute to reducing the generation of electronic waste and have a smaller environmental impact. Further use of a working device will always be more effective than recycling it. The details of selecting the optimal method depend on the specific media, and making a good decision requires understanding at least the basics of its operation.
Write-once and damaged media should be physically destroyed. When choosing a method, one should primarily consider its relevance to the physical phenomena responsible for information storage and strive to influence the physical states that underlie logical interpretation. Next, it is worth considering the economic and environmental costs, remembering that more brutal treatment of media is usually accompanied by a lower level of understanding of their operation and a lower level of security.
