Testing Instruments to Eradicate Hard Drives for Reuse.

Uploaded on:
Testing Instruments to Delete Hard Drives for Reuse. Jim Lyle and Craig Russell National Organization of Norms and Innovation. Disclaimer.
Slide 1

Testing Tools to Erase Hard Drives for Reuse Jim Lyle & Craig Russell National Institute of Standards and Technology

Slide 2

Disclaimer Certain exchange names and organization items are said in the content or recognized. For no situation does such distinguishing proof suggest proposal or underwriting by the National Institute of Standards and Technology, nor does it infer that the items are essentially the best accessible for the reason. AAFS

Slide 3

Testing Drive Wipe Tools at CFTT Computer Forensic Tool Testing venture at NIST Develop materials for testing criminological instruments . . . Apparatus Requirements Test Plans Test information www.cfreds.nist.gov (likewise see Simson Garfinkel; Brian Carrier http://dftt.sourceforge.net/) Tool test reports submitted to NIJ Anyone can utilize our test philosophy to test instruments as required AAFS

Slide 4

Drive Wiping Remove all information from a drive DCO & HPA Tool fashioner may select to overlook, i.e., “if shrouded range there then it’s not used” Tool architect may choose “every thing must go” Command utilized: WRITE or SECURE ERASE Number of overwrite passes (WRITE summon) Overwrite design AAFS

Slide 5

Number of Passes DoD standard 5220.22-M for clearing and disinfecting attractive media prescribes the methodology "Overwrite every single addressable area with a character, its supplement, then an arbitrary character and verify” for clearing and cleaning data on a writable media. Innovation has changed and as indicated by NIST Special Publication 800-88 Guidelines for Media Sanitization: “ …the change in track thickness and the related changes in the capacity medium have made a circumstance where the demonstrations of clearing and cleansing the media have joined. That is, for ATA circle drives fabricated after 2001 (more than 15 GB) overwriting so as to clear the media once is satisfactory to shield the media from both console and research facility attack.” AAFS

Slide 6

Easy Wiping by means of WRITE The via the path of least resistance to wipe a drive in UNIX (Linux, FreeBSD, and so on) dd if=/dev/zero of=/dev/xxx Where/dev/xxx is the gadget\'s name to delete Other dd choices can be added to taste There are constraints and expenses Skips DCO, possibly HPA, if present Ties up a PC (perhaps for a considerable length of time) Ignores remapped broken parts AAFS

Slide 7

Easy Wiping by means of ERASE Use CMRR free instrument: http://cmrr.ucsd.edu/individuals/Hughes/SecureErase.shtml Drive must be connected to ATA or SATA interface Uses SECURE ERASE to wipe drive PC BIOS frequently issues SECURITY FREEZE LOCK AAFS

Slide 8

Options for Wiping Use compose charges to overwrite each noticeable area Only wipes unmistakable areas, overlooks DCO & HPA DCO & HPA can be uprooted first For ATA & SATA can utilize SECURE ERASE Also wipes (available) remapped awful segments Must evacuate DCO & HPA first (Some drives execute SECURE ERASE to eradicate HPA as well) Destroy or degauss the drive AAFS

Slide 9

Wipe Tool Features Choice of WRITE or ERASE order Number of overwrites Verification pass Overwrite design: Constant byte, arbitrary byte, irregular arrangement Removal and wiping for HPA or DCO Interface: ATA, SATA, SCSI, USB & FireWire Hardware gadget or Software device AAFS

Slide 10

CFTT Disk Wipe Requirements Wipe strategy: WRITE or ERASE HPA & DCO wipe and evacuation User warning if ERASE chose however not bolstered by the drive Features (may be chosen, yet) not checked: Multi-pass Verify haphazardness AAFS

Slide 11

Test Cases Run 1 &2 for every interface: ATA, SATA, USB, and so forth Run 2, 4 & 5 just if SECURE ERASE upheld Run 3 & 4 just on SATA & ATA interface AAFS

Slide 12

Test Case Selection Tool AAFS

Slide 13

Generated Test Plan AAFS

Slide 14

Running a Test Case Remove DCO/HPA Use NIST apparatus to fill every division: 00000/000/01 000000000000XXX … Optional: include DCO/HPA (cases 3 & 4) Run wipe device under test Examine result with more NIST devices: DCO/HPA state, drive content AAFS

Slide 15

Test Support Tools DISKWIPE – put introductory substance on drive DSUMM – plate rundown, tally number of times every byte worth is seen RANSUM – distinguish keeps running of wiped segments and keeps running of unaltered segments One freeware program HDAT2 (not NIST composed) to control DCO & HPA AAFS

Slide 16

Case Setup AAFS

Slide 17

Test Result AAFS

Slide 18

Erase Toshiba with HPA Initial setup size: 375721968 from aggregate of 390721968 (with 15000000 concealed) IDE circle: Model (TOSHIBA MK2049GSY) serial # (788DT0FLT) Size after device runs: 375721968 from aggregate of 390721968 (with 15000000 shrouded) Analysis of hardware result – 200049647616 bytes, 390721968 segments, 14 particular qualities seen 15000000 segments have printable content Sector 375721968 is first segment with printable content Results HPA not eradicated and not uprooted AAFS

Slide 19

Erase Hitachi with HPA Initial setup size: 365721968 from aggregate of 390721968 (with 25000000 concealed) IDE circle: Model (Hitachi HTS722020K9SA00) serial # Size after device runs: 365721968 from aggregate of 390721968 (with 25000000 shrouded) Analysis of hardware result - 200049647616 00 200049647616 bytes, 390721968 segments, 1 particular qualities seen Results HPA set to zeros HPA left set up AAFS

Slide 20

Reading a CFTT Report Results Summary segment has everything the vast majority need to peruse. Experiment Selection area depicts why we chose every case. May be valuable for more profound comprehension or on the off chance that somebody needs to do their own testing. Test Materials portrays the drives utilized, bolster instruments utilized, setup techniques and examination methodology. Not valuable unless . . . Evaluate legitimacy of testing Want to do your own Test Details – don’t go here! We incorporate it to permit confirmation of what is accounted for in the Results Summary. AAFS

Slide 21

Results Over 6 Tools All noticeable parts wiped – all instruments HPA evacuated yet not wiped HPA wiped but rather not uprooted (ERASE) Remove and wipe both HPA & DCO HPA & DCO disregarded HPA & DCO overlooked in 1 pass mode, evacuated & wiped in “DoD 7 pass” mode Scratch drive needed with some keeping in touch with the scratch drive AAFS

Slide 22

Project Sponsors (otherwise known as Steering Committee) National Institute of Justice (Major financing) FBI (Additional subsidizing) Department of Defense, DCCI (Equipment and bolster) Homeland Security (Major subsidizing) State & Local organizations (Technical data) Internal Revenue, IRS (Technical information) NIST/OLES (Program administration) AAFS 2008

Slide 23

Contact Information http://www.cftt.nist.gov cftt@nist.gov Jim Lyle jlyle@nist.gov Craig Russell craig.russel@nist.gov Sue Ballou, Office of Law Enforcement Standards Steering Committee delegate for State/Local Law Enforceme

View more...