Secure Deletion of Data From Magnetic and Solid-State Memory

Sixth USENIX Security Symposium, pp. 77-90 of the Proceedings

Peter Gutmann
Department of Computer Science
University of Auckland
[email protected]

Abstract

With the use of increasingly sophisticated encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information. One avenue of attack is the recovery of supposedly erased data from magnetic media or random-access memory. This paper covers some of the methods available to recover erased data and presents schemes to make this recovery significantly more difficult.

1. Introduction

Much research has gone into the design of highly secure encryption systems intended to protect sensitive information. However, work on methods of securing (or at least safely deleting) the original plaintext form of the encrypted data against sophisticated new analysis techniques seems difficult to find. In the 1980's some work was done on the recovery of erased data from magnetic media [1] [2] [3], but to date the main source of information is government standards covering the destruction of data. There are two main problems with these official guidelines for sanitizing media. The first is that they are often somewhat old and may predate newer techniques for both recording data on the media and for recovering the recorded data. For example, most of the current guidelines on sanitizing magnetic media predate the early-90's jump in recording densities, the adoption of sophisticated channel coding techniques such as PRML, the use of magnetic force microscopy for the analysis of magnetic media, and recent studies of certain properties of magnetic media recording such as the behaviour of erase bands.

The second problem with official data destruction standards is that the information in them may be partially inaccurate in an attempt to fool opposing intelligence agencies (which is probably why a great many guidelines on sanitizing media are classified). By deliberately under-stating the requirements for media sanitization in publicly-available guides, intelligence agencies can preserve their information-gathering capabilities while at the same time protecting their


own data using classified techniques.

This paper represents an attempt to analyse the problems inherent in trying to erase data from magnetic disk media and random-access memory without access to specialised equipment, and suggests methods for ensuring that the recovery of data from these media can be made as difficult as possible for an attacker.

2. Methods of Recovery for Data Stored on Magnetic Media

Magnetic force microscopy (MFM) is a recent technique for imaging magnetization patterns with high resolution and minimal sample preparation. The technique is derived from scanning probe microscopy (SPM) and uses a sharp magnetic tip attached to a flexible cantilever placed close to the surface to be analysed, where it interacts with the stray field emanating from the sample. An image of the field at the surface is formed by moving the tip across the surface and measuring the force (or force gradient) as a function of position. The strength of the interaction is measured by monitoring the position of the cantilever using an optical interferometer or tunnelling sensor.

Magnetic force scanning tunneling microscopy (STM) is a more recent variant of this technique which uses a probe tip typically made by plating pure nickel onto a prepatterned surface, peeling the resulting thin film from the substrate it was plated onto and plating it with a thin layer of gold to minimise corrosion, and mounting it in a probe where it is placed at some small bias potential (typically a few tenths of a nanoamp at a few volts DC) so that electrons from the surface under test can tunnel across the gap to the probe tip (or vice versa). The probe is scanned across the surface to be analysed as a feedback system continuously adjusts the vertical position to maintain a constant current. The image is then generated in the same way as for MFM [4] [5]. Other techniques which have been used in the past to analyse magnetic media are the use of ferrofluid in combination with optical microscopes (which, with gigabit/square inch recording density, is no longer feasible as the magnetic features are smaller than the wavelength of visible light) and a number of exotic techniques which require significant sample preparation and expensive equipment. In comparison, MFM can be performed through the protective overcoat applied to magnetic media, requires little or no sample preparation, and can produce results in a very short time.

Even for a relatively inexperienced user the time to start getting images of the data on a drive platter is about 5 minutes. To start getting useful images of a particular track requires more than a passing knowledge of disk formats, but these are well-documented, and once the correct location on the platter is found a single image would take approximately 2-10 minutes depending on the skill of the operator and the resolution required. With one of the more expensive MFMs it is possible to automate a collection sequence and theoretically possible to collect an image of the entire disk by changing the MFM controller software.

There are, from manufacturers' sales figures, several thousand SPMs in use in the field today, some of which have special features for analysing disk drive platters, such as the vacuum chucks for standard disk drive platters along with specialised modes of operation for magnetic media analysis. These SPMs can be used with sophisticated programmable controllers and analysis software to allow automation of the data recovery process. If commercially-available SPMs are considered too expensive, it is possible to build a reasonably capable SPM for about US$1400, using a PC as a controller [6].

Faced with techniques such as MFM, truly deleting data from magnetic media is very difficult. The problem lies in the fact that when data is written to the medium, the write head sets the polarity of most, but not all, of the magnetic domains. This is partially due to the inability of the writing device to write in exactly the same location each time, and partially due to the variations in media sensitivity and field strength over time and among devices.

In conventional terms, when a one is written to disk the media records a one, and when a zero is written the media records a zero. However, the actual effect is closer to obtaining a 0.95 when a zero is overwritten with a one, and a 1.05 when a one is overwritten with a one. Normal disk circuitry is set up so that both these values are read as ones, but using specialised circuitry it is possible to work out what previous "layers" contained. The recovery of at least one or two layers of overwritten data isn't too hard to perform by reading the signal from the analog head electronics with a high-quality digital sampling oscilloscope, downloading the sampled waveform to a PC, and analysing it in software to recover the previously recorded signal. What the software does is generate an "ideal" read signal and subtract it from what was actually read, leaving as the difference the remnant of the previous signal. Since the analog circuitry in a commercial hard drive is nowhere near the quality of the circuitry in the oscilloscope used to sample the signal, the ability exists to recover a lot of extra information which isn't exploited by the hard drive electronics (although with newer channel coding techniques such as PRML (explained further on) which require extensive amounts of signal processing, the use of simple tools such as an oscilloscope to directly recover the data is no longer possible).

Using MFM, we can go even further than this. During normal readback, a conventional head averages the signal over the track, and any remnant magnetization at the track edges simply contributes a small percentage of noise to the total signal. The sampling region is too broad to distinctly detect the remnant magnetization at the track edges, so that the overwritten data which is still present beside the new data cannot be recovered without the use of specialised techniques such as MFM or STM (in fact one of the "official" uses of MFM or STM is to evaluate the effectiveness of disk drive servo-positioning mechanisms) [7]. Most drives are capable of microstepping the heads for internal diagnostic and error recovery purposes (typical error recovery strategies consist of rereading tracks with slightly changed data threshold and window offsets and varying the head positioning by a few percent to either side of the track), but writing to the media while the head is off-track in order to erase the remnant signal carries too much risk of making neighbouring tracks unreadable to be useful (for this reason the microstepping capability is made very difficult to access by external means).

These specialised techniques also allow data to be recovered from magnetic media long after the read/write head of the drive is incapable of reading anything useful. For example, one experiment in AC erasure involved driving the write head with a 40 MHz square wave with an initial current of 12 mA which was dropped in 2 mA steps to a final level of 2 mA in successive passes, an order of magnitude more than the usual write current which ranges from high microamps to low milliamps. Any remnant bit patterns left by this erasing process were far too faint to be detected by the read head, but could still be observed using MFM [8].

Even with a DC erasure process, traces of the previously recorded signal may persist until the applied DC field is several times the media coercivity [9].

Deviations in the position of the drive head from the original track may leave significant portions of the previous data along the track edge relatively untouched. Newly written data, present as wide alternating light and dark bands in MFM and STM images, are often superimposed over previously recorded data which persists at the track edges. Regions where the old and new data coincide create continuous magnetization between the two. However, if the new transition is out of phase with the previous one, a few microns of erase band with no definite magnetization are created at the juncture of the old and new tracks. The write field in the erase band is above the coercivity of the media and would change the magnetization in these areas, but its magnitude is not high enough to create new well-defined transitions. One experiment involved writing a fixed pattern of all 1's with a bit interval of 2.5 µm, moving the write head off-track by approximately half a track width, and then writing the pattern again with a frequency slightly higher than that of the previously recorded track for a bit interval of 2.45 µm to create all possible phase differences between the transitions in the old and new tracks. Using a 4.2 µm wide head produced an erase band of approximately 1 µm in width when the old and new tracks were 180° out of phase, dropping to almost nothing when the two tracks were in-phase. Writing data at a higher frequency with the original track's bit interval at 0.5 µm and the new track's bit interval at 0.49 µm allows a single MFM image to contain all possible phase differences, showing a dramatic increase in the width of the erase band as the two tracks move from in-phase to 180° out of phase [10].

In addition, the new track width can exhibit modulation which depends on the phase relationship between the old and new patterns, allowing the previous data to be recovered even if the old data patterns themselves are no longer distinct. The overwrite performance also depends on the position of the write head relative to the originally written track. If the head is directly aligned with the track, overwrite performance is relatively good; as the head moves off-track, the performance drops markedly as the remnant components of the original data are read back along with the newly-written signal. This effect is less noticeable as the write frequency increases due to the greater attenuation of the field with distance [11].

When all the above factors are combined it turns out that each track contains an image of everything ever written to it, but that the contribution from each "layer" gets progressively smaller the further back it was made. Intelligence organisations have a lot of expertise in recovering these palimpsestuous images.

3. Erasure of Data Stored on Magnetic Media

The general concept behind an overwriting scheme is to flip each magnetic domain on the disk back and forth as much as possible (this is the basic idea behind degaussing) without writing the same pattern twice in a row. If the data was encoded directly, we could simply choose the desired overwrite pattern of ones and zeroes and write it repeatedly. However, disks generally use some form of run-length limited (RLL) encoding, so that the adjacent ones won't be written. This encoding is used to ensure that transitions aren't placed too closely together, or too far apart, which would mean the drive would lose track of where it was in the data.

To erase magnetic media, we need to overwrite it many times with alternating patterns in order to expose it to a magnetic field oscillating fast enough that it does the desired flipping of the magnetic domains in a reasonable amount of time. Unfortunately, there is a complication in that we need to saturate the disk surface to the greatest depth possible, and very high frequency signals only "scratch the surface" of the magnetic medium. Disk drive manufacturers, in trying to achieve ever-higher densities, use the highest possible frequencies, whereas we really require the lowest frequency a disk drive can produce. Even this is still rather high. The best we can do is to use the lowest frequency possible for overwrites, to penetrate as deeply as possible into the recording medium.

The write frequency also determines how effectively previous data can be overwritten, due to the dependence of the field needed to cause magnetic switching on the length of time the field is applied. Tests on a number of typical disk drive heads have shown a difference of up to 20 dB in overwrite performance when data recorded at 40 kFCI (flux changes per inch), typical of recent disk drives, is overwritten with a signal varying from 0 to 100 kFCI. The best average performance for the various heads appears to be with an overwrite signal of around 10 kFCI, with the worst performance being at 100 kFCI [12]. The track write width is also affected by the write frequency: as the frequency increases, the write width decreases for both MR and TFI heads. In [13] there was a decrease in write width of around 20% as the write frequency was increased from 1 to 40 kFCI, with the decrease being most marked at the high end of the frequency range. However, the decrease in write width is balanced by a corresponding increase in the two side-erase bands, so that the sum of the two remains nearly constant with frequency and equal to the DC erase width for the head. The media coercivity also affects the width of the write and erase bands, with their width dropping as the coercivity increases (this is one of the explanations for the ever-increasing coercivity of newer, higher-density drives).

To try to write the lowest possible frequency we must determine what decoded data to write to produce a low-frequency encoded signal.

In order to understand the theory behind the choice of data patterns to write, it is necessary to take a brief look at the recording methods used in disk drives. The main limit on recording density is that as the bit density is increased, the peaks in the analog signal recorded on the media are read at a rate which may cause them to appear to overlap, creating intersymbol interference which leads to data errors. Traditional peak detector read channels try to reduce the possibility of intersymbol interference by coding data in such a way that the analog signal peaks are separated as far as possible. The read circuitry can then accurately detect the peaks (actually the head itself only detects transitions in magnetisation, so the simplest recording code uses a transition to encode a 1 and the absence of a transition to encode a 0. The transition causes a positive/negative peak in the head output voltage (thus the name "peak detector read channel"). To recover the data, we differentiate the output and look for the zero crossings). Since a long string of 0's will make clocking difficult, we need to set a limit on the maximum consecutive number of 0's. The separation of peaks is implemented as some form of run-length-limited, or RLL, coding.

The RLL encoding used in most current drives is described by pairs of run-length limits (d, k), where d is the minimum number of 0 symbols which must occur between each 1 symbol in the encoded data, and k is the maximum. The parameters (d, k) are chosen to place adjacent 1's far enough apart to avoid problems with intersymbol interference, but not so far apart that we lose synchronisation.

The grandfather of all RLL codes was FM, which wrote one user data bit followed by one clock bit, so that a 1 bit was encoded as two transitions (1 wavelength) while a 0 bit was encoded as one transition (½ wavelength). A different approach was taken in modified FM (MFM), which suppresses the clock bit except between adjacent 0's (the ambiguity in the use of the term MFM is unfortunate. From here on it will be used to refer to modified FM rather than magnetic force microscopy). Taking three example sequences 0000, 1111, and 1010, these will be encoded as 0(1)0(1)0(1)0, 1(0)1(0)1(0)1, and 1(0)0(0)1(0)0 (where the ()s are the clock bits inserted by the encoding process). The maximum time between 1 bits is now three 0 bits (so that the peaks are no more than four encoded time periods apart), and there is always at least one 0 bit (so that the peaks in the analog signal are at least two encoded time periods apart), resulting in a (1,3) RLL code. (1,3) RLL/MFM is the oldest code still in general use today, but is only really used in floppy drives which need to remain backwards-compatible.

These constraints help avoid intersymbol interference, but the need to separate the peaks reduces the recording density and therefore the amount of data which can be stored on a disk. To increase the recording density, MFM was gradually replaced by (2,7) RLL (the original "RLL" format), and that in turn by (1,7) RLL, each of which placed fewer constraints on the recorded signal.

Using our knowledge of how the data is encoded, we can now choose which decoded data patterns to write in order to obtain the desired encoded signal. The three encoding methods described above cover the vast majority of magnetic disk drives. However, each of these has several possible variants. With MFM, only one is used with any frequency, but the newest (1,7) RLL code has at least half a dozen variants in use. For MFM with at most four bit times between transitions, the lowest write frequency possible is attained by writing the repeating decoded data patterns 1010 and 0101. These have a 1 bit every other "data" bit, and the intervening "clock" bits are all 0. We would also like patterns with every other clock bit set to 1 and all others set to 0, but these are not possible in the MFM encoding (such "violations" are used to generate special marks on the disk to identify sector boundaries). The best we can do here is three bit times between transitions, which is generated by repeating the decoded patterns 100100, 010010 and 001001. We should use several passes with these patterns, as MFM drives are the oldest, lowest-density drives around (this is especially true for the very-low-density floppy drives). As such, they are the easiest to recover data from with modern equipment and we need to take the most care with them.

From MFM we jump to the next simplest case, which is (1,7) RLL. Although there can be as many as 8 bit times between transitions, the lowest sustained frequency we can have in practice is 6 bit times between transitions. This is a desirable property from the point of view of the clock-recovery circuitry, and all (1,7) RLL codes seem to have this property. We now need to find a way to write the desired pattern without knowing the particular (1,7) RLL code used. We can do this by looking at the way the drive's error-correction system works. The error-correction is applied to the decoded data, even though errors generally occur in the encoded data. In order to make this work well, the data encoding should have limited error amplification, so that an erroneous encoded bit should affect only a small, finite number of decoded bits.

Decoded bits therefore depend only on nearby encoded bits, so that a repeating pattern of encoded bits will correspond to a repeating pattern of decoded bits. The repeating pattern of encoded bits is 6 bits long. Since the rate of the code is 2/3, this corresponds to a repeating pattern of 4 decoded bits. There are only 16 possibilities for this pattern, making it feasible to write all of them during the erase process. So to achieve good overwriting of (1,7) RLL disks, we write the patterns 0000, 0001, 0010, 0011, 0100, 0101, 0110, 0111, 1000, 1001, 1010, 1011, 1100, 1101, 1110, and 1111. These patterns also conveniently cover two of the ones needed for MFM overwrites, although we should add a few more iterations of the MFM-specific patterns for the reasons given above.

Finally, we have (2,7) RLL drives. These are similar to MFM in that an eight-bit-time signal can be written in some phases, but not all. A six-bit-time signal will fill in the remaining cracks. Using a ½ encoding rate, an eight-bit-time signal corresponds to a repeating pattern of 4 data bits. The most common (2,7) RLL code is shown below:

The most common (2,7) RLL Code

Decoded Data    (2,7) RLL Encoded Data
00              1000
01              0100
100             001000
101             100100
111             000100
1100            00001000
1101            00100100

The second most common (2,7) RLL code is the same but with the "decoded data" complemented, which doesn't alter these patterns. Writing the required encoded data can be achieved for every other phase using patterns of 0x33, 0x66, 0xCC and 0x99, which are already written for (1,7) RLL drives.

Six-bit-time patterns can be written using 3-bit repeating patterns. The all-zero and all-one patterns overlap with the (1,7) RLL patterns, leaving six others:

001001001001001001001001
   2   4   9   2   4   9

in binary or 0x24 0x92 0x49, 0x92 0x49 0x24 and 0x49 0x24 0x92 in hex, and

011011011011011011011011
   6   D   B   6   D   B

in binary or 0x6D 0xB6 0xDB, 0xB6 0xDB 0x6D and 0xDB 0x6D 0xB6 in hex. The first three are the same as the MFM patterns, so we need only three extra patterns to cover (2,7) RLL drives.

Although (1,7) is more popular in recent (post-1990) drives, some older hard drives do still use (2,7) RLL, and with the ever-increasing reliability of newer drives it is likely that they will remain in use for some time to come, often being passed down from one machine to another. The above three patterns also cover any problems with endianness issues, which weren't a concern in the previous two cases, but would be in this case (actually, thanks to the strong influence of IBM mainframe drives, everything seems to be uniformly big-endian within bytes, with the most significant bit being written to the disk first).
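As an added example (not code from the paper), the following Python encodes decoded data with the (2,7) RLL table above, checks the (d, k) run-length constraint defined earlier, and measures the steady-state spacing between transitions, so that the claims that 0x33, 0x66, 0xCC and 0x99 give an eight-bit-time signal and that each set of three 3-bit patterns serves one of the two (2,7) code variants can be checked directly. The complemented code variant is modelled by inverting the decoded bits before table lookup; the encoder and helper functions are this example's own constructions.

```python
# Added example: (2,7) RLL encoder built from the code table in the text,
# plus helpers to check run-length limits and transition spacing.
# Not code from the paper; the encoder and helpers are this example's own.

# Decoded bit string -> encoded bit string, from the (2,7) RLL table above.
RLL_27 = {
    "00": "1000",
    "01": "0100",
    "100": "001000",
    "101": "100100",
    "111": "000100",
    "1100": "00001000",
    "1101": "00100100",
}


def bits_of(pattern: bytes) -> str:
    """Bit string of a byte sequence, MSB first (big-endian within bytes, as the text notes)."""
    return "".join(f"{b:08b}" for b in pattern)


def rll27_encode(decoded: str, complement: bool = False) -> str:
    """Encode a decoded bit string with the (2,7) code.

    complement=True models the second most common (2,7) code, which is the same
    table applied to the complemented decoded data.  The code words are
    prefix-free, so a greedy shortest-match parse is unambiguous; bits left over
    at the end that do not complete a code word are dropped.
    """
    if complement:
        decoded = decoded.translate(str.maketrans("01", "10"))
    out = []
    i = 0
    while i < len(decoded):
        for length in (2, 3, 4):
            word = decoded[i:i + length]
            if word in RLL_27:
                out.append(RLL_27[word])
                i += length
                break
        else:
            break  # trailing partial code word
    return "".join(out)


def satisfies_dk(encoded: str, d: int = 2, k: int = 7) -> bool:
    """True if every run of 0s between two 1s (transitions) has length in [d, k]."""
    runs = encoded.strip("0").split("1")[1:-1]
    return all(d <= len(r) <= k for r in runs)


def transition_spacings(encoded: str) -> list:
    """Distances, in encoded bit times, between consecutive transitions (1s)."""
    ones = [i for i, c in enumerate(encoded) if c == "1"]
    return [b - a for a, b in zip(ones, ones[1:])]


def steady_spacings(pattern: bytes, complement: bool = False, repeats: int = 8) -> set:
    """Set of transition spacings seen once the repeated pattern has settled.

    The first quarter of the spacings is discarded so that the start-up phase,
    before the code word boundaries line up with the pattern, is ignored.
    """
    encoded = rll27_encode(bits_of(pattern * repeats), complement)
    if not satisfies_dk(encoded):
        raise ValueError("encoder output violates the (2,7) constraint")
    spacings = transition_spacings(encoded)
    return set(spacings[len(spacings) // 4:])


if __name__ == "__main__":
    for pat in (b"\x33", b"\x66", b"\xcc", b"\x99"):
        print(pat.hex(), steady_spacings(pat))  # each settles to {8}
    for pat in (b"\x24\x92\x49", b"\x6d\xb6\xdb"):
        # one variant gives the six-bit-time signal, the other the minimum spacing
        print(pat.hex(), steady_spacings(pat), steady_spacings(pat, complement=True))
```

The 001 patterns reach six bit times only under the plain code and the 011 patterns only under the complemented one, which is why the text keeps both sets rather than relying on the MFM patterns alone.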

The latest high-density drives use methods like Partial-Response Maximum-Likelihood (PRML) encoding, which may be roughly equated to the trellis encoding done by V.32 modems in that it is effective but computationally expensive. PRML codes are still RLL codes, but with somewhat different constraints. A typical code might have (0,4,4) constraints in which the 0 means that 1's in a data stream can occur right next to 0's (so that peaks in the analog readback signal are not separated), the first 4 means that there can be no more than four 0's between 1's in a data stream, and the second 4 specifies the maximum number of 0's between 1's in certain symbol subsequences. PRML codes avoid intersymbol influence errors by using digital filtering techniques to shape the read signal to exhibit desired frequency and timing characteristics (this is the "partial response" part of PRML) followed by maximum-likelihood digital data detection to determine the most likely sequence of data bits that was written to the disk (this is the "maximum likelihood" part of PRML). PRML channels achieve the same low bit error rate as standard peak-detection methods, but with much higher recording densities, while using the same heads and media. Several manufacturers are currently engaged in moving their peak-detection-based product lines across to PRML, giving a 30-40% density increase over standard RLL channels [14].

Since PRML codes don't try to separate peaks in the same way that non-PRML RLL codes do, all we can do is to write a variety of random patterns because the processing inside the drive is too complex to second-guess. Fortunately, these drives push the limits of the magnetic media much more than older drives ever did by encoding data with much smaller magnetic domains, closer to the physical capacity of the magnetic media (the current state of the art in PRML drives has a track density of around 6700 TPI (tracks per inch) and a data recording density of 170 kFCI, nearly double that of the nearest (1,7) RLL equivalent. A convenient side-effect of these very high recording densities is that a written transition may experience the write field cycles for successive transitions, especially at the track edges where the field distribution is much broader [15]. Since this is also where remnant data is most likely to be found, this can only help in reducing the recoverability of the data). If these drives require sophisticated signal processing just to read the most recently written data, reading overwritten layers is also correspondingly more difficult. A good scrubbing with random data will do about as well as can be expected.

We now have a set of 22 overwrite patterns which should erase everything, regardless of the raw encoding. The basic disk eraser can be improved slightly by adding random passes before and after the erase process, and by performing the deterministic passes in random order to make it more difficult to guess which of the known data passes were made at which point. To deal with all this in the overwrite process, we use the sequence of 35 consecutive writes shown below:

Overwrite Data

Pass No.  Data Written                                      Encoding Scheme Targeted
1         Random
2         Random
3         Random
4         Random
5         01010101 01010101 01010101  0x55                  (1,7) RLL, MFM
6         10101010 10101010 10101010  0xAA                  (1,7) RLL, MFM
7         10010010 01001001 00100100  0x92 0x49 0x24        (2,7) RLL, MFM
8         01001001 00100100 10010010  0x49 0x24 0x92        (2,7) RLL, MFM
9         00100100 10010010 01001001  0x24 0x92 0x49        (2,7) RLL, MFM
10        00000000 00000000 00000000  0x00                  (1,7) RLL, (2,7) RLL
11        00010001 00010001 00010001  0x11                  (1,7) RLL
12        00100010 00100010 00100010  0x22                  (1,7) RLL
13        00110011 00110011 00110011  0x33                  (1,7) RLL, (2,7) RLL
14        01000100 01000100 01000100  0x44                  (1,7) RLL
15        01010101 01010101 01010101  0x55                  (1,7) RLL, MFM
16        01100110 01100110 01100110  0x66                  (1,7) RLL, (2,7) RLL
17        01110111 01110111 01110111  0x77                  (1,7) RLL
18        10001000 10001000 10001000  0x88                  (1,7) RLL
19        10011001 10011001 10011001  0x99                  (1,7) RLL, (2,7) RLL
20        10101010 10101010 10101010  0xAA                  (1,7) RLL, MFM
21        10111011 10111011 10111011  0xBB                  (1,7) RLL
22        11001100 11001100 11001100  0xCC                  (1,7) RLL, (2,7) RLL
23        11011101 11011101 11011101  0xDD                  (1,7) RLL
24        11101110 11101110 11101110  0xEE                  (1,7) RLL
25        11111111 11111111 11111111  0xFF                  (1,7) RLL, (2,7) RLL
26        10010010 01001001 00100100  0x92 0x49 0x24        (2,7) RLL, MFM
27        01001001 00100100 10010010  0x49 0x24 0x92        (2,7) RLL, MFM
28        00100100 10010010 01001001  0x24 0x92 0x49        (2,7) RLL, MFM
29        01101101 10110110 11011011  0x6D 0xB6 0xDB        (2,7) RLL
30        10110110 11011011 01101101  0xB6 0xDB 0x6D        (2,7) RLL
31        11011011 01101101 10110110  0xDB 0x6D 0xB6        (2,7) RLL
32        Random
33        Random
34        Random
35        Random

The MFM-specific patterns are repeated twice because MFM drives have the lowest density and are thus particularly easy to examine. The deterministic patterns between the random writes are permuted before the write is performed, to make it more difficult for an opponent to use knowledge of the erasure data written to attempt to recover overwritten data (in fact we need to use a cryptographically strong random number generator to perform the permutations to avoid the problem of an opponent who can read the last overwrite pass being able to predict the previous passes and "echo cancel" passes by subtracting the known overwrite data).

If the device being written to supports caching or buffering of data, this should be disabled to ensure that physical disk writes are performed for each pass instead of everything but the last pass being lost in the buffering. For example physical disk access can be forced during SCSI-2 Group 1 write commands by setting the Force Unit Access bit in the SCSI command block (although at least one popular drive has a bug which causes all writes to be ignored when this bit is set - remember to test your overwrite scheme before you deploy it). Another consideration which needs to be taken into account when trying to erase data through software is that drives conforming to some of the higher-level protocols such as the various SCSI standards are relatively free to interpret commands sent to them in whichever way they choose (as long as they still conform to the SCSI specification). Thus some drives, if sent a FORMAT UNIT command may return immediately without performing any action, may simply perform a read test on the entire disk (the most common option), or may actually write data to the disk (the SCSI-2 standard includes an initialization pattern (IP) option for the FORMAT UNIT command, however this is not necessarily supported by existing drives).
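The 35-pass schedule and the permutation of its deterministic passes, as an added example that is not code from the paper: the Python below builds the schedule with a CSPRNG-driven shuffle, keeps the phase of the 3-byte patterns continuous across write blocks, and applies it to a regular file, calling fsync after every pass so that the OS page cache cannot collapse the passes into the last one (the function names, the 64 KB block size and the use of fsync are my assumptions; fsync does not replace disabling the drive's own write cache, which is the FUA point made above).

```python
import os
import secrets

# The 27 deterministic patterns of passes 5..31 from the table above, as the
# byte sequences repeated across the sector. 0x55, 0xAA and the three
# rotations of 0x92 0x49 0x24 appear twice because the MFM-targeted passes
# are repeated.
DETERMINISTIC_PATTERNS = [
    b"\x55", b"\xAA",
    b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49",
    b"\x00", b"\x11", b"\x22", b"\x33", b"\x44", b"\x55", b"\x66", b"\x77",
    b"\x88", b"\x99", b"\xAA", b"\xBB", b"\xCC", b"\xDD", b"\xEE", b"\xFF",
    b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49",
    b"\x6D\xB6\xDB", b"\xB6\xDB\x6D", b"\xDB\x6D\xB6",
]
RANDOM_PASSES_BEFORE = 4   # passes 1..4
RANDOM_PASSES_AFTER = 4    # passes 32..35
RANDOM = None              # schedule marker for a pass of fresh random bytes


def build_pass_schedule(rng=None):
    """Return the 35-entry pass list: 4 random passes, the 27 deterministic
    patterns in a permuted order, then 4 random passes.

    The permutation must come from a cryptographically strong generator
    (secrets.SystemRandom by default); a seedable random.Random is accepted
    only so the schedule can be reproduced in tests.
    """
    rng = rng if rng is not None else secrets.SystemRandom()
    deterministic = list(DETERMINISTIC_PATTERNS)
    rng.shuffle(deterministic)
    return ([RANDOM] * RANDOM_PASSES_BEFORE + deterministic
            + [RANDOM] * RANDOM_PASSES_AFTER)


def pattern_block(pattern, offset, n):
    """Return n bytes of `pattern` tiled so that device byte `offset` gets
    pattern[offset % len(pattern)]; this keeps the 3-byte patterns in phase
    across block boundaries instead of restarting them in every block."""
    start = offset % len(pattern)
    reps = (start + n) // len(pattern) + 1
    return (pattern * reps)[start:start + n]


def _write_all(fd, buf):
    """os.write may write fewer bytes than asked; loop until all are written."""
    view = memoryview(buf)
    while view:
        written = os.write(fd, view)
        view = view[written:]


def overwrite_file(path, block_size=65536, schedule=None):
    """Overwrite every byte of the regular file at `path` with the full pass
    schedule and return the number of passes performed.

    os.fsync after each pass pushes the data out of the OS page cache so that
    every pass reaches the device instead of being merged into the last one.
    It does not disable the drive's own write cache, which is a device-level
    setting (for a block device the size must also be obtained differently,
    since os.path.getsize reports 0 for device nodes on most systems).
    """
    if schedule is None:
        schedule = build_pass_schedule()
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for pattern in schedule:
            os.lseek(fd, 0, os.SEEK_SET)
            offset = 0
            while offset < size:
                n = min(block_size, size - offset)
                if pattern is RANDOM:
                    buf = secrets.token_bytes(n)
                else:
                    buf = pattern_block(pattern, offset, n)
                _write_all(fd, buf)
                offset += n
            os.fsync(fd)
    finally:
        os.close(fd)
    return len(schedule)


if __name__ == "__main__":
    # Constructed demo on a temporary file, not on a real disk.
    import tempfile
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"SECRET KEY MATERIAL " * 4096)
        name = tmp.name
    print("passes performed:", overwrite_file(name))
    os.unlink(name)
```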

If the data is very sensitive and is stored on floppy disk, it can best be destroyed by removing the media from the disk liner and burning it, or by burning the entire disk, liner and all (most floppy disks burn remarkably well - albeit with quantities of oily smoke - and leave very little residue).

4. Other Methods of Erasing Magnetic Media

The previous section has concentrated on erasure methods which require no specialised equipment to perform the erasure. Alternative means of erasing media which do require specialised equipment are degaussing (a process in which the recording media is returned to its initial state) and physical destruction. Degaussing is a reasonably effective means of purging data from magnetic disk media, and will even work through most drive cases (research has shown that the aluminium housings of most disk drives attenuate the degaussing field by only about 2 dB [16]).

The switching of a single-domain magnetic particle from one magnetization direction to another requires the overcoming of an energy barrier, with an external magnetic field helping to lower this barrier. The switching depends not only on the magnitude of the external field, but also on the length of time for which it is applied. For typical disk drive media, the short-term field needed to flip enough of the magnetic domains to be useful in recording a signal is about 1/3 higher than the coercivity of the media (the exact figure varies with different media types) [17].

However, to effectively erase a medium to the extent that recovery of data from it becomes uneconomical requires a magnetic force of about five times the coercivity of the medium [18], although even small external magnetic fields are sufficient to upset the normal operation of a hard disk (typically a few gauss at DC, dropping to a few milligauss at 1 MHz). Coercivity (measured in Oersteds, Oe) is a property of magnetic material and is defined as the amount of magnetic field necessary to reduce the magnetic induction in the material to zero - the higher the coercivity, the harder it is to erase data from a medium. Typical figures for various types of magnetic media are given below:

Typical Media Coercivity Figures

Medium                          Coercivity
5.25" 360K floppy disk          300 Oe
5.25" 1.2M floppy disk          675 Oe
3.5" 720K floppy disk           300 Oe
3.5" 1.44M floppy disk          700 Oe
3.5" 2.88M floppy disk          750 Oe
3.5" 21M floptical disk         750 Oe
Older (1980's) hard disks       900-1400 Oe
Newer (1990's) hard disks       1400-2200 Oe
1/2" magnetic tape              300 Oe
1/4" QIC tape                   550 Oe
8 mm metallic particle tape     1500 Oe
DAT metallic particle tape      1500 Oe

US Government guidelines class tapes of 350 Oe coercivity or less as low-energy or Class I tapes and tapes of 350-750 Oe coercivity as high-energy or Class II tapes. Degaussers are available for both types of tapes. Tapes of over 750 Oe coercivity are referred to as Class III, with no degaussers capable of fully erasing them being known [19], since even the most powerful commercial AC degausser cannot generate the recommended 7,500 Oe needed for full erasure of a typical DAT tape currently used for data backups.

Degaussing of disk media is somewhat more difficult - even older hard disks generally have a coercivity equivalent to Class III tapes, making them fairly difficult to erase at the outset. Since manufacturers rate their degaussers in peak gauss and measure the field at a certain orientation which may not be correct for the type of medium being erased, and since degaussers tend to be rated by whether they erase sufficiently for clean rerecording rather than whether they make the information impossible to recover, it may be necessary to resort to physical destruction of the media to completely sanitise it (in fact since degaussing destroys the sync bytes, ID fields, error correction information, and other paraphernalia needed to identify sectors on the media, thus rendering the drive unusable, it makes the degaussing process mostly equivalent to physical destruction). In addition, like physical destruction, it requires highly specialised equipment which is expensive and difficult to obtain (one example of an adequate degausser was the 2.5 MW Navy research magnet used by a former Pentagon site manager to degauss a 14" hard drive for 1½ minutes. It bent the platters on the drive and probably succeeded in erasing it beyond the capabilities of any data recovery attempts [20]).

5. Further Problems with Magnetic Media

A major issue which cannot be easily addressed using any standard software-based overwrite technique is the problem of defective sector handling. When the drive is manufactured, the surface is scanned for defects which are added to a defect list or flaw map. If further defects, called grown defects, occur during the life of the drive, they are added to the defect list by the drive or by drive management software. There are several techniques which are used to mask the defects in the defect list. The first, alternate tracks, moves data from tracks with defects to known good tracks. This scheme is the simplest, but carries a high access cost, as each read from a track with defects requires seeking to the alternate track and a rotational latency delay while waiting for the data location to appear under the head, performing the read or write, and, if the transfer is to continue onto a neighbouring track, seeking back to the original position. Alternate tracks may be interspersed among data tracks to minimise the seek time to access them.


A second technique, alternate sectors, allocates alternate sectors at the end of the track to minimise seeks caused by defective sectors. This eliminates the seek delay, but still carries some overhead due to rotational latency. In addition it reduces the usable storage capacity by 1-3%.

A third technique, inline sector sparing, again allocates a spare sector at the end of each track, but resequences the sector ID's to skip the defective sector and include the spare sector at the end of the track, in effect pushing the sectors past the defective one towards the end of the track. The associated cost is the lowest of the three, being one sector time to skip the defective sector [21].

The handling of mapped-out sectors and tracks is an issue which can't be easily resolved without the cooperation of hard drive manufacturers. Although some SCSI and IDE hard drives may allow access to defect lists and even to mapped-out areas, this must be done in a highly manufacturer- and drive-specific manner. For example the SCSI-2 READ DEFECT DATA command can be used to obtain a list of all defective areas on the drive. Since SCSI logical block numbers may be mapped to arbitrary locations on the disk, the defect list is recorded in terms of heads, tracks, and sectors. As all SCSI device addressing is performed in terms of logical block numbers, mapped-out sectors or tracks cannot be addressed. The only reasonably portable possibility is to clear various automatic correction flags in the read-write error recovery mode page to force the SCSI device to report read/write errors to the user instead of transparently remapping the defective areas. The user can then use the READ LONG and WRITE LONG commands (which allow access to sectors and extra data even in the presence of read/write errors), to perform any necessary operations on the defective areas, and then use the REASSIGN BLOCKS command to reassign the defective sections. However this operation requires an in-depth knowledge of the operation of the SCSI device and extensive changes to disk drivers, and more or less defeats the purpose of having an intelligent peripheral.

The ANSI X3T-10 and X3T-13 subcommittees are currently looking at creating new standards for a Universal Security Reformat command for IDE and SCSI hard disks which will address these issues. This will involve a multiple-pass overwrite process which covers mapped-out disk areas with deliberate off-track writing. Many drives available today can be modified for secure erasure through a firmware upgrade, and once the new firmware is in place the erase procedure is handled by the drive itself, making unnecessary any interaction with the host system beyond the sending of the command which begins the erase process.

Long-term ageing can also have a marked effect on the erasability of magnetic media. For example, some types of magnetic tape become increasingly difficult to erase after being stored at an elevated temperature or having contained the same magnetization pattern for a considerable period of time [22]. The same applies for magnetic disk media, with decreases in erasability of several dB being recorded [23]. The erasability of the data depends on the amount of time it has been stored on the media, not on the age of the media itself (so that, for example, a five-year-old freshly-written disk is no less erasable than a new freshly-written disk).


The dependence of media coercivity on temperature can affect overwrite capability if the data was initially recorded at a temperature where the coercivity was low (so that the recorded pattern penetrated deep into the media), but must be overwritten at a temperature where the coercivity is relatively high. This is important in hard disk drives, where the temperature varies depending on how long the unit has been used and, in the case of drives with power-saving features enabled, how recently and frequently it has been used. However the overwrite performance depends not only on temperature-dependent changes in the media, but also on temperature-dependent changes in the read/write head. Thankfully the combination of the most common media used in current drives with various common types of read/write heads produces a change in overwrite performance of only a few hundredths of a decibel per degree over the temperature range -40°C to +40°C, as changes in the head compensate for changes in the media [24].

Another issue which needs to be taken into account is the ability of most newer storage devices to recover from having a remarkable amount of damage inflicted on them through the use of various error-correction schemes. As increasing storage densities began to lead to multiple-bit errors, manufacturers started using sophisticated error-correction codes (ECC's) capable of correcting multiple error bursts. A typical drive might have 512 bytes of data, 4 bytes of CRC, and 11 bytes of ECC per sector. This ECC would be capable of correcting single burst errors of up to 22 bits or double burst errors of up to 11 bits, and can detect a single burst error of up to 51 bits or three burst errors of up to 11 bits in length [25]. Another drive manufacturer quotes the ability to correct up to 120 bits, or up to 32 bits on the fly, using 198-bit Reed-Solomon ECC [26]. Therefore even if some data is reliably erased, it may be possible to recover it using the built-in error-correction capabilities of the drive. Conversely, any erasure scheme which manages to destroy the ECC information (for example through the use of the SCSI-2 WRITE LONG command which can be used to write to areas of a disk sector outside the normal data areas) stands a greater chance of making the data unrecoverable.

6. Sidestepping the Problem

The easiest way to solve the problem of erasing sensitive information from magnetic media is to ensure that it never gets to the media in the first place. Although not practical for general data, it is often worthwhile to take steps to keep particularly important information such as encryption keys from ever being written to disk. This would typically happen when the memory containing the keys is paged out to disk by the operating system, where they can then be recovered at a later date, either manually or using software which is aware of the in-memory data format and can locate it automatically in the swap file (for example there exists software which will search the Windows swap file for keys from certain DOS encryption programs). An even worse situation occurs when the data is paged over a network, allowing anyone with a packet sniffer or similar tool on the same subnet to observe the information (for example there exists software which will monitor and even alter NFS traffic on the fly which could be modified to look for known in-memory data patterns moving to and from a networked swap disk [27]).


To solve these problems the memory pages containing the information can be locked to prevent them from being paged to disk or transmitted over a network. This approach is taken by at least one encryption library, which allocates all keying information inside protected memory blocks visible to the user only as opaque handles, and then optionally locks the memory (provided the underlying OS allows it) to prevent it from being paged [28]. The exact details of locking pages in memory depend on the operating system being used. Many Unix systems now support the mlock()/munlock() calls or have some alternative mechanism hidden among the mmap()-related functions which can be used to lock pages in memory. Unfortunately these operations require superuser privileges because of their potential impact on system performance if large ranges of memory are locked. Other systems such as Microsoft Windows NT allow user processes to lock memory with the VirtualLock()/VirtualUnlock() calls, but limit the total number of regions which can be locked.

Most paging algorithms are relatively insensitive to having sections of memory locked, and can even relocate the locked pages (since the logical to physical mapping is invisible to the user), or can move the pages to a "safe" location when the memory is first locked. The main effect of locking pages in memory is to increase the minimum working set size which, taken in moderation, has little noticeable effect on performance. The overall effects depend on the operating system and/or hardware implementations of virtual memory. Most Unix systems have a global page replacement policy in which a page fault may be satisfied by any page frame. A smaller number of operating systems use a local page replacement policy in which pages are allocated from a fixed (or occasionally dynamically variable) number of page frames allocated on a per-process basis. This makes them much more sensitive to the effects of locking pages, since every locked page decreases the (finite) number of pages available to the process. On the other hand it makes the system as a whole less sensitive to the effects of one process locking a large number of pages. The main effective difference between the two is that under a local replacement policy a process can only lock a small fixed number of pages without affecting other processes, whereas under a global replacement policy the number of pages a process can lock is determined on a system-wide basis and may be affected by other processes.

In practice neither of these allocation strategies seems to cause any real problems. Although any practical measurements are very difficult to perform since they vary wildly depending on the amount of physical memory present, paging strategy, operating system, and system load, in practice locking a dozen 1K regions of memory (which might be typical of a system on which a number of users are running programs such as mail encryption software) produced no noticeable performance degradation observable by system-monitoring tools. On machines such as network servers handling large numbers of secure connections (for example an HTTP server using SSL), the effects of locking large numbers of pages may be more noticeable.

7. Methods of Recovery for Data stored in Random-Access Memory


Contrary to conventional wisdom, "volatile" semiconductor memory does not entirely lose its contents when power is removed. Both static (SRAM) and dynamic (DRAM) memory retains some information on the data stored in it while power was still applied. SRAM is particularly susceptible to this problem, as storing the same data in it over a long period of time has the effect of altering the preferred power-up state to the state which was stored when power was removed. Older SRAM chips could often "remember" the previously held state for several days. In fact, it is possible to manufacture SRAM's which always have a certain state on power-up, but which can be overwritten later on - a kind of "writeable ROM".

DRAM can also "remember" the last stored state, but in a slightly different way. It isn't so much that the charge (in the sense of a voltage appearing across a capacitance) is retained by the RAM cells, but that the thin oxide which forms the storage capacitor dielectric is highly stressed by the applied field, or is not stressed by the field, so that the properties of the oxide change slightly depending on the state of the data. One thing that can cause a threshold shift in the RAM cells is ionic contamination of the cell(s) of interest, although such contamination is rarer now than it used to be because of robotic handling of the materials and because the purity of the chemicals used is greatly improved. However, even a perfect oxide is subject to having its properties changed by an applied field. When it comes to contaminants, sodium is the most common offender - it is found virtually everywhere, and is a fairly small (and therefore mobile) atom with a positive charge. In the presence of an electric field, it migrates towards the negative pole with a velocity which depends on temperature, the concentration of the sodium, the oxide quality, and the other impurities in the oxide such as dopants from the processing. If the electric field is zero and given enough time, this stress tends to dissipate eventually.

The stress on the cell is a cumulative effect, much like charging an RC circuit. If the data is applied for only a few milliseconds then there is very little "learning" of the cell, but if it is applied for hours then the cell will acquire a strong (relatively speaking) change in its threshold. The effects of the stress on the RAM cells can be measured using the built-in self test capabilities of the cells, which provide the ability to impress a weak voltage on a storage cell in order to measure its margin. Cells will show different margins depending on how much oxide stress has been present. Many DRAM's have undocumented test modes which allow some normal I/O pin to become the power supply for the RAM core when the special mode is active. These test modes are typically activated by running the RAM in a nonstandard configuration, so that a certain set of states which would not occur in a normally-functioning system has to be traversed to activate the mode. Manufacturers won't admit to such capabilities in their products because they don't want their customers using them and potentially rejecting devices which comply with their spec sheets, but have little margin beyond that.

A simple but somewhat destructive method to speed up the annihilation of stored bits in semiconductor memory is to heat it. Both DRAM's and SRAM's will lose their contents a lot more quickly at Tjunction = 140°C than they will at room temperature. Several hours at this temperature with no power applied will clear their contents sufficiently to make recovery difficult. Conversely, to extend the life of stored bits with the power removed, the temperature should be dropped below -60°C. Such cooling should lead to weeks, instead of hours or days, of data retention.

8. Erasure of Data stored in Random-Access Memory

Simply repeatedly overwriting the data held in DRAM with new data isn't nearly as effective as it is for magnetic media. The new data will begin stressing or relaxing the oxide as soon as it is written, and the oxide will immediately begin to take a "set" which will either reinforce the previous "set" or will weaken it. The greater the amount of time that new data has existed in the cell, the more the old stress is "diluted", and the less reliable the information extraction will be. Generally, the rates of change due to stress and relaxation are in the same order of magnitude. Thus, a few microseconds of storing the opposite data to the currently stored value will have little effect on the oxide. Ideally, the oxide should be exposed to as much stress at the highest feasible temperature and for as long as possible to get the greatest "erasure" of the data. Unfortunately if carried too far this has a rather detrimental effect on the life expectancy of the RAM.

Therefore the goal to aim for when sanitising memory is to store the data for as long as possible rather than trying to change it as often as possible. Conversely, storing the data for as short a time as possible will reduce the chances of it being "remembered" by the cell. Based on tests on DRAM cells, a storage time of one second causes such a small change in threshold that it probably isn't detectable. On the other hand, one minute is probably detectable, and 10 minutes is certainly detectable.

The most practical solution to the problem of DRAM data retention is therefore to constantly flip the bits in memory to ensure that a memory cell never holds a charge long enough for it to be "remembered". While not practical for general use, it is possible to do this for small amounts of very sensitive data such as encryption keys. This is particularly advisable where keys are stored in the same memory location for long periods of time and control access to large amounts of information, such as keys used for transparent encryption of files on disk drives. The bit-flipping also has the convenient side-effect of keeping the page containing the encryption keys at the top of the queue maintained by the system's paging mechanism, greatly reducing the chances of it being paged to disk at some point.
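The key bit-flipping described above, as an added example that is not part of the original paper: a Python key holder that complements its buffer in place on a timer, recovers the true value on demand, and tracks the longest time any cell held one value so the hold time can be checked against the one-second figure given earlier (the class and function names, the injectable clock and the 0.1 s interval are my assumptions; Python can only guarantee in-place rewriting of a bytearray, not control of the physical page, so a C implementation on a locked buffer is what a production version would use).

```python
import threading
import time


class FlippingKeyStore:
    """Hold a secret in a mutable buffer and complement every byte in place
    at a fixed interval, so no DRAM cell holds the same value for longer
    than that interval. The true value is recovered by undoing the complement.
    """

    def __init__(self, key, clock=time.monotonic):
        self._buf = bytearray(key)   # bytearray: the XOR below rewrites the same cells
        self._inverted = False       # True while the buffer holds the complement
        self._clock = clock          # injectable so hold times can be tested
        self._last_flip = clock()
        self._max_hold = 0.0         # longest time any cell kept one value
        self.flips = 0               # number of flips performed so far
        self._lock = threading.Lock()

    def flip(self):
        """Complement the buffer in place and record how long the old value stood."""
        with self._lock:
            now = self._clock()
            self._max_hold = max(self._max_hold, now - self._last_flip)
            self._last_flip = now
            for i in range(len(self._buf)):
                self._buf[i] ^= 0xFF
            self._inverted = not self._inverted
            self.flips += 1

    def key(self):
        """Return the true key as a short-lived copy (a C version would read
        the locked buffer directly instead of allocating a copy)."""
        with self._lock:
            if self._inverted:
                return bytes(b ^ 0xFF for b in self._buf)
            return bytes(self._buf)

    def raw(self):
        """The bytes physically in the buffer right now, for inspection."""
        with self._lock:
            return bytes(self._buf)

    def max_hold_seconds(self):
        """Longest period so far during which the cells held one value,
        including the period still running."""
        with self._lock:
            return max(self._max_hold, self._clock() - self._last_flip)

    def wipe(self):
        """Zero the buffer in place once the key is no longer needed."""
        with self._lock:
            for i in range(len(self._buf)):
                self._buf[i] = 0
            self._inverted = False


def start_flipper(store, interval, stop_event):
    """Call store.flip() every `interval` seconds in a background thread
    until stop_event is set; returns the thread."""
    def loop():
        while not stop_event.wait(interval):
            store.flip()
    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return thread


if __name__ == "__main__":
    # Constructed demo key; the paper's figures suggest keeping the hold time
    # well under a second, so a 0.1 s flip interval is used here.
    store = FlippingKeyStore(bytes(range(16)))
    stop = threading.Event()
    worker = start_flipper(store, 0.1, stop)
    time.sleep(0.55)
    stop.set()
    worker.join()
    print("key intact:", store.key() == bytes(range(16)))
    print("flips: %d, max hold: %.2f s" % (store.flips, store.max_hold_seconds()))
    store.wipe()
```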

9. Conclusion

Data overwritten once or twice may be recovered by subtracting what is expected to be read from a storage location from what is actually read. Data which is overwritten an arbitrarily large number of times can still be recovered provided that the new data isn't written to the same location as the original data (for magnetic media), or that the recovery attempt is carried out fairly soon after the new data was written (for RAM). For this reason it is effectively impossible to sanitise storage locations by simply overwriting them, no matter how many overwrite passes are made or what data patterns are written. However by using the relatively simple methods presented in this paper the task of an attacker can be made significantly more difficult, if not prohibitively expensive.


Acknowledgments

The author would like to thank Nigel Bree, Peter Fenwick, Andy Hospodor, Kevin Martinez, Colin Plumb, and Charles Preston for their advice and input during the preparation of this paper.

References

[1] "Emergency Destruction of Information Storing Media", M. Slusarczuk et al, Institute for Defense Analyses, December 1987.

[2] "A Guide to Understanding Data Remanence in Automated Information Systems", National Computer Security Centre, September 1991.

[3] "Detection of Digital Information from Erased Magnetic Disks", Venugopal Veeravalli, Masters thesis, Carnegie-Mellon University, 1987.

[4] "Magnetic force microscopy: General principles and application to longitudinal recording media", D. Rugar, H. Mamin, P. Guenther, S. Lambert, J. Stern, I. McFadyen, and T. Yogi, Journal of Applied Physics, Vol. 68, No. 3 (August 1990), p.1169.

[5] "Tunneling-stabilized Magnetic Force Microscopy of Bit Tracks on a Hard Disk", Paul Rice and John Moreland, IEEE Trans. on Magnetics, Vol. 27, No. 3 (May 1991), p.3452.

[6] "NanoTools: The Homebrew STM Page", Jim Rice, NanoTools: The Homebrew STM Page.

[7] "Magnetic Force Scanning Tunnelling Microscope Imaging of Overwritten Data", Romel Gomez, Amr Adly, Isaak Mayergoyz, Edward Burke, IEEE Trans. on Magnetics, Vol. 28, No. 5 (September 1992), p.3141.

[8] "Comparison of Magnetic Fields of Thin-Film Heads and Their Corresponding Patterns Using Magnetic Force Microscopy", Paul Rice, Bill Hallett, and John Moreland, IEEE Trans. on Magnetics, Vol. 30, No. 6 (November 1994), p.4248.

[9] "Computation of Magnetic Fields in Hysteretic Media", Amr Adly, Isaak Mayergoyz, Edward Burke, IEEE Trans. on Magnetics, Vol. 29, No. 6 (November 1993), p.2380.

[10] "Magnetic Force Microscopy Study of Edge Overwrite Characteristics in Thin Film Media", Jian-Gang Zhu, Yansheng Luo, and Juren Ding, IEEE Trans. on Magnetics, Vol. 30, No. 6 (November 1994), p.4242.

[11] "Microscopic Investigations of Overwritten Data", Romel Gomez, Edward Burke, Amr Adly, Isaak Mayergoyz, J. Gorczyca, Journal of Applied Physics, Vol. 73, No. 10 (May


[26] "Technology and Time-to-Market: The Two Go Hand-in-Hand", Quantum Corporation, 1995.

[27] "Basic Flaws in Internet Security and Commerce", Paul Gauthier, posting to comp.security.unix newsgroup, 9 October 1995, message-ID gauth [email protected] keley.edu.

[28] "cryptlib Free Encryption Library", Peter Gutmann, cryptlib.

Secure Deletion of Data from Magnetic and Solid-State Memory / Peter Gutmann / [email protected]

This paper was originally published in the Proceedings of The Sixth USENIX Security Symposium, July 22-25, 1996, San Jose, California, USA. Last changed: 10 Jan 2003 aw