Cornell University Best Practices for Media Destruction

Post date: Feb 12, 2012 4:04:24 AM

Best Practices for Media Destruction

Media destruction, either physical or electronic, is intended to prevent data disclosure. Some ways data may be disclosed are:

    • Computers that are disposed of or sold without appropriate media destruction practices. (More information is available on this page. See Media Destruction Services or Information About Media Destruction if You Don't Use a Service.)
    • Hard drives returned to vendors as defective are frequently repaired and returned to service with data intact.
    • Disposed functional hard drives are a valuable commodity and present significant risk of data disclosure if not properly treated.

Drives that will not be reused should be physically destroyed. This page includes information about ano-fee Cornell service you can use or alternative methods for physical disposal. Even if the drive is to be reused it should be erased using one of the recommended tools or applications described below.

Different terms may be used to refer to disk or file erasure. Some common terms are disk wiping and secure deletion.

WHAT ARE THE STANDARDS FOR MEDIA DESTRUCTION?

    • DoD 5220.22: Functional drives should be overwritten 3 times prior to disposal or reuse.
    • NIST 800-88: Modern hard disks can defy conventional forensic recovery after a single wiping pass.

Note: As of 2001, ATA (thought not SCSI) drives support a secure-overwrite command that should eliminate all data on the drive much more rapidly than operating system-level utilities. Certain specialty hardware supports this.

WHAT IS THE SECURITY OFFICE RECOMMENDATION?

Our recommendation acknowledges the NIST document, but maintains consistency with other practices throughout higher-education and industry.

    • For drives that will be reused or disposed of in a functional state: use of a reputable erasure utility implementing DoD 5220.22. A 3-pass wipe of a large hard disk is time-intensive.
    • For drives that are defective, dead, or sufficiently unresponsive that they do not complete the 5220.22 wipe protocol: physical destruction prior to RMA or disposal.

DESTRUCTION PRACTICE BY MEDIA

MEDIA DESTRUCTION SERVICES

NO-FEE CORNELL SERVICE FOR MEDIA DESTRUCTION: R5

R5 Operations (Respect, Rethink, Reduce, Reuse, Recycle) will securely collect and arrange for the destruction of magnetic media, specifically hard drives, in addition to the systems/electronics they presently recycle. The items are sent to Sunnking, Inc. in Brockport, NY for dismantling and recycling. All hard drives from Cornell are 100% destroyed.

Items that can be picked up by R5 include: monitors, CPUs and hard drives, keyboards, circuit boards, cables, mice, printers, copiers, microwave ovens, televisions, cell phones, power cords, extension cords, power strips, answering machines, fax machines, typewriters, pagers, cameras, VCR/DVD/8-track players, CDs, remote controls, radios, and stereos.

There are no limits on the number of items that can be picked up.

This service is offered at no-fee and is intended to complement other secure destruction methods, not to replace existing practices or means currently in use. It is another option to comply with best practices in a secure, affordable, and convenient way. For more information or to arrange for pick-up, contact R5 Operations by email at: recycle@cornell.edu, or by phone: (607) 254-1666.

Note: The R5 service doesn't accept tapes (reel to reel, VHS, etc.). The following vendors provide secure shredding for tapes. (These vendors do charge a fee.)

    • Cintas: contact Tim Bentley at 716-773-7281
    • Shred-it: contact Brian Lee at 877-607-4733
    • Rogers Service Group: 607-797-7333

INFORMATION ABOUT MEDIA DESTRUCTION IF YOU DON'T USE A SERVICE

PHYSICAL DESTRUCTION

The objective of physical destruction is to badly warp or distort the platters, rendering the drive or any of its components inoperable. Recommended methods:

    • Drilling the drive in several locations perpendicular to the platters and penetrating clear through from top to bottom.
    • Hammering or crushing is equally effective but more labor intensive.

Destroying the logic section of the drive without damaging the platters is insufficient and not recommended.

DISK AND FILE ERASURE

Disk and File Erasure Software

The following utilities meet industry best practices for data sanitization on common read/write media including:

    • Hard disks
    • Floppy disks
    • USB drives

File Erasure Features in Applications

The following features included in application software meet industry best practices for data sanitization in individual files.

Hardware Erasure

    • For Drives That Will Be Reused: Wiebetech Drive eraser (http://weibetech.com/products/Drive_eRazer.php): Able to rapidly erase PATA/SATA hard drives using either multi-pass overwrite or the ATA-6 secure erase command. This device is for small to medium volume sanitization of operational drives.
    • For Drives That Will Not Be Reused: Where drive use is not possible or not desirable, magnetic media should be degaussed or mechanically shredded. The no-fee campus service described abovewill pick up your drives and securely dispose of them.
    • You can also use the self-service degausser hosted by Cornell Recycling. For more information, see the degausser page. About degaussing: Degaussing modern hard disks requires magnets capable of generating fields several orders of magnitude stronger than those required to blank audio and video tapes. As degaussing destroys hidden portions of the drive used for bad block recovery, drive head positioning, and other functions, drives subject to it will be nonfunctional. For these reasons, physical destruction is the preferred practice.

Note about solid state devices: USB thumb drives, compact flash, MMC/SD, and the like are unreliable in the face of disk wiping protocols. Multi-pass wiping is not technically relevant for solid-state devices. More importantly, solid-state storage has a very limited number of read/write cycles and is designed with considerable surplus. This surplus storage is used to relocate data away from failing data segments. Wipe utilities cannot guarantee that all originally allocated blocks have been wiped. Further, they cannot insure new data is properly committed to the device. If disposal is the ultimate goal, physical destruction is strongly recommended.