Tip

Secure data destruction using a bootable Windows CD

In my last post, I discussed the creation and use of a bootable Windows CD using the Ultimate Boot CD for Windows (UBCD). The disk provides an on-demand operating system that is both familiar and trusted (known-good and non-compromised), and is a flexible and useful tool that no IT worker should be without. Now let's look at the value of one specific data destruction tool that happens to be on that bootable CD: "Darik's Boot and Nuke", or DBAN.

A critical but often overlooked security issue is the data on hard drives when a computer is reassigned or discarded. Neither reinstalling Windows nor reformatting the drive will destroy the data on that drive. Combine this with the rather obvious fact that computers (technically, the hard drives) contain sensitive data, and we have a potential disaster.

If, for example, someone in human resources leaves the company, the computer and hard drive they leave behind are likely to contain personal information, such as Social Security numbers, salary figures and perhaps a list of people terminated for cause. If that computer is simply discarded, or sent for electronics recycling, that hard drive may end up on eBay or sent to a developing nation for reuse. That confidential data can then be recovered -- sometimes very easily -- by someone who would abuse it. If this scenario seems far-fetched, a little research will show you several examples of this exact scenario happening to sensitive information, including U.S. defense data and U.K. bank details.

Unless you physically destroy the hard drive(s) of every computer that is removed from service or transferred to a new person, you need to overwrite all of the data on that drive. Conveniently, DBAN is a simple-to-use disk erasure tool and, unlike the other tools on UBCD, DBAN is selected at boot time and does not require booting into Windows.

DBAN features a convenient 'autonuke' option, which will prompt you with a few defaults and, once accepted, will begin to erase the drive. Although the software can overwrite each sector of the disk multiple times (multiple-pass), for most non-governmental organizations, a single pass is sufficient. One pass is quicker than multiple, and the data will be gone for all practical purposes.
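An added example (not from the original article) illustrating the two claims above: a reformat leaves the data recoverable, while a single full overwrite pass removes it. The disk image, its one-sector "file table", the SSN-shaped record and all function names are constructed for the illustration; it models the idea on a file and is not DBAN's own code.

```python
import os, re, tempfile

SECTOR, CHUNK = 512, 64 * 512
SSN = re.compile(rb"\d{3}-\d{2}-\d{4}")   # SSN-shaped strings stand in for sensitive data
RECORD = b"SSN 000-12-3456 salary 50000"  # constructed record (area 000 is never issued)
RECORD_AT = 3 * CHUNK - 8                 # placed so the number straddles a read boundary

def make_image(path, sectors=2048):
    """Constructed toy disk: sector 0 is the 'file table', the rest is data."""
    with open(path, "wb") as f:
        f.write(b"TABLE:payroll.txt".ljust(SECTOR, b"\0"))
        f.write(b"\xaa" * (SECTOR * (sectors - 1)))
        f.seek(RECORD_AT)
        f.write(RECORD)

def quick_format(path):
    """Model of a reformat: only the file table is rewritten, data sectors stay."""
    with open(path, "r+b") as f:
        f.write(b"\0" * SECTOR)

def overwrite_pass(path):
    """One full pass: every byte of the image is overwritten with zeros."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, CHUNK):
            f.write(b"\0" * min(CHUNK, size - off))

def scan(path, pattern=SSN, overlap=32):
    """Offsets of pattern matches; chunks overlap so boundary-spanning hits are found."""
    hits, tail, base = set(), b"", 0
    with open(path, "rb") as f:
        while block := f.read(CHUNK):
            buf = tail + block
            hits.update(base - len(tail) + m.start() for m in pattern.finditer(buf))
            tail, base = buf[-overlap:], base + len(block)
    return sorted(hits)

def demo():
    """Scan the image as created, after a reformat, and after one overwrite pass."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        make_image(img)
        results = [scan(img)]
        for step in (quick_format, overwrite_pass):
            step(img)
            results.append(scan(img))
    return results

if __name__ == "__main__":
    print(demo())
```

The same `scan` idea, a pattern search over the raw image after the wipe, is a simple way to spot-check that an erasure actually covered the data area.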

To be explicitly clear -- DBAN and the steps I have described will completely and securely destroy, or erase, a hard drive. Absolutely all data on the hard drive will be overwritten by this tool: the operating system, documents and programs will be gone. If you only want to erase specific files or the unused (unallocated) portion of a drive, you need to use a different tool. There are many options to selectively erase files, both commercial and free. Eraser, which is also part of UBCD, is one such tool. Unlike DBAN, Eraser will not destroy everything on a drive, leaving the normal, allocated files alone.

More on secure data destruction

Review the concise tutorial on DBAN use for more details, and check out the Darik's Boot and Nuke website for available screenshots.

Lastly, there are numerous options for disk erasure programs, and it is probably worth your time to explore a few options. Most disk encryption tools include an erasure option, as do some antivirus suites. DBAN and Eraser, however, are quick, easy to use, free, and already included on that bootable Windows utility CD you've created.

Erasing those old hard drives, even when re-provisioning a computer for a new user, may seem like a lot of work, but it can save you, and your company, a lot of embarrassment and legal problems. If, for example, you re-provision a computer to a new user without erasing the data, the new user may have access to the prior user's information. That information could contain sensitive personal documents -- copies of paystubs, a mortgage application, or letters to a divorce lawyer. The unintentional distribution of this information on a re-positioned or discarded hard drive could pose legal risk to your company or could expose company secrets (such as the salary of every employee).

In my next post, I will discuss ways to protect sensitive data (perhaps when the sensitive computer is lost or stolen) using disk encryption.

About the author
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.


This was first published in January 2010
