CS406: Information Security

Overview

• Data remanence is the residual representation of data that has been in some way been nominally erased or removed. This residue may be due to data being left intact by a nominal delete operation, or through physical properties of the storage medium.
• Data remanence may make inadvertent disclosure of sensitive information possible, should the storage media be released into an uncontrolled environment.

Countermeasures

• Classes of Countermeasures
  • Clearing
    • Clearing is the removal of sensitive data from storage devices in such a way that there is assurance, proportional to the sensitivity of the data, that the data may not be reconstructed using normal system functions. The data may still be recoverable, but not without unusual effort.
    • Clearing is typically considered an administrative protection against accidental disclosure within an organization. For example, before a floppy disk is re-used within an organization, its contents may be cleared to prevent their accidental disclosure to the next user.
  • Purging
    • Purging or sanitizing is the removal of sensitive data from a system or storage device with the intent that the data can not be reconstructed by any known technique.
    • Purging is generally done before releasing media outside of control, such as before discarding old media, or moving media to a computer with different security requirements.
• Methods to Countermeasure
  • Overwriting
    • A common method used to counter data remanence is to overwrite the storage medium with new data. This is often called wiping or shredding a file or disk. Because such methods can often be implemented in software alone and may be able to selectively target only part of a medium, it is a popular, low-cost option for some applications.
    • The simplest overwrite technique writes the same data everywhere—often just a pattern of all zeros. At a minimum, this will prevent the data from being retrieved simply by reading from the medium again and, thus, is often used for clearing.
  • Degaussing
    • Degaussing is the removal or reduction of a magnetic field. Applied to magnetic media, degaussing may purge an entire media element quickly and effectively. A device, called a degausser, designed for the media being erased, is used.
    • Degaussing often renders hard disks inoperable, as it erases low-level formatting which is only done at the factory, during manufacture. Degaussed floppy disks can generally be reformatted and reused.
  • Encryption
    • Encrypting data before it is stored on the medium may mitigate concerns about data remanence. If the decryption key is strong and carefully controlled (i.e., not itself subject to data remanence), it may effectively make any data on the medium unrecoverable. Even if the key is stored on the medium, it may prove easier or quicker to overwrite just the key, vs the entire disk.
    • Encryption may be done on a file-by-file basis, or on the whole disk.
  • Physical destruction
    • Physical destruction of the data storage medium is generally considered the most certain way to counter data remanence, although also at the highest cost. Not only is the process generally time-consuming and cumbersome, it obviously renders the media unusable. Further, with the high recording densities of modern media, even a small media fragment may contain large amounts of data.
    • Specific destruction techniques include:
      • Physically breaking the media apart, by grinding, shredding, etc.
      • Incinerating
      • Phase transition (i.e., liquification or vaporization of a solid disk)
      • Application of corrosive chemicals, such as acids, to recording surfaces
      • For magnetic media, raising its temperature above the Curie point