Remove All Data from Workstations & Servers

1.0 Identification Data
1.1 BSP Number
00017
1.2 BSP Title/Name
Remove All Data from Workstations & Servers
1.3 Version Number
1.0
1.4 Adoption Date
April 25, 2001
1.5 Approving Authority
CIO Council Security Practices Subcommittee (SPS)
1.6 Responsible Organization
United States Agency for International Development (USAID), Bureau for Management, Information Resources Management (M/IRM), Information Systems Security Team
1.7 Level of BSP
Candidate
1.8 Security Processes or other Framework(s) Supported
Security Process Framework: SPF 2.6: Sanitize storage media

NIST Special Publication 800-14, Paragraph 3.4.6

1.9 Reserved
1.10 Points of Contact
Government BSP Owner:

Yes, post this contact information with the publicly accessible BSP.

  • James P. Craft, CISSP
    USAID Information Systems Security Officer
    Ronald Reagan Building
    1300 Pennsylvania Ave.
    Suite 2.12-032
    Washington DC 20523-2120
    Telephone No - 202-712-5460
    Fax No. - 202-712-3053
    E-mail – jcraft@usaid.gov
    Also: cassistance@usaid.gov

Vendor Partner:

Yes post this contact information with the publicly accessible BSP.

2.0 What This BSP Does
2.1 BSP's Purpose
This BSP describes how USAID removes all data, including sensitive but unclassified data, from PCs, workstations and servers that are being moved to a less secure environment, or to a new project with different need-to-know rules. This procedure has not been applied to National Security Classified (Top Secret, Secret, Confidential) data.

This procedure "sanitizes" the equipment. That is, it removes all data, including sensitive data in organized files and in unused disk space, in such a way that recovery will require highly sophisticated, expensive and time-consuming methods not available to most intruders. These procedures make treated equipment safe for reloading and use with unclassified or non-sensitive data in an insecure environment. They remove the need to destroy media that previously held sensitive files.

2.2 Requirements for this BSP
  • USAID Automated Directive System section ADS 545.3.2.4.t states: "The IT Specialist/ System Manager and designated Information System Security Officer (ISSO) must ensure that sensitive magnetic storage media used on Agency systems are not removed from U.S. Government controlled premises for maintenance, credit, or sale unless all information on the media has been sanitized. If a fixed disk (e.g., fixed disk, disk cartridge, or disk pack) cannot be returned to the vendor for credit, the IT Specialist/ System Manager must ensure appropriate security procedures are followed when returning the damaged disk to M/IRM for destruction. Sensitive magnetic storage media used on Agency systems must be overwritten using overwrite procedures approved by the ISSO for USAID or degaussed with a magnet approved by the ISSO for USAID."
  • Note: The parts of this Directive concerning storage media that cannot be properly overwritten or degaussed before leaving U.S. Government control are especially important. Regardless of current use, if a fixed disk has recorded sensitive information at any time in the past, it must either be overwritten using this procedure, degaussed using approved tools and procedures, or returned via trusted courier to the central M/IRM facility for destruction. An unsanitized disk should never be removed from Government controlled premises without proper authorization.
2.3 Success Stories
These procedures have been used to remove all traces of data from a variety of equipment being returned to service. Equipment includes servers and workstations running all the common operating environments, namely UNIX, Linux, Windows 9x and NT, and Banyan. All disks have been verified at the end of the sanitizing process and found to have no recoverable data.
3.0 What This BSP Is
3.1 Description of BSP
The procedures in this BSP have been used to treat workstations being removed from USAID-controlled premises to other, uncontrolled locations such as warehouses or transportation vehicles to distant missions. They ensure that no sensitive data are exposed to unauthorized agents while the equipment is beyond USAID control.
3.1.1 Inputs
  1. Disk hardware specifications for each type of equipment to be sanitized.
  2. Inventory of servers and workstations to be sanitized, identified by tag or serial number.
  3. Disk wiping tools and associated users’ manuals (see 4.4 Tools)
  4. Disk manufacturers’ standard base-level formatting utilities, for use in case the sanitizing procedure fails to access a partition with manufacturer-specific protections enabled. (see 4.4, Tools)
  5. Permission-to-sanitize document for each machine or group, signed by the responsible ISSO
3.1.2 Process
Use the following procedures if the target workstation or server might contain a remnant of information that no current users need or for which they have no active access authorization. After sanitization, the target machine will require complete reloading of the standard operating system and software applications suite prior to reassignment. The reloading operation is outside the scope of this BSP.

NOTE: After sanitizing, no normal disk rescue technique will be able to retrieve any data or programs on this device. Therefore it is important to review machine contents and remove all possibly useful data before sanitization takes place. The on-site ISSO should issue a permission-to-sanitize document for each machine, certifying that this review and removal have been done. After permission has been issued, perform the following steps.

  1. Ensure that machine identity on the sanitizing certificate matches identity tags on the subject machine. Initial the identity field on the certificate to show that you have made this check.
  2. Prepare bootable floppy disks as instructed by the sanitizing utility users’ manual. The sanitizing programs run in main memory, from floppy disks. Because they destroy all data on a hard drive, they cannot be run from the hard drive.
  3. Perform the steps in section 3.1.2.1 or 3.1.2.2, depending on the sanitizing tool in use, using the existing low-level partition formatting on the disk
  4. Verify that no data remain on the disk, using a text search utility such as DiskSearch32™ by New Technologies Incorporated™ or Norton DiskEditorTM by Symantec. Perform the steps in Sections 3.1.2.3 or 3.1.2.4 for this procedure. These utilities accesses the disk through the primitive functions in the BIOS and bypass logical volume or partition formatting, which the sanitizing operation has usually destroyed.
  5. If the text search utility finds no remaining data, proceed to Step 8. If the text search utility finds readable data, perform Steps 6 and 7.
  6. A readable data residue has been found after sanitizing. Using the disk manufacturer’s proprietary formatting utility, for example Seagate Seatools, reformat the disk at the lowest level. Set the formatter to remove all logical partitions, including those reserved for special functions such as Boot or Maintenance Sectors.
  7. Return to Step 3 and proceed as directed.
  8. When no residual data can be found, initial the permission-to-sanitize document, showing that the process is complete. Return the sanitized machine(s) to their owner(s) and collect a signed receipt for each, showing the machine inventory number(s), responsible owner(s) and date of return.
  9. Make a final report enclosing the permission-to-sanitize documents listing the machines sanitized and noting any abnormal events during the process.
  10. Attach signed return receipts to the final report, showing disposition of the sanitized machines.
3.1.2.1 Norton - WipeInfo:
The Norton WipeInfo utility is a component of Norton Disk Utilities, Release 4.0:
  1. Boot the computer from the A:\ disk drive in DOS mode.
  2. Insert the floppy disk with the WipeInfo utility, and ensure that A:\ is the current primary drive. Note: Booting from the A:\ drive should make it the primary device until changed via keyboard input. This step simply ensures that the machine is following standard rules.
  3. At the A:\> prompt, enter wipeinfo from the keyboard.
  4. WipeInfo signs on. At the Main Menu screen use the Tab key to select the Configure sub-menu.
  5. Using the Space Bar, select the Government Wipe option.
  6. Tab to the other settings on the Configure menu and confirm that WipeInfo is configured to overwrite 3 times for sensitive but unclassified data.
  7. Tab to the Save Settings option and use the Return key to select enter.
  8. Return to the Main Menu screen and select the Drives sub-menu.
  9. Use the Space Bar to highlight the drive to be cleaned (c:, d:, etc.). You will see a check mark by the drive once it is selected. (Note: Do this process for each drive present.)
  10. On the Drives sub-menu, confirm that the Wipe Entire Drive option is selected
  11. Select OK with the Enter key. This will return you to the Main Menu.
  12. On the Main Menu, confirm the process by selecting Wipe with the Enter key.
  13. Sanitizing of the selected hard drive proceeds. When the process completes, repeat steps 8 through 12 for each additional drive present.
  14. When all drives are sanitized, sign and date the sanitization certificate for the subject machine to show that the process has been done.
3.1.2.2 New Technologies Incorporated - ScrubTM
  1. Boot the computer in DOS mode.
  2. Insert the floppy disk with the Scrub utility.
  3. At the A:\> prompt, enter scrub /d:all/p:3/g Three is the standard number of passes for sensitive-but-unclassified data.
  4. When Scrub ends, sanitizing of the selected hard drive(s) is complete.
  5. Sign and date the sanitization certificate for the subject machine to show that the process has been done.
3.1.2.3 New Technologies Incorporated DiskSearch32™
This utility verifies that no readable data remain on the disk after the sanitize operation.
  1. Use a bootable floppy disk to boot the server or workstation in DOS mode. At the A:\> prompt, insert the DiskSearch32 utility disk.
  2. Type DS32 and press ENTER.
  3. At the licensing and version information screen, press the ENTER key to Continue or use the right arrow key to move to the Quit key.
  4. At the main menu screen, use the arrow keys to move between pull-down menus. Press ENTER to pull down a menu. From the Drive pull-down menu use the up/down arrow keys to select the drive you wish to search. Press ENTER to confirm the selection.
  5. From the Source pull-down menu select the "File" option. This selection directs DiskSearch32 to accept a keyword string from a floppy disk file and record results on another floppy disk file. Note: For this search, any readable ASCII character except the one selected for "fill" during the wipe operation is of concern. Presence of non-fill characters indicates that the wipe operation has missed part of the disk and will need to be repeated for the indicated sectors, after the disk has been reformatted at the lowest level.
  6. From the Options pull-down menu use the TAB key to highlight options and the ENTER key to toggle menu items on/off. Under the "Outputs" options, select the location where you want the text output to appear ("File" is recommended for most users). "Other options" allows you to select sound alarm features and "Skip System Area" allows you designate areas of the system that you want your search to bypass. The bypass feature will not operate on a disk that has no defined partitions. Tab to OK and press ENTER to set your configurations.
  7. When selecting the Begin pull-down menu, a prompt will appear asking you for the name and path of the keyword search file. At this point press ENTER and the default list will appear in the Search Definition Window, where you may edit the list or change the accuracy setting (the default setting is 100%). Do not set this value below 50%, because the search results become too vague and generic to provide useful output. If you have not created a keyword search list, you may do so at this time in the Search Definition Window. Make a list that includes the individual letters, (except for the letter used as the "fill" character, if that sanitization option has been chosen) numbers and commonly used special characters such as period, comma, backslash and parentheses. It is recommended that you give your search list an eight-character DOS text name that matches the name of the system that you are searching (e.g., A:\AFR.TXT). After creating a new list, tab to Save to disk and type the file and path name of the saved file at the prompt. (Remember to direct this file to the A-disk; the hard disk is not formatted for data.) Otherwise, tab to the OK button at the bottom of the window and press ENTER.
  8. A prompt for a search output file name and path will appear. Remove the DiskSearch32 utility disk from the floppy drive and insert the disk on which you are saving the search output files. Enter the file and path names of the search output file. Again, choose a name that matches the name of the drive or system being searched (e.g., A:\AFRSRVR1.TXT. Note: Search text output file names must differ from those of the associated search keyword list file names). Press ENTER to begin the search.
  9. The End-of-Search dialog box will appear when the search is complete. Press OK to end the search and return to the main menu. Since there are no other logical disk partitions to search, tab to the Quit pull-down menu and press ENTER to exit to the DOS prompt. Remove the search output text disk from the floppy drive.

NOTE: Search process will hang if output disk is removed while search is in progress. If the search output disk fills to capacity before search is complete, simply replace the disk and press OK to resume.

  1. Use the NotePad utility to see if there are any readable contents reported in the search output file. It should be empty when a sanitized disk has been searched. If it contains entries, repeat main procedure Step 6 until DiskSearch32 finds no readable characters on the sanitized disk. Note: Utility GREP32 may be used to scan for specific character strings in the search output file.
3.1.2.4 Symantec Norton DiskEditorTM
This utility verifies that no readable data remain on the disk after the sanitize operation.
  1. Reboot the target system in DOS mode. Insert the DiskEdit diskette into the system floppy drive.
  2. At the A:\> prompt, type diskedit. A dialog box will appear in front of the main menu screen informing you that the program is in "Read Only" mode and that you should got to the Configuration option of the Tools pull-down menu to enable the program in "Write" mode. Press OK with the ENTER key. Use the ESC key to exit a dialog box or option at any time in this program.
  3. At the main menu use the ALT key to access the pull-down menu bar. Proceed to the Tools menu (use the down-arrow key to open the menu) and select Configuration.
  4. Press the space bar to deselect the Read Only option. Tab down to the Save button and press ENTER. This will save your configuration update. Press OK when the message box informs you of the save.
  5. From the Object pull-down menu, select Drive. In the drive selection dialog box, select the drive to be inspected for data. Tab to the Type dialog box and use the space bar to select the Physical disks type. Tab to OK to save your selections.
  6. From the Object pull-down menu, select Physical Sector. Using your Search Text Output file as a reference, enter the following physical sector location data for the partition you wish to access and edit:
  • Cylinder [___]
  • Side [___]
  • Sector [___]

Toggle to the OK button and press ENTER. For the sector number you may wish to enter a value less than that listed on your Search Text Output in order to find the beginning of the data area.

  1. The sector you selected will probably appear as a hexadecimal display. To change this to readable text, go to the View pull-down menu and select the as Text option.
  2. You should see no readable text in this view. If readable text other than the optional fill character appears, exit DiskEditorTM and return to main procedure Step 6.
    Note: Norton DiskEditorTM has an optional sanitizing capability, which can be selectively applied to a particular file identified by its physical disk address parameters (Cylinder, Side and Sector values). This BSP does not use the sanitizing function.
  3. To select a new disk drive for inspection, return to the Drive option on the Object pull-down menu.
  4. When you have completed all desired inspection, select Exit from the Object menu. This will return you the DOS prompt.
3.1.3 Outputs
  1. Project after-action report, listing the machines treated and any deviations from the standard process.
  2. Signed permission certificates
  3. Sanitized machines or signed receipts for their return to owners.
3.2 Relationship to Other BSPs
A future BSP dealing with forensic investigation procedures will call for a disk sanitizing sub-procedure. This procedure may be used.

As other BSPs, for instance those dealing with procedures for accessibility controls and need-to-know rules, are added to the library, new relationships will be identified.

4.0 How To Use This BSP
4.1 Implementation Guidance
  • Caution: Be sure that all possibly useful data has been removed from the candidate machines before performing the sanitization process. Nothing intelligible will be left on the treated disk drives at the end of the procedure.
  • This process may be carried out either in a workshop or at a user’s desk. The required tools include a disk for the sanitizing utility and a container (envelope, clipboard, etc.) for the permission certificates. These are easier to carry than a group of workstations, but if there is another reason to clear the office space the sanitization may be done at a central location.
  • The existing workstation operating system does not matter to a sanitizing process. Sanitizing destroys all programs and data and a fresh software suite (disk format, file system, operating system and applications) must be loaded before the machine can be used again.
  • The New Technologies, Inc. Scrub utility is easier to use on machines equipped with more than one logical hard disk drive, when the task is to clear all data. One initiation sequence can specify that "all" drives must be sanitized, and the program proceeds from there. The Norton WipeInfo or DiskEdit utilities are preferable if only portions of a machine must be cleared.
  • Using batch script files can speed the job and reduce operator errors.
  • Depending on the accessibility of the workstations, doing several sanitizing operations in parallel can save time. A separate kit of floppy disks will be needed for each operation. The disks must remain installed in the subject workstations for the duration of the process.
4.2 Implementation Resource Estimates
4.2.1 Personnel
Contractor Technical Personnel:
  • Salvage data:One, Full Time (see NOTE)
  • Initiate sanitization operations:  One, Part Time.
  • Program run time:   See Section 4.2.2. Technician intervention is required as noted. Longer run times are associated with network file servers having multiple disks to be sanitized.
  • NOTE: The local ISSO must decide whether the contractor or a USAID staff person should perform the data salvage task.

Contractor QA Personnel: One, Part Time, 0.25 staff-hours (Verify technical approach, record keeping and results)

USAID Affected Organization: One, Part Time, 1 to 3 hours per workstation (if ISSO decides that a USAID staff person should salvage useful data)

USAID Office of Security: One, Part Time, 1 - 2 hours (designate workstations, prepare sanitization certificates, specify data to be salvaged)

USAID Facilities Management: One, Part Time, 0.5 – 1 hour (guide Contractor to selected workstations or gather workstations into the shop)

USAID IRM: One, Part Time, 0.5 hour (POC for Contractor)

4.2.2 Time
Total time requirements may vary depending on the volume of data to be salvaged from each workstation and the number of workstations treated in parallel. Times are given for one workstation.

Stage

Average Duration per Workstation

Preparation
  • Select workstations, prepare certificates: 0.3 hours.
  • Salvage useful data: 1 to 3 hours.
Execution
  • Operator starts sanitize utility: 0.25 hours.
  • Sanitize utility run time: 2 hours per drive.
Wrap Up
  • Gather certificates, prepare final report: 1 hour per task
  • Total staff time, 1.25 to 3.25 hours per workstation plus 1 hour for report
  • Total program run time, 2 to 9 hours per workstation
4.3 Performance Goals and Indicators (Metrics)
4.3.1 General Goal:
Assurance that equipment returned to service after processing sensitive but unclassified data will not compromise that data.
4.3.2 Performance Goal:
Ensure that sensitive but unclassified data no longer exists on target machines.
4.3.3 Performance Indicators:
  • Sanitized workstations are seen to have no useful data on their hard disk drives.
  • Technician reports that all procedures completed successfully.
  • Technician reports that one or more procedures terminated abnormally.
  • Time required to perform all procedures.
  • Quality Assurance review
4.4 Tools
The following software tools are capable of performing the sanitizing task.

The following software tools are capable of inspecting a newly sanitized hard disk drive to ensure that no readable data remains on it.

4.5 Training Materials
Not used
Appendices
A Executive Overview and Briefing
None available
B Reference List
None at this time
C Procurement Information
USAID has contracted for general IRM support with CSC under the Agency's Principal Resource for Information Management Enterprise-wide (PRIME) contract (GS00K96AJD0012) with FEDSIM. USAID obtains its information system security support from CSC under the PRIME contract using the Performance Work Statement (PWS) at AppendixC.doc

Norton Disk Utilities, Release 4.0, is available commercially. Norton DiskEditor is part of the SystemWorksTM utility suite.

Products from New Technologies, Inc. are listed in the General Services Administration catalog.

D Evaluation Information
Not yet evaluated
E Recommended Changes
None applicable
F Glossary
None applicable.