Data Destruction Effiency

[Thunderkhoac4213]

BACKGROUND:

 

I work as a data destruction technician for a state government contractor and I figured this might be the best place to ask.

 

I work as a contractor for the Commonwealth of Pennsylvania and therefore I have to follow the policies set forth by the state.  What this boils down to, aside from the boiler plate "you're dealing with classified and private information, any unauthorized access will be punishable by law", is that I need to wipe disks in all kinds of form factors, and when I wipe them, they need to produce logs that show destruction verification.

 

Currently, my work uses Parted Magic, which works great, but seems to be a little slow or finicky with certain systems or brands of drives; for example, Lenovo ThinkPad systems all fail instantly wipes instantly; or Intel branded 2.5" SSDs will fail without any explanation. 

 

Systems are wiped natively (i.e., drives remain in their native systems as opposed to being removed and wiped in another system) until they can't be, at which point, those HDDs and SSDs meet my "test bench" which is: 

 

ASUS TUF B550

Ryzen 5

16GB DDR4 3200MHz RAM

~500W Thermaltake PSU

Aftermarket bifurcation board with 4x NVMe slots

 

In total, I can wipe about 12 storage drives (6-7 SATA III, 6 NVMe).

 

THE QUESTIONS

 

1. What form factors do I need to know about?

• I've come across SATA, M.2, mSATA, SAS, and IDE/PATA. Typically the last 3 FFs get marked as failed or otherwise set aside to degauss as a last-resort measure. 

 

2. What other parts can I add in to expand my wiping capacity? 

• I've seen PCIe X1 AIBs that can add SATA expansion
• Possibly X1 AIBs that add a single or dual slot NVMe

3. Can I find reliable adapters? I.E., I need to be able to convert everything to a SATA or NVMe adapter

 

4. Is there other software that would perform similarly or better than Parted Magic but still produce the information I need to submit for wipe verification?

 

5. Is there hardware, tools, or other toys in general that would increase quality of life? Not necessities, but nice-to-haves, like a HDD backplane with SATA connections

 

Thanks in advance for your advice

[IkeaGnome]

2 minutes ago, Thunderkhoac4213 said:

other toys in general that would increase quality of life?

[Electronics Wizardy]

Are you selling the drives? Are you reusing them internally? If not, just destroy them. Wiping is just a waste of time.

 

For SSDS, you should be able to use the secure erase command, take a handful of seconds on many drives. There are tools that should let you do this easily.

 

This feels like a work with your team, look at NIST documents, rather than some random people online.

[Crunchy Dragon]

SATA and/or SAS HBA(specifically HBA, not a RAID card) would definitely help you a little bit, it sounds like. As far as NVMe goes, PCIe cards definitely exist for that.

 

Unless the drives absolutely need to be reused, I generally tend to err on the side of destruction, in which case a drill tends to work quite nicely for HDDs.

 

SATA, SAS, and M.2 are pretty much the only form factors you'll likely be encountering. U.2 NVMe is probably the rarest you'll ever encounter, and I'd honestly be a little surprised to see mSATA still kicking around. IDE makes a lot of sense for government work, though.

 

If you're able to say, what kind of specific logs do you need to produce in order to verify destruction?

[Thunderkhoac4213]

12 minutes ago, Electronics Wizardy said:

Are you selling the drives? Are you reusing them internally? If not, just destroy them. Wiping is just a waste of time.

 

For SSDS, you should be able to use the secure erase command, take a handful of seconds on many drives. There are tools that should let you do this easily.

 

This feels like a work with your team, look at NIST documents, rather than some random people online.

From what I understand of our process (very broadly), we install new systems, de-install old ones, and hold them until we're given authorization to wipe them. 

 

Depending on our contracts with the agencies, some systems are kept until we find a buyer; most of the time, they're sent to the Department of General Services to be resold/auctioned.

 

Part of our services contract is data destruction (wiping) and verification.

 

I understand the requirements, it's a matter of how can I do more/faster because we get hundreds of not thousands of systems back per week, and I'm the only member of my "team". The other techs are deployment only or otherwise preoccupied with imaging or other warehouse tasks. 

 

If it were up to me, I probably would be using the degausser on all of them. 

18 minutes ago, Crunchy Dragon said:

SATA and/or SAS HBA(specifically HBA, not a RAID card) would definitely help you a little bit, it sounds like. As far as NVMe goes, PCIe cards definitely exist for that.

 

Unless the drives absolutely need to be reused, I generally tend to err on the side of destruction, in which case a drill tends to work quite nicely for HDDs.

 

SATA, SAS, and M.2 are pretty much the only form factors you'll likely be encountering. U.2 NVMe is probably the rarest you'll ever encounter, and I'd honestly be a little surprised to see mSATA still kicking around. IDE makes a lot of sense for government work, though.

 

If you're able to say, what kind of specific logs do you need to produce in order to verify destruction?

 

From what my manager told me, they need to have both the system and HDD serial numbers, as well as level of verification (we use a 2019 version of PM that verifies to 100% but 2023 version only seems to verify to 10%).

 

I've come across a handful of mSATA (is micro SATA different? I had a drive about half the size of a 2.5 SSD and no one at my warehouse could recognize the connection until I googled the model type), as well as SAS drives from stuff like Dell PowerEdges. We even had a QNAP NAS come in the other day.

 

For the most part, we only get SATA and M.2 coming in, but on occasion we'll get systems coming back that still have windows 95-Vista installed. Obviously, those are systems and storage devices. I'd love to be able to wipe them without having to resort to degaussing, since apparently doing so requires a lot of hoops to jump through. 

[Crunchy Dragon]

35 minutes ago, Thunderkhoac4213 said:

From what my manager told me, they need to have both the system and HDD serial numbers, as well as level of verification (we use a 2019 version of PM that verifies to 100% but 2023 version only seems to verify to 10%).

Sounds like just a couple lines of text written on a paper to me. Destruction is easily 100% verifiable, haha.

 

36 minutes ago, Thunderkhoac4213 said:

I've come across a handful of mSATA (is micro SATA different? I had a drive about half the size of a 2.5 SSD and no one at my warehouse could recognize the connection until I googled the model type), as well as SAS drives from stuff like Dell PowerEdges. We even had a QNAP NAS come in the other day.

Micro SATA is different -- mSATA predated M.2, and is a slightly similar connector:

mSATA is the top connector in this picture, microSATA is outlined in red, normal SATA is obviously on the bottom.

 

M.2 SATA vs mSATA:

 

[NewMaxx]

There are set standards for data destruction including multiple categories/types. Aside from that, Parted Magic works but there are open source solutions. With Linux you can boot and use nvme-cli to sanitize NVMe drives, for example. Secure erase/sanitize is also available in SCSI, read Micron's white paper on this for clarification. mSATA follows SATA so isn't especially difficult with an adapter. This command also has an IDE (ATA) analogue. However, SSDs and HDDs are treated differently in some respects. As for other options for software, well, there's full-on boot packages you can grab (like Hiren's) and you can use Ventoy in combination for an array of utilities, although "recognition" of the devices may require specific things. Verification is more complex. I'm not sure what Parted Magic is doing but as per Micron's document, you cannot interrupt the SE command until it completes (it will continue if repowered). PM I guess uses Disk Verifier but correct me if I'm wrong.

[kokosnh]

3 hours ago, Electronics Wizardy said:

 

For SSDS, you should be able to use the secure erase command, take a handful of seconds on many drives. There are tools that should let you do this easily.

 

Secure erase not always works. It can even falsely give you confirmation that it's wiped, when it's not. You have to check it manually after, to be sure, as it’s reasonable the most effective process ( as erasing in different manner, like rewriting data, can leave some partie of data behind )

SMR HDDs are similar pain.

 

just a reminder of how we just can't trust the manufacturer, just like with sed SSD, or hardware encryption acceleration. 

 

but that should be Irrelevant as NewMaxx already said, there are standards you should be complaying for data destruction. You can't reasonable accelerate the process. The only thing you can do is use HBA to Connect more drives at the same time ( and only if program support it ). Or build second test bench, if license isn't a problem