How to safely erase data under Windows

This is Susan Bradley for CSO Online. So the other day was electronic waste day at my office, and quite frankly I used the good old-fashioned hammer to destroy the hard drives. But obviously that doesn't scale in all locations. Over 10 years ago Microsoft listed its 10 Immutable Laws of Security, and law number three states that if the bad guy has unrestricted physical access to your computer, it's not your computer anymore. These days the same holds if they have unrestricted access to those hard drives. So when you're getting rid of any electronic equipment (computers, scanners, printers, phones), think of all of the digital information that is stored on those devices and how you can destroy that information before you recycle the equipment or otherwise get rid of it. The National Institute of Standards and Technology has guidance on this in Special Publication 800-88, which spells out what you need to do. You have a couple of options. There are third-party tools you can use to erase and sanitize drives.
Now in this sample I'm actually just erasing the recycle bin, because there's some sensitive information in there that I don't want out. We can choose what level of overwrite we want to do; we can do the U.S. Army standard, and I want to even shred the previous versions.

In the era of BitLocker and self-encrypting drives, knowing whether the data was written to the drive before or after encryption was turned on tells you whether one change can make the entire drive unreadable. With a self-encrypting drive you can have the drive replace its data encryption key (the key the drive itself uses to encrypt the data, as distinct from the user password that merely unlocks that key), and the data that was written under the old key is no longer readable. This process is called cryptographic erase, and both ISO and NIST accept it as a data sanitization method. In order to use it, make sure you test the process to ensure that you can't recover that data afterwards.

Now note there have been some recent changes regarding BitLocker and how it handles encryption.
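Before getting to those BitLocker changes, here is the crypto erase idea above as a working model, written for this page as an added example in PowerShell (it is not code from the transcript or from any drive vendor). A real self-encrypting drive keeps this key hierarchy in firmware and you trigger the erase with the vendor's or TCG Opal erase/revert command; the drive here lives in memory, and the function and variable names (New-SelfEncryptingDrive, Invoke-CryptoErase, $dek, the sample sector contents) are assumptions made for the demo. What it shows is the difference between changing the password, which re-wraps the same data encryption key, and a crypto erase, which discards it, and it ends with the check Susan recommends: try to read the data back and confirm that you cannot.

```powershell
# Added example, not from the transcript: an in-memory model of a self-encrypting
# drive's key hierarchy (password -> key-encryption key -> data-encryption key -> data).
using namespace System.Security.Cryptography
using namespace System.Text

function New-RandomBytes([int]$Count) {
    $b = [byte[]]::new($Count); [RandomNumberGenerator]::Create().GetBytes($b); return ,$b
}

# AES-256-CBC with a random IV, then HMAC-SHA256 over IV+ciphertext (encrypt-then-MAC),
# so a wrong key is detected deterministically instead of via a padding error.
function Protect-Bytes([byte[]]$Key, [byte[]]$Plain) {
    $aes = [Aes]::Create(); $aes.Key = $Key; $aes.GenerateIV()
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $body = [byte[]]($aes.IV + $ct)
    return ,([byte[]]($body + [HMACSHA256]::new($Key).ComputeHash($body)))
}
function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {   # $null when the key is wrong
    $body = [byte[]]$Blob[0..($Blob.Length - 33)]
    $mac  = [byte[]]$Blob[($Blob.Length - 32)..($Blob.Length - 1)]
    $want = [HMACSHA256]::new($Key).ComputeHash($body)
    if ([BitConverter]::ToString($mac) -ne [BitConverter]::ToString($want)) { return $null }
    $aes = [Aes]::Create(); $aes.Key = $Key; $aes.IV = [byte[]]$body[0..15]
    $ct  = [byte[]]$body[16..($body.Length - 1)]
    return ,$aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
}

# Key-encryption key (KEK) derived from the user's password with PBKDF2. The password
# only ever protects the wrapped DEK; it never touches the data directly.
function Get-Kek([string]$Password, [byte[]]$Salt) {
    return ,([Rfc2898DeriveBytes]::new($Password, $Salt, 200000).GetBytes(32))
}

# The "drive": a random data-encryption key (DEK) wrapped under the KEK, plus sectors
# holding ciphertext produced with the DEK. (Hypothetical model, not a drive API.)
function New-SelfEncryptingDrive([string]$Password) {
    $salt = New-RandomBytes 16
    $dek  = New-RandomBytes 32
    return @{ Salt = $salt; WrappedDek = Protect-Bytes (Get-Kek $Password $salt) $dek; Sectors = @() }
}
function Unlock-Drive($Drive, [string]$Password) {        # returns the DEK, or $null
    return Unprotect-Bytes (Get-Kek $Password $Drive.Salt) $Drive.WrappedDek
}
function Write-Drive($Drive, [byte[]]$Dek, [string]$Text) {
    $Drive.Sectors += ,(Protect-Bytes $Dek ([Encoding]::UTF8.GetBytes($Text)))
}
function Read-Drive($Drive, [byte[]]$Dek) {
    foreach ($s in $Drive.Sectors) {
        $p = Unprotect-Bytes $Dek $s
        if ($null -eq $p) { '<unreadable>' } else { [Encoding]::UTF8.GetString($p) }
    }
}

# A password change re-wraps the SAME DEK: data stays readable, and anyone who already
# holds the old wrapped key plus the old password still holds the DEK.
function Set-DrivePassword($Drive, [string]$Old, [string]$New) {
    $dek = Unlock-Drive $Drive $Old
    if ($null -eq $dek) { throw 'wrong password' }
    $Drive.WrappedDek = Protect-Bytes (Get-Kek $New $Drive.Salt) $dek
}

# A crypto erase discards the DEK and mints a new one. Every sector already on the
# drive was written under the old DEK, which now exists nowhere, so that ciphertext is
# unrecoverable even to the legitimate owner.
function Invoke-CryptoErase($Drive, [string]$NewPassword) {
    $Drive.Salt       = New-RandomBytes 16
    $newDek           = New-RandomBytes 32
    $Drive.WrappedDek = Protect-Bytes (Get-Kek $NewPassword $Drive.Salt) $newDek
    return $newDek
}

# Constructed walk-through (sample strings are made up; nothing touches a real disk).
$drive = New-SelfEncryptingDrive 'hunter2'
$dek   = Unlock-Drive $drive 'hunter2'
Write-Drive $drive $dek 'Q3 payroll export'
Write-Drive $drive $dek 'customer SSN list'
$image = $drive.Clone()      # an attacker images the drive: sectors plus wrapped key

Set-DrivePassword $drive 'hunter2' 'correct horse battery staple'
"After a password change, the owner with the new password reads:"
Read-Drive $drive (Unlock-Drive $drive 'correct horse battery staple')
"...and the attacker's earlier image with the OLD password still reads:"
Read-Drive $image (Unlock-Drive $image 'hunter2')

$ownerDek = Invoke-CryptoErase $drive 'correct horse battery staple'
"After crypto erase, even the owner holding the current DEK reads:"
Read-Drive $drive $ownerDek      # every sector comes back as <unreadable>
```

The last Read-Drive call is the verification step: after the erase, the only key that exists cannot authenticate a single old sector, which is the property you want to confirm on a real drive before it leaves your hands. Note what the model also makes visible: an image taken before the erase is untouched by it, so crypto erase sanitizes the medium you are disposing of, not copies that were already taken.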
Now back in November last year there was some information about esearchers that did some
research into cellphone encrypting hard drives. The researchers at Radboud University found
some solid state drives that allowed an attacker to bypass the disk encryption feature and
access the local data without even knowing the user chosen disk encryption password.
There were certain models more in the consumer space that provided self encrypting. They
found that these drives were actually able to be compromised. Now back when this issue
came out in November Microsoft actually recommended that you can figure a group policy to force
software encryption, then unencrypt drives and reencrypt them to be safe. So now they’ve
done one better in the recent September Updates. In late September what’s called the D week
updates for Windows 10 specifically for Windows 10 1803, 1709 , 1703 and 1607. They’ve actually
changed how bit locker is handled. As noted right down here changes the default setting
for bit locker when encrypting a self encrypting hard drive. Now they default to to use software
encryption for newly encrypted drives. If you have an existing drive that’s using the
self encrypting hard drive method it won’t change it. But notice this is going forward
if you have any brand new self encrypting hard drive from the manufacturer bit Locker
will instead use software. So how do you know what kind of encryption you have whether hardware
or software. Well if you put in the command from a command prompt manage-bde.exe -status
you can see right here where it says encryption method. If that has AES or some other listing
there. That means its software based. If the word hardware is there it specifically then
is tied to the hardware. So again look for encryption method. And if it just is AES then
you know its software method not hardware. Specific group policy you’re looking for is
under computer configuration policies administrative templates windows components bit locker drive
encryption under the setting of configure use of hardware based encryption for fixed
data drives you want to choose the setting to disable. When it’s set to disable bit lockerr
cannot use hardware based encryption and instead uses software based encryption by default.
Unfortunate the only way to move data from a potentially hackable hardware drive encryption
method to the more protected software base is unencrypted. Change the methodology that
you used re encrypted again. Obviously you want to plan on the proper encryption settings
going forward or test your SSD drives to make sure that they’re doing the proper encryption.
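The check, the policy and the migration just described, as an added PowerShell example written for this page (not code from the transcript or from Microsoft). It assumes the BitLocker PowerShell module is present, which it is on Windows 10 Pro and Enterprise, and that OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption under HKLM\SOFTWARE\Policies\Microsoft\FVE are the registry values the three "Configure use of hardware-based encryption" policies write; verify those names against your ADMX before relying on them.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the transcript: audit BitLocker volumes for hardware (SED)
# encryption, pin the policy to software encryption, and migrate any volume that is
# still on hardware encryption. The registry value names are an assumption taken
# from the BitLocker ADMX (OS = operating system, FDV = fixed data, RDV = removable).

# 1. Audit. EncryptionMethod is Aes128/Aes256/XtsAes128/XtsAes256 for software
#    encryption and Hardware when the drive's own engine is used; this is the same
#    field that manage-bde -status prints as "Encryption Method".
function Get-HardwareEncryptedVolumes {
    Get-BitLockerVolume | Where-Object { $_.EncryptionMethod -eq 'Hardware' }
}
Get-BitLockerVolume |
    Format-Table MountPoint, VolumeType, VolumeStatus, EncryptionMethod, ProtectionStatus -AutoSize

# 2. Policy. 0 = Disabled: BitLocker cannot use hardware-based encryption, so newly
#    encrypted drives get software encryption. On domain-joined machines set this
#    through Group Policy instead, or the next policy refresh overwrites the local value.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
    New-ItemProperty -Path $fve -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
}

# 3. Migrate. Neither the policy nor the update touches a volume that is already
#    hardware-encrypted; the only route is full decryption followed by re-encryption
#    with a software cipher. Decryption is slow and disk-bound, so poll until done.
function Move-VolumeToSoftwareEncryption {
    param([Parameter(Mandatory)][string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.EncryptionMethod -ne 'Hardware') {
        Write-Host "$MountPoint already uses $($vol.EncryptionMethod); nothing to do."
        return
    }
    # Record the recovery password before changing anything. In production escrow it
    # where your organisation keeps recovery keys rather than echoing it to the screen.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { Write-Host "Recovery password for ${MountPoint}: $($_.RecoveryPassword)" }

    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host "$MountPoint $($vol.VolumeStatus), $($vol.EncryptionPercentage)% still encrypted"
    } until ($vol.VolumeStatus -eq 'FullyDecrypted')

    # Re-encrypt with an explicit software cipher; the policy above also blocks Hardware.
    if ($vol.VolumeType -eq 'OperatingSystem') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    } else {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
    }
}

# Constructed run: migrate every volume that is still on hardware encryption.
Get-HardwareEncryptedVolumes | ForEach-Object { Move-VolumeToSoftwareEncryption -MountPoint $_.MountPoint }
```

Run the audit section alone first; it is read-only and tells you whether step 3 applies to any machine at all. Step 3 rewrites every allocated block on the volume twice, so schedule it, keep the device on mains power, and confirm the recovery password is escrowed before you start.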
But what happens when you move to the cloud and you no longer have control of that physical location? You then have to rely on statements, agreements and contracts. For example, in the Microsoft privacy statement they note, in their privacy section, that if you terminate a cloud subscription Microsoft will store the customer data in a limited-function account for 90 days to give you time to extract the data or renew your subscription. During this period you'll get several warnings from Microsoft indicating that your data is about to be removed. After the retention period Microsoft will disable that account and delete the customer data, including any backup copies. Microsoft, in its own data centers, follows the NIST guidelines for data destruction.

What about Azure? What about a virtual machine in Azure? Remember there's a lot more to a virtual machine than just the subscription itself. So you want to make sure that you go up to the Azure portal and not only remove the virtual machine but also think about the other things that you've left behind: for example network interfaces, public IP addresses, storage blobs, operating system disks and data disks. So you want to make sure you go through all of the places where you've stored data up in the cloud and make sure those are deleted as well. Always take the time to review where your data is located. Remember where it's stored. And make sure you delete all those
locations. As always, don't forget to sign up for the TechTalk channel from IDG. Look for us on the YouTube channel. Until next time. This is Susan Bradley for CSO Online.
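The Azure clean-up Susan describes (network interfaces, public IPs, disks and storage left behind after a VM is removed), as an added PowerShell example written for this page; it is not code from the transcript or from Microsoft. It assumes the Az PowerShell module and a signed-in context from Connect-AzAccount, and 'rg-finance-prod' is a placeholder resource group name.

```powershell
# Added example, not from the transcript: after Remove-AzVM, inventory a resource
# group, classify what the VM left behind, and remove it deliberately.
$rg = 'rg-finance-prod'   # placeholder resource group name

function Get-OrphanedVmResources([string]$ResourceGroupName) {
    [pscustomobject]@{
        # Managed OS and data disks survive a VM delete unless the VM's delete
        # option said otherwise; Unattached means no VM references them now.
        Disks     = Get-AzDisk -ResourceGroupName $ResourceGroupName |
                        Where-Object { $_.DiskState -eq 'Unattached' }
        # Snapshots are full copies of a disk's contents and are easy to forget.
        Snapshots = Get-AzSnapshot -ResourceGroupName $ResourceGroupName
        # A NIC with no VirtualMachine reference is no longer attached to anything.
        Nics      = Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName |
                        Where-Object { -not $_.VirtualMachine }
        # A public IP with no IpConfiguration is no longer bound to a NIC.
        PublicIps = Get-AzPublicIpAddress -ResourceGroupName $ResourceGroupName |
                        Where-Object { -not $_.IpConfiguration }
        # Storage accounts still hold unmanaged VHDs and boot-diagnostics blobs.
        Storage   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName
    }
}

# 1. Inventory: everything in the group that still exists (and is still billed).
Get-AzResource -ResourceGroupName $rg | Sort-Object ResourceType |
    Format-Table ResourceType, Name -AutoSize

# 2. Classify the leftovers and print them by kind.
$left = Get-OrphanedVmResources $rg
foreach ($kind in 'Disks', 'Snapshots', 'Nics', 'PublicIps', 'Storage') {
    "$kind left behind: " + (($left.$kind | ForEach-Object Name) -join ', ')
}

# 3. Remove compute and network leftovers. -WhatIf prints the plan; drop it once the
#    list above has been reviewed.
foreach ($d in $left.Disks)     { Remove-AzDisk -ResourceGroupName $rg -DiskName $d.Name -Force -WhatIf }
foreach ($s in $left.Snapshots) { Remove-AzSnapshot -ResourceGroupName $rg -SnapshotName $s.Name -Force -WhatIf }
foreach ($n in $left.Nics)      { Remove-AzNetworkInterface -ResourceGroupName $rg -Name $n.Name -Force -WhatIf }
foreach ($p in $left.PublicIps) { Remove-AzPublicIpAddress -ResourceGroupName $rg -Name $p.Name -Force -WhatIf }

# 4. Storage accounts are shared by design, so list their containers instead of
#    deleting the account; the VHD and diagnostics blobs get removed after review.
foreach ($sa in $left.Storage) {
    Get-AzStorageContainer -Context $sa.Context |
        Select-Object @{ n = 'Account'; e = { $sa.StorageAccountName } }, Name, LastModified
}
```

Disks are the item most often missed: a VM delete from the portal leaves the OS disk, and therefore everything that was on the machine, sitting as an Unattached managed disk that anyone with disk-level rights can attach elsewhere or export. Treat the Unattached list as data to be destroyed, not just cost to be trimmed.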