Scrubbing Drives for CSU Surplus
A text file by Zube (zube@stat.colostate.edu)
Created: Oct 29, 2004
Updated: Dec 18, 2005
http://www.stat.colostate.edu/~zube/csusurplus.txt

Prologue

One day while dreaming about the space I could recover if I just sent
in my surplus forms, I was contacted by a nice person in another
department. I was told that there were new rules regarding the
surplusing of disks with respect to their sanitation; that is, they
have to be wiped. I laughed. I had been wiping disks before it was cool
or, as it is now, required. Unfortunately, my laugh turned to a frown
when it became clear that everyone, including myself, is in for another
load of busy work.

This document is an attempt to put all of the sadness in one place so
that I can occasionally put in something happy or funny, like the word
'squid' or the fact that 'lukewarm slop' is a very useful phrase.

Q: What do I have to do?

A: a) wipe each disk to *at least* the DOD 5220.22-M standard.

   b) For each disk, write down the program used to do the wipe, the
      date, and the S/N of the disk. All this information must be on
      letterhead and it must be signed by the person who did the wiping.

Q: Why do I have to do this?

A: The wiping part is because it is the right thing to do. All disks
should be scrubbed before they leave your care, even those that "aren't
very important." One can be very surprised at what is on an unimportant
disk.

If you don't like that answer, then how about a regulation argument?
There is

   _Policy Number P-104A of the State of Colorado_

which is also denoted by the decidedly chewy title of:

   _Colorado Data Destruction Policy and Computer/Other Electronic
   Media End-of-Life Policy_

It requires at least DOD 5220.22-M and a bunch of bookkeeping.

Finally, if you don't like that answer, how about a $$$ one? If you
don't do this, the Surplus people will do it for you and charge you for
it.

Feel free to take up arms against a sea of troubles, if you like, but
this is where we are now.

Q: What programs are there for disk wiping?

A: The "standard" one is the DiskWipe program from the Software Cellar.
It's $22.xx and you can download with your EID after paying. It seems
to do the job most of the time, although the interface is, IMHO, klunky.

***
Known problems with DiskWipe:

The following disks show up as 0.00gb and DiskWipe cannot do anything
with them:

   Fujitsu M2624T (M262XT)
   Maxtor 7080AT
   Seagate ST9144A (laptop drive)
   Conner CFS420A
   Conner CP2124 (laptop drive)

The following disks do not show up when using DiskWipe:

   Quantum Bigfoot CY (6480AT)
   Imprimis 94181-702 (only one; a different one showed up fine)
   Seagate ST34342A 4.3gb, from a Sun Ultra 10
***

If you have a version of Symantec Ghost lying around, you might have
the gdisk program, the Symantec-enhanced version of fdisk. Something
like this does the trick:

   gdisk 1 /diskwipe /DOD

or

   gdisk 1 /diskwipe /custom:passes

where (passes = 7) may be equivalent to /DOD. I usually up the passes
to 35 because I'm paranoid.

My favorite program for wiping disks is Darik's Boot and Nuke (DBAN)
from dban.sourceforge.net. Using the PRNG stream with 8 rounds is
listed as "high security" and again, I up this to 35 when wiping. (It
has a variety of wiping procedures, including DOD wipe, but PRNG is
probably the best you can do). DBAN works very well on ATA/IDE disks
but still has some trouble on SCSI disks. The most common problem is
that the program quits after 1 round instead of completing the number
of rounds selected.

There is also a PowerPC version of DBAN. I haven't used it, but if you
do, let me know how it works.

Finally, please note that the DOD wipe is the *minimum* requirement. If
you are surplusing a disk with very sensitive data, additional passes
and/or a better method may be in order.

Q: Is there a way of retrieving the Serial Number of the disk without
taking the computer apart?

A: An excellent question.
When I asked Roger Marshall about this, he told me to do a Google
Search for the IBM/Hitachi Drive Fitness Test. I did that and found
version 3.77 here:

   http://www.hitachigst.com/hdd/support/download.htm

(The program sees ATA/IDE drives, but couldn't do anything with a SCSI
drive attached to an Adaptec 21960N. I had to install a Symbios SCSI
card and choose the right drivers on bootup for it to see a Seagate
SCSI disk.)

Unfortunately, DFT doesn't work in the general case, meaning at all. I
tried four disks: two Quantum IDEs, one Seagate SCSI and one Fujitsu
SCSI. On the two Quantums, it correctly identified the last 8 digits of
the S/N listed on the label, but did not identify the first four. On
the Seagate, it got the last seven right, but changed the K on the
label to a 0. On the Fujitsu, it couldn't display anything.

Thus, it appears that the DFT may identify a subset of the S/N listed
on the disk label but it certainly doesn't inspire confidence. I asked
Mr. Marshall about this and he replied that the S/N on the label is
required, so the answer to this question is now 'No'. You must
physically get at the disk.

Q: What the heck is the DOD 5220.22-M standard anyway?

A: DOD 5220.22-M is a document. If you go looking for it, you'll find
that it deals mostly with not wiping disks. A clearer explanation of
what most people mean when they refer to this standard is found in the
DOD 5220.22-M Sup 1 of Feb 1995, found here:

   http://www.fas.org/sgp/library/nispom_sup.pdf

On page 8-5-2, you'll find this:

   To clear magnetic disks, overwrite all locations three (3) times
   (first time with a character, second time with its complement, and
   the third time with a random character.
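
The three-pass clear quoted above, together with the per-disk record
the first answer asks for, as an added example (Python; not part of the
original file and not how DiskWipe, gdisk or DBAN work internally).
Assumptions: the target is a disk image file or device node opened by
path, the first character is 0x55, the third pass writes a stream of
random bytes rather than one repeated character, and the function
names, program string and sample serial number are made up for
illustration.

```python
import datetime
import os
import tempfile

CHUNK = 1 << 20  # write and read back 1 MiB at a time


def _fill(fh, size, make_chunk):
    """Overwrite all `size` bytes with make_chunk(n) data and force it to the device."""
    fh.seek(0)
    for off in range(0, size, CHUNK):
        fh.write(make_chunk(min(CHUNK, size - off)))
    fh.flush()
    os.fsync(fh.fileno())


def _verify(fh, size, byte):
    """Read every location back and confirm it holds `byte`."""
    fh.seek(0)
    for off in range(0, size, CHUNK):
        n = min(CHUNK, size - off)
        if fh.read(n) != bytes([byte]) * n:
            return False
    return True


def three_pass_wipe(path, serial, char=0x55, program="three_pass_wipe (example)"):
    """Character, complement, random; returns the record to copy onto letterhead."""
    comp = char ^ 0xFF
    with open(path, "r+b") as fh:
        size = fh.seek(0, os.SEEK_END)
        for byte in (char, comp):
            _fill(fh, size, lambda n, b=byte: bytes([b]) * n)
            if not _verify(fh, size, byte):
                raise OSError("read-back mismatch after pass 0x%02X" % byte)
        _fill(fh, size, os.urandom)  # assumption: random stream for pass 3
    return {"program": program, "date": datetime.date.today().isoformat(),
            "serial": serial, "bytes": size,
            "passes": ["0x%02X" % char, "0x%02X" % comp, "random"]}


def demo():
    """Constructed sample: a small image file with a marker string, wiped in place."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"PAYROLL-2004 squid " * 160000)  # constructed data, 3,040,000 bytes
    record = three_pass_wipe(tmp.name, serial="SAMPLE-SN-0001")  # S/N read off the label
    with open(tmp.name, "rb") as fh:
        leftover = b"PAYROLL-2004" in fh.read()
    os.unlink(tmp.name)
    return record, leftover
```

Pointed at a whole-disk device node on Linux instead of an image file,
it needs root, and it only overwrites locations the drive still exposes,
not sectors the drive has remapped.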