
How to safely erase data under Windows

CSO Online | Oct 2, 2019

BitLocker and self-encrypting hard drives can make it easier to erase data so that it cannot be recovered. This is how the “crypto-erase” method works.

This is Susan Bradley for CSO Online.

So the other day was electronic waste day at my office, and quite frankly I used the good old-fashioned hammer to destroy the hard drives. But obviously that doesn't scale in all locations. Over 10 years ago Microsoft listed the 10 laws of security, and law number three states that if the bad guy has unrestricted physical access to your computer, it's not your computer anymore. These days the same is true if they have unrestricted access to those hard drives. So when you're getting rid of any electronic equipment (computers, scanners, printers, phones), think of all of the digital information that's stored on those and how you can destroy that electronic information before you recycle it or get rid of it. The National Institute of Standards and Technology actually has guidance in Special Publication 800-88 that talks about what you need to do. You have a couple of options. There are some third-party tools you can use to erase and sanitize drives. Now in this sample I'm actually just erasing the recycle bin, and there's some sensitive information there that I don't want out. We can choose what level of wipe we want to do.

We can do U.S. Army. I even want to shred the previous versions.

In the era of BitLocker and self-encrypting hard drives, knowing whether the data was added to the drive before or after encryption means you can make a single change that renders the entire drive unreadable. In the case of self-encrypting hard drives, you can change the existing password, that is the data encryption key, and the data is no longer readable. This process is called crypto-erase, and it's been approved by ISO and NIST as an acceptable data sanitization method. In order to use it, make sure you test the process to ensure that you can't recover that data.

Now note there have been some recent changes regarding BitLocker and how it handles encryption. Back in November last year there was some information about researchers that did some research into self-encrypting hard drives. The researchers at Radboud University found some solid-state drives that allowed an attacker to bypass the disk encryption feature and access the local data without even knowing the user-chosen disk encryption password. There were certain models, more in the consumer space, that provided self-encryption, and they found that these drives were actually able to be compromised. Now back when this issue came out in November, Microsoft actually recommended that you configure a group policy to force software encryption, then unencrypt drives and re-encrypt them to be safe. So now they've done one better in the recent September updates. In late September, what's called the D-week updates for Windows 10, specifically for Windows 10 1803, 1709, 1703 and 1607, actually changed how BitLocker is handled. As noted right down here, it changes the default setting for BitLocker when encrypting a self-encrypting hard drive. Now it defaults to using software encryption for newly encrypted drives. If you have an existing drive that's using the self-encrypting hard drive method, it won't change it.
But notice this is going forward: if you have any brand new self-encrypting hard drive from the manufacturer, BitLocker will instead use software encryption. So how do you know what kind of encryption you have, whether hardware or software? Well, if you put in the command manage-bde.exe -status from a command prompt, you can see right here where it says Encryption Method. If that has AES or some other listing there, that means it's software-based. If the word Hardware is there, it specifically then is tied to the hardware. So again, look for Encryption Method, and if it just says AES then you know it's the software method, not hardware.

The specific group policy you're looking for is under Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption. Under the setting Configure use of hardware-based encryption for fixed data drives, you want to choose Disabled. When it's set to Disabled, BitLocker cannot use hardware-based encryption and instead uses software-based encryption by default. Unfortunately, the only way to move data from a potentially hackable hardware drive encryption method to the more protected software-based one is to unencrypt, change the methodology that you used, and re-encrypt again. Obviously you want to plan on the proper encryption settings going forward, or test your SSD drives to make sure that they're doing the proper encryption.

But what happens when you move to the cloud and you no longer have control of that physical location? You then have to rely on statements, agreements and contracts. For example, in the Microsoft privacy statement they note in their privacy section that if you terminate a cloud subscription, Microsoft will store the customer data in a limited-function account for 90 days to give you time to extract the data or renew your subscription. During this period you'll get several warnings from Microsoft indicating that your data is about to be removed.
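To make the manage-bde.exe -status check described above repeatable across a fleet, here is an added PowerShell example (it is not code from the video): it parses the Encryption Method line for each volume and flags any volume that is still relying on the drive's hardware encryption. It assumes an elevated session on an English-language Windows, since it matches the English field names in the command's output.

```powershell
# Added example, not from the CSO Online video.
# Parse `manage-bde.exe -status` and report, per volume, whether BitLocker is
# using software AES (XTS-AES 128, AES 256, ...) or the SED's hardware encryption.
# Assumes: elevated prompt, manage-bde.exe on PATH, English output.

function Get-BitLockerEncryptionMode {
    $lines   = & manage-bde.exe -status 2>&1
    $results = @()
    $current = $null

    foreach ($line in $lines) {
        $text = [string]$line
        # Each volume section starts with a line such as "Volume C: [Label]".
        if ($text -match '^Volume\s+([A-Z]:)') {
            if ($current) { $results += $current }
            $current = [pscustomobject]@{
                DriveLetter      = $Matches[1]
                EncryptionMethod = 'None'
                IsHardware       = $false
            }
        }
        elseif ($current -and $text -match '^\s*Encryption Method:\s*(.+)$') {
            $current.EncryptionMethod = $Matches[1].Trim()
            # "Hardware Encryption - ..." means the drive firmware holds the key;
            # anything naming AES means BitLocker software encryption.
            $current.IsHardware = [bool]($current.EncryptionMethod -match 'Hardware')
        }
    }
    if ($current) { $results += $current }
    return $results
}

$modes = Get-BitLockerEncryptionMode
$modes | Format-Table -AutoSize

# Volumes listed here need the unencrypt / change policy / re-encrypt cycle.
$needsMigration = $modes | Where-Object { $_.IsHardware }
if ($needsMigration) {
    Write-Warning ("Hardware-encrypted volumes: " + ($needsMigration.DriveLetter -join ', '))
}
```

Run it again after the group policy change and re-encryption to confirm every volume now reports an AES method.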
After the retention period, Microsoft will disable that account and delete the customer data, including any backup copies. Microsoft, in their own data centers, follows the NIST guidelines for data destruction. What about Azure? What if we're doing a virtual machine in Azure? Remember there are lots more things to virtual machines than just the subscription itself. So you want to make sure that you go up to the Azure portal and not only remove the virtual machine but also think about the other things that you've left behind, for example network interfaces, public IP addresses, storage blobs, operating system disks and data disks. So you want to make sure you go through all of the places where you've stored data up in the cloud and make sure those are deleted as well. Always take the time to review where your data is located. Remember where it's stored, and make sure you delete all those locations. As always, don't forget to sign up for the TechTalk channel from IDG. Look for us on the YouTube channel. Until next time, this is Susan Bradley for CSO Online.
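The Azure clean-up step above (check for disks, network interfaces and public IP addresses left behind after a VM is removed) as an added PowerShell example, not code from the video. It assumes the Az module is installed and Connect-AzAccount has already been run; it only reports, it does not delete anything.

```powershell
# Added example, not from the CSO Online video.
# List Azure resources that commonly survive a VM deletion and still hold data
# or addresses: unattached managed disks, detached NICs, unassociated public IPs.
# Assumes: Az PowerShell module installed and an active Connect-AzAccount session.

function Get-AzOrphanedVmResources {
    param(
        # Optional: restrict the search to one resource group.
        [string]$ResourceGroupName
    )
    $scope = @{}
    if ($ResourceGroupName) { $scope.ResourceGroupName = $ResourceGroupName }

    # Managed disks (OS and data) still attached to a VM carry that VM's id in ManagedBy.
    $disks = Get-AzDisk @scope | Where-Object { -not $_.ManagedBy }
    # A NIC detached from its VM has an empty VirtualMachine reference.
    $nics  = Get-AzNetworkInterface @scope | Where-Object { -not $_.VirtualMachine }
    # A public IP not bound to any NIC or load balancer has no IpConfiguration.
    $pips  = Get-AzPublicIpAddress @scope | Where-Object { -not $_.IpConfiguration }

    foreach ($d in $disks) {
        [pscustomobject]@{ Type = 'Disk'; Name = $d.Name; ResourceGroup = $d.ResourceGroupName; Detail = "$($d.DiskSizeGB) GB" }
    }
    foreach ($n in $nics) {
        [pscustomobject]@{ Type = 'NetworkInterface'; Name = $n.Name; ResourceGroup = $n.ResourceGroupName; Detail = $n.Location }
    }
    foreach ($p in $pips) {
        [pscustomobject]@{ Type = 'PublicIp'; Name = $p.Name; ResourceGroup = $p.ResourceGroupName; Detail = $p.IpAddress }
    }
}

# Review the list, then remove each item deliberately (Remove-AzDisk, Remove-AzNetworkInterface,
# Remove-AzPublicIpAddress). Unmanaged VHD blobs in storage accounts are not covered here
# and need to be checked in the storage account separately.
Get-AzOrphanedVmResources | Sort-Object Type, Name | Format-Table -AutoSize
```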