Journal of Digital Forensics, Security and Law

Volume 15 Number 1 Article 2

June 2020

An Evaluation Of Data Erasing Tools

Andrew Jones University of Suffolk, [email protected]

Isaac Afrifa University of Hertfordshire, [email protected]

Follow this and additional works at: https://commons.erau.edu/jdfsl

Part of the Computer Law Commons, and the Information Security Commons

Recommended Citation Jones, Andrew and Afrifa, Isaac (2020) "An Evaluation Of Data Erasing Tools," Journal of Digital Forensics, Security and Law: Vol. 15 : No. 1 , Article 2. DOI: https://doi.org/10.15394/jdfsl.2020.1615 Available at: https://commons.erau.edu/jdfsl/vol15/iss1/2

This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of (c)ADFSL Scholarly Commons. For more information, please contact [email protected]. Data Erasing Tools JDFSL V15N1

AN EVALUATION OF DATA ERASING TOOLS Isaac Afrifa1, Andrew Jones2 1 2Cyber Security Center, University of Hertfordshire 2Cyber Security CRC, Edith Cowan University [email protected] [email protected] ABSTRACT The permanent removal of data from media is a major area of concern mainly because of the misconception that once a file is deleted or storage media is formatted, it cannot be recovered. There has been the development of both commercial and freeware data erasing tools, which all claim complete file or disk erasure. This report analyzes the efficiency of a number of these tools in performing erasures on an electromechanical drive. It focuses on a selection of popular and modern erasing tools, taking into consideration their usability, claimed erasing standards, and whether they perform complete data erasure with the use of the Write Zero method.

Keywords: Data wiping, Write Zero, Data Erasing Tools

1. INTRODUCTION In another fairly recent incident, the Mir- ror (2017) also reported a massive data loss threat that involved a USB stick, which was Data in the 21st century has become an found in the streets of London, containing epitome of controversy due to the count- highly confidential information belonging to less occurrences of crimes associated with Heathrow Airport. The drive consisted of 76 data breaches and data loss. Most physi- unencrypted folders, which included precise cal drives that are used to store either cor- routes Her Majesty the Queen uses in the air- porate or personal data usually end up be- port, maps showing the tunnel networks and ing sold when they are no longer required, escape shafts linked to the Heathrow Express, stolen, or lost. Examples include a report by and many more. These pieces of information, Historycoalition.org (2009), that the US in the wrong hands, can be used in malicious National Archives and Records Administra- attacks. tion (NARA) reported the loss of an external hard drive from the NARA College Park fa- A significant question that is related to cility in Maryland. This hard drive contained data removal is, “Can data be completely copies of sensitive personal information such erased if no longer required?” The perception as names and social security numbers of indi- that non-technical individuals tend to have is viduals who may have worked or visited the that once a file is deleted from the recycle bin White House during Clinton’s Presidency. or a drive is formatted, and the data cannot

c 2020 JDFSL Page 1 JDFSL V15N1 Data Erasing Tools

be recovered. However, when the Recycle items are lost every second (Drolet, 2019). bin or Trash folder is emptied, the operating Corporate organizations are spending mil- system only removes pointers to the deleted lions of pounds to avoid data breaches and data. The information remains on the hard losses. The general public also had their fair disk until another file overwrites it. With the share of data loss due to the general lack of formatting of drives, if the ‘quick’ format is knowledge in relation to media sanitization. used, data is not removed as formatting only It is therefore essential to address the prob- reinitializes the file system of the drive, as lem of data erasure and help identify the best explained by Rothke (2009). Even with new and most easily accessible tools for media overwrites, some of the data might still be sanitization associated with storage devices recovered. This misconception has led to nu- notably hard drives, as they are considered as merous data breaches and loss of confidential one of the most commonly used primary stor- information to identity thieves and hackers. age devices to store confidential and sensitive The aim of this research was to examine information (Valli and Jones, 2005). some of the most popular and easily acces- sible data erasing tools and evaluate their 1.2 Project Phases efficiency based on their performance and The project started in February 2019 and ability to completely erase drives with the was carried out in 5 phases: Write Zero wiping method. The reasons for carrying out this study were that it had been • Literature review. This phase includes some time since a comparative study was car- an investigation of past and recent pa- ried out, and in the intervening period, new pers that relate to erasing of data on tools have become available and existing tools storage media devices, the known data have been updated. In view of this, standard erasing standards, and other notable top- experiments were conducted on an electrome- ics associated with data erasing; chanical hard disk using 8 data erasing tools, namely, Hard Wipe, Eraser, Macrorit Data • Research of Erasing Tools. This phase Wiper, Active KillDisk, Disk Wipe, Puran involves the study and investigation into Wipe Disk, Remo Drive Wipe, and Super free versions of data erasing tools that File Shredder. Solid state drives were not have the Write Zero method as one of the included in this research because, with the supported erasing standards. As a result, wear leveling algorithms that are in use and 8 tools were acquired and installed; the current state of the art, there is no scien- tifically proven method that can be used to • Creation of dataset for evaluation. This ascertain that all sectors of the storage me- phase consisted of the acquisition of dia have been accessed and overwritten. This different file types that were used as issue will be examined in future research. datasets for the research;

1.1 Motivation • Experimentation and Analysis. This With the surge in data related crimes, orga- phase involved the testing of all the nizations and individuals are investing heav- selected erasing tools and also exam- ily in keeping data safe and secure from un- ines their wiped disk images to enable wanted parties. Studies show that almost 5 the analysis of the results and included, million data items are reported missing or where relevant, an attempt to recover stolen worldwide every day, which implies 58 deleted data;

Page 2 c 2020 JDFSL Data Erasing Tools JDFSL V15N1

• Conclusion and Recommendations. In paper printouts, and Electronic or Soft Copy, this phase, the results of the analysis and which include hard drives, Random Access evaluation of the selected erasing tools Memory (RAM), Compact and Floppy Disks are documented. Recommendations of etc. The document further explained the dif- the top performing tools are also made ferent types of sanitization. It grouped sani- during this phase of the project. tization into four types, namely, Discarding, Clearing, Purging, and Destroying. Discard- ing involves getting rid of media without any 2. RELATED WORK sanitization method. The digital forensics area has witnessed a Discarding has consequences as reported plethora of contributions confirming and dis- in a news article by BBC (2019), where the proving major data concepts, and data era- medical records of patients, which had sen- sure is not an exception. Data storage has sitive information such as bank and contact immensely improved from the days of mag- details were found in an abandoned nursing netic tapes and floppy disks to the more cur- home in Hampshire. The second type of rent forms of storage devices such as flash sanitization, Clearing, entails high levels of drives, electromechanical hard drives, Solid- data destruction, which include overwriting State Drives (SSDs), and cloud storage. Most using hardware or software tools. Purging forms of storage, at the end of their lifecycles, is similar to Clearing and includes methods are sold, donated, or destroyed. such as Secure Erase and Degaussing. Lastly, Sahri et al. (2018) argued how fragile soft- destroying as the name implies involves physi- ware and hardware involved in data storage cally destroying media by shredding, melting, could be and estimated the lifespan to be disintegration etc. about five years. Other reports on the life Countless data wiping techniques, in the expectancy of data storage devices were pro- form of software or hardware, have been vided by (Brook, 2017), which highlighted adopted to aid in data erasure from storage that the lifespan of such devices depends on media devices. Companies and individuals a number of factors, including usage rates, tend to purchase or freely download eras- environmental factors, and manufacturing. ing tools to remove data on storage devices. In addition, (Brook, 2017) provided an esti- Sansurooah et al. (2013) revealed that the mated life expectancy for hard disks to be licensing of such data erasing tools, whether 3 to 5 years and flash storage devices to be freely available or commercial based, does not 5 to 10 years, depending on the number of reflect on their data wiping efficiency and fur- write cycles, meaning the more you delete ther recommended some free and commercial and write new data on the devices, the faster tools for secure data removal. the devices deteriorate. Martin and Jones (2011) argued in their The sanitization of media is of great im- paper, how inefficient some eraser tools can portance to both corporate organizations and be and further pointed out how some files af- individuals. The NIST SP 800-88 Guidelines ter supposed total wiping were still accessible to Media Sanitization by the National In- using recovery tools. stitute of Standards and Technology (2006) Similar to the recommendations of the addresses the need for adequate media saniti- NIST Guidelines to Media Sanitization zation and the impact it has, if not properly (2006), experts advise that one of the best conducted. The document categorizes media and safest ways to destroy data from stor- into two types; Hard Copy, which includes age devices is to destroy these devices phys-

c 2020 JDFSL Page 3 JDFSL V15N1 Data Erasing Tools

ically. According to (Veritysystems.com, fluid. This fluid contains ferro-particles 2017), smashing storage devices such as hard that associate most strongly with the drives with a hammer is a faster and more field vectors on the drive providing a direct method of getting rid of data. How- magnetization pattern. This is known ever, this method is considered wasteful and as “Bitter patterns” and maps to the costly, especially for private individuals, and magnetic field vectors. Depending on is not environmentally ‘friendly.’ the track density, either a high powered There are numerous software-based data optical microscope or a scanning elec- erasing standards currently being used. tron microscope (SEM) can be used to These include the Peter Gutmann’s Algo- observe the platters. This technique has rithm, Bruce Schneier’s Algorithm, the US become far less effective in recent times Department of Defense (DoD) 5220.22-M due to the increasing drive density. The standard, Secure Erase, Random Data, Write technique is invasive and will result in Zero, the Russian GOST R 50739-95, the Ger- the destruction of the drive platter. man VSITR method and the British HMG IS5, both Baseline and Enhanced. • Lorentz microscopy uses an electron One of the earliest erasing standards was beam that is fired at the drive platter. the Peter Gutmann Algorithm, proposed by Magnetic fields produce an effect known Peter Gutmann in 1996. Gutmann (1996) as the Lorentz force. This force deflects proposed an algorithm for erasing magnetic the electron beam. These deflections can media, which implements 35 overwrite passes, be measured using a Scanning Electron with the first and last four passes being ran- Microscope (SEM). The SEM will then dom data overwrites. However, Gutmann’s return the deflection pattern, which can algorithm is considered by most experts to be used to “map” the encoded drive im- be overkill and not relevant to modern drives. age. More recently, Transmission Elec- With the increasing size of storage media, tron Microscopes (TEM) have been used it is also impractical as the time taken to for this process. This is a slow process erase a drive would be considerable. Wright that is economically infeasible for use on et al. (2008) indicated that one overwrite is most modern hard drives. required for data wiping and that the mis- conception that recovery tools can retrieve • Magnetic Force Microscopy is a variety gigabytes of data from erased media drives of imaging techniques known as Scan- is unfounded. ning Probe Microscopy (SPM). This Several methods that were previously ex- technique uses an enormously fine (and amined in Wright et al., (2008) for the re- expensive to replace) point that is covery of data from electromagnetic disks, mounted on a flexible cantilever. This including the Bitter technique, Lorentz mi- tip “raster-scans” the drive platter fol- croscopy, and Magnetic Force Microscopy, lowing the magnetic force vectors. As were discounted as unachievable given the de- the reader is coated with a ferromagnetic velopments in data storage densities of mod- material, the field interactions attract or ern disks. For completeness these are detailed repel the tip. These movements are mea- below: sured through the cantilever, allowing an accurate map of the magnetization- • “The Bitter technique involves the coat- induced field to be produced. Magnetic ing of the platter with a thin film of ferro- Force scanning Tunnelling Microscopy

Page 4 c 2020 JDFSL Data Erasing Tools JDFSL V15N1

(MFSTM) is one form of MFM. This 3. EREASING TOOLS method uses the tunneling currents that are created through the movement of There are a large number of data erasing tools the probe to produce a two-dimensional available on the internet, either for free down- spatial map of the magnetic field coordi- load or under a commercial license. These nates. This map is used to decode the tools use the earlier stated erasing standards “bits” on the drive.” to wipe and dispose of data. It should be noted that the tools to be used in this re- search have been selected mainly because of their easy accessibility, free license, and their ability to use the write zero method. The Another popular erasing standard, the tools selected for the research are: DOD 5220.22-M, was developed by the US National Industrial Security Program (NISP). • Active @ KillDisk (https://killdisk. It involves the 3 passes, namely: writing 0’s com/eraser.html): This is produced and verify for Pass 1, writing 1’s and verify by LSoft Technologies Inc. This prod- for Pass 2, and for Pass 3; writing random uct has both free and commercial ver- characters and verify. There are other forms sions. Some of the limitations of the of DOD 5220.22-M, such as DoD 5220.22- freeware version are that: it only sup- M ECE, which has seven passes. Also, the ports only one pass zeros, no verification Random Data method, as the name implies, after erasing, no customization for cer- overwrites the drive sectors with pseudoran- tificates, and erase methods, and it is dom data in order to disrupt data recovery. limited to two parallel disk erases. Another widely-known erasing standard is the Write Zero standard, which is sometimes • Eraser (https://eraser.heidi.ie/): known as Single Overwrite or Zero-fill. It This is produced by Heidi Computers is an erasing standard that overwrites all and is free to use. The software erases sectors on the media with zeros in order to previously deleted data and supports any prevent data recovery (Disk-partition.com, drive that works with Windows. The lat- 2019). The Write Zero standard is one of est version of Eraser is 6.2.0. 2982 the fastest erasing standards, as discussed by and it allows users to specify file targets Sansurooah et al. (2013) in their paper “An to be erased. The free version only pro- Investigation Into The Efficiency Of Foren- vides the one pass zeros option, while sic Data Erasure Tools For Removable USB the paid version offers the options of the Flash Memory Storage Devices.” This is the DoD 5220.22.M 3 pass and 7 pass and standard that has been adopted for this re- Peter Gutmann’s Algorithms. search for the primary reason that it is pos- sible to examine a disk that has been ‘ze- • Disk Wipe (http://www.diskwipe. roed’ and have a level of confidence in the org/): This is a free and portable eras- results, whereas a disk that has been over- ing software for Windows. It supports written with pseudorandom characters would DoD 5220.22-M, Peter Gutmann’s be much more difficult and time consuming Algorithm, and other advanced erasing to analyze. A disk that has been ‘zeroed’ can standards. It can be used to erase USB also easily have the hash compared to the sticks, SD cards, and other portable original cleaned disk. memory devices.

c 2020 JDFSL Page 5 JDFSL V15N1 Data Erasing Tools

• Macrorit Data Wiper (https: It is a Windows compatible tool and //macrorit.com/): This is owned supports both 32-bit and 64-bit. The by Macrorit Inc and has both free and free version supports Write Zero, commercial software versions. Macrorit Random Data Overwrite, and the US Data Wipe supports Windows and DOD 5220.22-M. can also be used as bootable media It should be noted that two other erasing (Commercial version only). The free tools, namely, DBAN and CBL Data Shred- version supports SSDs and does not der, were reviewed but not included in the include adware, spyware, and malware. experiments. Even though these tools are • Super File Shredder (http: popular and easily accessible, there is a lack //www.kakasoft.com/): This is of technical support available, which implies owned by Kakasoft Software Company that they are no longer supported. No recent Limited and is a free data destruction updates were found for these tools. tool. It is compatible with Windows and Appendix A provides a visual summary of supports Write Zero, DoD 5220.22-M, the selected erasing tools, giving details such the Secure Erase algorithm with 7 as the name of the tool, the version number, passes, and Gutmann’s Algorithm. their licenses, the Operating System (OS) needed to run the tool, the size of the down- • Hard Wipe (https://www.hardwipe. loaded setup file, and other relevant features com/): This is licensed by Big Angry of the tools: Dog Ltd, is an erasing tool with both free and commercial versions. It supports 3.1 Evaluation Tools Windows and bootable media (commer- There are a number of tools that were used cial version only). The free edition of in the evaluation and analysis of the selected Hard Wipe does not support verification Data Erasers. These are detailed below: of each pass. The latest version is 5.2.1 • USB Write Blocker: This was used to and is a 64-bit only software. prevent the operating system from writ- • Puran Wipe Disk (http://www. ing to an attached device. This was used puransoftware.com/): This is owned in the creation and analysis of the image by Puran Software and is a free software of the wiped disk for analysis. utility. The latest version of this tool • WinHex Editor: This was used to ex- is 1.2. Puran Software also provides amine, view, and analyze the physical other utility suites under its commercial contents of disk images. license, such as a Registry Cleaner, a disk cleaner, a file recovery kit etc. • Autopsy: This is a forensic tool that Puran Wipe Disk is compatible with is used in examining and viewing hex, Windows and supports 1 pass, 3 passes, strings, and metadata of files. It is the and 7 passes. graphical interface to The Sleuth Kit and also used in providing search and • Remo Drive Wipe (https: data carving functions. //www.remosoftware.com/): This is licensed by Remo Software and has its • OSForensics: This is a forensic software latest software version as 2.0.0.25. It suite that performs similar functional- has both free and commercial versions. ities as Autopsy. It was used in the

Page 6 c 2020 JDFSL Data Erasing Tools JDFSL V15N1

creation of images of wiped disks during • Run tasklist1 to capture the memory and the experiments. CPU usage of the erasing tool;

• Command Prompt “tasklist /v”: this • Disconnect disk on completion of disk Windows CMD command was used to erasure; extract the CPU times and Memory Us- age of the various data erasing tools. • Reconnect the Hard disk using the Write blocker software; 3.2 Experimental Process The experiments were conducted on a Win- • Create an image of the erased disk; dows 10 workstation with 64-bit Operating System, 2.5 GHz i7 CPU, and an 8 GB RAM. • Import image of the erased disk for anal- The Hard Disk used in the data wiping ex- ysis, looking for details such as all zeros periments was an 80 GB 3.5” electromechan- patterns, customized software signatures ical SATA drive. In addition, a Virtual Box, and any other unusual data in the disk version 6.0.4, was used to run virtual work- sectors; stations. During each experiment, the Hard • Export and check the MD5 digests of the Disk was initialized using the Master Boot whole image and also any recovered files Record (MBR) partition style and New Tech- if found, comparing them to the original nology File System (NTFS) file system. In files; order to equally measure and evaluate each erasing tool, a known set of file types was • Analyze recovered files with Autopsy to copied onto the Hard disk for erasure. These carve fragments. are detailed below: The file types occupied approximately 9 GB of the disk. This was done to allow for 4. ANALYSIS OF excess space on the disk, which would be evaluated when viewing unallocated clusters TOOLS during the analysis of the various erasing The erasing tools were downloaded from their tools. In evaluating each erasing tool, for respective websites and installed. The anal- consistency, individual experiments were con- ysis of each tool conformed to the following ducted by following the processes listed be- template: low: • Review of claims made by the erasing • Use a hardware tool to wipe a disk in tool; which every sector was wiped with 0’s and from which an MD5 hash value was • Assess how informative and user friendly created; the tool is; • Copy data set files onto the wiped disk • Record the running time, CPU time and and compare the MD5 sums of the files Memory Usage of the tool; on the disk with their originals for veri- fication; 1The TASKLIST command is used to display a list of currently-running tasks and displays the process • Run the erasing tool using the single- ID number for each running task and the name of pass Write Zero method; the executable program that started the task.

c 2020 JDFSL Page 7 JDFSL V15N1 Data Erasing Tools

Figure 1. Summary of File Types used in the experiment

• Import wiped disk image to OSForensics, boasts support for Zero Overwrites, Random Autopsy and Win Hex for hash file com- Data, GOST R 50739-95, DOD 5220.22-M, parison and raw disk viewing at sector Schneier’s Algorithm, German VSITR, and level; Gutmann’s Algorithm. Hard Wipe claims permanent erasure of data on disks and other • Record outcome of disk analysis; portable storage devices. It integrates with the Windows file explorer, which allows users • Perform data recovery and carving from to right-click in order to gain access to the the wiped disk image if any artifacts software. The tool also has the facility for the found. cleaning of the recycle bin, page file, and free Below is the analysis of the data erasing tools: space. It has an informative and straightfor- ward user interface that is easy to navigate. 4.1 Hard Wipe In addition to the benefits of Hardwipe, the Hard Wipe for desktop is a popular eras- tool provides a log report that informs users ing tool that has a portable version, which of vital information such as I/O Errors that enables users to boot from a USB drive. How- occurred during wiping, failed items, and ever, this functionality is limited to the profes- whether there was a verification pass. One sional version. The free version of Hard Wipe disadvantage is that it contains an advertise-

Page 8 c 2020 JDFSL Data Erasing Tools JDFSL V15N1

ment panel, which is found in the window of line) is similar to the Write Zero method. the tool. Also, Hard Wipe does not allow the Also, Eraser permits a user to unlock locked wiping of an active running Windows drive. files for erasure and also replace erased files with user-selected folders or files. The down- 4.1.1 Analysis side of the tool is its high memory usage and During the analysis phase, the md5 checksum CPU time as compared to the other erasing of the image of the wiped disk corresponded tools. Another demerit is its inability to pro- with that of the baseline hardware-wiped disk, vide ample information during data wiping. 1b26c0e62b79f528793199a3d2de4034. This Lastly, it does not allow the wiping of an initial outcome suggested complete disk era- active running Windows drive. sure, but further analysis of the wiped disk was conducted to confirm this hypothesis. 4.2.1 Analysis The run time, CPU time, and memory usage Below are the details of the run time, CPU used by the tool in wiping the disk are shown time, and memory usage of the tool: Dur- below: ing disk analysis, it was found that the The wiped disk image, when viewed in md5 checksum of the wiped disk image was WinHex showed a total of 80,026,361,856 1e74a04dc99e2d938458047a942db2df, which bytes with every byte being 0’s, including the differed from that of the hardware-wiped disk, boot sector. This outcome implied that the 1b26c0e62b79f528793199a3d2de4034, and as disk was wiped completely. a result, warranted further examination. The Eraser-wiped disk image was analyzed, firstly 4.2 Eraser using WinHex to determine what accounted Eraser is a free, simple, and easy to use for the md5 checksum discrepancy. It was erasing tool that possesses many features. observed that the boot sector still contained It supports Windows XP (Service Pack 3), 512 bytes of data. Also, during the analy- Vista, Windows Server 2003 (Service Pack sis of the disk image with OSForensics, it 2), Server 2008, Server 2012, Server 2016, was discovered that there were data in the Windows 7, 8, and 10. Eraser is also re- last sector of the disk. This observation de- garded as a file eraser due to its ability to noted that Eraser did not wipe the FAT2 erase user-specified files and folders. It allows portion of the disk. The wiped disk image the erasure of the recycle bin, unused disk was subjected to data recovery and carving space, partitions, SSDs, and electromechan- using both OSForensics and Autopsy, which ical drives. It possesses the ability for data yielded no results. There was no evidence of erasure to be scheduled for a specified time Images, Videos, Audio, databases, archives, and provides users the option to set recurring and other deleted files. Indexes could not be data erasure either daily, weekly, or monthly. created using OSForensics due to the absence Eraser boasts supporting a variety of eras- of recovered file types from the image. ing standards namely: Pseudorandom data, British HMG IS5 (Baseline), British HMG 4.3 Macrorit Data Wiper IS5 (Enhanced), Russian GOST P50739-95, Macrorit Data Wiper is a data wiping soft- US Army AR380-19, DOD 5220.22-M (E), ware that has both free and commercial ver- DOD 5220.22-M (ECE), US Air Force 5020, sions and supports Windows XP, Vista, Win- Canadian RCMP TSSIT OPS-II, German dows Server 2003, 2008, 2012, Home Server VSITR, and Schneier’s Algorithm. It should 2011, Windows 7, 8, and 10. Macrorit Data be noted that the British HMG IS5 (Base- Wiper also supports bootable media, but this

c 2020 JDFSL Page 9 JDFSL V15N1 Data Erasing Tools

Figure 2. Run Time, CPU Time and Memory Usage of Hard Wipe

Figure 3. Run Time, CPU Time and Memory Usage of Eraser

is limited to the commercial version. The tem usage when the tool was run: The tool allows users to wipe the recycle bin, par- MD5 checksum of the wiped disk was titions, external drives such as USB flash 925860097154ed5eab45ec6724650a86, which drives and memory sticks, and entire hard did not correspond with that of the Hard- or Solid-State drives. Macrorit Data Wiper ware wiped disk. Further disk analyses were does not wipe optical storage media such as conducted in an attempt to determine the rea- compact disks, optical disks (DVD) etc., and sons for the discrepancy. Firstly, the wiped prescribes that these media should be physi- disk was viewed in WinHex to view the in- cally destroyed. Macrorit Data Wiper claims dividual sectors. WinHex showed that the permanent data erasure with no possibility boot sector contained data in the first 512 of recovery. It also boasts of high-speed drive bytes, and the rest of the sectors were ze- wipes and not using large amounts of system roed out. This implied that Macrorit Data resources. Macrorit Data Wiper supports Wiper ignored the first sector and started the following erasing standards: write zeros data sanitization afterward. (1 pass), pseudorandom data (1 pass), zero The hypothesis of Macrorit Data Wiper and one writes (2 passes), DoD 5220.22-M ignoring the first sector was confirmed again (3 passes), DoD 5220.28-STD (7 passes), and when the wiped disk was viewed using OS- the Gutmann’s Algorithm (35 passes). The Forensics’ Raw Disk Viewer. The rest of the tool has a very simple and uncomplicated sectors were filled with 0’s. User Interface. Another advantage of the Lastly, the wiped disk was imported into tool is that it provides users with a confir- Autopsy to confirm all files, including System mation window before data wiping. This is Volume was erased completely. The unallo- to prevent the erasure of wrong storage me- cated blocks did not produce any contents dia devices. Despite its advantages, Macrorit hence confirming the hard disk was wiped Data Wiper is unable to wipe the primary clean with the exception of the first 512 bytes. drive that has an active-running Windows OS installed. 4.4 Active KillDisk Active KillDisk is a feature-filled data san- 4.3.1 Analysis itization software that has a detailed and During the analysis phase, the erasing attractive user interface. It is a portable eras- tool showed a minimal number of CPU ing tool that provides complete data wiping cycles. Below are details of its sys- on electromechanical disks, solid-state drives,

Page 10 c 2020 JDFSL Data Erasing Tools JDFSL V15N1

Figure 4. Run Time, CPU Time and Memory Usage of Macrorit Data Wiper

USBs and Memory sticks etc. It has both 948685d2633821f0533fdfc3fbcc86da, which free and commercial versions with the free- was different from that of the hardware- ware version supporting Windows, MacOS, wiped disk image. Using WinHex, it was and bootable media. Active KillDisk boasts observed that all the sectors were zeroed, of parallel erasing where multiple drives can with the exception of the first 512 bytes. The be wiped simultaneously and independently. disk image was imported into OSForensics’ It also has its own “Disk Viewer”, for analysis Raw Disk Viewer To confirm that all of the of specified devices, its own “File Browser”, other sectors were 0’s and that disk erasure and the ability to wipe both unused drive started after the boot sector. The results clusters and slack space in file clusters. from OSForensics were similar to those of Active KillDisk provides users with the WinHex showing O’s in every sector apart option to customize the first sector with a from that of the boot sector. user-specified fingerprint or signature. In ad- dition, it provides a report and certificate 4.5 Disk Wipe of erasure, which comprises of notable infor- mation such as the duration and status of Disk Wipe is a free and portable data sani- erasure, and the erase method used. Lastly, tization tool licensed under a EULA license. Active KillDisk allows users to have control It is designed for personal use and supports of handling read/write errors by providing only the Windows Operating System. Disk options, including aborting entire disk era- Wipe claims permanent erasure of data on sure or aborting only failed items from group disk partitions and volumes and also erases processing. complete electromechanical hard disks and Even though Active KillDisk supports Solid-State Drives. It has an attractive and many erasing standards such as US DoD easy-to-use User Interface. Disk Wipe pro- 5220.22-M and British HMG IS5 Baseline, vides users the option to view contents of the free version is limited to only the One specified drives and also allows users to skip Pass Zero. some wizard pages such as the ‘File System’ page and ‘Confirmation’ page. 4.4.1 Analysis The tool supports seven erasing stan- The results from running the “tasklist /v” dards namely: One Pass Zeros, One command also showed an unfavorable quality Pass Random, Russian GOST P50739-95 in terms of its memory usage and showed (2 passes), British HMG IS5 (3 that it uses enormous amounts of memory as passes), DoD 5220.22-M(E) (3 passes), compared to the other erasing tools. Below DoD 5220.22-M(ECE) (7 passes) and are details of the run time, CPU Time and Gutmann’s Algorithm (35 passes). Memory Usage of the erasing tool: During the erasure of the disk using the It was found that the md5 check- One Pass Zero method, it was discovered sum of the wiped disk image was that Disk Wipe performs an extraneous and

c 2020 JDFSL Page 11 JDFSL V15N1 Data Erasing Tools

Figure 5. Run Time, CPU Time and Memory Usage of Active KillDisk

unneeded for wiping pattern (Secure Erase), 4.6.1 Anlysis which lengthens the run time of the tool. It was observed that the run time of Pu- ran Wipe Disk was similar to that of the 4.5.1 Analysis majority of the other tools being reviewed. It was observed that the run time of Disk It also had a fairly low CPU Time as com- Wipe was almost twice that of most erasing pared to the other erasing tools. Below are tools under review; this is due to the extra details of the run time, CPU Time and Mem- Secure Erase performed during the disk wip- ory Usage of the erasing tool: On analysis ing process. Below are details of the run time, of the disk image, it was discovered that CPU Time and Memory Usage of the erasing md5 checksum of the Puran Wipe Disk was tool: f73fc8a0f499c5f226d87543d24a351d, which did not match with that of the Hardware 4.6 Puran Wipe Disk image. The wiped image was then imported into WinHex to determine whether the boot Puran Wipe Disk is a data sanitization tool sector and the other sectors were completely which is produced by the Puran Software wiped. WinHex showed that the boot sec- group. It has both free and commercial soft- tor and the remaining space on the disk were ware versions with the free version intended wiped clean with all bytes being 0’s. OSForen- for personal and non-commercial use. It sup- sics also showed all the disk sectors, including ports only Windows OSs and is compatible the boot sector to be zeroed. The reason for with Windows XP, Vista, Windows Server the discrepancy in the md5 checksums could 2003, 2008, Windows 7, 8, and 10. Puran not be determined. Wipe Disk claims complete wiping of disks, The observation from the analysis per- including the file system and all free disk formed on Puran Wipe Disk confirmed com- space. It also supports the wiping of multi- plete disk erasure. ple disks simultaneously. The Puran Wipe Disk tool has a very simple and presentable 4.7 Remo Drive Wipe user interface and supports three data erasing Remo Drive Wipe is a Windows based eras- standards, namely: Write Zero, DoD 5220.22- ing tool that supports both 32-bit and 64-bit M, and Schneier’s Algorithm. However, the versions of Windows 10, 8, 7, Vista, XP as tool refers to the erasing standards differ- well as Windows 2003, 2008 and 2012. It ently as; 1 pass (faster and secure enough), 3 has both free and commercial licenses; both passes (slower and more secure), and 7 passes intended to completely wipe disks and logical (extremely secure and slow). drives. The tool supports 9 data sanitization The downside to using Puran Wipe Disk is standards, but the free version is limited to the tool’s inability to wipe an active running just three standards, namely: Fast Zero Over- Windows drive. It also does not provide a write, Random Overwrite, and the US DOD log report after completion of erasure. 5220.22-M . Remo Drive Wipe has a simple

Page 12 c 2020 JDFSL Data Erasing Tools JDFSL V15N1

Figure 6. Run Time, CPU Time and Memory Usage of Disk Wipe

Figure 7. Run Time, CPU Time and Memory Usage of Puran Wipe Disk

and attractive design, and it provides an in- Zero), DoD 5220.22-M, Secure Erasing Algo- formative user interface that makes it easy for rithm with 7 passes, and Gutmann’s Algo- users to navigate the software. The tool also rithm (35 passes). Super File Shredder has a provides users with a log report to provide simple and an easy-to-use user interface, as feedback after the completion of erasure. shown above. The erasing tool also integrates 4.7.1 Analysis with Windows Explorer, which allows users to right-click in order to gain access to the The observation made after the running of software. Remo Drive Wipe showed that the run time was longer as compared to most of the other 4.8.1 Analysis erasing tools under review. Below are the After the running of Super File Shredder, it run time, CPU Time and Memory Usage of was observed that the run time was similar to the erasing tool: that of most of the other tools under review. The md5 checksum of the disk im- Below are details of the run time and system age from this tool matched with that resource usage of the erasing tool: of the Hardware-wiped disk image - The md5 checksum of the wiped disk im- 1b26c0e62b79f528793199a3d2de4034. Anal- age, 4c0f90e5b4e87adc100fadd9fdf897f7, var- ysis with WinHex confirmed that all sectors, ied from that of the Hardware-wiped disk including the boot sector, wiped and over- image, and as a result, an additional, more written with 0’s. comprehensive analysis was undertaken. The wiped disk image was imported into 4.8 Super File Shredder WinHex, and it was observed that the boot Super File Shredder, as the name implies, is sector contained data. OSForensics also con- a file shredder that is used to destroy and firmed this hypothesis, which meant that Su- remove files from storage devices. It is a free per File Shredder did not wipe the boot sec- erasing tool that supports only the Windows tor. Interestingly, OSForensics recovered a OS and is compatible with Windows 2000, number of files from the disk image. The XP, 2003, Vista, Windows 7, 8, and 10. It Searched Indexes, which included pre-defined claims complete erasure of unwanted files, types such as emails and attachments, zip folders and free space on drives. and compressed archives, images, and text Super File Shredder supports 4 erasing files, produced 30 results. The results from standards, namely, Simple One Pass (Write the search included System Volume Infor-

c 2020 JDFSL Page 13 JDFSL V15N1 Data Erasing Tools

Figure 8. Run Time, CPU Time and Memory Usage of Remo Drive Wipe

Figure 9. Run Time, CPU Time and Memory Usage of Super File Shredder

mation files, $Extend files, $RECYCLE.BIN These recovered files, similar to the previously files, $LogFile , $MFT, $Volume, $Bitmap, recovered video file, had known filenames but and other NTFS metadata files. The System null metadata dates. Also, the md5 sums Volume Information folder comprised of In- of all the known recovered files were not the dexerVolumeGuid and WPSettings.dat files. same as those of the original files. The $Extend folder included the $TxfLog.blf Based on the analysis of the disk image, it file and other log files. Also, the $RECY- can be concluded that some files, even though CLE.BIN folder contained a desktop.ini file, having a size of 0 bytes, had valid filenames which is a Windows file that stores customiza- and could be recovered after erasure using tion details of folders (Computerhope.com, Super File Shredder. Super File Shredder 2018). also failed to erase a number of system files In attempts to recover more system files from the disk. and possibly known user files, the disk im- age was imported into Autopsy and scanned. 5. CONCLUSIONS Autopsy recovered 2035 Orphan files from un- The experiments conducted on each erasing allocated clusters, which had no data stored tool produced a range of results. Some tools in them but had valid modified, accessed, and completely wiped the entire disk, including created dates. the boot sector. Other tools also wiped the Autopsy also confirmed the results from disk but excluded the boot sector, and one OSForensics by showing the $Extend files, tool, while removing the content of a number $RECYCLE.BIN folder, and System Volume of files, still contained a number folder and Information files. In addition to the system file names. Appendix B gives a summary of files, Autopsy recovered four known direc- the analyses of the erasing tools under review. tories, but these directories had no files in There are several conclusions that can be them apart from one that had one known drawn from the analysis performed on the video file. The video file showed a known data erasing tools. First and foremost, the filename and type but had a size of 0 bytes successful and complete wiping of the disk by and null metadata dates. some of the erasing tools such as Hard Wipe Lastly, Autopsy recovered an additional and Puran Wipe Disk confirmed that the 30 PNG image files, two archive files, one write zero method is sufficient for disk era- office document file, and one database file. sure. Also, a single overwrite pass is enough

Page 14 c 2020 JDFSL Data Erasing Tools JDFSL V15N1

to completely wipe a disk as Wright et al. (2011). Sansurooah et al. (2013) concluded (2008) indicated in their paper, “Overwriting that free erasing tools could securely and per- Hard Drive Data: The Great Wiping Contro- manently erase storage devices. This theory versy”. Although one pass overwrite is not was confirmed in the outcome of the analysis necessarily sufficient to make any potential of tools such as Hard Wipe and Puran Wipe future recovery of the data infeasible, it is Disk, where the disks were wiped clean, and adequate for the cleaning of personal disks. no data was recovered. In the case of Martin It is advised that all erasing tools should have and Jones (2011), it was discussed that file verification after each pass they perform and erasers fail to erase some system generated that this should be displayed to users to pro- files. This hypothesis was confirmed when vide feedback on erasure. Super File Shredder, a well-known file eraser, Another conclusion derived from the anal- failed to completely wipe system files such ysis relates to the system resources of the as $Extend files and the $RECYCLE.BIN host machine. Based on the experiments folder. It was also deduced that the file eraser performed, it can be deduced that there is removed files but ignored some directories, no direct correlation between the system re- thereby keeping the file structure. sources (CPU time and Memory Usage) and the effectiveness of the erasure tool. 5.1 Recommendations It was observed that Active KillDisk had Based on the results of the various experi- the highest memory usage of 115 MB while ments, it can be recommended that for an Remo Drive Wipe had the highest CPU time effective and secure erasing of an entire disk, of 6 minutes 24 seconds. Hard Wipe, Remo Drive Wipe, and Puran In addition, it was concluded that some Wipe Disk should be considered. Complete erasing tools do not address the boot sector disk erasure means total wiping of the en- of the disk that is being erased and start the tire disk, which includes the boot sector. overwrites after the first sector. This can be The three previously mentioned erasing tools seen in tools such as Macrorit Data Wiper achieved this by wiping the entire disk com- and Active KillDisk. In this context, data pletely. found in the boot sector of a disk does not Secondly, file erasers should be avoided if infer that files, either user or system files, can the intention is to wipe an entire disk since be recovered or carved from the disk being they have the tendency of ignoring the file erased. system, some directory names, and system After compiling the summary of the analy- generated files. As a result, Super File Shred- sis, it was also observed that five of the eras- der was the least effective erasing tool that ing tools (i.e., Hard Wipe, Eraser, Macrorit was reviewed. The disk image wiped by Super Data Wiper, Active KillDisk, and Puran File Shredder still contained known directory Wipe Disk) had similar run times ranging names and even some known file names. This from 28 minutes 37 seconds to 28 minutes 51 can be detrimental to owners who want to seconds. This may suggest that these tools permanently erase unwanted traces of activ- use either an identical or very similar base ity from their storage device. code or algorithm in building their erasing Lastly, it is advised that users avoid data software. erasing tools that are obsolete and not being Lastly, the results of the analysis confirmed supported and updated. The reason behind some of the conclusions drawn by Sansurooah this recommendation is that outdated tools et al. (2013) and one by Martin and Jones no longer receive technical support, hence

c 2020 JDFSL Page 15 JDFSL V15N1 Data Erasing Tools

during instances where there are software Boot Record(MBR). This is because GUID errors and bugs, expert assistance cannot be drives use Unified Extensible Firmware In- consulted, and as new versions of operating terface (UEFI) BIOS, which supports more systems are brought into use, there is no than four partitions on a disk and also sup- guarantee that the tools will work effectively ports disk partitions that are larger than 2 on them. TB. GPT can support up to a maximum disk capacity of 9.4 ZB. As a result of using 5.2 Future Work the GUID partition style, a larger number of The area of the forensic analysis of data on files can be used as datasets, and also larger storage media is far from exhausted. From storage devices can be used in conducting ex- the analyses and experiments performed in periments. This will aid in checking if these this project, it is our hope that improvements popular erasing tools have a maximum stor- can be made to enhance testing in order age capacity they can wipe. to make more concrete conclusions and rec- ommendations. Future experiments will in- volve a number of adjustments, such as using 6. GLOSSARY other popular erasing standards, for example, • CPU Time: is the measure of how DoD 5220.22-M, pseudorandom data, and much CPU cycles have been used since Schneier’s Algorithm for disk wiping. This the start of a process (Intel, 2019). is to test if the recommended tools from this report perform equally well using other meth- • Degaussing: involves the introduction ods. of strong magnetic fields to a magnetic Secondly, future experiments in data eras- media in attempts to destroy the mag- ing will include a Solid-State Drive (SSD) netic components of the device (National in place of an electromechanical hard drive. Institute of Standards and Technology, The rationale behind this notion is because 2006). of the different ways these two types of stor- • GUID Partition Table: GUID stands age drives store data. SSDs store data on for Globally Unique Identifier, and it is a interconnected microchips and have wear lev- new disk partition architecture that acts elling software embedded while hard drives as an improvement of the MBR parti- store data on a rotating platter, which im- tion scheme because of its partition size plies there may be a need for different ways capacity and other advantages (Diskge- of wiping these two types of drives. Similar nius.com). tests performed in this research will be con- ducted to determine if SSDs can be easily • MBR: stands for Master Boot Record and completely erased, and the results ver- and is a type of boot sector stored in ified. In addition, future tests will include storage devices that holds information an assessment of the base codes of multiple on how to start the boot process (Fisher, erasing tools. This is because of the suspicion 2018). derived from the research in relation to the very similar run times of the reviewed tools • Media Sanitization: is the process and to determine if the erasing tools use a of ensuring confidentiality by effectively similar production code. erasing unwanted data from media Lastly, GUID Partition Table (GPT) will sources (National Institute of Standards be used as a partition style in place of Master and Technology, 2006).

Page 16 c 2020 JDFSL Data Erasing Tools JDFSL V15N1

• Orphan files: are deleted file items [3] Datasecurityinc.com. SSD vs. that still have their metadata in the file HHD. [online] Available at: http: system. //datasecurityinc.com/solid\ _state\_storage\_devices.html • System Volume Information: is a [Accessed 28 Apr. 2019]. hidden system location on computer par- titions that is used by the system’s repair [4] Diskgenius.com. MBR VS GPT, tools to save restore points and other which is the best choice for your related data of the computer system computer? . [online] Available at: (Verma, 2017). https://www.diskgenius.com/how- to/mbr-vs-gpt.php#03-2 [Accessed • $Bitmap: is a volume representation 28 Apr. 2019]. which indicates the clusters that are al- located (NTFS.com) [5] Disk-partition.com. (2019). How to Write Zeros to a Hard Drive • $LogFile: is a log file used by Effortlessly? . [online] Avail- NTFS in recovery after a system crash able at: https://www.disk- (NTFS.com). partition.com/articles/write- • $MFT: is a file that contains informa- zeros-to-hard-drive-8523.html tion of all files on the NTFS volume [Accessed 17 Apr. 2019]. (NTFS.com). [6] Diskwipe.org. Disk Wipe - Free soft- • $TxfLog.blf: TxF stands for Transac- ware. [online] Available at: http://www. tional NTFS, and it is a temporary log diskwipe.org/ [Accessed 8 Mar. 2019]. file used in backing up transactions to [7] Eraser. Eraser – Secure Erase Files prevent sudden crashes. from Hard Drives. [online] Available at: https://eraser.heidi.ie/ [Accessed • $Volume: is a file that stores volume 8 Mar. 2019]. details such as volume version, flags, and labels (NTFS.com). [8] Fisher, T. (2019). 40 Free Programs to Completely Wipe Data From Hard REFERENCES Drives. [online] Lifewire. Available at: https://www.lifewire.com/free- [1] Brook, M. (2017). Data storage lifes- data-destruction-software- pans: how long will media really programs-2626174 [Accessed 7 Mar. last? - Media Releases - CIO. [online] 2019]. CIO. Available at: https://www.cio. com.au/mediareleases/29049/data- [9] Fisher, T. (2018). Data Sanitiza- storage-lifespans-how-long-will- tion Methods: Everything You Need media-really/ [Accessed 8 Mar. 2019]. to Know. [online] Lifewire. Available at: https://www.lifewire.com/data- [2] Computerhope.com. (2018). What is sanitization-methods-2626133 [Ac- the Windows desktop.ini file and can cessed 8 Mar. 2019]. I delete it? . [online] Available at: https://www.computerhope.com/ [10] Fisher, T. (2018). What’s an MBR issues/ch001060.html [Accessed 25 and How to You Repair MBR Prob- Apr. 2019]. lems? . [online] Lifewire. Available at:

c 2020 JDFSL Page 17 JDFSL V15N1 Data Erasing Tools

https://www.lifewire.com/what-is- at: https://ro.ecu.edu.au/adf/ [Ac- a-master-boot-record-mbr-2625936 cessed 8 Mar. 2019]. [Accessed 30 Apr. 2019]. [18] Moore, B. (2019). Medical records left [11] Gutmann, P. (1996). Secure Deletion in abandoned nursing home. [online] of Data from Magnetic and Solid-State BBC News. Available at: https:// Memory. In: The Sixth USENIX Secu- www.bbc.co.uk/news/av/uk-england- rity Symposium. hampshire-47860424/thousands-of- patient-files-left-in-westbury- [12] Hardwipe.com. Hardwipe - Data Sani- house-nursing-home?intlink\ tization Security Toolset. [online] Avail- _from\_url=https\%3A\%2F\%2Fwww. able at: https://www.hardwipe.com/ bbc.co.uk\%2Fnews\%2Ftopics\ [Accessed 8 Mar. 2019]. %2Fc0ele42740rt\%2Fdata- [13] Historycoalition.org. (2009). NARA breaches&link\_location=live- Provides Update on Missing Clinton reporting-map [Accessed 18 Apr. Hard Drive – National Coalition 2019]. For History. [online] Available at: [19] National Institute of Standards and http://historycoalition.org/ Technology (2006). NIST SP 800- 2009/07/24/nara-provides-update- 88, Guidelines for Media Santifization. on-missing-clinton-hard-drive/ Gaithersburg, Maryland: U.S. Govern- [Accessed 7 Mar. 2019]. ment Printing Office. [14] Kakasoft.com. Kakasoft: USB Security, Copy protection, File/Folder Locking [20] NTFS.com. NTFS System Files. [online] Software. [online] Available at: http:// Available at: http://www.ntfs.com/ www.kakasoft.com/ [Accessed 19 Apr. ntfs-system-files.htm [Accessed 25 2019]. Apr. 2019].

[15] Killdisk.com. How to erase hard drive [21] Puransoftware.com. Puran Software - by Active@ KillDisk? Disk Eraser, Quality First. [online] Available at: Disk Wiper, Disk Format Disk San- http://www.puransoftware.com/ [Ac- itizer. [online] Available at: https:// cessed 19 Apr. 2019]. killdisk.com/eraser.html [Accessed 8 Mar. 2019]. [22] Remosoftware.com. Remo Software - Tools to Recover, Repair, Erase, Man- [16] Macrorit.com. Permanently Erase Data age Optimize Data. [online] Available at: with Free Data Wiper. [online] Avail- https://www.remosoftware.com/ [Ac- able at: https://macrorit.com/free- cessed 19 Mar. 2019]. data-wiper.html [Accessed 8 Mar. 2019]. [23] Rothke, B. (2009). Why Informa- tion Must Be Destroyed, Part [17] Martin, T. and Jones, A. (2011). An Two. [online] CSO Online. Avail- evaluation of data erasing tools. In: 9th able at: https://www.csoonline.com/ Australian Digital Forensics Conference. article/2123985/why-information- [online] Perth Western Australia: Edith must-be-destroyed--part-two.html Cowan University, pp.85-92. Available [Accessed 18 Apr. 2019].

Page 18 c 2020 JDFSL Data Erasing Tools JDFSL V15N1

[24] Sahri, M., Huda Sheikh Abdulah, S., [29] Veritysystems.com. (2017). What is Firham Efendy Md. Senan, M., Yu- the best way to destroy a hard drive? sof, N., Zarina Binti Zainal Abidin, N., | VS Security. [online] Available at: Bin Shaiful Azam, N. and Josalmin https://www.veritysystems.com/ Bin Tajul Ariffin, T. (2018). The Ef- uk/news-blog/what-is-the-best- ficiency of Wiping Tools in Media Sani- way-to-destroy-a-hard-drive/ tization. In: 2018 Cyber Resilience Con- [Accessed 8 Mar. 2019]. ference (CRC). [online] IEEE. Available at: https://ieeexplore.ieee.org/ [30] Verma, A. (2017). What Is System document/8626824 [Accessed 8 Mar. Volume Information Folder In Win- 2019]. dows? How To Access And Shrink It? . [online] Fossbytes. Available at: [25] Sansurooah, K., Hope, H., Almutairi, https://fossbytes.com/system- H., Alnazawi, F. and Jiang, Y. (2013). volume-information-folder- An Investigation Into The Efficiency Of windows-shrink/ [Accessed 24 Apr. Forensic Data Erasure Tools For Remov- 2019]. able Usb Flash Memory Storage Devices. [31] Warburton, D. (2019). Terror In: 11th Australian Digital Forensics threat as Heathrow Airport se- Conference. Perth, Western Australia: curity files found dumped in the Edith Cowan University. street. [online] Mirror. Available at: https://www.mirror.co.uk/news/uk- [26] Software.intel.com. (2019). CPU news/terror-threat-heathrow- Time. [online] Available at: airport-security-11428132 [Ac- https://software.intel.com/en- cessed 7 Mar. 2019]. us/vtune-amplifier-help-cpu-time [Accessed 19 Apr. 2019]. [32] Wright, C., Kleiman, D. Sundhar R.S, S. 2008“ "Overwriting Hard Drive [27] Stiennon, R. (2017). Everything Data: The Great Wiping Controver”y" You Need to Know About DoD in Springer Berlin Heidelberg, Berlin, 5220.22-M Wiping Standard. [online] Heidelberg, pp. 243-257. BTG English. Available at: https: //www.blancco.com/blog-dod-5220- [33] Drolet, M. (2019). What does 22-m-wiping-standard-method/ stolen data cost [per second]. [on- [Accessed 8 Mar. 2019]. line] CSO Online. Available at: https://www.csoonline.com/ [28] Valli, C. and Jones, A. (2005). A UK article/3251606/what-does- and Australian Study of Hard Disk stolen-data-cost-per-second.html Disposal. In: 3rd Australian Com- [Accessed 17 Apr. 2019]. puter, Network and Information Foren- sics Conference. [online] Perth, West- ern Australia: School of Computer and Information Science, ECU, pp.74- 78. Available at: https://ro.ecu.edu. au/ecuworks/2763/ [Accessed 17 Apr. 2019].

c 2020 JDFSL Page 19 JDFSL V15N1 Data Erasing Tools

Figure 10. Appendix A - Summary of Data Erasing Tools evaluated

Figure 11. Appendix B - Results from the analysis of the data erasing tools

Page 20 c 2020 JDFSL