
Guidelines for PC Data Destruction

Purpose

The purpose of this document is to record procedures for the irretrievable destruction of data from computers donated to the Turing Trust (www.turingtrust.co.uk) for the benefit of schools in Africa. It is intended for readers who have at least semi-technical experience with PCs.

Background

The Trust collects donated PCs and laptops less than 10 years old, wipes them of all personally-identifiable data, rebuilds them with an Operating System and Educational software and despatches them to schools in Ghana run by Integrated Community Centres for Employable Skills.

Understanding File Management

When files are created and saved on a PC they are generally stored on magnetic, optical or electronic memory using the functions of the version of the PC Operating System (usually Microsoft Windows or Apple MacOS) on the machine. Typically files are stored on a Hard Disk and need to be completely removed before that equipment is passed to any other user.

Pieces of a file are stored in data sectors on the hard disk. Sectors are grouped together into Clusters to form the minimum usable space that can be written to by a file. Details of all the positions of the clusters of data for a file are stored in a File Allocation Table (FAT) also held on the hard disk. A separate Directory Table (DT) stores the filename and first cluster, and when the file needs to be located the OS finds the name and first cluster in the DT, then all the linked clusters in the FAT containing the entire file.

When a file is deleted by a User its data is not actually removed; rather, it is marked as “deleted” in the DT so as to make the Operating System (OS) aware that the space can be re-used. Many modern OS also support a Recycle Bin where the deleted file is made visible to the User and can be recovered to its original location.
In this instance the file will not be overwritten by the OS until it has run out of other available free space on the disk, and so can usually still be recovered by a user.

It is possible for the user to delete a file so that it no longer appears in the Recycle Bin (for example in Windows Explorer by holding down the “Shift” key whilst pressing delete). However, whilst no longer visible to the user, the DATA IS STILL PRESENT on the disk. It is simply marked in the DT as deleted and can still be retrieved using data recovery tools.

It is even possible to recover a file after a disk or partition has been formatted, so we need to ensure that this cannot happen by ensuring that every sector of the disk containing user data is overwritten using professional wiping tools before it leaves our control. This is usually done by writing patterns of 1’s or 0’s over the sectors, sometimes with multiple passes, using specialist wiping tools.

Prepared by: A Clark    Version 1.0    2 January 2014

Full Wipe or Factory Restore?

Many modern PCs produced since 2004 come equipped with a facility to restore the Operating System and Application Software back to exactly the way it was when originally delivered from the factory. This is achieved by using a special Boot Record that allows the user to interrupt the normal PC boot procedure so that it does not run the OS but instead runs a process to overwrite it and rebuild the original OS from an image stored either on a hidden partition or on optical media (CD or DVD). This method is preferred to wiping the entire hard disk as:-

1. It retains the original OS and licence for that machine.
2. It restores all necessary specific hardware drivers, utilities and Applications that came with that machine in the manufacturer's recommended configuration.
3. It is much quicker (typically taking only 5 – 15 minutes) than wiping the entire hard disk and reinstalling the original OS (or a new one) from scratch, searching for and installing all the drivers and configuring the system.

HOWEVER if a Factory Restore option is used, free space on the disk must still be wiped afterwards to ensure any files left in sectors are irretrievable.

Appendix A lists some procedures to invoke factory restore processes for some manufacturers (they do differ, so google the manufacturer, model number and “factory restore” to find suggestions for a particular machine as to the keystrokes/procedure required).

If a potential PC donor asks how they should delete files prior to donation, it is best to advise them to let us do it, as unless they know what they are doing they can destroy the special boot record and make the factory restore option impossible.

Tools to enable wiping to professional standards are available to download from the internet. A suggested list of proven ones is contained in Table B, but others are available too.

Table B

| Tool | Source | Comment |
|------|--------|---------|
| Paragon Hard Disk Manager | http://www.paragon-software.com/ | Full suite of partitioning, wiping (including Free Space only) and disk management options. Cost about £30 |
| HDDERASE | http://www.pcworld.com/article/232164/hdderase.html | Boots from Floppy disk. Free tool |
| MHDD | http://hddguru.com/software/2005.10.02-MHDD/ | Boots from Floppy disk. Free tool |
| DBAN | http://www.dban.org/ | Boots from CD or floppy. Free tool |

Note that not all of these tools will work on a particular machine or hard disk configuration. For example Paragon won’t work on old machines with limited memory. HDDERASE relies on ATA secure erase commands built in to the hard disk and doesn’t work with all disks. So it is best to have a selection at hand when setting out to wipe machines. Some of them will only handle wiping the entire disk, not free space only, so you can’t safely use the Factory Restore procedure[1].
If you can’t access that option then the disk will need to be fully wiped before despatch, and TT partners in Ghana will then load it with a Linux-based OS (Xubuntu) and teaching materials from Hyperion.

You will also need to know how to boot a machine from external media (Floppy Disk, CD or USB Drive), as the tools usually boot their own OS. Many modern PCs have a “Boot Menu” option at startup where you have to hit F12 (or similar) at the splash screen, before it starts booting from its hard disk, to select the appropriate external drive. On older machines you may need to go into BIOS setup and change the boot order in there. Again this usually requires a key (e.g. Delete or F2, varying according to the BIOS manufacturer) to be hit on startup in order to access the Setup screens.

If the machine is unbootable (perhaps due to failed motherboard or memory components) a hard disk can be removed and either installed as an external drive in a suitable USB caddy or connected as a second drive internally on another PC, then wiped using that machine. But make sure you have full Malware protection running on it first, as donated PCs are sometimes infected and you don’t want anything spreading to your PC. For the same reason don’t connect a donated PC to any form of network until you are confident it is clean (e.g. fully restored to Factory condition). Caddy devices are available for both Parallel and Serial ATA device interfaces and will usually handle both 3.5” and 2.5” formats.

Ideally a clean area should be set up for wiping purposes, allowing recording of machine Serial Numbers, Specifications and OS Licence details, with segregation between machines ready for wiping and those already done. A sample Wipe Record spreadsheet is provided with this document package to record all the above details as well as donor Name and Address.
If required a separate, linked Word Document will generate a suitable Certificate of Destruction for each of the wiped PCs.

Image 1 – Restoring two systems simultaneously

Image 1 shows the Author's wiping area. The machine on the left is restoring using HP’s Factory Restore option; the one on the right is using Dell’s (by Symantec) Factory Restore. After restoring, each machine's Free Space is wiped using Paragon and the machine is then booted up with an internet connection to allow Windows OS patches to be installed up to date. As these processes can take hours, it makes best use of time to do more than one at the same time. Bags or boxes can be used to keep accessories like mice, keyboards and speakers for donated items together with each PC.

Details of what has been done on a PC should be recorded on the “TuringTrustWipeRecords1.xls” spreadsheet[2], a sample of which is included with the package. This permits us to record by machine Serial Number what we did in the event of any subsequent query by donor or recipient. A convenient way to grab a serial number is to use a digital camera to photograph the label, then enlarge it in the viewfinder screen and type it into the spreadsheet. Appendix B details how this spreadsheet can be used to generate a Certificate of Data Destruction should the donor require one.

Finally a white sticky label should be attached to the desktop or tower unit summarising the Specification and what has been done to it. This makes it much easier for TT partners in Ghana to select machines for either Windows or Xubuntu usage in school computer labs.
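
The behaviour described under Understanding File Management, as an added example that is not part of the original guidelines: a toy Python model of a Directory Table, FAT and data clusters, showing that delete and format leave the data in place and that overwriting free space removes it while allocated files survive. The class, function names, cluster size and file contents are constructed for illustration, and the undelete helper assumes the file's clusters were contiguous.

```python
CLUSTER = 16          # bytes per cluster (tiny, for illustration)
FREE, END = -2, -1    # FAT markers: unallocated / last cluster of a file
class ToyDisk:
    def __init__(self, n_clusters):
        self.data = [bytes(CLUSTER) for _ in range(n_clusters)]
        self.fat = [FREE] * n_clusters
        self.directory = {}   # name -> {"first", "size", "deleted"}

    def write(self, name, content):
        need = max(1, -(-len(content) // CLUSTER))   # clusters required
        free = [i for i, e in enumerate(self.fat) if e == FREE][:need]
        if len(free) < need:
            raise OSError("disk full")
        for n, c in enumerate(free):
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[c] = chunk.ljust(CLUSTER, b"\0")
            self.fat[c] = free[n + 1] if n + 1 < need else END
        self.directory[name] = {"first": free[0], "size": len(content), "deleted": False}

    def delete(self, name):
        """OS-style delete: flag the DT entry, release clusters, touch no data."""
        entry = self.directory[name]
        entry["deleted"] = True
        c = entry["first"]
        while c != END:
            nxt, self.fat[c] = self.fat[c], FREE
            c = nxt

    def quick_format(self):
        """Fresh DT and FAT; the data clusters are left as they were."""
        self.directory.clear()
        self.fat = [FREE] * len(self.fat)

    def wipe_free_space(self):
        """Overwrite every unallocated cluster with zeros; return how many."""
        free = [i for i, e in enumerate(self.fat) if e == FREE]
        for c in free:
            self.data[c] = bytes(CLUSTER)
        return len(free)

def undelete(disk, name):
    """Recovery-tool view of a DT entry (assumes contiguous clusters)."""
    e = disk.directory[name]
    n = max(1, -(-e["size"] // CLUSTER))
    return b"".join(disk.data[e["first"]:e["first"] + n])[:e["size"]]

def carve(disk, marker):
    """Raw scan ignoring DT and FAT, as recovery after a format would do."""
    return marker in b"".join(disk.data)
```

Writing a file, calling delete and then undelete returns the original bytes; after wipe_free_space the same call returns only zeros, while a file that was never deleted is unaffected.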