Judith A. Gosselin, CCE, CIPP/US, LPI
603-682-4568
jag@jagdigsdeeper.com
www.jagdigsdeeper.com

Date:  April 25, 2013
To:     Michael Saia, XTechnology Global
Subject:   Data Destruction Analysis

Basis for Analysis:

Determine if any data resides on the four (4) hard drives provided.  All tools used for the analysis are NIST certified and in use by international and national security agencies, as well as Federal and State Law Enforcement agencies to name a few.

CONCLUSIONS:

Based on my experience, hard drive destruction criteria must adhere to the following best practice methodologies to ensure data destruction.

  1. Eliminate data beyond forensic reconstruction;
  2. Maintain care, custody and control throughout the process;
  3. Provide an automated certification process that completes a Best Practice audit trail;
  4. Deploy a scalable process providing corporate-wide compliance;
  5. Verify drive sanitization by sector – “trust but verify”;
  6. Provide a green solution that allows reformatting and repurposing of hard drives per client requirements.

Based on the drives analyzed, XTechnology Global’s business processes adhere to data destruction best practices.  No data of any value was recoverable on the devices provided.

OBSERVATIONS / FINDINGS:

  • On April 15, 2013 I toured XTechnology Global’s facility located at 27 Garden St., Danvers, MA. Key focus was the security and data destruction processes of storage devices.  Based on my experience and responsibilities at Digital Equipment Corporation, Compaq Computer and HP, this allowed me to evaluate the life cycle management processes and policies.
  • To verify the processes used by XTechnology Global, I picked up four (4) drives on April 16, 2013 from Michael Saia to be analyzed at my lab.
  • Drives provided for testing were:
    • Seagate ST3120025AS, SN: 3JT48X9R, Status: Degaussed
    • Western Digital WD400BB, SN: WMAMMA5859609, Status: Degaussed
    • Seagate ST3500418AS, SN: 5VMNV5GK, Status: NIST 1x
    • Seagate ST3400832AS, SN: 3NF061ZW, Status: DOD 1x
  • Prior to analysis, I attempted to forensically image the drives.  Only the NIST/DOD devices were able to be forensically imaged.
  • The two (2) degaussed drives were neither recognizable nor accessible as storage devices by software Encase or FTK, nor with write-blocking hardware by Voom or Tableau.  These drives were tested on three different machines all with the same results.
  • After imaging the NIST/DOD wiped drives, I recovered data on each of the drives.  The only readable data existing on the drives was that of X1 Global Technology erasure log file.
  • The data remnants consisted of random patterns and single patterns of data.  Attempts were made to decode to no avail.  I then reviewed sector levels to ensure data destruction.  Both drives had secure data destruction to government standards based on the methods used.
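One way to carry out the sector-level review described above, as an added example that is not part of the original report and not the examiner's tooling: each sector of a raw image is labelled as a fixed pattern, random fill, or "suspect" (structured content, such as the erasure log, that needs a manual look). The 512-byte sector size, the entropy threshold, the function names and the sample image are assumptions made for illustration.

```python
import math
import random
from collections import Counter

SECTOR = 512  # assumed logical sector size

def entropy(block: bytes) -> float:
    """Shannon entropy of the block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_sector(block: bytes, random_min: float = 7.0) -> str:
    """Label one sector as an overwrite pass would leave it, or as suspect."""
    # Fixed-pattern pass: the sector is one short unit repeated end to end.
    for period in (1, 2, 4):
        if len(block) % period == 0 and block == block[:period] * (len(block) // period):
            return "single-pattern"
    # Random pass: byte values are close to uniformly distributed.
    if entropy(block) >= random_min:
        return "random"
    # Anything else has structure (text, file headers) and needs a manual look.
    return "suspect"

def survey(image: bytes, sector: int = SECTOR):
    """Return (label counts, list of suspect sector numbers) for a raw image."""
    counts, suspects = Counter(), []
    for lba, off in enumerate(range(0, len(image), sector)):
        label = classify_sector(image[off:off + sector])
        counts[label] += 1
        if label == "suspect":
            suspects.append(lba)
    return counts, suspects

def sample_image() -> bytes:
    """Constructed 9-sector image: 4 zeroed, 4 random, 1 holding log-like text."""
    rng = random.Random(2013)  # fixed seed so the sample is reproducible
    noise = bytes(rng.getrandbits(8) for _ in range(4 * SECTOR))
    log = b"ERASE LOG (constructed sample)\n1x Write\nPASSED\n".ljust(SECTOR, b"\x00")
    return b"\x00" * (4 * SECTOR) + noise + log

if __name__ == "__main__":
    counts, suspects = survey(sample_image())
    print(dict(counts), "suspect sectors:", suspects)
```

On a properly sanitized drive the suspect list should contain only sectors that can be accounted for, such as the sanitizer's own log; any other suspect sector is a candidate for residual data.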

Results:

1.  Seagate Barracuda 7200.7    120GB    SN:  3JT48X9R    Firmware:  8.05
Process:  Degaussed – Drive was not recognized on any system or application.

2.  Western Digital WD400BB    40GB IDE    SN:  WMAMMA5859609
Process:  Degaussed – Drive was not recognized on any system or application.

3. Seagate Barracuda  7200  ST3500418AS    500GB      SN:  5VMNV5GK    Firmware:  CC36
Process:  NIST 1x

Type,Time,Description

  • ,23/04/13 18:31:06,Starting search on Hard Disk 2
  • ,23/04/13 18:31:06,Searching for files in Hard Disk 2
  • ,23/04/13 18:31:06,Searching for lost partitions.
  • ,23/04/13 18:39:58,Searching for files in Hard Disk 2
  • ,24/04/13 04:38:47,Analysing found data for NTFS partitions.
  • ,24/04/13 04:38:47,No NTFS partitions found. Another type of search may help.
  • ,24/04/13 04:38:47,No FS records found for NTFS partition type.
  • ,24/04/13 04:38:47,Analysing found data for FAT partitions.
  • ,24/04/13 04:38:47,No FAT partitions found. Another type of search may help.
  • ,24/04/13 04:38:47,No FS records found for FAT partition type.
  • ,24/04/13 04:38:47,Analysing found data for exFAT partitions.
  • ,24/04/13 04:38:47,No exFAT partitions found. Another type of search may help.
  • ,24/04/13 04:38:47,No FS records found for exFAT partition type.
  • ,24/04/13 04:38:47,Analysing found data for HFS partitions.
  • ,24/04/13 04:38:47,No HFS partitions found. Another type of search may help.
  • ,24/04/13 04:38:47,No FS records found for HFS partition type.
  • ,24/04/13 04:38:47,Number of known files : 0
  • ,24/04/13 04:38:47,Number of known folders : 2
  • ,24/04/13 04:38:47,Number of system items : 0
  • ,24/04/13 04:38:47,Number of deleted items : 0
  • ,24/04/13 04:38:47,A total of 2 item(s) were located.
  • ,24/04/13 06:58:18,All searches completed

Number of known folders: 2
A total of 2 item(s) were located.

1.  XERASE v7.8.13

1x Write – NIST Clear

—————

5VMNV5GK

PASSED

—————

HSH 3c2a8981 fa9f6e8a 43572960 9618ed52 f7b3c7bb

—————

04/16/2013

12:11:43

Michael Saia | Sanitized by XTechnology Global, LLC -Danvers,MA

2.  Hundreds of pages consisted of the following data based on the secure erase method used:


4. Seagate Barracuda  7200.8 ST3400832AS    400GB      SN:  3NF061ZW    Firmware:  3.01

Process:  DOD 1x

 

Type,Time,Description

  • ,24/04/13 10:05:02,Starting search on Hard Disk 2
  • ,24/04/13 10:05:02,Searching for files in Hard Disk 2
  • ,24/04/13 10:05:02,Searching for lost partitions.
  • ,24/04/13 10:13:13,Searching for files in Hard Disk 2
  • ,24/04/13 16:46:53,Analysing found data for NTFS partitions.
  • ,24/04/13 16:46:53,No NTFS partitions found. Another type of search may help.
  • ,24/04/13 16:46:53,No FS records found for NTFS partition type.
  • ,24/04/13 16:46:53,Analysing found data for FAT partitions.
  • ,24/04/13 16:46:53,No FAT partitions found. Another type of search may help.
  • ,24/04/13 16:46:53,No FS records found for FAT partition type.
  • ,24/04/13 16:46:53,Analysing found data for exFAT partitions.
  • ,24/04/13 16:46:53,No exFAT partitions found. Another type of search may help.
  • ,24/04/13 16:46:53,No FS records found for exFAT partition type.
  • ,24/04/13 16:46:53,Analysing found data for HFS partitions.
  • ,24/04/13 16:46:53,No HFS partitions found. Another type of search may help.
  • ,24/04/13 16:46:53,No FS records found for HFS partition type.
  • ,24/04/13 16:46:53,Number of known files : 0
  • ,24/04/13 16:46:53,Number of known folders : 2
  • ,24/04/13 16:46:53,Number of system items : 0
  • ,24/04/13 16:46:53,Number of deleted items : 0
  • ,24/04/13 16:46:53,A total of 2 item(s) were located.
  • ,24/04/13 16:53:40,All searches completed

 

Again, with the same results:

 

XERASE v7.8.13

1x Write – DOD Clear

—————

3NF061ZW

PASSED

—————

HSH 45b20e97 43c61934 a64e0a9d b0080548 c7df2856

—————

04/16/2013

14:50:18

 

Michael Saia

Sanitized by XTechnology Global, LLC -Danvers,MA

 


 

Attachment A:  Data Destruction Best Practices and Methods Summary

*** END OF REPORT ***

Attachment A:  

Data Destruction Best Practices & Methods

Please Note:

Some degaussing machines need to be routinely calibrated to ensure the magnetic field is strong enough to destroy all the data.  Degaussing disables the hard drive, making it very difficult and expensive to test and ensure the data is gone.  Random ‘test and verify’ is recommended.

Mechanical destruction depends on the extent to which the disks have been shredded (NSA and NAID require that the maximum disk particle size is no larger than 1/250th in.).

Commercial Software does not provide physical lock down of the hard drives while they are being erased.  Need to audit Third Party Provider’s process for security and lock down capabilities.