Skip to main content

This section of the ISM provides guidance on media sanitisation.

Media in ICT equipment

ICT equipment will often contain devices that are quite small and may not be immediately recognisable as memory. Examples of these include M.2 or Mini-Serial Advanced Technology Attachment (mSATA) devices. When sanitising M.2 or mSATA devices, the methods for flash memory devices apply. Generally, if a device offers persistent storage of information, it is likely that the methods for flash memory will apply.

Hybrid hard drives

When sanitising hybrid hard drives, the methods for flash memory devices apply.

Solid state drives

When sanitising solid state drives, the methods for flash memory devices apply.

Media that cannot be sanitised

When attempts to sanitise media are unsuccessful, the only way to provide assurance that all information has been erased is to destroy the media. Additionally, some types of media cannot be sanitised and therefore should be destroyed.

Media sanitisation process and procedures

Sanitising media prior to reuse in a different environment ensures that information is not inadvertently accessed by unauthorised personnel or otherwise insufficiently protected.

Using approved methods provides a level of assurance that no information will be left on media. The methods described in these guidelines are designed not only to prevent common information recovery practices but also to protect from those that could emerge in the future.

When sanitising media, it is necessary to read back the contents of the media to verify that the overwrite process was completed successfully.

Security Control: 0348; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS
A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented.

Volatile media sanitisation

When sanitising volatile media, the specified time to wait following removal of power is based on applying a safety factor to the time recommended in research into preventing the recovery of the contents of volatile media.

If read back cannot be achieved following the overwriting of media contents, or information persists on the media, destroying the media is the only way to provide complete assurance information no longer persists.

Security Control: 0351; Revision: 5; Updated: Sep-18; Applicability: O, P
Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification.

Security Control: 0352; Revision: 3; Updated: Sep-18; Applicability: S, TS
Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes.

Treatment of volatile media following sanitisation

Published literature suggests that short-term remanence effects are likely in volatile media. Data retention times have been reported to be measured in minutes at normal room temperatures and up to hours in extreme cold. Furthermore, some volatile media can suffer from long-term remanence effects resulting from physical changes to the media due to continuous storage of static data for an extended period of time. It is for these reasons that under certain circumstances TOP SECRET volatile media retains its classification following sanitisation.

Typical circumstances preventing the reclassification of TOP SECRET volatile media include a static cryptographic key being stored in the same memory location during every boot of a device and a static image being displayed on a device and stored in volatile media for a period of months.

Security Control: 0835; Revision: 3; Updated: Sep-18; Applicability: TS
Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time.

Non-volatile magnetic media sanitisation

Both the host-protected area and device configuration overlay table of non-volatile magnetic media are normally not visible to an operating system or a computer’s basic input/output system. Therefore, any sanitisation of the readable sectors of media will not overwrite these hidden sectors leaving any data contained in these locations untouched. Some sanitisation programs include the ability to reset media to their default state removing any host-protected areas or device configuration overlays. This allows the sanitisation program to see the entire contents of media during the subsequent sanitisation process.

Modern non-volatile magnetic media automatically reallocates space for bad sectors at a hardware level. These bad sectors are maintained in what is known as the growth defects table or ‘g-list’. If data was stored in a sector that was subsequently added to the g-list, sanitising the media will not overwrite these non-addressable bad sectors. While these sectors may be considered bad by the media, quite often this is due to the sectors no longer meeting expected performance norms and not due to an inability to read/write to them. The Advanced Technology Attachment (ATA) secure erase command was built into the firmware of post-2001 media and is able to access sectors that have been added to the g-list.

Modern non-volatile magnetic media also contain a primary defects table or ‘p-list’. The p-list contains a list of bad sectors found during post-production processes. No data is ever stored in sectors on the p-list as they are inaccessible before the media is used for the first time.

Security Control: 1065; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation.

Security Control: 0354; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification.

Security Control: 1067; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten.

Treatment of non-volatile magnetic media following sanitisation

Due to concerns with the sanitisation of the host-protected area, device configuration overlay table and growth defects table, highly classified non-volatile magnetic media retains its classification following sanitisation.

Security Control: 0356; Revision: 5; Updated: Sep-18; Applicability: S, TS
Following sanitisation, highly classified non-volatile magnetic media retains its classification.

Non-volatile erasable programmable read-only memory media sanitisation

When sanitising non-volatile erasable programmable read-only memory (EPROM), the manufacturer’s specification for ultraviolet erasure time should be multiplied by a factor of three to provide an additional level of certainty in the process.

Security Control: 0357; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification.

Non-volatile electrically erasable programmable read-only memory media sanitisation

A single overwrite with a random pattern is considered best practice for sanitising non-volatile electrically erasable programmable read-only memory (EEPROM) media.

Security Control: 0836; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification.

Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation

As little research has been conducted into the ability to recover information from non-volatile EPROM and EEPROM media following sanitisation, highly classified EPROM and EEPROM media retains its classification following sanitisation.

Security Control: 0358; Revision: 5; Updated: Sep-18; Applicability: S, TS
Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification.

Non-volatile flash memory media sanitisation

In flash memory media, a technique known as wear levelling ensures that writes are distributed evenly across each memory block. This feature necessitates flash memory being overwritten with a random pattern twice as this helps ensure that all memory blocks are overwritten.

Security Control: 0359; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification.

Treatment of non-volatile flash memory media following sanitisation

Due to the use of wear levelling in flash memory, it is possible that not all memory locations were written to when attempting to overwrite the media. For this reason, highly classified flash memory media retains its classification following sanitisation.

Security Control: 0360; Revision: 5; Updated: Sep-18; Applicability: S, TS
Following sanitisation, highly classified non-volatile flash memory media retains its classification.

Encrypted media sanitisation

When applied appropriately, the use of encryption can provide additional assurance during media sanitisation, reuse and disposal. However, unless otherwise stated in consumer guides for evaluated encryption software, the use of encryption does not reduce the post-sanitisation classification of media.

Security Control: 1464; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed.

Further information

Further information on sanitising ICT equipment can be found in the ICT equipment sanitisation and disposal section of the Guidelines for ICT Equipment.

Further information on recoverability of information from volatile media can be found in the paper Data Remanence in Semiconductor Devices at https://www.usenix.org/legacy/events/sec01/full_papers/gutmann/gutmann.pdf.

The random-access memory (RAM) testing tool MemTest86 can be obtained from https://www.memtest86.com/.

The graphics card RAM testing tool MemtestG80 and MemtestCL can be obtained from https://simtk.org/projects/memtest.

HDDerase is a freeware tool developed by the Center for Memory and Recording Research at the University of California San Diego. It is capable of calling the ATA secure erase command for non-volatile magnetic media. It is also capable of resetting the host-protected area and the device configuration overlay table information on the media. The tool is available for download from https://cmrr.ucsd.edu/resources/secure-erase.html.

Information on reliably erasing information from solid state drives can be found in the paper Reliably Erasing Data From Flash-Based Solid State Drives at https://www.usenix.org/legacy/event/fast11/tech/full_papers/Wei.pdf.