Destroying ERM

By Jesse Wilkins posted 08-30-2010 11:12



One of the concerns often expressed about electronic records is that the "Delete" key...doesn't. Generally speaking, when an electronic record, document, or any other type of information object is deleted, only the pointers to that object are erased from the one or more systems designed to locate it. The data itself remains accessible to forensic tools until the actual storage addresses are overwritten with new content. There are a couple of approaches to dealing with this, depending on the type of media in question.
For magnetic spinning hard disks, the National Institute of Standards and Technology (NIST) recognizes three ways to permanently get rid of content. One is to destroy the physical drive, pulverizing it into 5-mm particles. Another is to degauss the drive with a strong magnet; this removes the magnetic fields from the drive (and therefore the data stored on it) but tends to destroy the drive's firmware as well. ATA-type hard drives manufactured since 2001 can be purged without destroying the drive by using a special Secure Erase command that wipes every block on the drive.
This is all well and good for inherently rewritable media, but what about CDs, DVDs, and other WORM-type media? Until fairly recently, organizations had two choices. They could take care to put only records with similar retention periods on a given piece of WORM media, and hope that a legal hold didn't cover some but not all of the information on it. Or they could go through a laborious migration process, copying the longer-retention records onto new media before destroying the older media. That process is expensive, time-consuming, and error-prone - and woe be to the organization that kept the 1-year records and destroyed the 10-year ones instead of the other way around.
But there may be another way. A number of vendors have developed technology sometimes referred to as "digital shredding". It neatly addresses the challenge of deleting some records while safeguarding others by rendering the "deleted" records unreadable and unrecoverable - demonstrably so, from a mathematical perspective. It works by encrypting records at the time they are transferred to the WORM storage medium; as records are retrieved and accessed, they are automatically decrypted. The decryption keys are tied to the retention period: once that period expires, the decryption keys are discarded. Given sufficiently long keys, it is not feasible today to recover the decryption key, and without the key the records cannot be recovered either.
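The scheme just described, as an added illustration in Python (not code from the original post or from any vendor's product): records written to an append-only store are encrypted under a key that belongs to their retention class, reads decrypt transparently, and expiring a retention class discards its key so the ciphertext is still on the medium but unrecoverable, while records in other classes stay readable. The cipher is assumed: an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for AES so the example runs on the standard library alone, keys live in memory rather than in an HSM, and the legal-hold check is a generalization of the post's point about holds, not something the post specifies.

```python
import hashlib
import hmac
import os


class CryptoShredStore:
    """WORM-style store (assumed design): ciphertext is never removed, only keys are."""

    def __init__(self):
        self.keys = {}      # retention_class -> 32-byte key; discarded on expiry
        self.blobs = {}     # record_id -> (retention_class, nonce, ciphertext, tag)
        self.holds = set()  # retention classes under legal hold: keys must not be shredded

    @staticmethod
    def _keystream(key, nonce, n):
        # HMAC-SHA256 in counter mode; stdlib stand-in for AES-CTR (assumption)
        blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def write(self, record_id, retention_class, plaintext):
        """Encrypt at the moment of transfer to the medium; never store plaintext."""
        key = self.keys.setdefault(retention_class, os.urandom(32))
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        self.blobs[record_id] = (retention_class, nonce, ct, tag)

    def read(self, record_id):
        """Transparent decryption; returns None once the class key has been shredded."""
        retention_class, nonce, ct, tag = self.blobs[record_id]
        key = self.keys.get(retention_class)
        if key is None:
            return None  # bytes remain on the WORM medium but cannot be decrypted
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed for %s" % record_id)
        return bytes(a ^ b for a, b in zip(ct, self._keystream(key, nonce, len(ct))))

    def shred(self, retention_class):
        """Retention expired: discard the key. Refused while a legal hold applies."""
        if retention_class in self.holds:
            return False
        self.keys.pop(retention_class, None)
        return True
```

Because every record in a class shares one key, the class has to be the unit of expiry; a design with one key per record, wrapped by the class key, would allow finer-grained shredding at the cost of more key management.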
It is analogous to shredding paper into confetti - or rather, to pulverizing paper. It is even roughly analogous to degaussing tapes that will be reused: if you degauss properly, there is very little likelihood of getting anything off the tapes forensically. The primary difference between digital shredding and degaussing is that you don't recover the storage space, as you would with a degaussed tape.
I would argue that digital shredding is the most appropriate approach available today to ensure that an electronic record is destroyed without placing undue burden on organizations. I am not a lawyer, nor do I play one at industry conferences. But I think this is a great example of where we need to figure out how best to apply our tried-and-true processes and practices in a new way that is, or should be, defensible.
I think it's incumbent on us to understand this approach and recommend it to our organizations, to identify its weaknesses and how to overcome them, and to incorporate it into what we believe to be best practices, just as we have done in the past for the destruction of paper, magnetic tape, microfilm, CDs, etc. That also means getting it into guidance documents such as DoD 5015.2 and MoReq, and getting the vendor community to develop or license it and incorporate it into their solutions.

#nist #digitalshredding #ElectronicRecordsManagement #worm #destruction