Initial Core 2 study project

notes/SEC-9-data-destruction.md

@@ -0,0 +1,260 @@
+# SEC-9: Data Destruction
+
+Status: not started
+
+Domain:
+- 2.0 Security
+
+Objective alignment:
+- 2.9 Data destruction
+
+## What You Need To Know
+
+Data destruction means making stored data unrecoverable before a device is reused, recycled, sold, returned, or thrown away.
+
+The exam wants you to match the method to the situation:
+- Reuse the drive: securely wipe it.
+- Dispose of the drive: physically destroy it.
+- Magnetic hard drive: degaussing can work.
+- SSD or flash storage: degaussing does not work.
+- Legal or regulated data: keep a certificate of destruction.
+
+## Memory Trick
+
+Use **W-D-S-C**:
+
+- **W**ipe if you want to reuse it
+- **D**estroy if you want it gone forever
+- **S**SDs do not degauss
+- **C**ertificate proves destruction
+
+Shortcut:
+- **Reuse = wipe. Retire = destroy. Regulated = certificate.**
+
+## Deleting Is Not Destruction
+
+Normal delete:
+- Removes the file entry from normal view.
+- The data may still exist on the storage device.
+- Recovery tools may be able to bring it back.
+
+Recycle Bin or Trash:
+- Even less final than deletion.
+- The user can often restore the file.
+
+Exam clue:
+- If the question asks for secure removal, normal delete is not enough.
+
+## Formatting
+
+Quick format:
+- Rebuilds the file system structure.
+- Usually does not overwrite all old data.
+- Data recovery may still be possible.
+
+Regular format:
+- Overwrites sectors on modern Windows versions.
+- Takes longer than quick format.
+- Better for data removal than quick format.
+
+Low-level format:
+- Factory-level process.
+- Not a normal user or technician procedure on modern drives.
+- Usually not the right exam answer for everyday data destruction.
+
+## Secure Erasing and Wiping
+
+File-level overwrite:
+- Overwrites a specific file.
+- Useful when only one file must be removed.
+- Does not wipe the rest of the drive.
+
+Whole-drive wipe:
+- Overwrites the entire drive.
+- Useful before reusing or repurposing a drive.
+- Takes longer but covers all data.
+
+Examples:
+- Windows Sysinternals `sdelete` can securely delete files or clean free space.
+- DBAN can wipe traditional hard drives.
+
+SSD caution:
+- SSDs use wear leveling, so old data may not be overwritten the same way as a spinning hard drive.
+- Use manufacturer secure erase tools, OS reset options designed for SSDs, or cryptographic erase when available.
+
+Cryptographic erase:
+- Destroys the encryption key instead of overwriting all storage blocks.
+- Fast when the device was already fully encrypted.
+- Without the key, encrypted data is not practically readable.
+
+## Physical Destruction
+
+Physical destruction makes the drive unusable.
+
+Common methods:
+- Drill or hammer through platters/chips
+- Shredding
+- Incineration
+- Degaussing for magnetic media
+
+Use physical destruction when:
+- The drive will not be reused.
+- The data is highly sensitive.
+- Regulations or company policy require destruction.
+- You cannot trust a software wipe.
+
+## Degaussing
+
+Degaussing uses a strong magnetic field to destroy data on magnetic media.
+
+Works for:
+- Magnetic hard drives
+- Some magnetic tapes
+
+Does not work for:
+- SSDs
+- USB flash drives
+- SD cards
+- Other flash storage
+
+Exam clue:
+- If the device is SSD or flash, do not choose degaussing.
+
+## Certificate of Destruction
+
+A certificate of destruction is proof that a drive or batch of drives was destroyed.
+
+It may include:
+- Date
+- Serial numbers or asset tags
+- Method used
+- Vendor name
+- Chain-of-custody details
+- Signature or confirmation
+
+Use it when:
+- A third party destroys the drives.
+- Data is regulated.
+- The organization needs an audit trail.
+
+## Choosing The Best Method
+
+Scenario shortcuts:
+- Old company laptop will be reused: whole-drive wipe or secure erase.
+- Failed hard drive with patient records: physical destruction plus certificate.
+- Magnetic hard drive disposal: shred, drill, incinerate, or degauss.
+- SSD disposal: shred or use SSD secure erase/crypto erase; do not degauss.
+- One file must be removed but the drive stays in use: file-level secure delete.
+- Drive is encrypted and being retired: crypto erase may be appropriate if policy allows it.
+
+## Commands To Enter
+
+Only run these against disposable test files. Do not run wipe commands against real drives in this course unless you intentionally want to destroy data.
+
+Windows PowerShell:
+
+```powershell
+New-Item -ItemType Directory -Path "$env:USERPROFILE\AplusDataDestructionLab"
+```
+
+What it does:
+- Creates a safe lab folder in your user profile.
+
+```powershell
+"Practice data" | Set-Content "$env:USERPROFILE\AplusDataDestructionLab\test.txt"
+```
+
+What it does:
+- Creates a small test file for the lab.
+
+```powershell
+Remove-Item "$env:USERPROFILE\AplusDataDestructionLab\test.txt"
+```
+
+What it does:
+- Deletes the test file.
+- This is normal deletion, not secure destruction.
+
+```powershell
+Get-Volume
+```
+
+What it does:
+- Lists mounted volumes and file systems.
+- Use it for inspection only in this section.
+
+Linux:
+
+```bash
+mkdir -p ~/aplus-data-destruction-lab
+```
+
+What it does:
+- Creates a safe lab folder in your home directory.
+
+```bash
+printf "Practice data\n" > ~/aplus-data-destruction-lab/test.txt
+```
+
+What it does:
+- Creates a small test file.
+
+```bash
+rm ~/aplus-data-destruction-lab/test.txt
+```
+
+What it does:
+- Deletes the test file.
+- This is normal deletion, not secure destruction.
+
+```bash
+lsblk -f
+```
+
+What it does:
+- Lists block devices and file systems.
+- Use it to identify storage types for inspection only.
+
+macOS:
+
+```bash
+mkdir -p ~/aplus-data-destruction-lab
+```
+
+What it does:
+- Creates a safe lab folder on the Mac.
+
+```bash
+printf "Practice data\n" > ~/aplus-data-destruction-lab/test.txt
+```
+
+What it does:
+- Creates a small test file.
+
+```bash
+rm ~/aplus-data-destruction-lab/test.txt
+```
+
+What it does:
+- Deletes the test file.
+- This is normal deletion, not secure destruction.
+
+```bash
+diskutil list
+```
+
+What it does:
+- Lists disks and partitions.
+- Use it for inspection only.
+
+## Quick Checks
+
+You should be able to answer:
+- Why is normal delete not secure destruction?
+- What is the difference between quick format and regular format?
+- When should you use whole-drive wiping?
+- Why does degaussing not work on SSDs?
+- When is a certificate of destruction needed?
+- What method would you choose for a drive that must be reused?
+- What method would you choose for regulated data on a retired drive?
+