# SEC-9: Data Destruction

Status: not started

Domain:

- 2.0 Security

Objective alignment:

- 2.9 Data destruction

## What You Need To Know

Data destruction means making stored data unrecoverable before a device is reused, recycled, sold, returned, or thrown away.

The exam wants you to match the method to the situation:

- Reuse the drive: securely wipe it.
- Dispose of the drive: physically destroy it.
- Magnetic hard drive: degaussing can work.
- SSD or flash storage: degaussing does not work.
- Legal or regulated data: keep a certificate of destruction.

## Memory Trick

Use **W-D-S-C**:

- **W**ipe if you want to reuse it
- **D**estroy if you want it gone forever
- **S**SDs do not degauss
- **C**ertificate proves destruction

Shortcut:

- **Reuse = wipe. Retire = destroy. Regulated = certificate.**

## Deleting Is Not Destruction

Normal delete:

- Removes the file entry from normal view.
- The data may still exist on the storage device.
- Recovery tools may be able to bring it back.

Recycle Bin or Trash:

- Even less final than deletion.
- The user can often restore the file.

Exam clue:

- If the question asks for secure removal, normal delete is not enough.

## Formatting

Quick format:

- Rebuilds the file system structure.
- Usually does not overwrite all old data.
- Data recovery may still be possible.

Regular format:

- Overwrites sectors on modern Windows versions.
- Takes longer than quick format.
- Better for data removal than quick format.

Low-level format:

- Factory-level process.
- Not a normal user or technician procedure on modern drives.
- Usually not the right exam answer for everyday data destruction.

## Secure Erasing and Wiping

File-level overwrite:

- Overwrites a specific file.
- Useful when only one file must be removed.
- Does not wipe the rest of the drive.

Whole-drive wipe:

- Overwrites the entire drive.
- Useful before reusing or repurposing a drive.
- Takes longer but covers all data.

Examples:

- Windows Sysinternals `sdelete` can securely delete files or clean free space.
- DBAN can wipe traditional hard drives.

SSD caution:

- SSDs use wear leveling, so old data may not be overwritten the same way as a spinning hard drive.
- Use manufacturer secure erase tools, OS reset options designed for SSDs, or cryptographic erase when available.

Cryptographic erase:

- Destroys the encryption key instead of overwriting all storage blocks.
- Fast when the device was already fully encrypted.
- Without the key, encrypted data is not practically readable.

## Physical Destruction

Physical destruction makes the drive unusable.

Common methods:

- Drill or hammer through platters/chips
- Shredding
- Incineration
- Degaussing for magnetic media

Use physical destruction when:

- The drive will not be reused.
- The data is highly sensitive.
- Regulations or company policy require destruction.
- You cannot trust a software wipe.

## Degaussing

Degaussing uses a strong magnetic field to destroy data on magnetic media.

Works for:

- Magnetic hard drives
- Some magnetic tapes

Does not work for:

- SSDs
- USB flash drives
- SD cards
- Other flash storage

Exam clue:

- If the device is SSD or flash, do not choose degaussing.

## Certificate of Destruction

A certificate of destruction is proof that a drive or batch of drives was destroyed.

It may include:

- Date
- Serial numbers or asset tags
- Method used
- Vendor name
- Chain-of-custody details
- Signature or confirmation

Use it when:

- A third party destroys the drives.
- Data is regulated.
- The organization needs an audit trail.

## Choosing The Best Method

Scenario shortcuts:

- Old company laptop will be reused: whole-drive wipe or secure erase.
- Failed hard drive with patient records: physical destruction plus certificate.
- Magnetic hard drive disposal: shred, drill, incinerate, or degauss.
- SSD disposal: shred or use SSD secure erase/crypto erase; do not degauss.
- One file must be removed but the drive stays in use: file-level secure delete.
- Drive is encrypted and being retired: crypto erase may be appropriate if policy allows it.

## Commands To Enter

Only run these against disposable test files. Do not run wipe commands against real drives in this course unless you intentionally want to destroy data.

Windows PowerShell:

```powershell
New-Item -ItemType Directory -Path "$env:USERPROFILE\AplusDataDestructionLab"
```

What it does:

- Creates a safe lab folder in your user profile.

```powershell
"Practice data" | Set-Content "$env:USERPROFILE\AplusDataDestructionLab\test.txt"
```

What it does:

- Creates a small test file for the lab.

```powershell
Remove-Item "$env:USERPROFILE\AplusDataDestructionLab\test.txt"
```

What it does:

- Deletes the test file.
- This is normal deletion, not secure destruction.

```powershell
Get-Volume
```

What it does:

- Lists mounted volumes and file systems.
- Use it for inspection only in this section.

Linux:

```bash
mkdir -p ~/aplus-data-destruction-lab
```

What it does:

- Creates a safe lab folder in your home directory.

```bash
printf "Practice data\n" > ~/aplus-data-destruction-lab/test.txt
```

What it does:

- Creates a small test file.

```bash
rm ~/aplus-data-destruction-lab/test.txt
```

What it does:

- Deletes the test file.
- This is normal deletion, not secure destruction.

```bash
lsblk -f
```

What it does:

- Lists block devices and file systems.
- Use it to identify storage types for inspection only.

macOS:

```bash
mkdir -p ~/aplus-data-destruction-lab
```

What it does:

- Creates a safe lab folder on the Mac.

```bash
printf "Practice data\n" > ~/aplus-data-destruction-lab/test.txt
```

What it does:

- Creates a small test file.

```bash
rm ~/aplus-data-destruction-lab/test.txt
```

What it does:

- Deletes the test file.
- This is normal deletion, not secure destruction.

```bash
diskutil list
```

What it does:

- Lists disks and partitions.
- Use it for inspection only.
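
The file-level overwrite described under Secure Erasing and Wiping, sketched for the Linux/macOS lab folder. This is an added example, not part of the original notes; `LAB_DIR` and `overwrite_and_delete` are names chosen here, and the function only accepts regular files inside the lab folder. On SSDs, wear leveling means the old blocks may still survive this overwrite.

```shell
#!/usr/bin/env bash
# Added example: file-level overwrite restricted to the lab folder.
# LAB_DIR and overwrite_and_delete are names chosen for this example.
LAB_DIR="${LAB_DIR:-$HOME/aplus-data-destruction-lab}"

# Overwrite one regular file inside LAB_DIR with random bytes, then delete it.
# Returns 0 on success, 1 if the target is refused, 2 if the overwrite failed.
overwrite_and_delete() {
    target=$1

    # Refuse symlinks, directories and device nodes such as whole disks.
    [ -f "$target" ] && [ ! -L "$target" ] || return 1

    # Resolve both directories so ../ paths cannot escape the lab folder.
    lab_real=$(cd "$LAB_DIR" 2>/dev/null && pwd -P) || return 1
    dir_real=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || return 1
    case "$dir_real/" in
        "$lab_real"/*) ;;
        *) return 1 ;;
    esac

    size=$(wc -c < "$target" | tr -d ' ')
    [ "$size" -gt 0 ] || { rm -f "$target"; return 0; }
    before=$(cksum < "$target")

    # Write random bytes over the existing content; conv=notrunc keeps the
    # same file instead of truncating and allocating a new one.
    head -c "$size" /dev/urandom | dd of="$target" conv=notrunc 2>/dev/null || return 2
    sync

    # Verify before deleting: same length, different content.
    [ "$(wc -c < "$target" | tr -d ' ')" -eq "$size" ] || return 2
    [ "$(cksum < "$target")" != "$before" ] || return 2

    rm -f "$target"
}
```

Source the file, recreate `test.txt` with the `printf` command above, then run `overwrite_and_delete ~/aplus-data-destruction-lab/test.txt`; a path outside the lab folder is refused with status 1 and left untouched.
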

## Quick Checks

You should be able to answer:

- Why is normal delete not secure destruction?
- What is the difference between quick format and regular format?
- When should you use whole-drive wiping?
- Why does degaussing not work on SSDs?
- When is a certificate of destruction needed?
- What method would you choose for a drive that must be reused?
- What method would you choose for regulated data on a retired drive?