SEC-9: Data Destruction
Status: not started
Domain:
- 2.0 Security
Objective alignment:
- 2.9 Data destruction
What You Need To Know
Data destruction means making stored data unrecoverable before a device is reused, recycled, sold, returned, or thrown away.
The exam wants you to match the method to the situation:
- Reuse the drive: securely wipe it.
- Dispose of the drive: physically destroy it.
- Magnetic hard drive: degaussing can work.
- SSD or flash storage: degaussing does not work.
- Legal or regulated data: keep a certificate of destruction.
Memory Trick
Use W-D-S-C:
- Wipe if you want to reuse it
- Destroy if you want it gone forever
- SSDs do not degauss
- Certificate proves destruction
Shortcut:
- Reuse = wipe. Retire = destroy. Regulated = certificate.
Deleting Is Not Destruction
Normal delete:
- Removes the file entry from normal view.
- The data may still exist on the storage device.
- Recovery tools may be able to bring it back.
Recycle Bin or Trash:
- Even less final than deletion.
- The user can often restore the file.
Exam clue:
- If the question asks for secure removal, normal delete is not enough.
Formatting
Quick format:
- Rebuilds the file system structure.
- Usually does not overwrite all old data.
- Data recovery may still be possible.
Regular format:
- Overwrites sectors on modern Windows versions.
- Takes longer than quick format.
- Better for data removal than quick format.
Low-level format:
- Factory-level process.
- Not a normal user or technician procedure on modern drives.
- Usually not the right exam answer for everyday data destruction.
Secure Erasing and Wiping
File-level overwrite:
- Overwrites a specific file.
- Useful when only one file must be removed.
- Does not wipe the rest of the drive.
Whole-drive wipe:
- Overwrites the entire drive.
- Useful before reusing or repurposing a drive.
- Takes longer but covers all data.
Examples:
- Windows Sysinternals sdelete can securely delete files or clean free space.
- DBAN can wipe traditional hard drives.
SSD caution:
- SSDs use wear leveling, so old data may not be overwritten the same way as a spinning hard drive.
- Use manufacturer secure erase tools, OS reset options designed for SSDs, or cryptographic erase when available.
Cryptographic erase:
- Destroys the encryption key instead of overwriting all storage blocks.
- Fast when the device was already fully encrypted.
- Without the key, encrypted data is not practically readable.
Physical Destruction
Physical destruction makes the drive unusable.
Common methods:
- Drill or hammer through platters/chips
- Shredding
- Incineration
- Degaussing for magnetic media
Use physical destruction when:
- The drive will not be reused.
- The data is highly sensitive.
- Regulations or company policy require destruction.
- You cannot trust a software wipe.
Degaussing
Degaussing uses a strong magnetic field to destroy data on magnetic media.
Works for:
- Magnetic hard drives
- Some magnetic tapes
Does not work for:
- SSDs
- USB flash drives
- SD cards
- Other flash storage
Exam clue:
- If the device is SSD or flash, do not choose degaussing.
Certificate of Destruction
A certificate of destruction is proof that a drive or batch of drives was destroyed.
It may include:
- Date
- Serial numbers or asset tags
- Method used
- Vendor name
- Chain-of-custody details
- Signature or confirmation
Use it when:
- A third party destroys the drives.
- Data is regulated.
- The organization needs an audit trail.
Choosing The Best Method
Scenario shortcuts:
- Old company laptop will be reused: whole-drive wipe or secure erase.
- Failed hard drive with patient records: physical destruction plus certificate.
- Magnetic hard drive disposal: shred, drill, incinerate, or degauss.
- SSD disposal: shred or use SSD secure erase/crypto erase; do not degauss.
- One file must be removed but the drive stays in use: file-level secure delete.
- Drive is encrypted and being retired: crypto erase may be appropriate if policy allows it.
Commands To Enter
Only run these against disposable test files. Do not run wipe commands against real drives in this course unless you intentionally want to destroy data.
Windows PowerShell:
New-Item -ItemType Directory -Path "$env:USERPROFILE\AplusDataDestructionLab"
What it does:
- Creates a safe lab folder in your user profile.
"Practice data" | Set-Content "$env:USERPROFILE\AplusDataDestructionLab\test.txt"
What it does:
- Creates a small test file for the lab.
Remove-Item "$env:USERPROFILE\AplusDataDestructionLab\test.txt"
What it does:
- Deletes the test file.
- This is normal deletion, not secure destruction.
Get-Volume
What it does:
- Lists mounted volumes and file systems.
- Use it for inspection only in this section.
Linux:
mkdir -p ~/aplus-data-destruction-lab
What it does:
- Creates a safe lab folder in your home directory.
printf "Practice data\n" > ~/aplus-data-destruction-lab/test.txt
What it does:
- Creates a small test file.
rm ~/aplus-data-destruction-lab/test.txt
What it does:
- Deletes the test file.
- This is normal deletion, not secure destruction.
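For contrast with the plain rm above, here is an added example (not part of the original notes) of a file-level overwrite on the lab test file. The function names and the LAB_DIR variable are made up for this sketch, and it refuses to touch anything outside the lab folder.

```shell
#!/bin/sh
# Added example: file-level overwrite of one lab test file before deleting it.
# LAB_DIR (hypothetical variable) defaults to the lab folder created above.
LAB_DIR="${LAB_DIR:-$HOME/aplus-data-destruction-lab}"

# overwrite_file FILE: replace every byte of FILE, in place, with random data.
# Refuses anything that is not a regular file directly inside LAB_DIR.
overwrite_file() {
    f=$1
    want=$(cd "$LAB_DIR" 2>/dev/null && pwd -P) || want=
    have=$(cd "$(dirname -- "$f")" 2>/dev/null && pwd -P) || have=
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "refusing: $f is not inside $LAB_DIR" >&2
        return 1
    fi
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "refusing: $f is not a regular file" >&2
        return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -gt 0 ] || return 0
    # conv=notrunc writes over the existing bytes instead of truncating the
    # file first, so the length stays the same and the old content is replaced.
    head -c "$size" /dev/urandom | dd of="$f" conv=notrunc 2>/dev/null
    sync    # ask the OS to flush the new bytes to the device
}

# secure_delete_file FILE: overwrite first, then remove the directory entry.
secure_delete_file() {
    overwrite_file "$1" && rm -- "$1"
}
```

On SSDs and on copy-on-write file systems the new bytes may land on different physical blocks than the old ones, which is why the SSD caution above points to secure erase or cryptographic erase instead.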
lsblk -f
What it does:
- Lists block devices and file systems.
- Use it to identify storage types for inspection only.
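As an added example (not part of the original notes), the script below applies the scenario shortcuts from "Choosing The Best Method" to rows in the format printed by `lsblk -d -n -o NAME,ROTA,TRAN`. ROTA and TRAN are lsblk columns that do not appear elsewhere on this page; the sample rows are constructed, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: inspection only, nothing here writes to a disk.
# ROTA=1: kernel reports a rotational (magnetic) disk. ROTA=0: SSD/flash.

# Constructed sample rows (NAME ROTA TRAN), not from a real machine.
SAMPLE_LSBLK='sda 1 sata
sdb 0 sata
nvme0n1 0 nvme
sdc 1 usb'

# classify_media ROTA TRAN -> magnetic | flash | verify
classify_media() {
    rota=$1
    tran=$2
    # USB bridges can report ROTA=1 even for flash sticks, so a USB device
    # is never classified automatically; check the label or spec sheet.
    if [ "$tran" = "usb" ]; then echo verify
    elif [ "$rota" = "1" ]; then echo magnetic
    elif [ "$rota" = "0" ]; then echo flash
    else echo verify
    fi
}

# recommend MEDIA PLAN -> method taken from the page's scenario shortcuts
recommend() {
    case "$2:$1" in
        reuse:magnetic)  echo "whole-drive wipe or secure erase" ;;
        reuse:flash)     echo "manufacturer secure erase or crypto erase" ;;
        retire:magnetic) echo "shred, drill, incinerate, or degauss" ;;
        retire:flash)    echo "shred or secure erase/crypto erase; do not degauss" ;;
        *)               echo "identify media type by hand first" ;;
    esac
}

# report PLAN: read lsblk rows on stdin, print NAME, media type, and method
report() {
    plan=$1
    while read -r name rota tran; do
        [ -n "$name" ] || continue
        media=$(classify_media "$rota" "$tran")
        printf '%s\t%s\t%s\n' "$name" "$media" "$(recommend "$media" "$plan")"
    done
}

printf '%s\n' "$SAMPLE_LSBLK" | report retire
```

On a real Linux machine, pipe `lsblk -d -n -o NAME,ROTA,TRAN` into `report reuse` or `report retire` instead of the sample rows.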
macOS:
mkdir -p ~/aplus-data-destruction-lab
What it does:
- Creates a safe lab folder on the Mac.
printf "Practice data\n" > ~/aplus-data-destruction-lab/test.txt
What it does:
- Creates a small test file.
rm ~/aplus-data-destruction-lab/test.txt
What it does:
- Deletes the test file.
- This is normal deletion, not secure destruction.
diskutil list
What it does:
- Lists disks and partitions.
- Use it for inspection only.
Quick Checks
You should be able to answer:
- Why is normal delete not secure destruction?
- What is the difference between quick format and regular format?
- When should you use whole-drive wiping?
- Why does degaussing not work on SSDs?
- When is a certificate of destruction needed?
- What method would you choose for a drive that must be reused?
- What method would you choose for regulated data on a retired drive?