Destroying ERM

Keywords: digital shredding, worm, destruction, nist


One of the concerns often expressed about electronic records is that the "Delete" key...doesn't. Generally speaking, when an electronic record, document, or any type of information object is deleted, pointers to that information object are erased from one or more systems designed to locate it. The data itself, however, remains accessible to forensic tools until the actual storage addresses are overwritten with new content. There are a couple of approaches to deal with this, depending on the type of media in question.
 
For magnetic spinning hard disks, the National Institute of Standards and Technology (NIST) recognizes three ways to permanently get rid of content. One way is to destroy the physical drive, pulverizing it into 5-mm particles. Another way is to degauss the drive using a strong magnet; this removes the magnetic fields from the drive (and therefore the data stored on the drive) but tends to destroy the firmware of the drive as well. ATA-type hard drives manufactured since 2001 can be purged without destroying the drive by using a special Secure Erase command that completely wipes every block from the hard drive.
 
This is all well and good for inherently rewritable media, but what about CDs, DVDs, and other WORM-type media? Until fairly recently organizations had to take care either to put only records with similar retention periods on WORM media, and hope that a legal hold didn't cover part but not all of the information on the media, or they had to go through a laborious migration process that required the copying of longer-retention records onto new media before destroying the older media. This is expensive, time-consuming, and error-prone - and woe be to the organization that kept the 1-year records and destroyed the 10-year ones instead of the desired operation. 
 
But there may be another way. A number of vendors have developed technology sometimes referred to as "digital shredding". This digital shredding process neatly addresses the challenge of deleting some records while safeguarding others by rendering the "deleted" records unreadable and unrecoverable - and demonstrably so from a mathematical perspective. It works by encrypting records at the time they are transferred to the WORM storage medium. As records are retrieved and accessed, they are automatically decrypted. The decryption keys are tied to the retention period: once that period expires, the decryption keys are discarded. Given sufficiently long keys, it is not feasible today to recover the decryption key.
 
It is analogous to shredding paper into confetti - or rather, pulverization of paper. It's even almost analogous to degaussing tapes which will be reused. If you do proper degaussing, there's very little likelihood of being able to get anything off the tapes forensically. The primary difference between the digital shredding approach and degaussing is that you wouldn't recover that storage space as you would with the degaussed tape. 
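
As an added illustration (not code from the original post or from any vendor), the Python sketch below models the digital shredding scheme described above, including the legal-hold case and the point that the shredded ciphertext still occupies space on the media. Assumptions: one key per record, keys kept in a separate rewritable key store rather than on the WORM media, and an HMAC-SHA256 keystream as a standard-library stand-in for a production cipher such as AES-GCM; the names Archive, store, shred_expired and read are hypothetical.

```python
import hashlib, hmac, secrets
from datetime import date

def _keystream(key, nonce, n):
    # Stdlib stand-in for a real cipher: HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(key, nonce, ct):
    return hmac.new(key, b"tg" + nonce + ct, hashlib.sha256).digest()

class Archive:
    def __init__(self):
        self.worm = {}  # record id -> (nonce, ciphertext, tag); write-once
        self.keys = {}  # record id -> key entry; rewritable, kept OFF the WORM media

    def store(self, rid, data, expires, hold=False):
        if rid in self.worm:
            raise ValueError("WORM media cannot be overwritten")
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        ct = _xor(data, _keystream(key, nonce, len(data)))
        self.worm[rid] = (nonce, ct, _tag(key, nonce, ct))
        self.keys[rid] = {"key": key, "expires": expires, "hold": hold}

    def shred_expired(self, today):
        # Only this job consults the date; a legal hold blocks destruction.
        due = [r for r, e in self.keys.items() if e["expires"] <= today and not e["hold"]]
        for rid in due:
            del self.keys[rid]  # real systems destroy the key inside an HSM/KMS
        return due

    def read(self, rid):
        entry = self.keys.get(rid)
        if entry is None:
            return None  # key gone: ciphertext is still on the media, unreadable
        nonce, ct, tag = self.worm[rid]
        if not hmac.compare_digest(tag, _tag(entry["key"], nonce, ct)):
            raise ValueError("ciphertext failed integrity check")
        return _xor(ct, _keystream(entry["key"], nonce, len(ct)))

def demo():
    a = Archive()  # constructed sample records
    a.store("inv-1y", b"1-year invoice", date(2011, 1, 1))
    a.store("con-10y", b"10-year contract", date(2020, 1, 1))
    a.store("memo-hold", b"1-year memo on legal hold", date(2011, 1, 1), hold=True)
    return a, a.shred_expired(date(2012, 6, 1))
```

Because read() never checks a clock, setting the system time back after the shred job has run recovers nothing: the key no longer exists anywhere.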
 
I would argue that the digital shredding approach is the most appropriate approach today to ensure that an electronic record is destroyed without causing undue burden to organizations. I am not a lawyer, nor do I play one at industry conferences. But I think this is a great example of where we need to figure out how best to apply our tried and true processes and practices in a new way that is, or should be, defensible.
 
I think it's incumbent on us to understand this approach and recommend it to our organizations, identify its weaknesses and how to overcome them, and incorporate it into what we believe to be best practices just as we have done in the past for destruction of paper, magnetic tape, microfilm, CDs, etc. That also means getting it into guidance documents like, say, DoD 5015.2 and MoReq, and getting the vendor community to develop or license it and incorporate it into their solutions. 
Comments

Wayne Hoff

Great idea - no more having to tell end users to put "all the same year and all the same records code" on one CD. (Now if we could only do it for boxes of paper, too.)

A couple of questions on how it works - how are the decryption keys discarded? If they're written onto the WORM media with the files themselves, aren't they just as permanent? And if they check against system time, can't I just set the time on my computer to 1995 and retrieve expired material?

I assume there are answers to the questions - I'm curious to know what they are!

Thanks a ton.

Wayne

Shubhdeep Maitra

I have the exact questions on my mind. Waiting for an answer.......
Pedro Picapiedra

The answer to where the key is stored is yes, it is stored with the file. But not the key itself, but a hash of it, which is an irreversible operation. The hash algorithm can be any of all the available ones, such as MD5, SHA, Whirlpool, Ripemd160, or even more complicated ones like PBKDF2. So when you enter the key, the program knows what algorithm or set of algorithms is to be applied to the key, and if the result is the same as the stored one, then that's an OK. There is no way to extract the key from the hash, the same as there is no way to know which pair of numbers add up to a given one (x + y = 10 has infinite results for x and y), but a hash is much more powerful than that. Trying to break a key by brute force is the same as calculating the hashes for all possible words (given a set of characters) and comparing one by one to the stored one; the problem is that there could be billions of trillions (or more) of possible combinations, and calculating one single hash, if one of the newest ones, can take more than a millisecond. Guess how long it would take to try all those possible combinations...
Cheers

This post and comment(s) reflect the personal perspectives of community members, and not necessarily those of their employers or of AIIM International