1. ERASE - EntRopy-based SAnitization of Sensitive Data for Privacy Preservation
Presenter: Dr. Avinash Srinivasan
Authors: Jeffrey Medsger and Avinash Srinivasan
2. Contributions to the Field of Computer Media Sanitization
Goal: design a more efficient process for non-destructively sanitizing (overwriting) computer media.
ERASE - an entropy-based wiping method for sanitizing a target area.
ERASERS - random sampling in tandem with the above entropy-based technique for efficiently sanitizing a target area.
Tool implemented with the aforementioned capabilities.
Medsger and Srinivasan - ICITST-2012
3. Overview of Field: Computer Media Sanitization
Deleted files
Sanitization: destructive or non-destructive
Data carving can recover deleted data from unallocated space and file slack.
Study performed by Garfinkel et al. [3]: with little financial expenditure, the authors were able to retrieve thousands of credit card numbers and other personal information from used hard drives.
[3] S. L. Garfinkel and A. Shelat, "Remembrance of data passed: A study of disk sanitization practices," IEEE Security and Privacy, vol. 1, pp. 17-27, 2003.
4. Problem Statement
Current wipe methods use a brute-force approach: overwrite everything.
Hard drive sizes keep increasing; in 2011, Seagate reported an average HDD size of 590 GB.
Suppose 50% of the area to be sanitized contains sensitive data (590 GB HDD):

  Method              Time                    Wipe pattern
  Current tools (dd)  14.6 hrs                Pseudorandom
  ERASE               9.5 hrs                 Pseudorandom
  Current tools (dd)  1.584 hrs               Zeros
  ERASERS             0.85 hrs (best case)    Zeros
                      1.580 hrs (worst case)
5. New Techniques
ERASE: calculate the entropy of each disk block and, if that entropy falls within a sensitive entropy range, overwrite that disk block.
ERASERS: divide the area (population) to be sanitized into z subpopulations. For each subpopulation, randomly sample n blocks; if at least one sampled block is within the sensitive entropy range, overwrite that entire subpopulation.
[Figure: area to be sanitized -> divide into subpopulations -> randomly sample n disk blocks from each subpopulation -> overwrite subpopulations found to have sensitive data]
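The two techniques on this slide, as an added worked example in Python; this is not the authors' tool or its code. It models a disk as an in-memory bytearray of 512-byte blocks (the block size is an assumption, the slides do not fix one), computes Shannon entropy in bits per byte, runs ERASE over every block and ERASERS over z subpopulations with n sampled blocks each. The constructed layouts BEST_CASE and WORST_CASE mirror the clustered and spread-out cases of the performance test setup; the names zero_pattern, random_pattern, build_disk and demo are illustrative, and the sample record inside build_disk is constructed.

```python
"""Toy in-memory model of ERASE and ERASERS (added example, not the authors' tool)."""
import math
import os
import random
from collections import Counter

BLOCK_SIZE = 512  # assumed block size; the slides do not fix one


def block_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a uniform block, at most 8.0."""
    total = len(block)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in Counter(block).values())


def is_sensitive(block: bytes, low: float, high: float) -> bool:
    """A block counts as sensitive when its entropy is inside the user-tuned range [low, high]."""
    return low <= block_entropy(block) <= high


def read_block(disk: bytearray, i: int) -> bytes:
    return bytes(disk[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])


def write_block(disk: bytearray, i: int, pattern) -> None:
    disk[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] = pattern()


def erase(disk: bytearray, low: float, high: float, pattern, passes: int = 1) -> int:
    """ERASE: read every block on each pass, overwrite only blocks in the sensitive range.
    `pattern` is a callable returning BLOCK_SIZE bytes (called per write, so a /dev/urandom
    style pattern differs from block to block). Returns the number of block writes."""
    writes = 0
    nblocks = len(disk) // BLOCK_SIZE
    for _ in range(passes):
        for i in range(nblocks):
            if is_sensitive(read_block(disk, i), low, high):
                write_block(disk, i, pattern)
                writes += 1
    return writes


def erasers(disk: bytearray, low: float, high: float, pattern, z: int, n: int, rng=None):
    """ERASERS: split the image into z subpopulations, sample n blocks from each, and
    overwrite a whole subpopulation if any sampled block is sensitive.
    Returns (blocks_read, blocks_written)."""
    rng = rng or random.Random()
    nblocks = len(disk) // BLOCK_SIZE
    bounds = [s * nblocks // z for s in range(z + 1)]  # any remainder lands in the last groups
    reads = writes = 0
    for first, last in zip(bounds, bounds[1:]):
        sample = rng.sample(range(first, last), min(n, last - first))
        reads += len(sample)
        if any(is_sensitive(read_block(disk, i), low, high) for i in sample):
            for i in range(first, last):
                write_block(disk, i, pattern)
                writes += 1
    return reads, writes


def zero_pattern() -> bytes:
    return bytes(BLOCK_SIZE)        # stands in for /dev/zero


def random_pattern() -> bytes:
    return os.urandom(BLOCK_SIZE)   # stands in for /dev/urandom


def build_disk(layout: str, seed: int = 1) -> bytearray:
    """Constructed sample image: 'Z' zero block, 'T' repetitive text block, 'R' random block."""
    rng = random.Random(seed)
    record = b"customer=0042;balance=17.50;note=renewal due\n"  # constructed sample record
    out = bytearray()
    for ch in layout:
        if ch == "Z":
            out += bytes(BLOCK_SIZE)
        elif ch == "T":
            out += (record * (BLOCK_SIZE // len(record) + 1))[:BLOCK_SIZE]
        else:
            out += bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    return out


# Four subpopulations of eight blocks. Best case: the eight sensitive blocks sit in one group.
BEST_CASE = "ZZZZZZZZ" + "TTTTRRRR" + "ZZZZZZZZ" + "ZZZZZZZZ"
# Worst case: the same eight sensitive blocks spread so that every group holds some.
WORST_CASE = "ZZZZZZTR" * 4


def demo(layout: str, z: int = 4, n: int = 8):
    """ERASE (zeros, two passes) and ERASERS (zeros) on the same layout:
    returns (erase_writes, erasers_reads, erasers_writes)."""
    erase_writes = erase(build_disk(layout), 0.01, 8.0, zero_pattern, passes=2)
    reads, writes = erasers(build_disk(layout), 0.01, 8.0, zero_pattern, z, n, random.Random(7))
    return erase_writes, reads, writes


if __name__ == "__main__":
    print("best case  (erase writes, erasers reads, erasers writes):", demo(BEST_CASE))
    print("worst case (erase writes, erasers reads, erasers writes):", demo(WORST_CASE))
```

Running the script shows ERASE doing the same eight writes in both layouts, while ERASERS writes 8 blocks in the clustered layout and all 32 in the spread-out one, which is the best-case/worst-case gap of the performance results. With a zero pattern and two passes, ERASE writes nothing on the second pass, because blocks zeroed by the first pass now have entropy 0 and fall outside the sensitive range; a pseudorandom pattern keeps a block's entropy high, so a second pass skips it only if the upper bound of the sensitive range lies below the entropy of random data. With n equal to the subpopulation size the sample is exhaustive and the result is deterministic; with n smaller, a subpopulation can be skipped even though it holds sensitive blocks, which is the thoroughness question addressed later in the deck.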
6. ERASE
Designed to allow a more efficient wipe in situations where pseudorandom data is used as the wipe pattern.
Reduce the number of writes by performing extra reads: perform a read (106.8 MB/s) to possibly avoid a write of data drawn from /dev/urandom (11.8 MB/s).
Also designed to allow a more efficient wipe when multiple overwrite passes are performed.
7. ERASERS
Limitation of ERASE: if a uniform pattern such as /dev/zero is used as the wipe pattern, ERASE will not be more efficient when only one overwrite pass is used, since reading every block costs about as much as writing every block (assuming read and write speeds on the drive are similar).
ERASERS was designed to allow a more efficient wipe when a uniform wipe pattern is used.
Accomplished by randomly sampling blocks in areas of the drive and overwriting only those areas found to have sensitive data. Thus a limited number of reads are performed to possibly prevent writes.
Envisioned use: ERASERS could periodically wipe unallocated space.
8. Background
Sanitization algorithms
Entropy - compressibility of data
Random sampling
9. ERASE Process
Inputs:
1. Number of wipe passes
2. Wipe pattern - e.g., /dev/zero or /dev/urandom
3. Sensitive entropy range for the target area
4. Random sampling confidence level and interval (if using ERASERS)
10. One Pass or Multiple Passes

  Publication               Wipe method
  NIST SP 800-88            1 pass with random data
  Original DoD 5220.22-M    3-pass wipe
  New DoD 5220.22-M         Doesn't specify

Gutmann [6] states that overwritten data can be read by specialized equipment, such as magnetic force microscopes. This idea has drawn severe criticism in the forensic community.
Numerous other wipe-pass recommendations exist.
The proposed method significantly outperforms the brute-force method under the NIST SP 800-88 single-pass random recommendation; performance is even better with multi-pass wipes.
[6] P. Gutmann, "Secure deletion of data from magnetic and solid-state memory," in Proceedings of the 6th USENIX Security Symposium, 1996, pp. 77-89.
11. Wiping - Zeros vs. Random Patterns

  Pattern   What does it tell the second owner of the drive / forensic analyst?
  Zeros     Drive has not been used, or drive has been wiped
  Random    Difficult to tell whether the drive was wiped or just holds high-entropy data (jpg, zip, pdf)
12. Sensitive Entropy Range
User-tunable parameter (0 - 8 bits per byte). Possible settings:
All blocks that have an entropy greater than zero.
All blocks of a certain file type.
All blocks that have an entropy between a very low and a very high entropy.
13. Performance Results: Test Setup
ERASE/EWNS test - x% of the blocks in the partition were filled with data within the sensitive entropy range. Tool ran in ERASE/EWNS mode.
ERASERS/EWSBC (best case) test - x% of the blocks in the partition were sequentially filled with data within the sensitive entropy range. Tool ran in ERASERS/EWS mode with 95% CL and 5% CI, 8 subpopulations of 4 GB. Best case because the data is clustered compactly and sequentially.
ERASERS/EWSWC (worst case) test - x% of the blocks in the partition were filled with data within the sensitive entropy range, but the blocks were spread out to fill the drive evenly, so that every subpopulation contains data within the sensitive entropy range.
14. ERASE/EWNS vs. DD (/dev/urandom)
[Chart not reproduced in this text: ERASE/EWNS vs. dd with a /dev/urandom wipe pattern]
15. ERASERS/EWS vs. DD (/dev/zero)
[Chart not reproduced in this text: ERASERS/EWS vs. dd with a /dev/zero wipe pattern]
16. Thoroughness of Technique
Probability of not sampling a sensitive block when 384 blocks are randomly sampled from a population of 1048576 blocks (384 out of 1048576 corresponds to 95% CL and 5% CI).
Probability evaluated for scenarios with 10, 100, 1000, and 10000 sensitive blocks in a population of 1048576 blocks.
[Chart not reproduced in this text]
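The miss probability on this slide, as an added example in Python (not the authors' code). miss_probability is the exact hypergeometric probability that none of the n sampled blocks is one of the K sensitive ones, C(N-K, n)/C(N, n); sample_size is the standard Cochran formula with finite-population correction, which is assumed here to be how 384 follows from 95% CL and 5% CI; sample_for_detection is an added inverse that the slide does not contain. The 1048576-block population equals one 4 GB subpopulation at 4 KiB per block, consistent with the test setup, but the block size is an assumption.

```python
"""Sampling thoroughness of ERASERS: exact miss probability and sample sizes.
Added example; not the authors' code."""

N_BLOCKS = 1048576   # population from the slide (one 4 GB subpopulation at 4 KiB blocks, assumed)
SAMPLE = 384         # sample size the slide pairs with 95% CL / 5% CI


def sample_size(population: int, z: float = 1.96, interval: float = 0.05, p: float = 0.5) -> int:
    """Cochran's sample size with finite population correction (assumed to be how the
    95% CL / 5% CI figure of 384 is derived; p = 0.5 is the worst-case proportion)."""
    n0 = z * z * p * (1 - p) / (interval * interval)
    return round(n0 / (1 + (n0 - 1) / population))


def miss_probability(population: int, sensitive: int, sample: int) -> float:
    """Exact hypergeometric probability that a sample drawn without replacement contains
    none of the `sensitive` blocks: C(N-K, n) / C(N, n), computed as the running product
    prod_{j<K} (N-n-j)/(N-j) so that no huge binomial coefficients are formed."""
    if sensitive > population - sample:
        return 0.0  # more sensitive blocks than unsampled slots: a hit is certain
    p = 1.0
    for j in range(sensitive):
        p *= (population - sample - j) / (population - j)
    return p


def sample_for_detection(population: int, sensitive: int, target: float = 0.95) -> int:
    """Smallest sample size whose probability of reading at least one sensitive block is
    >= target (binary search; detection probability rises monotonically with n)."""
    lo, hi = 0, population - sensitive + 1
    while lo < hi:
        mid = (lo + hi) // 2
        if 1.0 - miss_probability(population, sensitive, mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def miss_table(population: int = N_BLOCKS, sample: int = SAMPLE, counts=(10, 100, 1000, 10000)):
    """Miss probability for each number of sensitive blocks, the slide's four scenarios."""
    return {k: miss_probability(population, k, sample) for k in counts}


if __name__ == "__main__":
    print("sample size for 95% CL / 5% CI:", sample_size(N_BLOCKS))
    for k, p in miss_table().items():
        print(f"{k:>6} sensitive blocks: P(all missed) = {p:.4f}")
    for k in (10, 10000):
        print(f"reads needed to catch one of {k} blocks with 95% probability:",
              sample_for_detection(N_BLOCKS, k))
```

For 10 sensitive blocks the 384-block sample misses all of them about 99.6% of the time, for 100 about 96%, for 1000 about 69%, and for 10000 about 2.5%. The confidence level and interval bound the error of an estimated proportion of sensitive blocks; they say nothing about catching a handful of stray blocks, which is why detecting 10 blocks among a million with 95% probability needs on the order of 270,000 reads rather than 384, while 10000 blocks are caught at that confidence with roughly 310 reads. In practice this favours ERASERS for areas expected to hold either a lot of sensitive data or none, and the full read of ERASE where a few surviving blocks matter.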
17. Conclusion
Presented a novel disk sanitization technique.
ERASE calculates the entropy of data blocks in the target area to decide whether the blocks need to be overwritten.
ERASERS enhances ERASE by using random sampling to further optimize the wiping process.