First, note that this paper relates only to the wiping (that is, overwriting[1]) of magnetic hard disk drives; other media, such as memory or solid-state devices, are not considered here.
To answer this question properly, one also needs to ask, "When?" and "Under whose authority?" The reference to "when" is necessary, since overwriting methods have changed in later editions of DoD (Department of Defense) documents. Next, we note the DoD has always stated that the exact methods used to sanitize a hard disk must be based upon the sensitivity of the information and be prescribed by the government agency overseeing control of that information. Therefore, it is incorrect to use the term "DoD wipe" (as if some single all-encompassing standard existed) without citing at least one specific dated reference.
But doesn't DoD 5220.22-M specify a wipe standard? First, we must point out that DoD 5220.22-M (the "M" stands for "manual") is a wide-ranging document covering all aspects of the security of classified information when it must be transferred to or from (including networks), or stored outside a government facility, or handled by anyone not directly employed by the US government. Technically, DoD 5220.22-M, which is also known as the National Industrial Security Program (NISP) Operating Manual or NISPOM, was never intended to provide any specific overwriting procedures; it has always referred to the Defense Security Service's Clearing and Sanitization Matrix (DSS C&SM)[1] in such cases, which does contain specific methods for the declassification of various media. The 1995 and 1997 editions of NISPOM included a copy of the DSS C&SM table between sections 8-306(i.) and 8-400, but this is not true of every edition (e.g., the most recent edition of NISPOM does not do so). And as of the June 28, 2007 edition of the DSS C&SM, overwriting is no longer acceptable for the sanitization of magnetic media; only degaussing or physical destruction is.[2] However, that same document also contains a note concerning "practical sanitization decisions" for "cost effective security management" (i.e., most organizations need not follow the DoD's policy of destroying hard disks).
Clearing and sanitization of media in section 8.301 (see below) without any examples of how to carry out those guidelines.
In general, the reasons for the present confusion over what constitutes a DoD wipe, including , appear to be twofold: .
While researching this material, we came across an old paper from the National Computer Security Center at the Federation of American Scientists (FAS) archive of the "NSA Rainbow Series and Related Documents" which mentions an overwrite process in A Guide to Understanding Data Remanence in Automated Information Systems.[3] Similar language is also found in the ODAA Process Guide's Appendix O[4], in the section Overwriting; though it presently "refers to sanitization procedures not associated with fixed/rigid media to render such media unclassified." In part, it states: "the contractor must develop an alternative procedure, such as a three-time overwrite, for the media. The passes that are developed must be a character, its complement, and then a third pass with random characters."[5] But even here the guide now adds, "This process will only be utilized as a clearing action and the media must be safeguarded at the TOP SECRET level. When the media is no longer needed, it must be destroyed."
When reading about Symantec Corporation's GDisk (which may be included with present-day Symantec Ghost products), we discovered this utility has a switch called "/dod" which performs a hard disk wiping action as described in their document, GDisk Disk Wipe Specifications.[6] While reading this document, you can see its author(s) present the contents of the Clearing and Sanitization Matrix table found in the January 1995 edition of NISPOM (where it was inserted between sections "8-306. Maintenance" and "8-400. Networks" of that edition; note that contrary to some popular comments on the web, it had nothing to do with section 8-306, having been merely placed there out of convenience for page layout) as pertaining only to magnetic disks; there are many other media present in the original table. They very clearly show that apart from degaussing, the action for clearing a disk is stated in note "c: Overwrite all addressable locations with a single character," and the sanitization of a disk can be carried out using either note "d: Overwrite all addressable locations with a character, its complement, then a random character and verify [Note: This method is not approved for sanitizing media that contains top secret information.]" or note "m: Destroy (disintegrate, incinerate, pulverize, shred, or melt)." Yet on page 3, after appearing to indicate that GDisk follows the DSS Matrix note d. (it states, "GDisk performs a sanitize operation, as defined by action d, when performing a disk wipe operation with the /dod command modifier."), this document then makes a fantastic leap into the next phrase, which says, "The following cycle occurs six times:" Where in any of the DoD or DSS literature did that come from!? And if you took that phrase logically, after examining the next four points in the document, you'd have to conclude that the GDisk utility performs a ridiculous number of wipe passes! (Six times the four items would equal twenty-four; 6 x 4 = 24, for 24 passes.)
The items in the list are:
Note that last item. It's a verification that carrying out the first three items does indeed end up writing a "pseudo-random character" everywhere on the disk. If we suppose that the first three items must be done six times, then perhaps you might want to verify that each cycle was performing correctly. But our reading of the original DSS document says that only three passes followed by a verification are necessary! We are going to examine this utility in detail and report back here as to the exact nature of its actions for a /dod wipe, so keep asking us for it if you don't see this soon.
With GDisk's very odd six-cycle interpretation of the DSS's straightforward description of three overwrite passes plus a verification pass, is it any wonder that other companies decided to come up with their own interpretations of what a "DoD Wipe" consists of? The most prevalent description we've seen in a cursory survey of wiping software and hardware available on the Net presents a "DoD wipe" as three cycles of alternating patterns of 0x00 and 0xFF, followed by an 0xF6 byte pattern for a total of seven passes. But, as the DSS and other security organizations have pointed out, they rarely include a verification pass!
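The note "d" sequence quoted above (a character, its complement, a random character, then verify) can be written as three overwrite passes and one read-back pass. This is an added example, not code from the DSS, Symantec or this article; it works on an image file rather than a disk device. The function names, the character 0x35 and the use of fresh random bytes for the third pass are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per write


def write_pass(f, size, make_block):
    """Overwrite every byte of f; return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    f.seek(0)
    remaining = size
    while remaining:
        block = make_block(min(CHUNK, remaining))
        f.write(block)
        digest.update(block)
        remaining -= len(block)
    f.flush()
    os.fsync(f.fileno())  # commit this pass before the next one starts
    return digest.hexdigest()


def read_digest(f):
    """Verification pass: read the whole target back and hash it."""
    digest = hashlib.sha256()
    f.seek(0)
    for block in iter(lambda: f.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()


def sanitize_note_d(path, char=0x35):
    """Character, complement, random: three passes, then one verification."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        write_pass(f, size, lambda n: bytes([char]) * n)
        write_pass(f, size, lambda n: bytes([char ^ 0xFF]) * n)
        expected = write_pass(f, size, os.urandom)
        # On a real disk the read-back must bypass the OS cache to be meaningful.
        return {"write_passes": 3, "verified": read_digest(f) == expected}


if __name__ == "__main__":
    # Constructed sample: a small image file standing in for a disk.
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"CONSTRUCTED-SAMPLE-RECORD " * 4096)
    print(sanitize_note_d(img.name))
    os.remove(img.name)
```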
The NISPOM[7] establishes the standard procedures and requirements for all government contractors with regard to classified information. As of July, 2008, the current NISPOM is still dated 28 Feb 2006. Although the following list does contain all of its chapter headings, only some chapter sections have been selected to show in detail those subsection paragraphs (either in full or as bolded titles) that could possibly contain any information related to the wiping of a hard disk. In particular, note Section 8-301 (page 8-3-1):
June 28, 2007 edition (retrieved on 2008-06-14; size: 90,386 bytes).
. National Computer Security Center. (retrieved from the Federation of American Scientists (FAS) web site on 2008-06-15). We quote the relevant section in full:
Revised May, 2008; Revision 2008.1 Appendix O, page O-5, first paragraph. DSS. May, 2008
Symantec Corporation (retrieved on 2008-07-13; size: 101,827 bytes).
. Current 28 Feb 2006 edition. (retrieved as a PDF document on 2008-06-14; size: 2,014,780 bytes, from the DSS).
A completely new Revision: July 28, 2008.