I. Purpose & Scope

George Mason University Policy Number 1311, Information Technology Security Program, mandates compliance with the Information Technology Security Standard. This standard requires that information system media (both digital and non-digital) be sanitized or destroyed prior to disposal (e.g. surplus electronic devices deemed for destruction) or release for reuse (e.g. for interdepartmental transfers or return for replacement).

This procedure provides instructions for permanently removing data from Mason-owned electronic devices, verifying their sanitization, and documenting the process. This document applies only to university departments and offices, at all George Mason University locations, that are planning to release Mason-owned computers for reuse.

II. Roles

The following roles have been identified for this procedure:

Role: Departmental Staff #1 (or System Administrator)
Responsibilities:
  • Performs recommended data sanitization technique on Mason-owned electronic device
  • Completes the top half of the Data Sanitization Certification Sticker

Role: Departmental Staff #2
Responsibilities:
  • Performs verification that data have been removed from Mason-owned electronic device
  • Completes the bottom half of the Data Sanitization Certification Sticker
  • Applies the sticker on the electronic device, closest to the Asset Tag

III. Workflow

The workflow below provides a graphical representation of the data sanitization procedure. More detailed steps are provided in the following sections.

Figure 1: Data Sanitization Process

IV. Determine Which Data Sanitization Technique to Use

Use the chart below to determine which data sanitization technique to use on a Mason-owned electronic device.

NOTE: Optical media such as CD, CD-RW, DVD, and DVD RW can NOT be released for reuse. They must be physically destroyed through a shredder.

Figure 2: Data Sanitization Technique

V. Implement the Data Sanitization Technique

A. Using DBAN on Hard Disk Drives

1. Create a Bootable DBAN Disk

ACTIVITY INPUTS: CD
ACTIVITY OUTPUTS: DBAN program, bootable DBAN CD

NOTE: DBAN has been recently purchased by a commercial entity, and as a result, the license has changed to personal use only. ITSO is searching for an adequate replacement.

An updated fork of DBAN is the nwipe project. It is functionally equivalent, but without the restrictive license. There are few standalone bootable nwipe images, but nwipe is available on some Linux live ISO images.

  1. Download DBAN on the electronic device by clicking on the green download button.
  2. When prompted to download DBAN, save the iso file in a sub-folder called “dban” under “Downloads”. (Note that you need to create the “dban” sub-folder).
  3. Create a bootable DBAN disk using a CD by simply copying the iso file from the “dban” sub-folder under “Downloads” onto the CD, and then go to Step VI. Otherwise, go to Step V to create a bootable DBAN disk using a USB device.

2. Creating a Bootable DBAN on USB (optional)

ACTIVITY INPUTS: USB
ACTIVITY OUTPUTS: Rufus program, bootable DBAN USB

  1. Download Rufus, a free tool that will correctly prepare the USB drive, automatically extract the contents of the ISO file you have, and properly copy the files contained within it to your USB device, including any files in the ISO needed to make it bootable.
  2. Rufus is a portable program (does not install) and works on Windows 10, 8, 7, Vista, and XP. Select Rufus 3.4 Portable from the download screen.
  3. Double-click on the rufus-3.4p.exe file that you just downloaded. The Rufus program will start right away.
  4. Insert the flash drive or other USB device into your computer that you want to "burn" the ISO file to, assuming it's not already plugged in. NOTE: Burning an ISO image to a USB drive will erase everything on the drive!
  5. From the Device drop-down at the top of the Rufus program screen, choose the USB storage device you want to burn the ISO file to.
  6. From the Boot selection drop-down, make sure Disk or ISO image (Please select) is chosen. Click the SELECT button.
  7. When the Open window appears, locate and then select the ISO file you want to burn to the flash drive. Once selected, click the Open button.
  8. Wait while Rufus inspects the ISO file you chose. This might take several seconds or may go by very quickly. NOTE: If you get an Unsupported ISO message, the ISO you chose is not supported for burning to USB by Rufus. In this case, try one of the other programs such as UNetbootin, ISO to USB, and Universal USB Installer.
  9. Under the Image option area, pick Standard Windows installation (if you see this).
  10. Leave the Partition scheme, Target system, File system, and Cluster size options alone.
  11. Accept the default on the Volume label field.
  12. Click on the START button to start the "burning" of the ISO file to the USB device you chose. NOTE: If you get an Image is too big message, you'll need to use a larger USB device or choose a smaller ISO image.
  13. Click on the OK button to the WARNING: ALL DATA ON DEVICE 'XYZ' WILL BE DESTROYED message that appears next.
  14. Wait while Rufus properly formats the USB drive so it's bootable, and then copies all of the files to the drive that are contained in the ISO file.
  15. Once the status at the bottom of the Rufus program window says READY, you can close Rufus and remove the USB drive.

3. Sanitize Hard Disk Drive using DBAN

ACTIVITY INPUTS: bootable DBAN CD/USB, hard disk drive (magnetic disk)
ACTIVITY OUTPUTS: “wiped” hard disk drive (magnetic disk)

  1. Insert the CD or USB into the computer.
  2. Restart your computer. You should see the DBAN Main Menu below.
  3. Using your keyboard, select the F3 key to list the Quick Commands. This opens the Quick Commands screen as shown below.
  4. DBAN can use one of several different methods to erase files as shown on the screen above. The methods differ in the pattern used to erase the files and in how many times that pattern is repeated. Type “autonuke” at the cursor to start wiping ALL your hard disk drives. The autonuke command is the same as the dodshort command. The dodshort command only does 3 passes versus 7 on the dod command.
  5. Once DBAN starts running, you should see this screen below. You can neither stop nor pause the process.
  6. Once DBAN is done, you should see this screen below.
  7. At this point, you can safely remove the CD or USB device that you've installed DBAN to, and then shut down your computer.

B. Using Erase on Solid State Drive Running on Mac OS

  1. Reboot the computer.
  2. After hearing the boot sound, simultaneously press COMMAND + OPTION + R until the spinning globe appears and “Internet Recovery” is displayed.
  3. In the menu that is presented, select “Disk Utility” and press “Continue”.
  4. Highlight the internal disk entry and click the “Erase” button.
  5. The erase function will take several seconds.

C. Using Secure Erase on Solid State Drive Running on Windows

Some Dell workstations after 2015 with a compatible drive will have a “Data Wipe” option in the BIOS Setup.

  1. Boot to the system BIOS by pressing F2 at the Dell splash screen during system startup.
  2. Once in the BIOS, select the Maintenance option, then the Data Wipe option in the left pane of the BIOS using the mouse or the arrow keys on the keyboard.
  3. Ensure “Wipe on Next Boot” is checked, and confirm you would like to continue the operation by clicking “OK”.
  4. When asked if you want to cancel this operation, click “NO”.
  5. The machine will reboot and issue the secure erase command.

For non-Dell systems, refer to the computer manufacturer’s site or use the utilities recommended by the hard disk manufacturer. Some manufacturers may not have a specific tool, but may mention any tool advertising ATA Secure Erase as a valid method.

Samsung Magician
https://www.samsung.com/semiconductor/minisite/ssd/product/consumer/magician/

Kingston SSD Manager
https://www.kingston.com/us/support/technical/ssdmanager

Western Digital SSD Dashboard
https://support.wdc.com/downloads.aspx?lang=en

Crucial Storage Executive
https://www.crucial.com/usa/en/support-storage-executive

SanDisk SSD Dashboard
https://kb.sandisk.com/app/answers/detail/a_id/15108/~/sandisk-ssd-dashboard-support-information

Seagate SeaTools
https://www.seagate.com/support/downloads/seatools/

PNY
PNY states that they support any other tool that advertises secure erase.

Silicon Power SP ToolBox
https://www.silicon-power.com/web/download-ToolBox

ADATA SSD ToolBox
https://www.adata.com/us/ss/software-6/

D. Using hdparm on Solid State Drive Running on UNIX

  1. Verify that the hard disk is not frozen:
    # hdparm -I /dev/X
    Security:
            Master password revision code = 65534
                    supported
            not     enabled
            not     locked
            not     frozen
            not     expired: security count
                    supported: enhanced erase
            2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
  2. Set a password on the drive:
    # hdparm --user-master u --security-set-pass mypassword /dev/X
  3. Verify the password set:
    # hdparm -I /dev/X
    Security:
            Master password revision code = 65534
                    supported
                    enabled
            not     locked
            not     frozen
  4. Issue the command to erase the drive:
    # hdparm --user-master u --security-erase mypassword /dev/X
    security_password="mypassword"

    /dev/X:
     Issuing SECURITY_ERASE command, password="mypassword", user=user

E. Secure Erase on Flash-memory Device(s)

Any software capable of executing 3-pass, DoD-standard wiping is acceptable. One tool capable of erasing individual files or entire drives is Eraser (https://eraser.heidi.ie/).

F. Using a Factory Reset on Multi-function Printer(s)

Follow the device manufacturer’s recommendations. If internal storage involves a removable flash memory or hard disk, remove it from the device and follow the aforementioned procedures.

G. Using a Factory Reset on Mobile Device(s)

1. Apple iPhone
  1. Unpair your Apple Watch (if applicable)
  2. Turn off “Find my iPhone”
  3. Back up the device to iTunes (optional)
  4. Sign out of the Apple account associated with the device
  5. Open Settings, then tap "General." Next, select "Reset," then "Erase All Content and Settings."
  6. Power off the phone and remove SIM card, if applicable
2. Android
  1. Navigate to Settings, then Security
  2. If necessary, expand Advanced
  3. Validate that “Encryption and Credentials” says “Encrypted”
    (1) If not, activate full disk encryption on the device
  4. Navigate to Settings, then System
  5. If necessary, expand Advanced
  6. Tap “reset options”
  7. Tap “Erase all Data (factory reset)” and follow confirmation prompts
  8. Power down phone and remove the SIM card, if applicable

H. Deleting Configuration on Non-volatile Memory Devices (Routers, Switches, and Firewall Hardware)

Follow manufacturer recommendations for the specific hardware. If internal storage involves a removable flash memory or hard disk, remove it from the device and follow the aforementioned procedures.

I. Physical Destruction of defective/non-functioning media

Some media may be non-functioning, rendering execution of a secure erase operation impossible. Typically, it is the controller on the device that has malfunctioned, leaving the data areas intact and recoverable with time and the right resources.

For standard hard disk drives, ITS has an NSA-certified degaussing tool that applies strong magnetic fields to effectively erase hard disk platters. ITSO still recommends executing a software-based wipe on any standard hard disk drive before degaussing, if possible.

George Mason University has a contract with a third-party electronic recycler that is able to execute certified destruction of this media. Contact the IT Security Office to coordinate delivery of media to be destroyed. The vendor can provide a certificate of destruction if requested for record-keeping purposes.

VI. Fill Out the Data Sanitization Certification Sticker

ACTIVITY INPUTS: Data Sanitization Certification sticker
ACTIVITY OUTPUTS: Data Sanitization Certification sticker

  1. Print out the Data Sanitization Certification stickers (last page) onto standard 2-inch high by 4-inch wide shipping labels.
  2. On one of the stickers, check the appropriate sanitization technique checkbox (e.g. SUCCESSFUL WIPE (DBAN, Encrypt & Erase), FACTORY RESET, CONFIGURATION DELETED). Note that if you checked off the SUCCESSFUL WIPE (DBAN, Encrypt & Erase) checkbox, you also need to circle whether the data was wiped using DBAN or Encrypt & Erase.
  3. On Media Type, write what type of information system media or electronic device was sanitized.
  4. Find the Asset Tag on the computer. Write down the Asset Tag Number on the Surplus/Asset Tag#.
  5. Print your name and enter the date on the Removed By (Print Name) & Date on the sticker.
  6. Find a Departmental Staff member to perform the verification process in Section VII. Give the sticker to that staff member.

VII. Verify a Successful Media Sanitization

A. On Electronic Device with Hard Disk Drive

ACTIVITY INPUTS: “wiped” hard disk drive, Data Sanitization Certification sticker
ACTIVITY OUTPUTS: “wiped” hard disk drive, Data Sanitization Certification sticker

  1. To verify that the hard disk drive was wiped successfully, turn on the computer; you should see an “Operating System not found” error on startup.
  2. Print your name and enter the date on the Verifier’s Name (Print Name) & Date on the Data Sanitization Certification sticker.
  3. Sign your name on the Verifier’s Signature on the sticker.
  4. Take the sticker and stick it on the side of the computer, preferably near the Asset Tag.

B. On Electronic Device with Solid State Drive Running on iOS

ACTIVITY INPUTS: “wiped” SSD, Data Sanitization Certification sticker
ACTIVITY OUTPUTS: “wiped” SSD, Data Sanitization Certification sticker

  1. After completion of the erasure process, the target drive should not have any recognizable partitions viewable by the Disk Utility.
  2. To complete the Data Sanitization Certification sticker, perform Steps #2-4 of Section VII.A, On Electronic Device with Hard Disk Drive.

C. On Electronic Device with Solid State Drive Running on Windows

ACTIVITY INPUTS: “wiped” SSD, Data Sanitization Certification sticker
ACTIVITY OUTPUTS: “wiped” SSD, Data Sanitization Certification sticker

  1. The output screen of the drive wipe utility will show completion.
  2. To complete the Data Sanitization Certification sticker, perform Steps #2-4 of Section VII.A, On Electronic Device with Hard Disk Drive.

D. On Electronic Device with Solid State Drive Running on UNIX

ACTIVITY INPUTS: “wiped” SSD, Data Sanitization Certification sticker
ACTIVITY OUTPUTS: “wiped” SSD, Data Sanitization Certification sticker

  1. To verify, run hdparm and validate that the password on the drive is not enabled:
    # hdparm -I /dev/X
    Security:
            Master password revision code = 65534
                    supported
            not     enabled
            not     locked
            not     frozen
            not     expired: security count
                    supported: enhanced erase
            2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
  2. To complete the Data Sanitization Certification sticker, perform Steps #2-4 of Section VII.A, On Electronic Device with Hard Disk Drive.
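
The `hdparm -I` checkpoints in Sections V.D and VII.D can be read mechanically rather than by eye. The following shell functions are an added example, not part of the original procedure; the names `ata_security_state` and `expect_state`, the step labels, and the sample listings are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify the "Security:" block of `hdparm -I` output.

# Reads `hdparm -I` text on stdin; prints one of:
#   unsupported | frozen | locked | enabled | clear
ata_security_state() {
    awk '
        /^Security:/ { in_sec = 1; found = 1; next }
        in_sec && /^[^ \t]/ { in_sec = 0 }     # next unindented header ends the block
        in_sec {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t\r]+$/, "", line)
            neg = sub(/^not[ \t]+/, "", line)  # 1 when the flag is prefixed by "not"
            if (line == "supported")    supported = !neg
            else if (line == "enabled") enabled = !neg
            else if (line == "locked")  locked = !neg
            else if (line == "frozen")  frozen = !neg
        }
        END {
            if (!found || !supported) print "unsupported"
            else if (frozen)  print "frozen"    # drive rejects security commands
            else if (locked)  print "locked"
            else if (enabled) print "enabled"   # a user password is set
            else              print "clear"     # no password set, not frozen
        }'
}

# expect_state STEP: succeed only if stdin shows the state this procedure
# expects at STEP (step names are hypothetical labels for this example).
expect_state() {
    case "$1" in
        before-set-pass) want=clear ;;    # Section V.D, step 1
        after-set-pass)  want=enabled ;;  # Section V.D, step 3
        after-erase)     want=clear ;;    # Section VII.D, step 1
        *) echo "unknown step: $1" >&2; return 2 ;;
    esac
    got=$(ata_security_state)
    [ "$got" = "$want" ] && return 0
    echo "step $1: expected $want, drive reports $got" >&2
    return 1
}

# Constructed samples modelled on the listings in this procedure.
SAMPLE_CLEAR='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
                supported: enhanced erase'
SAMPLE_ENABLED=$(printf '%s\n' "$SAMPLE_CLEAR" | sed 's/not  *enabled/        enabled/')
SAMPLE_FROZEN=$(printf '%s\n' "$SAMPLE_CLEAR" | sed 's/not  *frozen/        frozen/')

# On a live system (as root): hdparm -I /dev/X | expect_state after-erase
```

A `frozen` result at the first checkpoint means the drive will reject the password and erase commands in the later steps.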

E. On Flash-memory Device(s)

ACTIVITY INPUTS: “wiped” flash-memory device, Data Sanitization Certification sticker
ACTIVITY OUTPUTS: “wiped” flash-memory device, Data Sanitization Certification sticker

  1. To verify, view confirmation page from tool of choice.
  2. To complete the Data Sanitization Certification sticker, perform Steps #2-4 of Section VII.A, On Electronic Device with Hard Disk Drive.

F. On Multi-function Printer(s)

ACTIVITY INPUTS: “wiped” Multi-function Printer, Data Sanitization Certification sticker
ACTIVITY OUTPUTS: “wiped” Multi-function Printer, Data Sanitization Certification sticker

  1. To verify, follow manufacturer’s recommendations for verification.
  2. To complete the Data Sanitization Certification sticker, perform Steps #2-4 of Section VII.A, On Electronic Device with Hard Disk Drive.

G. On Mobile Device(s)

ACTIVITY INPUTS: “wiped” mobile device, Data Sanitization Certification sticker
ACTIVITY OUTPUTS: “wiped” mobile device, Data Sanitization Certification sticker

  1. To verify, power up the phone; it should begin the setup procedure as if it were a new device.
  2. To complete the Data Sanitization Certification sticker, perform Steps #2-4 of Section VII.A, On Electronic Device with Hard Disk Drive.

H. On Non-volatile Memory Devices (Router, Switch or Firewall Hardware)

ACTIVITY INPUTS: firewall/network/switch, Data Sanitization Certification sticker
ACTIVITY OUTPUTS: firewall/network/switch, Data Sanitization Certification sticker

  1. To verify, follow manufacturer’s recommendations for verification.
  2. To complete the Data Sanitization Certification sticker, perform Steps #2-4 of Section VII.A, On Electronic Device with Hard Disk Drive.

VIII. Definitions

Acronym/Term: Definition

data sanitization: This is the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable.

DBAN: This program is also known as Darik's Boot and Nuke. It is designed to securely erase a hard disk until its data is permanently removed and no longer recoverable, which is achieved by overwriting the data with pseudorandom numbers generated by Mersenne Twister or ISAAC. DBAN erases all the files on the hard drive including installed applications, files, and the operating system. To download a free version, go to: https://dban.org/.

electronic device: Any electronic equipment that has a storage device or persistent memory, including but not limited to computers, servers, mobile devices, routers, switches, firewall hardware, and certain models of printers and copiers.

information system media: These are components in an electronic device that store data or use persistent memory. Information system media includes both digital and non-digital forms. Digital media include magnetic disks, flash-memory or Solid-State Devices (SSDs), and optical media. Non-digital media include paper and microfilm.

RUFUS: This is a free tool that will correctly prepare the USB drive, automatically extract the contents of the ISO file you have, and properly copy the files contained within it to your USB device. It is a portable program (does not install) and works on Windows 10, 8, 7, Vista, and XP. To download this free tool, go to: https://rufus.ie/.

IX. Dates:

  1. Effective Date:
    This procedure will become effective upon the date of approval.
  2. Date of Most Recent Review:
    N/A.

X. Timetable for Review

This procedure shall be reviewed every year or more frequently as needed.

XI. Signatures

The following authorized parties hereby approve the above procedure:

Curtis McNay
IT Security Office Director
Information Technology Services

Curtis McNay
Interim Executive Director/Chief Information Security Officer
Information Technology Services

Version: 1.0
Date of last revision: 25 July 2019