Data Destruction: A Technical and Standards Overview
Data Destruction and Media Sanitization
Data destruction, also known as media sanitization, is the process of thoroughly erasing data from a storage medium using physical or logical methods, rendering it unrecoverable. This prevents the unauthorized disclosure of sensitive information. The technology is widely used in government agencies, businesses, and other organizations to sanitize various information carriers, including hard drives, magnetic tapes, optical discs, and paper documents. The choice of destruction method must be strictly based on the media type, storage principles, and the classification level of the information.
I. Working Principles and Characteristics of Storage Media
1. Hard Disk Drive (HDD)

- Working Principle: Data is stored on magnetic tracks on a spinning platter and is accessed by a read/write head.
- Challenges in Media Sanitization: A standard deletion operation (e.g., deleting a file in an operating system) only removes file system metadata (e.g., the File Allocation Table or MFT record). The actual data remains on the platter's tracks. Therefore, more thorough methods (e.g., data overwriting, degaussing, or physical destruction) are required to achieve irreversible data sanitization.
- Applicable Methods: Data overwriting (multiple passes required), degaussing, and physical disintegration (shredding/crushing).
2. Solid-State Drive (SSD) / NVMe Drive

- Working Principle: Data is stored in flash memory cells (NAND) and managed by a controller using a Flash Translation Layer (FTL) for read/write operations and wear leveling.
- Challenges in Media Sanitization:
- FTL Impact: Traditional data overwriting methods are ineffective and inefficient on SSDs. Overwrite operations are mapped by the FTL to new, empty blocks, while the original data blocks may be marked as invalid but are not immediately erased. The actual erasure happens later during a Garbage Collection process. This can lead to data remanence.
- Life Span Degradation: SSD flash cells have a limited number of Program/Erase (P/E) cycles. Repeated write operations (like multiple overwrites) will significantly degrade the SSD's lifespan.
- Applicable Methods: The preferred methods are controller-based commands such as Secure Erase (SE) or Sanitize (as per ATA/NVMe standards). These commands efficiently instruct the controller to reset all storage cells (including over-provisioned space) to their factory state (usually through an internal discharge process). The data is theoretically unrecoverable, and the process causes far less wear and tear than multiple overwrites. Physical destruction is also a reliable method.
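
The FTL behaviour described above can be made concrete with a small model. This is an added example, not code from any drive vendor or from the original page: `ToyFTL` and its methods are hypothetical names, and the page contents are constructed sample data. It shows that a host-level overwrite leaves the old physical page intact until garbage collection, while a controller-level sanitize clears every page, including the over-provisioned ones.

```python
"""Toy flash translation layer: an illustrative model, not controller firmware."""

class ToyFTL:
    def __init__(self, user_pages, spare_pages):
        self.user_pages = user_pages
        # Physical pages include over-provisioned spares; None means erased.
        self.flash = [None] * (user_pages + spare_pages)
        self.l2p = {}          # logical page number -> physical page number
        self.stale = set()     # invalidated pages awaiting garbage collection

    def write(self, lpn, data):
        if not 0 <= lpn < self.user_pages:
            raise IndexError("logical page out of range")
        if lpn in self.l2p:                    # old copy is only marked invalid
            self.stale.add(self.l2p.pop(lpn))
        if None not in self.flash:             # no erased page left: run GC
            self.garbage_collect()
        ppn = self.flash.index(None)           # out-of-place write
        self.flash[ppn] = data
        self.l2p[lpn] = ppn

    def read(self, lpn):
        ppn = self.l2p.get(lpn)
        return None if ppn is None else self.flash[ppn]

    def garbage_collect(self):
        for ppn in self.stale:
            self.flash[ppn] = None
        self.stale.clear()

    def sanitize(self):
        """Controller-level erase: every physical page, spares included."""
        self.flash = [None] * len(self.flash)
        self.l2p.clear()
        self.stale.clear()

    def physical_hits(self, needle):
        """Physical pages still holding `needle` (what a raw NAND read would see)."""
        return [p for p, d in enumerate(self.flash) if d and needle in d]

def demo():
    ftl = ToyFTL(user_pages=4, spare_pages=2)
    ftl.write(0, b"SECRET constructed sample record")
    for lpn in range(4):                       # one full-device overwrite pass
        ftl.write(lpn, b"\x00" * 32)
    host_view = ftl.read(0)
    after_overwrite = ftl.physical_hits(b"SECRET")
    ftl.sanitize()
    return host_view, after_overwrite, ftl.physical_hits(b"SECRET")
```

In this model the host reads zeros from logical page 0 after the overwrite, yet physical page 0 still holds the original record until `sanitize()` runs. Whether stale pages survive further passes depends on when garbage collection happens, which the host cannot observe.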
II. Detailed Data Overwriting Standards (Primarily for HDDs)
1. One-Pass Overwrite
A single pass of writing a fixed pattern (e.g., all 0x00, all 0xFF) or random data to the entire disk.
- Speed: Fast.
- Security Assessment: Low.
- Applicable Scenarios: Non-sensitive data requiring quick clearing.
2. GA/T 1143-2014 (China)
GA/T 1143-2014, "Information Security Technology - Security Requirements for Data Destruction Software Products," was drafted by the Public Security Computing Information System Security Product Quality Supervision and Inspection Center, the Network Security Laboratory of the Chinese Academy of Sciences High Energy Physics Institute, Beijing Jinyuan Longmai Information Technology Co., Ltd., Xiamen Meiya Pico Information Co., Ltd., and the Third Research Institute of the Ministry of Public Security.

2.1 Single-Pass Overwrite (Same as One-Pass)
2.2 Three-Pass Data Destruction Method
A three-pass overwrite: The first pass writes a fixed character (e.g., 0x00), the second pass writes its complement (e.g., 0xFF), and the third pass writes a random character.
- Speed: Relatively fast.
- Security Assessment: High.
- Applicable Scenarios: Sensitive data requiring a balance of efficiency and security.
2.3 Seven-Pass Data Destruction Method
A seven-pass overwrite: The first pass writes a fixed character, the second writes its complement, the third writes a single-character pattern, the fourth writes a random character, the fifth writes a fixed character, the sixth writes its complement, and the seventh writes a random character.
- Speed: Slow.
- Security Assessment: Extremely high.
- Applicable Scenarios: Highly sensitive data requiring the highest level of unrecoverability.
3. DoD 5220.22-M (USA)
The U.S. Department of Defense's data sanitization standard, which is the basis for most other standards.

3.1 Short Version
The first pass writes all 0x00, the second writes all 0xFF, and the third writes random data.
- Speed: Relatively fast.
- Security Assessment: High.
- Applicable Scenarios: Sensitive data requiring a balance of efficiency and security.
3.2 Standard (ECE) Version
A seven-pass overwrite: The first pass writes 0x00, the second writes 0xFF, the third writes random data, the fourth writes 0x00, the fifth writes 0x00, the sixth writes 0xFF, and the seventh writes random data.
- Speed: Slow.
- Security Assessment: Extremely high.
- Applicable Scenarios: Highly sensitive data requiring the highest level of unrecoverability.
4. IEEE Std 2883-2022
Minimum of two passes required.
The first pass writes a fixed character (e.g., 0x00), and the second pass writes its complement (e.g., 0xFF).
Verification Step: Randomly inspect ≥ 5% of the addressable space.
- Speed: Relatively fast.
- Security Assessment: High.
- Applicable Scenarios: Sensitive data requiring a balance of efficiency and security, in scenarios where verification is needed.
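
The fixed-byte, complement, and random passes described in this section, together with a sampled read-back verification step, can be sketched as follows. This is an added example, not code from any of the standards or tools named on this page: the function names, the 512-byte sector size, the 5 percent default sample, and the in-memory image are assumptions, and the image contents are constructed.

```python
import io
import os
import random

SECTOR = 512
# Pass lists as described above; None means a pass of random data.
SCHEMES = {
    "three_pass": [0x00, 0xFF, None],
    "two_pass_verified": [0x00, 0xFF],
}

def overwrite(dev, size, passes):
    """Run every pass over the whole image; return the final fill byte (or None)."""
    fill = None
    for fill in passes:
        dev.seek(0)
        for _ in range(size // SECTOR):
            dev.write(os.urandom(SECTOR) if fill is None else bytes([fill]) * SECTOR)
        dev.flush()   # on a real block device also fsync so the pass reaches the media
    return fill

def verify_sample(dev, size, expected, percent=5, rng=random):
    """Read back a random sample covering at least `percent` of all sectors.

    Only a fixed final fill byte can be checked this way, not a random pass.
    """
    sectors = size // SECTOR
    count = max(1, -(-sectors * percent // 100))      # ceiling division
    bad = []
    for s in sorted(rng.sample(range(sectors), count)):
        dev.seek(s * SECTOR)
        if dev.read(SECTOR) != bytes([expected]) * SECTOR:
            bad.append(s)
    return count, bad

def demo():
    # Constructed 200-sector image standing in for a disk.
    size = 200 * SECTOR
    image = io.BytesIO(b"constructed sensitive record".ljust(SECTOR, b".") * 200)
    last = overwrite(image, size, SCHEMES["two_pass_verified"])
    checked, bad = verify_sample(image, size, last)
    # Simulate a sector the final pass never reached, then check every sector.
    image.seek(7 * SECTOR)
    image.write(b"leftover")
    _, bad_full = verify_sample(image, size, last, percent=100)
    return checked, bad, bad_full, b"sensitive" in image.getvalue()
```

A sampled check can miss an isolated unwritten sector, which is why the demo switches to a full read-back to find sector 7.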
Key Notes
Standard Applicability: The GA/T 1143-2014 and DoD 5220.22-M standards are designed primarily for the physical characteristics of HDDs (magnetic remanence). The core goal of multiple overwrites is to overcome the residual magnetism of the media, making it difficult to recover original data using specialized equipment like a Magnetic Force Microscope (MFM).
SSD/NVMe Warning: Applying the above multi-pass overwriting standards directly to SSD/NVMe drives is strongly discouraged, for the reasons mentioned earlier:
- Poor Efficacy: The FTL mechanism makes it difficult for overwrite operations to reach the original physical locations.
- Life Span Degradation: The large number of write operations will rapidly deplete the SSD's P/E lifespan.
- Low Efficiency: The speed is significantly slower than dedicated Secure Erase commands.
III. Detailed Data Sanitization Standards (Primarily for SSDs)
NIST SP 800-88 Purge / ATA/NVMe Secure Erase (SE) / Sanitize
Principle: A specific command (such as ATA SECURITY ERASE UNIT, or NVMe Format NVM with Sanitize option) is sent to the SSD controller. The controller performs an internal operation, which typically resets the electrical charge level of all NAND flash cells (including user-invisible over-provisioned space), returning them to an unprogrammed state (equivalent to a factory reset).
Advantages:
- Efficient and Thorough: Theoretically erases all data at once, including all physical blocks managed by the mapping table.
- Fast: Much faster than multi-pass overwrites.
- Low Wear: Causes minimal degradation to the SSD's lifespan (typically counts as a single P/E cycle).
- Standard Compliance: This is the recommended "Clear" and "Purge" method for solid-state media in NIST SP 800-88 Rev. 1.
Requirements: The SSD controller and firmware must properly support this command. Any BIOS/UEFI password or drive password must be removed before execution.
IV. Common Data Destruction Tools
1. AOMEI Partition Assistant
Supported Standards: One-Pass, DoD 5220.22-M, Gutmann (35 passes), etc.

- Pros: User-friendly Graphical User Interface (GUI), easy to operate.
- Cons: Requires a Windows operating system or WinPE environment. Use caution when applying overwrite methods to SSDs.
2. nwipe
Supported Standards: Multiple overwrite modes (including DoD, Gutmann, etc.).

- Pros: Open-source command-line tool that runs on Linux distributions and Live CD/USB environments. Newer versions (0.35+) can generate PDF erasure certificates, which is useful for audits and compliance.
- Cons: Use caution when applying overwrite methods to SSDs.
3. DiskGenius
Supported Standards: Primarily supports sector filling (similar to One-Pass).

- Pros: Provides a GUI.
- Cons: Requires a Windows environment. Functionality is relatively limited (primarily for sector operations). Use caution when applying overwrite methods to SSDs.
4. RAID/HBA Hardware Erasure (Hardware Erase)
Principle: Uses the built-in erase functionality of modern RAID cards or Host Bus Adapters (HBA). The processor on the card directly sends erase commands (which could be overwrite or Secure Erase) to the connected disks (HDD/SSD).
- Pros: Does not rely on a host operating system. Operations can be performed in the BIOS/UEFI configuration interface or dedicated management software. It may send the more efficient Secure Erase command to SSDs (depending on hardware support).
- Cons: The functionality and reliability depend on the specific hardware vendor. It's necessary to confirm the specific erasure methods and supported media types.
V. Summary and Recommendations
The distinction between media types is critical: the destruction method must be selected based on the core principles of the storage medium (HDD or SSD/NVMe).
- HDD: For sensitive data, multi-pass overwrite standards such as GA/T 1143 (3-pass/7-pass), DoD 5220.22-M ECE (7-pass), or IEEE 2883 (2-pass + verification) are recommended. Degaussing and physical disintegration are also reliable alternatives.
- SSD/NVMe: The first choice is the controller-based Secure Erase (SE) or Sanitize command, which is compliant with NIST SP 800-88 Purge. Physical destruction is the ultimate guarantee. Avoid using multi-pass overwrite standards designed for HDDs, as they are ineffective, slow, and severely degrade the SSD's lifespan.
Tool Selection: Choose the appropriate tool based on your operating environment and requirements (e.g., the need for an audit trail). For SSDs, prioritize tools or hardware features that support and correctly execute the Secure Erase command.
Verification and Auditing: For high-security scenarios, it is crucial to select a tool that supports erasure verification (e.g., IEEE 2883) or can generate audit certificates (e.g., nwipe).
Hardware Erasure: If your hardware supports it and you have confirmed the erasure method (especially whether it uses SE for SSDs), this is an efficient and independent option.