Data Remanence and Sanitization


Data remanence is the residual information remaining on storage media.


Sanitization is a process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort.


  • The sanitize command is a command in the ATA and SCSI standards that leverages a firmware-based process to perform a sanitization action.
  • If a device supports the sanitize command, the device must support at least one of three options: overwrite, block erase (usually for flash memory-based media), or crypto scramble (Cryptographic Erase). These commands typically execute substantially faster than attempting to rewrite through the native read and write interface.
  • The ATA standard clearly identifies that the Sanitization operations must address user data areas, user data areas not currently allocated (including “previously allocated areas and physical sectors that have become inaccessible”), and user data caches.
  • The resulting media contents vary based on the command used.
    • The overwrite command allows the user to specify the data pattern applied to the media, so that pattern (or the inverse of that pattern, if chosen) will be written to the media (although the actual contents of the media may vary due to encoding).
    • The result of the block erase command is vendor unique, but will likely be 0s or 1s.
    • The result of the crypto scramble command is vendor unique, but will likely be cryptographically scrambled data (except for areas that were not encrypted, which are set to the value the vendor defines).
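
A read-back check for the overwrite option described above, added here as an example and not taken from NIST SP 800-88 or any vendor tool. It assumes a 4-byte pattern repeated across 512-byte sectors; the function names, the pass/fail policy and the sample image are constructed for illustration.

```python
import io

SECTOR_SIZE = 512  # assumed logical sector size


def classify_sector(data: bytes, pattern: bytes) -> str:
    """Label one sector as 'pattern', 'inverse' or 'residual'."""
    inverse = bytes(b ^ 0xFF for b in pattern)
    reps = len(data) // len(pattern)
    if data == pattern * reps:
        return "pattern"
    if data == inverse * reps:
        return "inverse"
    return "residual"


def verify_overwrite(stream, pattern: bytes, sector_size: int = SECTOR_SIZE):
    """Read every sector from stream; return (counts, residual LBAs, passed)."""
    if not pattern or sector_size % len(pattern):
        raise ValueError("sector size must be a multiple of the pattern length")
    counts = {"pattern": 0, "inverse": 0, "residual": 0}
    residual_lbas = []
    lba = 0
    while chunk := stream.read(sector_size):
        # A short trailing read cannot be a full overwritten sector.
        state = classify_sector(chunk, pattern) if len(chunk) == sector_size else "residual"
        counts[state] += 1
        if state == "residual":
            residual_lbas.append(lba)
        lba += 1
    # Example policy (assumption): pass only when every sector holds the same
    # final value, all pattern or all inverse, with nothing left over.
    uniform = (counts["pattern"] == 0) != (counts["inverse"] == 0)
    passed = uniform and not residual_lbas
    return counts, residual_lbas, passed


def build_sample_image(pattern: bytes, sectors: int = 8, dirty_lba: int = 5) -> bytes:
    """Constructed test image: overwritten sectors plus one with leftover data."""
    clean = pattern * (SECTOR_SIZE // len(pattern))
    leftover = b"constructed leftover record".ljust(SECTOR_SIZE, b"\x00")
    return b"".join(leftover if i == dirty_lba else clean for i in range(sectors))


if __name__ == "__main__":
    pat = bytes.fromhex("deadbeef")  # constructed 4-byte pattern
    counts, bad, ok = verify_overwrite(io.BytesIO(build_sample_image(pat)), pat)
    print(counts, "residual LBAs:", bad, "PASS" if ok else "FAIL")
```

A read-back like this only sees user-addressable sectors. The previously allocated areas and inaccessible physical sectors that the ATA standard requires the command to address cannot be checked through the read interface.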

Clear, Purge, and Destroy are actions that can be taken to sanitize media. The categories of sanitization are defined as follows:

  • Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
  • Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.
  • Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.

Source: NIST SP 800-88 R1

