Why traditional sanitization methods as specified in DoD 5220.22-M are not sufficient for SSD erasure and can leave recoverable data behind.

The DoD specification was set long ago, when rotating magnetic media hard drives ruled the IT world. To erase these drives, overwriting all data with zeros or random patterns - whatever the standard offered - was enough. But the world changed and entered the age of digitalization, and with it came new hard drives like SSDs (solid state drives). 

But first, let's start with: What is DoD 5220.22-M anyway? 

The DoD 5220.22-M standard is a widely accepted data erasure procedure used by governments and organizations around the world to perform drive erasure. The term DoD 5220.22-M is often used in the data erasure industry in reference to the "DoD Standard." The DoD (Department of Defense) standard was developed in 1995 for high-security institutions such as the Pentagon, etc. This erasure method is one of the simplest techniques used to erase data previously stored on the hard drive, as it overwrites the previous information on the hard drive with patterns of ones and zeros. As a result, the original data cannot be recovered. 

This erasure method is a 3-pass method, meaning the procedure requires three secure overwrite passes and a verification at the end of the last pass. 

 

The three passes are: 

Pass 1: Overwrite all addressable locations on the disk with binary zeros. 

Pass 2: Overwrite all addressable locations on the hard disk with binary ones. 

Pass 3: Overwrite all addressable locations on the hard disk with a random bit pattern. 

 

Why would an erasure with traditional erasure methods like DoD 5220.22-M not be sufficient for SSDs? 

The hard disks with rotating magnetic media back then had a predictive behavior, as with the software the exact sector of the drive can be addressed to be written into. In other words, these hard drives take whatever data they receive and write it uncorrected to where you write it, even if you overwrite something in the process. For this type of hard drive, the DoD standard works perfectly, but unfortunately not for solid state drives, which are now based on flash memory. 

Since SSDs' flash memory has a limited number of read/write cycles per cell, the drives' controllers have had to get smarter about distributing all drive operations evenly across the entire storage and trying to use each cell as little as possible. So now, when a write command is issued, the disk controller has to decide exactly where to write or even encrypt and, if possible, compress the data stream. 

Since the hard disks are now smarter, a traditional method such as DoD5220.22-M can never be relied upon to actually sanitize all cells that might have existing data stored in them, since even with an n-pass write, some areas could be reserved by the SSD controller and thereby not overwritten. The problem there is that if not all data can be overwritten, it possibly can be recovered by forensic methods, which would defeat the purpose of the erasure. 

 

Is there a way to erase solid state drives safely and efficiently? 

The answer is YES! 

SEC-2021-SSD Performance (validated, NIST 800-88 compliant, Common Criteria EAL2+ certified, ADISA, etc.) solves this problem by using a technique that overwrites and cleans all addressable data on an SSD in a secure and NIST compliant way. This erasure method is optimized for securely erasing solid-state drives (SSD) and all other flash-based storage and can also handle traditional storage such as HDD in an optimized manner. Securaze invented this method as there was no standard for secure erasure of SSDs until then and it was urgently needed. 

 

For more information visit our website or contact us at: www.securaze.com