CITES Security | University of Illinois

Disk Scrubbing FAQ

Q. What do you mean by "scrub" or "overwrite"?

A. Scrubbing a disk means writing over each bit on the drive with new (and usually random) information. Since sophisticated techniques exist for recovering data even from drives that have been "erased" or reformatted, the Department of Defense has recommended that drives be overwritten seven times before being recycled; drives containing top secret information are never recycled but physically destroyed.

Q. What do you mean by "High Risk" and "Confidential"?

A. University policy places all information into one of three categories:

  • High Risk: Information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure. Data covered by federal and state legislation, such as FERPA, HIPAA or the Data Protection Act, are in this class. Payroll, personnel, and certain financial information are also in this class because of privacy requirements.
  • Confidential: Data that would not expose the University to loss if disclosed, but that the data owner feels should be protected to prevent unauthorized disclosure. It is the data owner's responsibility to implement the necessary security requirements.
  • Public: Information that may be freely disseminated

If you have doubts about which category your data falls into, contact the data owner. The full University Information Security Policy is available at http://www.cam.illinois.edu/viii/VIII-1.2.htm

Q. When can I just throw away a drive?

A. You should never simply toss a drive into the trash. If you feel a drive is not worth repairing or the time it would require to scrub, contact surplus. Inform them that you want to dispose of a drive and they will come out and inspect the drive. Once they approve the scrapping of a drive or other media, they will arrange for its secure disposal.

Q. The drive in the PC I want to send to surplus is broken. Does this mean I have to fix it and scrub it before I dispose of it?

A. No. However, if the drive contains High Risk or Confidential data as described above, ensure the drive is physically damaged so any data on it is permanently unrecoverable. To ensure the broken drive is handled properly, contact surplus to have them arrange for secure disposal of the drive.

Q. We can't afford to buy new computers for everyone in my unit and student employees or clerical staff use the older machines. Do I need to scrub the drives in these ten times before handing them to their new user?

A. No. If the data on the drive falls into the High Risk or Confidential category, you may scrub the drive a single time and then reinstall the operating system or re-image the drive. However if the new user of the drive has, in the course of performing their job duties, need to access the same data as was previously stored on the drive, scrubbing is not necessary.

Q. I don't want to scrub the drive even a single time when transferring it between users since then I'll have to buy a new OS license!

A. Windows users can use the "Active Eraser" utility, which may allow you to scrub all the data from a drive and leave the operating system intact.

Q. How do I scrub or wipe a disk multiple times?

A. While you are free to use the disk scrubbing utility of your choice, the following software (available only to campus technical staff) is recommended:

* Windows: Either use Active Eraser licensed by ACCC at UIC or DBAN.
* Linux: DBAN
* Mac: If your Mac supports OS X, use Apple Disk Utility Secure Erase.
* Unix and Unix-like Operating systems: If your hardware is Intel based and capable of supporting Linux then use DBAN. Otherwise boot to a CD and run dd if=/dev/zero of=/dev/hda multiple times over the disk.

Note 1: The precise format of the dd command will vary depending on the flavor of Unix you are using. There are a few freeware disk scrubbing programs for Unix available such as Autoclave and Wipe. You may wish to explore these as an alternative.

Note 2: Most commercial packages will overwrite a disk a maximum of 7 times by default.

Q. How long will it take to scrub the average drive?

A. Tests with the software provided above suggest 1 overwrite takes an average of 2 minutes per gigabyte (around 40 minutes for a 20 GB drive). Fortunately, there is no need to monitor the process once it has started.

Q. So what exactly do I need to do before sending a machine to surplus?

A. Perform the following steps

1. Submit a request to the Property Accounting office to surplus or scrap the equipment.
2. Boot the appropriate disk scrubbing software.
3. Configure the software to overwrite 1 time.
4. Start the software.
5. When the overwriting process has finished, complete a surplus tag, filling in all the information requested.
6. Affix the tag to the computer case where appropriate.
7. Complete your log entry for the device.
8. When the disk has been scrubbed and approval to dispose of the item has been received from Property Accounting, contact Facilities and Services to deliver the equipment to the campus surplus equipment redistribution facility.

Q. Where do I get the disk scrub labels?

You can make your own labels to place on the surplus/scrapped machine by downloading the following file and printing it onto Avery label paper.

Avery 5160 (30 labels/sheet, 1" x 2 5/8")

Avery 5163 (10 labels/sheet, 2" x 4")

Q. I have an older model Apple computer that is pre G3/G4 and can not run SuperScubber. What should I do?

A. Generally speaking these older computer are not worth the time and effort to scrub as they have long outlasted their use and because there operating systems are no longer supported by the vendor. When contacting Property Accounting indicate that wish to scrap the hard drive as opposed to surplusing the hard drive and they will handle the destruction of the hard drive for you.

Other Questions or Comments

Please feel free to contact us at securitysupport@illinois.edu with additional questions or suggestions. We recognize that in an environment as diverse as the Urbana campus there will be issues that were overlooked or inadequately addressed while developing disk scrubbing guidelines. We welcome your bringing these to our attention.