Is a Low Level Format Enough to Guarantee Data Sanitization?

Historically, many organizations have used various forms of formatting (low level format, deep format, full format, etc.) as their process for removing data during asset decommissioning. This has resulted in both process inefficiencies and severe data breaches.

Formatting can go by many names, such as low level format, deep format or full format. This summary will outline why none of these formatting options can be the foundation of a secure decommissioning process.

Note that you will also find several OEM alternatives to formatting that are referred to as “erasure.” These methods also have limitations and do not meet the guidelines for true data erasure, which features a chosen erasure standard, verification and certification.

What is Formatting?

In modern operating systems, there are typically two options for formatting: a format and a quick format. Quick format is not an erasure solution because it only removes the index, but a full format attempts to overwrite the diskspace visible to the OS with zeroes. If everything goes perfectly, then the one round of overwriting with zeroes will remove data to a large extent. However, the reality and level of detail that you need to consider is a bit more complex.

The key issue with formatting is that there is no way to confirm that the data is gone. Verification and certification (as shown in this example report) are key for security and auditing purposes.

Issues that Arise with Formatting

  • It is often unknown if the Windows format has managed to detect the disk size correctly. This is especially true if the disk has HPA or DCO areas. In these cases, it is likely that only part of the disk gets overwritten.
  • There is no verification with a format, so if something goes wrong with the process, there is no way to know it. For example, an operator may choose a quick format instead of a deep format based on misunderstandings or time pressure. Another common issue? Interruptions. When you process more than one computer, it’s likely that one or more of the machines will turn off from loss of power or being accidentally unplugged at some point.
  • With a proper erasure software the (digitally- signed) erasure report creates an audit trail. With it organizations can show that they have done their part in safekeeping data correctly. A format does not provide this type of auditable verification.
  • Many modern computers come with solid-state drives (SSDs), and to safely overwrite those, a special SSD overwriting method is needed. SSDs have overprovisioned areas which will be untouched if formatting is used as a data destruction method.
  • Formatting does not identify bad sectors on hard drives, opening a potential security risk. When organizations use software-based data erasure (overwriting), they can determine how many of their hard drives have been erased successfully—and which of these erased drives contain bad sectors. Those with bad sectors are typically sent for physical destruction to avoid potential security risks.
  • Formatting can be very time-consuming. It is not a process that you can easily scale and run automatically in a production flow. Additionally, if you are formatting servers or desktops with more than one drive, these drives cannot be processed in parallel.

Download the Solution Brief.