If you want to know the best ways of deleting data, there's no better information than that offered by government agencies. One such agency is the UK's National Cyber Security Centre (NCSC), and it has published guidelines for how to deal with the factory reset and reprovisioning of end-user devices, and it makes very interesting reading.
The guidelines consider four common scenarios, some of which apply more to governments and businesses, while others apply equally to home and small business users.
The four data sanitization scenarios considered are:
- Wiping devices compromised by malware
- Preparing new devices
- Reissuing a device to someone else at a similar level within an organization
- Sanitizing a device for resale or reissue to someone with lesser access to data within an organization or for resale
- Android devices that have been infected with malware should not be trusted in a high-security environment even after a factory reset or reinstallation of the firmware, as advanced malware may still persist
- Remember that with Android, external SD cards are not wiped during the factory reset
- A DFU (Device Firmware Upgrade) Mode restore is considered to be the most secure way to wipe an iOS device, especially a compromised device
- There are risks to using older version of iTunes to carry out a DFU Mode restore on iOS devices, so make sure to upgrade to the latest version
- Wiping the TPM on a Windows machine does not guarantee that the data is not recoverable because the recovery key may still exist, so the drive will still need wiping
The NCSC also has a separate document on sanitizing storage media, and this too has some very useful – and easily overlooked – information.
- Remember that commercial photocopiers and printers can contain gigabytes of information in their internal memory that can be retrieved
- It is worth checking displays for "burn-in" as this could display sensitive information
- Chips on printed circuits can contain information, which can be recoverable forensically
- When shredding circuit boards, everything should be destroyed to fragments no larger than 6 mm.
- Hard drives that have held sensitive information should be degaussed their platters broken into at least four roughly equal-sized pieces to assure complete destruction
- Encrypting drives – especially SSDs and hybrid drives (HDD+SSD) – helps prevent data leaks through improper or incomplete wiping
There's also a handy page offering basic advice for end-users. This is good for those who want a primer of security, or a refresher on what is considered good practice.
How do you handle devices when they are being reprovisioned or have come to the end of their life?