Choosing a tool for irrevocable destruction of documents in the electronic archive
When introducing an electronic archive in an organization, we had to automate the destruction of archived electronic documents. The archive itself is a Directum system in which, using the built-in IS-Builder development tool, a large amount of logic has been written: receiving documents into the archive from source systems, converting electronic signature formats, granting and revoking access rights to entire case files or to individual documents. The text files of the archived documents are stored on magnetic disk, and during the routine deletion procedure only the files of those documents whose retention period has expired must be irrevocably removed from the disk. Destroying an entire medium was therefore out of the question, and the task was to find a suitable tool for destroying the data of individual documents on the medium.
Since the document deletion process is also implemented in IS-Builder, we were looking for a file-destruction tool that can be driven from code written in the built-in programming language of the Directum system. Performance-wise, the requirement was that the tool spend no more than one second destroying a one-megabyte file. As for the destruction algorithm, compliance with GOST R 50739-95 is mandatory, and support for several algorithms to choose from is welcome. Finally, the tool had to be free of charge and licensed for commercial use.
Most of the tools we managed to find on the Internet did not meet the requirements: they were utilities with a graphical interface only, with no way to interact with them programmatically. Only the following made it to a closer look:
- the Sysinternals SDelete utility;
- Eraser, a utility with an interesting approach to destruction;
- and we also pinned our hopes on implementing the tool directly in IS-Builder.
How we tested
For testing, we prepared a small partition on the hard drive so that the theater of operations was easy to survey. On this partition we created files, destroyed them in various ways and then looked at what was left of them. Destruction counts as successful if it runs no slower than required and no fragment of the original file can be found afterwards. To keep the comparison between the tools fair, the same algorithm, one supported by all of them, was used everywhere: DoD 5220.22-M, which formally satisfies the GOST requirements.
To check the results of destruction we used the following tools:
- WinHex, a shareware utility that accesses media content at a low level and lets you search for data by a fragment of its content and recover it;
- DiskView, another Sysinternals utility. It was used during the process more than for checking results: with its help we watched the "geography" of the file fragments' placement in clusters on the disk.
Tool on IS-Builder
The essence of the DoD 5220.22-M algorithm is quite simple, and we implemented it in the built-in programming language of the Directum system. The routine takes a file name as input and asks the file system for the file's size in bytes. Then, three times in succession, a buffer of that size is generated and written to the file. The beauty of the approach is that the destruction algorithm can be absolutely anything, with any number of passes and the most fanciful overwrite patterns. Moreover, since the tool is implemented in IS-Builder without dependencies on external software, there are no difficulties at all with integrating it into application development for the Directum system. And it works fast. It just does not destroy data!

WinHex found on the disk not merely fragments of the original file but the whole file, and successfully restored it. It turned out that at the moment the first buffer was written the file's location on the disk changed: the original file had been at the beginning of the partition, but ended up in the middle or at the end. We found this out with DiskView. The original clusters, although marked as free, still hold their data. In other words, the write was not landing on the clusters the file already occupied; the file system was allocating new ones and merely releasing the old ones, which is exactly what a secure-erase overwrite must not do. This, of course, is no good. We tried different ways of writing to the file, and the result was the same everywhere: the data can be found and restored. So we can generate an overwrite buffer, but we cannot write it to disk correctly. And since no working scheme could be found, we had to say goodbye to the idea of making do with the tools built into Directum.
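What the IS-Builder attempt got wrong, and what the WinHex check from the testing section does, can be shown in a few lines. The following is an added example written for this page in Python, not code from the article or from Directum: `overwrite_in_place` writes three DoD-style passes over the file's existing bytes without truncating or recreating it, and `find_fragment` searches a raw byte stream (a partition image or a device opened read-only) for a fragment of the original content, the way the authors searched with WinHex. The helper names, the marker string and the simulated partition image are this example's own assumptions; `demo` builds them in a temporary directory.

```python
"""Added example (not from the original article): in-place multi-pass
overwrite of a file plus a raw-image fragment search.  Names are this
example's own assumptions, not Directum or SDelete APIs."""
import os
import secrets
import tempfile

# Three passes in the spirit of DoD 5220.22-M: 0x00, 0xFF, then random bytes.
PASS_PATTERNS = (b"\x00", b"\xff", None)   # None = random data
CHUNK = 1024 * 1024


def overwrite_in_place(path, passes=PASS_PATTERNS):
    """Overwrite the file's existing bytes without truncating or recreating it.

    Opening with 'wb' (truncate) or writing a temp file and renaming lets the
    file system hand out fresh clusters and merely free the old ones, which is
    the failure the article observed.  'r+b' keeps the existing allocation and
    writes over it.  Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # push each pass to the device, not just the cache
    return size


def shred(path, passes=PASS_PATTERNS):
    """Overwrite in place, rename to a random name (so the surviving directory
    entry no longer carries the original name), then unlink."""
    size = overwrite_in_place(path, passes)
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.unlink(anon)
    return size


def find_fragment(image_path, needle, chunk=CHUNK):
    """Return the byte offset of `needle` in a raw stream (disk image or device
    node opened read-only), or -1.  Reads overlap by len(needle)-1 bytes so a
    match straddling two chunks is not missed."""
    if not needle:
        raise ValueError("needle must not be empty")
    overlap = len(needle) - 1
    offset, tail = 0, b""
    with open(image_path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                return -1
            buf = tail + data
            i = buf.find(needle)
            if i != -1:
                return offset - len(tail) + i
            tail = buf[-overlap:] if overlap else b""
            offset += len(data)


def demo():
    """Constructed data: a 'document' with a distinctive marker, and a simulated
    partition image that still holds a copy of it (what a truncating rewrite
    leaves behind in the freed clusters)."""
    marker = b"CONTRACT-2009-0417 CONFIDENTIAL"          # constructed marker
    doc = secrets.token_bytes(3000) + marker + secrets.token_bytes(3000)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "doc.bin")
        with open(path, "wb") as f:
            f.write(doc)
        image = os.path.join(d, "partition.img")          # simulated raw image
        with open(image, "wb") as f:
            f.write(secrets.token_bytes(CHUNK + 17) + doc + secrets.token_bytes(100))
        leaked_at = find_fragment(image, marker)           # the "WinHex" check
        overwrite_in_place(path)
        with open(path, "rb") as f:
            after = f.read()
        shred(path)
        return {
            "size_unchanged": len(after) == len(doc),
            "marker_gone_from_file": marker not in after,
            "leak_found_in_image_at": leaked_at,
            "leak_expected_at": CHUNK + 17 + 3000,
            "shred_removed": not os.path.exists(path),
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the marker surviving in the simulated image (the situation the IS-Builder tool produced) while the in-place overwrite leaves no trace of it in the file itself. The caveat a practitioner should keep in mind: an in-place overwrite is only meaningful where the file system really writes new data over the old clusters. NTFS compressed, encrypted and sparse files, copy-on-write file systems and SSDs with wear levelling all break that assumption, which is why a free-space cleaning option such as SDelete's exists alongside per-file overwriting.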
SDelete
The Sysinternals SDelete utility has only one overwrite algorithm (DoD 5220.22-M), but you can set the number of overwrite passes, destroy a directory tree with all its contents, and even clean unallocated disk space. SDelete is a command-line utility with just a few switches, so invoking it from IS-Builder calculations is easy:
    SDelete = "C:\Sysinternals\SDelete\sdelete.exe"
    Command = Format('"%s" -p 1 "%s"'; ArrayOf(SDelete; Filename))
    ExecuteProcess(Command; smNormal; wmYes)
After the utility ran, the files vanished from the disk almost without a trace: with WinHex we could detect only the traces left by the rewriting of the file name, but the contents could neither be found nor restored. At the same time the utility worked quite fast (deleting a 1-megabyte file took 0.2 seconds) and deservedly took the lead.
Eraser
A free utility with a graphical interface. What sets Eraser apart from the rest is that it works through a task queue. If you want to destroy something, you create the corresponding task and add it to the queue. Each task in the Eraser queue is a set of information:
- about the target of destruction: it can be a specific file or directory, the contents of the user's Recycle Bin, or unallocated disk space. It can also be a secure move of files or folders, or a complete wipe of a hard-drive partition;
- about the destruction method: Eraser knows several ready-made overwrite methods and also lets you create your own by setting the required number of passes and specifying a data pattern for each of them;
- about the start time: the task can be executed immediately after it is queued, on a schedule, at operating-system boot, or manually.
The Eraser process running in the background works through the queue and performs the tasks. Thus data destruction in Eraser is always an asynchronous process, very much like server events in Directum.
Controlling the utility with command-line switches also works, and has for a long time, although the command-line interface has not been officially announced yet and is still listed as functionality under development:
    Eraser = "C:\Program Files\Eraser\Eraser.exe"
    Command = Format('"%s" erase /method="ecbf4998-0b4f-445c-9a06-23627659e419" /quiet file="%s"'; ArrayOf(Eraser; Filename))
    ExecuteProcess(Command; smNormal; wmYes)
File destruction with Eraser was successful. Its speed could not be measured because the destruction is asynchronous: the command only queues the task for the background process, so the moment the file is actually gone is not observable from the caller. From the point of view of application development the unfinished status of the command-line interface is unsettling, but the ability to define arbitrary destruction methods looks interesting.
If not for the annoying failure when writing the buffer to disk, the IS-Builder implementation would have looked like a million dollars, but, alas, it did not reach the finish line. The other two tools did much better, with the SDelete utility looking the most attractive: it needs no installation, its functionality is minimal but sufficient, and its performance is good.