Title:
PROCEDURE FOR ERASURE OF DATA ON ELECTRONICAL DATA MEDIA
Document Type and Number:
WIPO Patent Application WO/2004/049317
Kind Code:
A1
Abstract:
The invention relates to a method for safer erasure of data on electronic data storage media with an electromagnetised surface by overwriting the previously stored data. To achieve a higher degree of security against reconstruction, the number of overwrites of each byte of the previously stored data is varied from byte to byte in a random manner. The invention also reduces recognisability through the selection of the characters for each individual overwrite by means of a random number generator characterised by a very low degree of recognisable tendencies as far as patterns or regularity are concerned.

Inventors:
HERTIG MIKAEL (DK)
Application Number:
PCT/DK2003/000781
Publication Date:
June 10, 2004
Filing Date:
November 14, 2003
Assignee:
NENSOME APS (DK)
HERTIG MIKAEL (DK)
International Classes:
G06F3/06; G06F21/62; G06F21/80; G11B5/09; (IPC1-7): G11B5/024
Foreign References:
US20030210489A1 (2003-11-13)
US20020181134A1 (2002-12-05)
US20020196572A1 (2002-12-26)
Other References:
CHOU J.K. ET AL.: "Providing security erasure of a deleted disk or disk document", IBM TECHNICAL DISCLOSURE BULLETIN, vol. 25, no. 12, May 1983 (1983-05-01), pages 6680 - 6682, XP002972890
Claims:
2.0 Claims Patent Requirements
1. Procedure for the erasure of previously stored data on electronic data storage media or data storage systems by repetitive writing of new characters on top of the previously stored characters characterised by the fact that the number of overwrites varies from byte to byte between a minimum and a maximum.
2. Procedure for the erasure of previously stored data on electronic data storage media according to requirement 1 characterised by the fact that the number of overwrites of each byte is selected by a randomising program.
3. ,.
4. Procedure for the erasure of previously stored data on electronic data storage media according to requirement 1 and requirement 2 characterised by the fact that the administrator of the program selects the number of overwrites.
5. Procedure for the erasure of previously stored data on electronic data storage media or data storage systems by repetitive overwrites using new characters on top of the previously stored characters according to requirement 1 characterised by the fact that a random number generator is being used for the selection of the characters to be used for each individual overwrite.
Description:
Procedure for erasure of data on electronical data media

1. Description

This invention relates to a procedure for the erasure of data on an electronic storage medium.

Storage medium is defined as hard disks, floppy disks, computer chips, data tapes or systems of these, used either individually or in combination for the storage of data, so that such data can later be read from the storage medium or system into a computer, a network or a system of networks. Typically, these storage media use electromagnetic signal technology in such a way that re-use is possible. This method is therefore not applicable to, for example, punched cards, where the individual bit remains unchangeable and a new punched card must be produced whenever changes are made.

The method may be applied for the systematic erasure of all data on a given unit, e.g. a hard disk or a given system of hard disks such as a RAID system. The method may equally be used for the erasure of certain segments, e.g. stored documents on a disk.

Following the invention, the overwrite is typically effected one byte at a time by way of a randomising program. For each byte, the randomising program determines how many times, from a minimum of one up to a maximum freely chosen by the user, the byte in question should be overwritten with a random character. The erasure may also be effected by way of a sequential overwrite.

When using the known overwrite techniques, data is overwritten the same number of times, as chosen by the program. In this connection reference is made to a de facto standard from the American ministry of defence, according to which the unit is erased at least three times. The method is described in a document titled DOD 5220.22-M, where it appears as method "d" or "e".

Paragraph 8-306 states:

"8-306. Maintenance

a. Cleared personnel who perform maintenance or diagnostics do not normally require an escort. Need-to-know for access to classified information must be enforced. Uncleared maintenance personnel must always be escorted by a cleared and technically knowledgeable individual. The ISSR must ensure that escorts of uncleared maintenance personnel are trained and sufficiently knowledgeable concerning the AISSP, established security policies and practices, and escorting procedures.

b. If maintenance is being conducted by appropriately cleared personnel, system sanitizing or component isolation are a local option. If maintenance is being performed by uncleared personnel, steps must be taken to effectively deny access to classified information by the uncleared person and any maintenance equipment or software used; these procedures should be documented in the AISSP. A technically knowledgeable escort is preferred. If access to classified data cannot be precluded by the escort, either the component under maintenance must be physically disconnected from the classified AIS (and sanitized before and after maintenance) or the entire AIS must be sanitized before and after maintenance.

c. The dedicated copy of the system software with a direct security function shall not be used for maintenance purposes by uncleared personnel.

d. When a system failure prevents sanitization of the system prior to maintenance by uncleared vendor personnel, AISSP procedures must be enforced to deny the uncleared person visual and electronic access to any classified data that may be contained on the system.

e. When practical, all maintenance and diagnostics will be performed in the contractor's facility. Any AIS components or equipment released from secure control is no longer part of an accredited system.

f. Vendor-supplied software/firmware used for maintenance or diagnostics must be protected at the level of the accredited AIS. The CSA may allow, on a case-by-case basis, the release of certain types of costly magnetic media for maintenance, such as disk head-alignment.

g. All maintenance tools, diagnostic equipment, and other devices used to service an accredited AIS must be approved by the contractor.

h. Any component board placed into an accredited AIS must remain in the security area until proper release procedures are completed.

i. Remote diagnostic or maintenance services are strongly discouraged. If remote diagnostic or maintenance services become necessary, the AIS shall be sanitized and disconnected from any communication links to network, prior to the connection of any nonsecured communication line.

Clearing and Sanitization Matrix

Media                                    Clear            Sanitize
Magnetic Tape (1)
  Type I                                 a or b           a, b, or m
  Type II                                a or b           b or m
  Type III                               a or b           m
Magnetic Disk
  Bernoulli                              a, b, or c       m
  Floppies                               a, b, or c       m
  Non-Removable Rigid Disk               c                a, b, d, or m
  Removable Rigid Disk                   a, b, or c       a, b, d, or m
Optical Disk
  Read Many, Write Many                  c                m
  Read Only                                               m, n
  Write Once, Read Many (WORM)                            m, n
Memory
  Dynamic Random Access Memory (DRAM)    c or g           c, g, or m
  Electronically Alterable PROM (EAPROM) i                j or m
  Electronically Erasable PROM (EEPROM)  i                h or m
  Erasable Programmable ROM (EPROM)      k                l, then c, or m
  Flash EPROM (FEPROM)                   i                c then i, or m
  Programmable ROM (PROM)                c                m
  Magnetic Bubble Memory                 c                a, b, c, or m
  Magnetic Core Memory                   c                a, b, e, or m
  Magnetic Plated Wire                   c                c and f, or m
  Magnetic Resistive Memory              c                m
  Nonvolatile RAM (NOVRAM)               c or g           c, g, or m
  Read Only Memory (ROM)                                  m
  Static Random Access Memory (SRAM)     c or g           c and f, g, or m
Equipment
  Cathode Ray Tube (CRT)                 g                q
  Printers, Impact                       g                p then g
  Printers, Laser                        g                o then g

(1) Type I and Type II magnetic tape can only be sanitized for reuse by using approved degaussing equipment. Type III tape cannot be sanitized by degaussing. The CSA will advise the contractor of currently approved Type I and Type II degaussers. If the contractor uses more than one type of tape (i.e., Type I, Type II, or Type III) and has an approved degausser, then all magnetic tapes must be labelled as to their "Type" to ensure that each is sanitized by appropriate means. Type I magnetic tape has a coercivity of 350 oersteds or less; Type II has a coercivity between 351 and 750 oersteds; and Type III has a coercivity greater than 750 oersteds.

Clearing and Sanitization Matrix

a. Degauss with a Type I degausser.
b. Degauss with a Type II degausser.
c. Overwrite all addressable locations with a single character.
d. Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAIN TOP SECRET INFORMATION.
e. Overwrite all addressable locations with a character, its complement, then a random character.
f. Each overwrite must reside in memory for a period longer than the classified data resided.
g. Remove all power to include battery power.
h. Overwrite all locations with a random pattern, all locations with binary zeros, all locations with binary ones.
i. Perform a full chip erase as per manufacturer's data sheets.
j. Perform i above, then c above, a total of three times.
k. Perform an ultraviolet erase according to manufacturer's recommendation.
l. Perform k above, but increase time by a factor of three.
m. Destroy: disintegrate, incinerate, pulverize, shred, or melt.
n. Destruction required only if classified information is contained.
o. Run five pages of unclassified text (font test acceptable).
p. Ribbons must be destroyed. Platens must be cleaned.
q. Inspect and/or test screen surface for evidence of burned-in information. If present, the cathode ray tube must be destroyed."

Repeated overwriting of the storage medium makes it harder to trace previously recorded signals. If the position of each bit is regarded as a flat box unit, with the read/write head positioned above the intersection of the box's two diagonals, the direct magnetisation occurs at that mid-point. Traces of previously recorded signals can nevertheless be detected, because the magnetised areas re-magnetise their surroundings with signals weaker than those written directly by the heads. In this way layers of earlier, weaker signals are created, and the search for earlier signals proceeds further down and towards the sides of each bit position. If a signal from a previously written file is found in a byte, and therefore in its component bits, the probability is relatively high that a large number of signals from other data segments will be found in the same relative positions as the detected bits. If signals from previously recorded data, overwritten according to the presently known techniques, can be read with specially developed equipment, the unravelling of previously recorded and later overwritten data is made easier, because knowledge of where the signals can be found can be reused wherever the bits on the storage medium have been subjected to the same history of overwrites.

Professionals agree that recovery of data is made more difficult by repeated overwrites, provided these are carried out with different patterns. An increase in the number of overwrites thus makes recovery more difficult. In practice, at any given point in time, a number of overwrites is stated that is presently considered sufficient for an acceptably high degree of protection.

Minimum is defined as the least number of times that the selected area must be overwritten. In theory the minimum can be set to 0, but in practice the value will be considerably higher. The minimum must be expressed as an integer.

Maximum is defined as the largest number of overwrites used by the process. It is expressed as an integer defining the maximum number of overwrites to which a byte on the unit might be subjected. In mathematical terms the maximum is unbounded and may tend to infinity.

This invention breaks with the parallel history of the bits that makes it possible to retrieve data by the repeated reading of signals described above, on the premise that, in order to retrieve previously recorded data, signals with the same displacement from the surface centre should be detected at each bit position.

Following the invention, this is achieved by varying the number of overwrites for each individual byte, so that the number of layers from previous overwrites varies from byte to byte, from a minimum of 2 up to a maximum number of overwrites between 3 and infinity, chosen by the user.

In one embodiment, a random number generator is used to choose the number of overwrites to be carried out for each individual byte. This method can be further extended by choosing a random number generator with a very low degree of predictability in its selection pattern.

In one embodiment, a random number generator ('randomizer') is also used to select the characters to be used for each individual overwrite of each individual byte. This method can likewise be extended by choosing a mathematical random number generator that leaves a very low degree of predictability in the selection pattern among all the characters of the computer's character set. Hereby an overall higher degree of unpredictability is achieved, and thereby a lower recognisability of the pattern available to anyone attempting to reconstruct overwritten data.
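As an added illustration, not part of the patent text or of any product of the assignee, the two schemes the description contrasts are shown side by side in Python: the fixed three-pass overwrite attributed to DOD 5220.22-M methods "d"/"e" (every byte gets the same history), and the patent's per-byte variable pass count with a random character per pass. The function names, the constructed sample buffer, the 0x55 fill byte and the use of the `secrets` CSPRNG as the low-predictability generator are my own assumptions.

```python
import secrets
from typing import List

# Constructed sample of "previously stored data" to be erased (not from the patent).
SAMPLE_DATA = bytearray(b"SECRET-RECORD-0001")


def dod_fixed_pass(buf: bytearray, fill: int = 0x55) -> List[bytes]:
    """Fixed-count overwrite in the style the description attributes to
    DOD 5220.22-M methods 'd'/'e': a character, its complement, then a
    random character. Every byte receives exactly three passes, so every
    byte shares the same overwrite history. Returns the image written by
    each pass so the sequence can be inspected."""
    n = len(buf)
    images = []
    for pattern in (bytes([fill]) * n, bytes([fill ^ 0xFF]) * n, secrets.token_bytes(n)):
        buf[:] = pattern
        images.append(bytes(buf))
    return images


def verify_last_pass(buf: bytearray, images: List[bytes]) -> bool:
    """Method 'd' adds a verify step: read back and compare with the final pass."""
    return bytes(buf) == images[-1]


def variable_pass_erase(buf: bytearray, minimum: int, maximum: int) -> List[int]:
    """Erasure as the patent describes it: each byte gets its own overwrite
    count drawn uniformly from [minimum, maximum], and every pass writes a
    random character from the full 8-bit character set. The CSPRNG in the
    `secrets` module stands in (an assumption) for the low-predictability
    generator the text calls for. Returns the per-byte pass counts so that
    the variation between bytes, the point of the invention, can be seen."""
    if minimum < 0 or maximum < minimum:
        raise ValueError("require 0 <= minimum <= maximum")
    counts = []
    for i in range(len(buf)):
        passes = minimum + secrets.randbelow(maximum - minimum + 1)
        for _ in range(passes):
            buf[i] = secrets.randbelow(256)
        counts.append(passes)
    return counts


if __name__ == "__main__":
    fixed = bytearray(SAMPLE_DATA)
    imgs = dod_fixed_pass(fixed)
    print("fixed-pass verify:", verify_last_pass(fixed, imgs))
    var = bytearray(SAMPLE_DATA)
    print("per-byte pass counts:", variable_pass_erase(var, 2, 6))
```

The block operates on an in-memory buffer only: it does not model the physical medium, and on wear-levelled flash storage an overwrite issued through the file system is not guaranteed to reach the cells that held the old data, so the procedure's stated scope (electromagnetic media) matters.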