The invention relates to secure erasure of sensitive or private data from storage media and recording the disposition of a command to initiate such secure erasure.
Many photocopiers, printers, multifunction devices, and other reproduction and printing devices now include non-volatile memory (NVM), such as magnetic and optical storage media and including removable disk systems, hard drives, and other storage media systems allowing the device and/or a user to store a job the device uses or is directed to use the stored job. In high security areas (e.g., military installations), there is often a requirement that all jobs that stored on NVM of a device shall be inaccessible once the job is completed. Additionally, users in lower security area often wish to erase data they would like to keep private or confidential for various reasons.
The currently prevalent method of deleting a file is to delete the pointers and/or directory information that allows the device to locate the data; the document images/data files themselves are still resident in the NVM. This method usually does not meet the requirement that the job data shall be erased from the NVM once the job is complete. Current workarounds include: (1) removal of the NVM from the device and locked up at night, or (2) prohibiting NVM installation in the first place.
Lately, secure erase systems that overwrite the data with patterns of 1s, 0s, or random combinations thereof have come into use to meet erasure requirements. However, government agencies and other customers have different requirements as to how many times one can overwrite the appropriate portions of NVM once a job or task is completed, which can lead to difficulties in product design and implementation.
Embodiments allow a user or a system administrator (SA) to program a device to overwrite an entire NVM device or the particular region of NVM in which the data file associated with a print, scan, fax, copy, or other job resides. In embodiments, the data file is overwritten more than once, such as from 2 to about 50 times, with the exact number of overwrites being determined according to a stored default value or a user-input value. Further, in embodiments, the data file is overwritten with a different pattern on each overwrite according to a stored default value or a user-input value. For example, if a user has just printed something stored on a floppy disk, the user can erase it securely with a sequence of patterns of choice. Instead of trying to settle on a single algorithm (e.g., overwrite 3 times, first time with 1s, the second time with 0s, the third time with a random pattern), this allows overwriting “n” times with a set of patterns that can be downloaded to the device. Further, embodiments can implement Department of Defense approved overwrite routines.
The device, medium, and process of the present invention can have, in various embodiments, for example, three parameters:
1. A set of patterns with which the portion of the hard drive that is to be erased will be overwritten. This could be a table of patterns that will be used to overwrite the disk. In embodiments, the table of patterns can be generated in a manner allowing a customer/SA to preprogram the patterns so that the patterns are in a sequence that satisfies an installation's particular security requirements. In pseudo code, this looks like:PatternTable (N)←Pattern1, Pattern2, Pattern3, . . . PatternN;
2. A site settable value that allows the customer/SA to program how many patterns with which to overwrite the portion of the hard drive that should be overwritten. The site settable value can be, for example, between 1 and about N (N is the number of patterns in PatternTable). In various embodiments, for example, NumPatternToUse is this site settable value.
3. A site settable value that allows the customer/SA to program how many times the entire set of patterns should be run. It can have any positive value. In various embodiments, NumberOfTimesToCycle can be this value.
The algorithm then uses, in various embodiments, the patterns and the number of overwrites to overwrite the portion of the disk N times. An example of a routine that can be used in embodiments of the invention employing a value like NumberOfTimesToCycle is the pseudocode expression:For count←1 to NumPatternToUse Do                Overwrite region of storage media that stored the data file with PatternTable(count);        
This allows for a flexible, programmable sequence of overwrites that should satisfy any overwrite requirement by any customer. Embodiments using a value like NumberOfTimesToCycle can use a routine such as, for example, that expressed by the pseudocode expression:For NumberOfOverwriteCycle←1 to NumberOfTimesToCycle DoFor count←1 to NumPatternToUse Do                Overwrite region of storage media that stored the data file with PatternTable(count);        
Embodiments of the invention employ a user interface (UI) or client activated erase trigger to automatically place the digital copier or printer into, for example, an Image Disk Erasing Routine, where an Image Disk is a storage media used by the device to store data files including scanned images of documents and/or print job data and the like. An example of such an Erasing Routine is a routine that executes three complete erasures with a check to ensure the data is completely erased; per industry or security approved processes. The Erasing Routine removes or destroys any residual data files including documents, images, and the like, on the Image or ESS Disks. In embodiments, a customer selectable UI/client button with confirmation that the process was completed could activate this routine. During this erasing feature, the system would be offline.
Thus, a feature of the invention to provide a storage medium security erase system comprising an erase trigger that tells a drive sector analyzer to retrieve data file location information from a CPU and send the location information to a secure storage medium eraser that overwrites the data file according to a predetermined secure erase method, the eraser using a type of overwrite pattern and a number of overwrites determined by an erase pattern determiner according to predetermined criteria and/or user input.
An additional feature in embodiments is to apply a method of securely erasing a data file by a providing an erase trigger, determining a location of the data file on the storage medium, overwriting the data file according to a predetermined secure erase method, and determining at least a number of times to overwrite the data file in response to the erase trigger and according to predetermined criteria.
Additionally, in embodiments, upon completion of an overwrite, a report is generated indicating the status of the overwrite. The report can be of various types and can be sent to various locations depending on the particular arrangement and desire of the user and/or administrator. Such a report can provide immediate feedback and logging/tracking of the overwrite events.