How to REALLY delete a hard drive

[Schlotkins]

Good day-

I have some hard drives which I no longer use. I've managed to go through the data, get everything off I'd like and format the drives. However, I know this isn't a 'full proof' method to make sure the data is really deleted and unrecoverable. Since some of the drives may be useful (2 150gig Raptors, 160 gig Samsung with a Nidec motor) I was hoping I can be comfortable enough the data is wiped out to pass these on to others.

Any suggestions?

Thanks,
Chris

[Matija]

Try this: http://www.dban.org

Edit: Be VERY careful with it. I think the wipe process is automatic and done for all detected drives.

[line]

Another option is to use a program called Eraser within Windows.

http://www.heidi.ie/node/6

After you install the program, create an empty parition that spans across the entire drive, right-click the partition and click Erase Unused Space.

[mkk]

Or use Windows' command line program CIPHER.EXE to wipe unused space on a drive. http://support.microsoft.com/kb/315672 On an empty drive it will wipe all of the space three times which is secure enough for home users. An example of the command line for a wiping of the empty space on drive E: looks as follows.
cipher /w:e:\

For more securely wiping the free space of drives that still contain other data or to do wipes with more passes, see Eraser as recommended above.

[Vicotnik]

DBAN and a few other wiping tools are included on the Ultimate Boot CD.

[Stefan S.]

http://www.gaijin.at/dlwipedisk.php

[lm]

In linux you don't even need any extra software to do it, these tools come with every linux system and are pretty much trivial.

WARNING THE FOLLOWING COMMANDS COMPLETELY WIPE OUT THE DATA ON YOUR HDD SO DON'T RUN THEM ON SOMETHING YOU DON'T WANT TO LOSE AND YOU DO THIS COMPLETELY AT YOUR OWN RISK. HOWEVER IF SOME PROFESSIONAL DATA RECOVERY COMPANY STILL MANAGES TO GET YOUR DATA BACK, THAT IS NOT MY PROBLEM EITHER

In these examples I assume that the drive to be deleted is connected to the second SATA port, and so it appears in linux as the device /dev/sdb. Make sure you know which device really represents the drive you want to wipe and substitute it to the commands shown below.

These commands do not ask for any confirmation, so if you typo even one letter, you might lose the wrong drive, so be careful.

sudo dd if=/dev/zero of=/dev/sdb
sudo dd if=/dev/urandom of=/dev/sdb
sudo dd if=/dev/random of=/dev/sdb

Any of the 3 commands above wipe your whole drive for good.

The first one writes it full of zero. As fast as a raw write to your drive.
Second one writes it full of random data. On my machine, about 7MB/s
The third one writes it full of even more random data. Too slow to be usable in reality.

You can repeat them multiple times, if you think that someone is going to take your wiped drive to IBAS and pay several thousand dollars to get the data back. If you alternate between writing zeros and urandom, for 7 full iterations, it's going to be pretty damn hard to analyze what the data originally was. I don't hold that important information, so just wiping the drive once with zeroes is enough for me.

[twoscoreandfour]

There is no real solid evidence that a drive that has been dd'ed to zero even once can yield retrievable data, so one iteration of dd is all you need

[mrk22]

The "Great Zero Challange" (http://16systems.com/zero/index.html) has thus far gone unaccepted.

One would think any of the data recovery companies would be interested in the national attention that defeating it would bring.

[lm]

If I were an agency that can open a zeroed drive, I would not tell anyone.

[Cryoburner]

The "Great Zero Challange" (http://16systems.com/zero/index.html) has thus far gone unaccepted.

One would think any of the data recovery companies would be interested in the national attention that defeating it would bring.

Maybe it hasn't been accepted because no one considers it worth their time and effort. In order to take part in it, you have to send them a $60 deposit, plus pay shipping both ways, all for a potential reward of $40 and a slightly used 80GB drive. If your company failed to recover data off of it for whatever reason, then it wouldn't be helpful to your business, and would just be a waste of time and money.

The rules are rather silly too. You're not allowed to disassemble the drive unless you can be verified as an established data recovery agency, which makes the ability for anyone else to recover data off of it pretty much impossible. I have little doubt that a zeroed drive can't be read from using the standard drive interface, unless the zeroing process failed in some way. That doesn't necessarily mean that trace values couldn't be read with the platters removed and accessed through other means though. Even the contents of RAM modules can be recovered for some time after a computer is shut off by using a specialized device. At the very least, I would think that equipment at a drive manufacturer's research and development department could do it.

As was mentioned, would an agency involved in recovering such data want that to be known? It seems like it would just convince anyone hiding data from them to do a better job disposing of it. : )

That site doesn't exactly seem all that legitimate either. They provide utilities for doing things like locating social security numbers on hard drives and recreating missing digits from credit card numbers. Those seem like they have more potential to be used for identity theft than for useful security purposes.

[nautikal]

You just have to write all zeroes to the drive. You can do this with Western Digital's diagnostic utility.

[m0002a]

That doesn't necessarily mean that trace values couldn't be read with the platters removed and accessed through other means though. Even the contents of RAM modules can be recovered for some time after a computer is shut off by using a specialized device. At the very least, I would think that equipment at a drive manufacturer's research and development department could do it.

As was mentioned, would an agency involved in recovering such data want that to be known? It seems like it would just convince anyone hiding data from them to do a better job disposing of it. : )

Can you explain what a trace value is? When a utility replaces the existing data with binary zeros, can you explain where the trace values are located?

I can sort of understand that one “mayâ€

[Schlotkins]

Thank you all for your help. I did a couple of different methods, although I'm sure none are 100% full proof. I used the windows command and eraser on the 35 pass setup. On my 160gig Samsung drive, it took about 24 hours to run.

Cheers,
Chris

[twoscoreandfour]

The "Great Zero Challange" (http://16systems.com/zero/index.html) has thus far gone unaccepted.

One would think any of the data recovery companies would be interested in the national attention that defeating it would bring.

Maybe it hasn't been accepted because no one considers it worth their time and effort. In order to take part in it, you have to send them a $60 deposit, plus pay shipping both ways, all for a potential reward of $40 and a slightly used 80GB drive. If your company failed to recover data off of it for whatever reason, then it wouldn't be helpful to your business, and would just be a waste of time and money.

The rules are rather silly too. You're not allowed to disassemble the drive unless you can be verified as an established data recovery agency, which makes the ability for anyone else to recover data off of it pretty much impossible. I have little doubt that a zeroed drive can't be read from using the standard drive interface, unless the zeroing process failed in some way. That doesn't necessarily mean that trace values couldn't be read with the platters removed and accessed through other means though. Even the contents of RAM modules can be recovered for some time after a computer is shut off by using a specialized device. At the very least, I would think that equipment at a drive manufacturer's research and development department could do it.

As was mentioned, would an agency involved in recovering such data want that to be known? It seems like it would just convince anyone hiding data from them to do a better job disposing of it. : )

That site doesn't exactly seem all that legitimate either. They provide utilities for doing things like locating social security numbers on hard drives and recreating missing digits from credit card numbers. Those seem like they have more potential to be used for identity theft than for useful security purposes.

Here is the epilogue from the orinigal Guttmann paper (written in '96) that spawned all this hullabaloo (http://www.cs.auckland.ac.nz/~pgut001/p ... e_del.html):

"In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.

Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. Conversely, with modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero.

Another point that a number of readers seem to have missed is that this paper doesn't present a data-recovery solution but a data-deletion solution. In other words it points out in its problem statement that there is a potential risk, and then the body of the paper explores the means of mitigating that risk."

Even though I highly doubt that even cash rich governments have the ability to pull data off a zeroed disk, assuming they can (or have contractors that can), there are NO commercial companies that offer this service to businesses/general public. Try asking any data recovery agency if they can recover data from a zeroed drive and see the response. I will also guarentee you that your standard hacker without access to an elecron microscope cannot recovery anything from a zeroed drive.

So unless you are REALLY paranoid about the possibility of the CIA/FBI going through your drive, (trying to hide your kiddie-porn collection or your plans to blow up the Sydney Harbour bridge) , it's safe to say that single pass dd-zero will be secure enough.

[lm]

Can you explain what a trace value is? When a utility replaces the existing data with binary zeros, can you explain where the trace values are located?

Imagine hard drive platter is paper, writing a "one" is done by a pencil, and writing a "zero" is done by a rubber eraser. Unless you rub hard enough, there's still some traces of the original stuff you wrote. Now, the same principle might work with a hard drive too. But the hard drive's own read heads of course need to say that the value is zero after it has been written as zero, because otherwise the hard drive would be broken. But suppose you use a very expensive device to read directly from the hard drive platter, and instead of 0 or 1, you would find something like 0.001 and make educated guesses based on that.

[tomsmith]

Now, the same principle might work with a hard drive too. But the hard drive's own read heads of course need to say that the value is zero after it has been written as zero, because otherwise the hard drive would be broken. But suppose you use a very expensive device

That's all speculation. It's entirely unproven. That's why no one has taken the great zero challenge. A lot of folks talk about the possibilities of recovering data that has been zeroed, but no one can actually demonstrate it.

[yefi]

Here is the epilogue from the orinigal Guttmann paper (written in '96) that spawned all this hullabaloo (http://www.cs.auckland.ac.nz/~pgut001/p ... e_del.html):

Pseudodoxia epidemica, isn't it? The 35-pass wipe was meant to deal with theoretical vulnerabilities in very much less dense media using very different encoding, e.g., the earliest single-megabyte HDs. Applying that logic to modern drives is like applying flying buttresses to skyscrapers to transfer lateral forces. It's an anachronism and it doesn't make sense. For all modern hard drive one pass is sufficient.

[lm]

Someone now has actually tried using an electron microscope to read the hard drive platter directly after wiping. The results seem to be that usually 1 pass of wiping makes any attempts at recovery too hard.

http://www.securityfocus.com/brief/888

[QuietOC]

Someone now has actually tried using an electron microscope to read the hard drive platter directly after wiping. The results seem to be that usually 1 pass of wiping makes any attempts at recovery too hard.

Also no special software is needed to zero a drive. Simply do a full format instead of a quick format and the data is gone for good.

[whiic]

lm, reading a non-wiped HDD platter with electron microscope would be equally futile as trying to read it with optical microscope, binoculars, bare eyes, X-ray microscope, X-ray diffractometer, etc. All these are used to observe substance (large crystalline structures, molecules, even atoms), their positions to each other, their composition, etc. But not their magnetic polarity.

Magnetic force microscope could be more useful... though with modern encoding methods recovering data from even a non-erased multigigabyte HDD would take an eternity without assistance of HDD's own decoding circuits. And using these circuits with a MFM isn't possible.

Even if HDDs weren't encoded at all, reading enough data of it with MFM to have even a 1% chance of spotting a credit card number located somewhere on the platter... totally futile. And HDDs are encoded. There's fundamental reasons why they are.

Which is why HDD data recovery tries to utilize the HDD itself instead of manual labour. Use software recoverly, replace bad PCBs, replace bad heads, use statistical methods to interpret corrupted sectors, etc. Single platter drives can have their platters removed to another drive but multi-platter drives pretty much have to be dealt with in the original casing to prevent misalignment. I don't know if they can even swap heads for drives with multiple heads of if the heads need to be aligned with each other as well.

About encoding (in general): even if they didn't have error correction code, they would still need encoding. Not for compression but to keep it readable. If you "zero-fill" a drive for example, physically the HDD get written with certain sequence of 0s and 1s. Too many sequential same values would cause the data to be unreadable because it would be impossible to
- follow the track where data is located or
- keep in synch with how many similar bits passed as there's lack of clock pulse. Clock pulse must be implemented within the bits written.

External clock pulse would be impossible because data transfer rate varies from track to track. With old HDDs that had same transfer rate in inner and outer tracks, having an external clock, pulse would be possible. Also, some old HDD has a servodata surface. And even older HDDs didn't have to be track follow capable because they used stepper motors, thus actuators were able to only perform also fixed length jumps. This caused problems with temperatures as data written in one temperature would be readable only in roughly the same temperature. Too much temperature difference and the tracks would shift. Same of course applies to dedicated servo surface but probably an issue only at higher temperature differences. I can easily imagine lots of data to be recoverable when HDD is written twice at different temperatures, some trace of data may be left slightly off-track.

But modern HDDs are way more tricky to recover if they have been overwritten. Embedded servo data makes sure heads try to follow the very track it's reading, without trusting any extrenal information. Unless HDD is bumped while it writes, it shouldn't write off-track. How often an off-track write occurs... not that often. Either if the original is written off-track of it overwrite is off-track, some could be recoverable. To find such sectors would be futile. And most likely as a side-product of high density, the residual magnetization of off-track write would be deleted by superparamagnetic effect: the areas with residual data would be much smaller than typical grains storing magnetic polarity, and they could easily flip around due to thermal vibration (even at rooms temperature) thus the residual data would self-destruct over time, possibly quite fast.

Ok. what I have written here contains some "educated guessing" and some non-referenced stuff I've read and don't remember where, etc.

Conclusion remains: due to various reasons, it's pretty darn safe to assume zero fill will keep even FBI and CIA out of your CP cache or plans to assassinate the president. :p

The only problem is: when they knock on the door (with a battering ram) you don't actually have 2 extra hours to perform a zero-fill. If you had, it would be more secure data deletion than 1kg of dynamite rigged inside your computer. But I believe 1kg of dynamite or or less does the trick as well. Might be charged with illegal possession and use of firearms, though... Darn those overly zealous Feds. Don't they have life of their own? lolol

[whiic]

BTW, I would definitely not rely on "full format" to securely delete previous data. Are you sure it writes the partitioned space? Are you sure it doesn't perform a read or verify pass to surface scan it for bad sectors? If you are sure it writes, does it actually apply to all formatting tools (all OSes and all third-part format tools)?

I would prefer low-level (LBA based) zero-fill over zero-filling of usable, partitioned space. The only thing that LBA erasure doesn't erase are reallocated bad sectors. Data stored on them remain.

[QuietOC]

BTW, I would definitely not rely on "full format" to securely delete previous data. Are you sure it writes the partitioned space? Are you sure it doesn't perform a read or verify pass to surface scan it for bad sectors? If you are sure it writes, does it actually apply to all formatting tools (all OSes and all third-part format tools).

Yes, the normal Windows long format writes zeros. I learned this after I tried to recover some pictures and video off a partition I had just done a normal format to. Absolutely no data left on it. Luckily most of the files were recoverable off the camera's 4GB flash card. Evidently the camera just does quick formats.

[whiic]

Are you sure? I mean, most recovery software acts as practically some sort of undelete tool. They sniff filesystem tables for information on deleted files and re-enable deleted files if they haven't been overwritten. Some stuff like parts of filename might be lost in deleting (as opposed to just trashcaning in Windows) but files should be completely intact unless overwritten.

If the format just cleaned the filesystem tables and wrote new ones, and did a verify pass on usable empty space, many undelete tool wouldn't recognize the deleted files. If filesystem tables are rewritten clean, the only way to recognize files would be to read the entire drive for recognizable patterns and heuristically make guesses if they might be pictures, zip files, video, executables.

What was your data recovery tool you used?

[QuietOC]

What was your data recovery tool you used?

PhotoRec

[lm]

lm, reading a non-wiped HDD platter with electron microscope would be equally futile as trying to read it with optical microscope, binoculars, bare eyes, X-ray microscope, X-ray diffractometer, etc. All these are used to observe substance (large crystalline structures, molecules, even atoms), their positions to each other, their composition, etc. But not their magnetic polarity.

Now I don't really know anything about those microscopes, but this was from the piece of news I read:

In research published on Thursday, auditor Craig Wright tested the ability of a special type of electron microscope, known as a magnetic force microscope, to read data that has been erased.

Maybe the news site got it wrong then. I don't know. But they link to the original article by the researcher, so anyone who is interested in what kind of microscope was actually used, read that one.

Thanks for the details though.

[sneaker]

BTW, I would definitely not rely on "full format" to securely delete previous data. Are you sure it writes the partitioned space? Are you sure it doesn't perform a read or verify pass to surface scan it for bad sectors? If you are sure it writes, does it actually apply to all formatting tools (all OSes and all third-part format tools).

Yes, the normal Windows long format writes zeros. I learned this after I tried to recover some pictures and video off a partition I had just done a normal format to. Absolutely no data left on it.

I just created a 1GB NTFS partition R: on my XP system, shoved 30 MP3s spread across various folders on it, did a format r: (no /q) via the command line, rebooted, ran Recuva, and it identified and recovered all the copied files (complete with original file names, but no directory structure) except one. They played fine.

Reformatted r: this time in diskmgmt.msc (quick format unchecked), rebooted, started Recuva. All except two of the files were recoverable.

That's consistent with everything I've read and experienced in the past 15 years in DOS/Windows. A standard format does not wipe the data.

[zoatebix]

It's possible you got that result because your master file table (or what have you) isn't on the R: partition. Someone should try with a spare drive.

EDIT: Hmm, maybe I'm being silly. Why would Format do something to devices/physical drives that it wouldn't do to partitions/logical drives? We may have to chalk up my post, in its original form, to exhaustion.

[QuietOC]

That's consistent with everything I've read and experienced in the past 15 years in DOS/Windows. A standard format does not wipe the data.

Hm, I did change the cluster size when I did the full format and did a second quick format back to the default cluster size. I didn't use the command line or Disk Management.

I had actually planned to boot OSX and use Disk Utility to write zeros to the drive, before I realized I wanted those pictures, but finding the data was already gone--I didn't bother.

[Cirkus]

Doesn't it say when you run a full format in DOS/Windows that it will will format the drive and "check the entire surface"? At least that is my impression on what the full format will do. If you have any bad sectors on the drive they will be detected and removed from the file allocation table so you don't put data there.

Cirkus