Securely earsing your harddrive the hard way

There is always a concern that, if you give you hard-drive away, you may have data left on the hard-drive you don’t like for anyone to see.

Usually, if you just format a hard-drive it will reset the tables but still has all the datas present on the actual hard-drive.
To counter this, there is this method that will simply write every bit with a zero, thus ensuring that any data on the hard-drive will be ‘really’ overwritten and not retrievable. Of course there is not real 100% solution, but it comes close.

This should be done by anyone who calls him/herself advanced. Otherwise you might erase your disk you don’t want to. So be careful. I am not taking any responsibility on either your hard-drive or your data.

Its a mere two commands you want to enter.

Starting with you becoming root.

Open your terminal and enter

**fdisk -l**

You do this to find your hard-drive, the one you want to erase.

It looks like this.

linux-ia48:/home/yourname # fdisk -l

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders, total 976773168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x5d8c637e

Device Boot Start End Blocks Id System
/dev/sda1 63 198643786 99321862 7 HPFS/NTFS/exFAT
/dev/sda2 311965696 976773119 332403712 f W95 Ext’d (LBA)
/dev/sda3 303581184 311965695 4192256 82 Linux swap / Solaris
/dev/sda4 * 198660096 240670719 21005312 83 Linux
/dev/sda5 311967744 376948735 32490496 83 Linux
/dev/sda6 376950784 976752639 299900928 83 Linux

Partition table entries are not in disk order

Disk /dev/sdb: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000c4672

Device Boot Start End Blocks Id System
/dev/sdb1 2048 3907028991 1953513472 83 Linux

Disk /dev/sdc: 160.0 GB, 160041885696 bytes
256 heads, 63 sectors/track, 19381 cylinders, total 312581808 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xa8a8a8a8

Device Boot Start End Blocks Id System
/dev/sdc1 * 2016 312578783 156288384 a5 FreeBSD

In my example we will erase the very last hard-drive named FreeBSD which is device sdc1.
You may want to write the name of the hard-drive down just not to forget in your real life.

Now, after we know the hard-drive, and you sure about it, you only need to enter this command.

**dd if=/dev/zero of=/dev/sdc1**

dd will duplicate and copy onto sdc1, thus erasing every single bit.

Also, this method will take time. In fact a lot of time. I did it with a 160GB HD and it took about 3 hours. So, depending on the size of your drive you may want to let it run till its done and go out or do some shopping, reading or whatever you feel like.

P.s. if you feel to comment or add to this faq, please do so since i do it to the best of my knowledge and it may not complete.
Thank You

I like to throw in a pass of

if=/dev/urandom

in before zeroing the drive if I REALLY want any data to be unrecoverable.

On 2011-05-24 04:36, skaterich wrote:
>
> I like to throw in a pass of
> Code:
> --------------------
> if=/dev/urandom
> --------------------
> in before zeroing the drive if I REALLY want any data to be
> unrecoverable.

Doubtful. And very slow.

Rather, write all with zeros once, then another with 0xFF.

Or you can try hdparm --security-erase (see man first).


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

I think a simple zero should do it. Since everything is written once with zeros, there is nothing one can retrieve.

The other method i haven’t checked but will look into it.

On Thu, 26 May 2011 02:06:03 +0000, JoergJaeger wrote:

> I think a simple zero should do it. Since everything is written once
> with zeros, there is nothing one can retrieve.

Usually this is sufficient, but advanced forensics can be used to recover
data from a drive that hasn’t been more thoroughly wiped. But recovering
data from a drive like that is very expensive to do.

That’s why there’s a DoD standard that specifies multiple passes of 0x00
and 0xFF (AFAICR), I want to say it’s 6 passes total.

I usually will run a pass with /dev/urandom over the first couple
thousand sectors of each partition; not completely unrecoverable, but
whacking the directory structure and partition table makes it very
painful to try to reassemble data from a larger drive.

> The other method i haven’t checked but will look into it.

Typically supported on only some drives (it’s a firmware-implementation
of a wipe, so bypasses the data bus from the PC to the drive itself).

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2011-05-26 06:12, Jim Henderson wrote:
> That’s why there’s a DoD standard that specifies multiple passes of 0x00
> and 0xFF (AFAICR), I want to say it’s 6 passes total.
>
> I usually will run a pass with /dev/urandom over the first couple
> thousand sectors of each partition; not completely unrecoverable, but
> whacking the directory structure and partition table makes it very
> painful to try to reassemble data from a larger drive.

I fail to see why writing random data would erase better, compared to
writing zeroes and ones on all bytes.

However, if you want random data, paranoic mode, you need /dev/random, not
/dev/urandom. The first one waits till there is enough entropy in the
system before returning with a “real” random figure. The urandom variant
will return fast, even if the data is not as random as it should.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Jim Henderson wrote:

> That’s why there’s a DoD standard that specifies multiple passes of 0x00
> and 0xFF (AFAICR), I want to say it’s 6 passes total.

Last time I looked, the Orange Book now approves a 3-pass method. One pass
writes a pattern, the second pass write the binary complement of the pattern
and a third pass writes the random pattern. They specify the first two
patterns but I’m too lazy to look it up just now so if anyone wants to know
what they are email me and I’ll dig it out.

As I read the DOD spec, that is sufficient up through some ridiculous
security level. Above that that, complete mechanical destruction/burn is
the only way.


Will Honea

I would seriously question that anyone you may sell your drive with the first method, will have any luck to retrieve information from the harddrive.
Are there any tools i can test this?

Anyway, from the input i would say that the faq is ok, isn’t it and we can add the other methods for a advance secure way of erasing data’s. Or do you think it is not good really.

Thank You for the input.

For use with a recent linux,


shred /dev/sdc1

would probably work. And it should be easier for people to remember.

Currently, I am encrypting the partitions with sensitive data (including swap). When it comes time to ditch this system, I shouldn’t have to worry about it.

On Thu, 26 May 2011 10:08:07 +0000, Carlos E. R. wrote:

> On 2011-05-26 06:12, Jim Henderson wrote:
>> That’s why there’s a DoD standard that specifies multiple passes of
>> 0x00 and 0xFF (AFAICR), I want to say it’s 6 passes total.
>>
>> I usually will run a pass with /dev/urandom over the first couple
>> thousand sectors of each partition; not completely unrecoverable, but
>> whacking the directory structure and partition table makes it very
>> painful to try to reassemble data from a larger drive.
>
> I fail to see why writing random data would erase better, compared to
> writing zeroes and ones on all bytes.

It probably doesn’t, but since the data is stored in magnetic domains,
having varying magnetic domains seems like a better idea.

> However, if you want random data, paranoic mode, you need /dev/random,
> not /dev/urandom. The first one waits till there is enough entropy in
> the system before returning with a “real” random figure. The urandom
> variant will return fast, even if the data is not as random as it
> should.

Yeah, but the point isn’t about the random seed for the data, more about
varying the magnetic signatures. Whether it’s “truly” random or pseudo-
random, it achieves that goal.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Thu, 26 May 2011 19:36:03 +0000, JoergJaeger wrote:

> I would seriously question that anyone you may sell your drive with the
> first method, will have any luck to retrieve information from the
> harddrive.
> Are there any tools i can test this?

You’d have to talk to a professional recovery service. If the buyer
knows where the drive came from and what value the data may have, they
may see it as cost effective to engage one of those services to recover
what data they can.

I’m talking about a service like the one that was used to recover data
from storage devices that were recovered from the wreckage of space
shuttle Columbia, not a tool that you buy off-the-shelf or that’s
available in OSS form. We’re talking about very specialized equipment.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I read on About.com, that it is

CAUTION: Note that shred relies on a very important assumption: that the filesystem overwrites data in place. This is the traditional way to do things, but many modern filesystem designs do not satisfy this assumption. The following are examples of filesystems on which shred is not effective:

  • log-structured or journaled filesystems, such as those supplied with

AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.) * filesystems that write redundant data and carry on even if some writes

fail, such as RAID-based filesystems * filesystems that make snapshots, such as Network Appliance’s NFS server

  • filesystems that cache in temporary locations, such as NFS

version 3 clients * compressed filesystems
In addition, file system backups and remote mirrors may contain copies of the file that cannot be removed, and that will allow a shredded file to be recovered later.

So, i am not sure if its better then. But need to try to see. Or you need to turn off the journal.

Roger that. I assumed that there were ‘some’ tools one can use like to recover data. I think i have seen some on Windows, but its probably not the software you are talking about.

On Fri, 27 May 2011 00:06:02 +0000, JoergJaeger wrote:

> Roger that. I assumed that there were ‘some’ tools one can use like to
> recover data. I think i have seen some on Windows, but its probably not
> the software you are talking about.

I’ve seen tools like OnTrack’s Data Recovery software in the past, but
nothing really recent.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

JoergJaeger wrote:

> I would seriously question that anyone you may sell your drive with the
> first method, will have any luck to retrieve information from the
> harddrive.

I certainly don’t have anything worth the equipment cost and time it takes
to do this sort of forensic analysis but just about any single pass over-
write can be recovered to some degree with some fairly simple techniques and
equipment. The recovery essentially recognizes that the effective width of
a track is not perfectly uniform - it depends to some degree on both the
write current and the bit pattern written - so over-writing a single pattern
will not necessarily splatter enough to wipe the edges of the old track.
Also, there is slop in the actual track center just about every time it’s
read or written so there is a fair amount of leftover info if you can offset
the track location on the recovery read. If the over-write proceded from
the center out, reading from the outside to the inside will give you a fair
chance of getting a different signal.

It’s all black magic but there are wizards who play with this stuff. They
have more time, money and patience than anything I have on disk is worth!


Will Honea

On 05/27/2011 07:46 AM, Will Honea wrote:
> It’s all black magic but there are wizards who play with this stuff. They
> have more time, money and patience than anything I have on disk is worth!

we have been through all this before (huh?)!

the security of erasing a hard drive and handing it off to another is
directly dependent on the importance of the information stored and the
capability of the person(s) who receives the drive anytime there after…

if you have a hard whose most secret info is not very secret or
important then the wiping ideas above will probably do the trick…as
long as you give the drive to someone who won’t look to see if you left
your online banking ID/Pass or homemade p0rn on it…

but if you have data on your drive which is VERY secret and (say) law
enforcement wants to read it…they might send it to (say) DEA, NSA,
CIA, FBI (or their equivalents in several countries) and after the wipes
discussed so far in this thread have been done, there would remain a
high likelihood of extracting more than enough info to put you away…

as mentioned by Will, at some point the value of the data and the skill
of all potential lookers requires one to physically destroy the drive…

for example:
mechanical destruction http://www.youtube.com/watch?v=yd_O7-rqcHc
chemical/heat destruction http://www.youtube.com/watch?v=k-ckechIqW0


dd CAVEAT: http://is.gd/bpoMD
[NNTP via openSUSE 11.4 [2.6.37.6-0.5] + KDE 4.6.0 + Thunderbird 3.1.10]
Dual booting with Sluggish Loser7 on Acer Aspire One D255

On 2011-05-27 02:06, JoergJaeger wrote:
>
> nrickert;2345309 Wrote:
>> For use with a recent linux,
>>>
> Code:
> --------------------
> > >
> > shred /dev/sdc1
> >
> --------------------
>>> would probably work. And it should be easier for people to remember.

> I read on ‘About.com
> (http://linux.about.com/library/cmd/blcmdl1_shred.htm), that it is
>
>> CAUTION: Note that shred relies on a very important assumption: that the
>> filesystem overwrites data in place. This is the traditional way to do
>> things, but many modern filesystem designs do not satisfy this
>> assumption. The following are examples of filesystems on which shred is
>> not effective:

That is not an issue when you are shredding the entire partition, the
filesystem is bypassed.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

DenverD wrote:

> as mentioned by Will, at some point the value of the data and the skill
> of all potential lookers requires one to physically destroy the drive…

These discussions always bring back memories of the problem at Offut back in
the 60’s. 36" IBM disk platter with War Plans info sitting in the corner of
the vault because the only legal way to dispose of it was to melt it down -
but that required a certified furnace faciliy which no longer existed. Some
day, I’m gooin to see if I can find out if that conundrum was ever resolved
or if that thing is stil sitting there…


Will Honea

On 05/27/2011 09:02 PM, Will Honea wrote:

> 36" IBM disk platter

wow, THAT big…in the late '70s the “disk packs” were about
18 inches across and maybe a foot high…

> with War Plans info sitting in the corner of
> the vault because the only legal way to dispose of it was to melt it down -
> but that required a certified furnace faciliy which no longer existed.

heh…never heard that story before…and, i worked for years (seemed
like centuries) in that building…worked over a year a floor lower than
the Joint Plans, and a guard more…


dd CAVEAT: http://is.gd/bpoMD
[NNTP via openSUSE 11.4 [2.6.37.6-0.5] + KDE 4.6.0 + Thunderbird 3.1.10]
Dual booting with Sluggish Loser7 on Acer Aspire One D255

Before we get to fancy, i was interested mainly in a guide that will give a user a hand in how to erase the harddrive.
Now, i will assemble a reworked faq that includes some of the ideas mentioned. Therefore, it will go from low erase to hard erase.
Mostly people want to re-sale a drive or give it to a friend for further use. I assume that even if you give a drive to a junkyard, they will not try to recover datas unless they know you and assume you have valuebale data.
Or you real paranoid in which case you really want to hard shred the harddrive for good.
This of course is my assessement.
I would still argue that a simple overwrite is suffice for most users.