How To Permanently Erase Data from a Hard Disk
Copyright © 2003-2006 by Daniel B. Sedory
NOTE:
This page is mainly for the average consumer
who keeps a great deal of personal and financial data on computer hard disks,
and after obtaining a new computer or just a larger drive (and
copying data to it) wants to sell or give away an old
disk (or whole computer) and never have to worry about someone finding
any of his old data.
[ But,
see HERE for reasons why wiping your hard disk
before installing an operating system is a good idea. ]
For executives concerned
about company secrets on a large number of disks in old computers that must
be sold for their remaining assets, your company's IT Dept. should have a recommended security
procedure (most likely using a costly security program to wipe the disks).
But, we believe simply 'zeroing-out' a drive is more than adequate.
For example, say a competitor was able to buy every one of your old machines
(and assuming, of course, that your IT Dept. employees follow the proper procedures
for doing at least a one-pass 'wipe' of each drive), without knowing which drive
contained any valuable data (or even if any of them ever did), we highly doubt
anyone could justify the TIME and COST to employ an experienced Electron Microscope
operator in a Data Lab to hunt down bit by bit whatever tiny amount of info
they MIGHT find; with no assurances that ANYTHING (let alone something of value)
could ever be recovered!
If you need to know how to delete data from a computer used in a Military,
Government or Defense contractor's office, there are prescribed procedures for
doing so! Personally, from the information I have read about such procedures,
I consider them to be ridiculous in their extreme measures; hostile forces will
always look for the 'weakest link' in obtaining desired information, and I think
it's still easier and quicker to obtain it from communications and vulnerable
human sources than any adequately overwritten hard disk. We believe that all
Departments of the US Government have orders that any media containing info
classified as TOP SECRET, must be PHYSICALLY DESTROYED, so there isn't
even an issue involving erasure in that case!
If you're a Billionaire (that keeps very sensitive data on hard disks), I doubt
that you'd ever NEED to resell your hard disks. You will, of course, have many
'simultaneous' [RAID array] backup disks full of your data, and most likely
you'd use them until they 'died,' then have a TRUSTED and knowledgeable employee
DESTROY those disks as you certainly would any floppy disk that failed.
[ If you'd like to hire me, I'm very honest! ]
There will most
likely always be a widespread misuse of the terms: 'Wipe,' 'Erase,'
'Delete,' 'Destroy' and even the word 'Permanent.' However, when someone
describes a particular software program or technique using such terms as these,
you should pay very close attention to what is really meant; especially if
you are trying to make sure that NO ONE will ever be able to retrieve
ANY DATA AT ALL from your old disk drive(s)!
Here are a few statements I've seen that use such terminology, and why you need
to be sure about what they really mean:
WARNING: Because all data on your hard disk will be destroyed by this procedure,
you must back up your hard disk before using this Debug script.
Microsoft Knowledge Base Article - 106419
Want to WIPE a drive? .... "WARNING: Delpart is the easiest and most complete way to erase a drive. It warns you once and only once about what it will do, so be careful! Use it only on a drive you want to completely erase, as you will not be able to recover any data that was on the drive prior to running delpart." Let's say Anonymous
Another site states: "Use
Delpart to 'wipe clean' a hard drive." This seems clear enough, right?
WRONG! The ONLY thing that DELPart
does is to remove a maximum of just 64 bytes of information from each
hard disk's Partition Table in the Master Boot Record (MBR) and possibly
in each Extended Boot Record (EBR). Well...
If you gave me a drive that only Delpart had been used on, in about 10 minutes or less I
could recover all of your computer's data using a single software tool!
Even a company such as Power Quest in their old Partition Magic
4.0 program, made use of phrases such as: "WARNING: Deleting a partition
will DESTROY any existing data" or even this one: "The DELETE operation
deletes a partition and destroys all its data"; which certainly seems to imply that it does
more than just remove partition information from the drive! But, once again,
these were nothing more than poorly worded statements trying to stress
that the average home user would most likely not have been able to fix
such a mistake, whereas, a person who is familiar with data recovery
techniques could very easily do so!
So, statements such as these are not true at all from the point of trying to make sure you have erased all traces of sensitive data in a partition or on a drive!
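To see why removing partition-table entries is not erasure, the following added example (not from the original page, and not how Delpart itself is implemented) builds a small constructed disk image, zeroes only the 64 partition-table bytes at offset 446 of the MBR, and checks that a marker stored in a data sector is still readable. The image layout, marker string and function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed demo: a 1 MiB image file stands in for a real drive.
MARKER='ACCT-0000-CONSTRUCTED-SAMPLE'   # constructed "sensitive" record

# make_image IMG SECTORS: zeroed image, one MBR partition entry at offset
# 446, the 55 AA boot signature at 510, and MARKER in sector 100.
make_image() {
    dd if=/dev/zero of="$1" bs=512 count="$2" 2>/dev/null
    # 16-byte entry: active, type 0x0B, start LBA 63, 1000 sectors
    printf '\200\001\001\000\013\376\077\000\077\000\000\000\350\003\000\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs=512 seek=100 conv=notrunc 2>/dev/null
}

# delete_partition_table IMG: zero the four 16-byte entries (64 bytes);
# this is all a partition-table delete changes on the disk.
delete_partition_table() {
    dd if=/dev/zero of="$1" bs=1 seek=446 count=64 conv=notrunc 2>/dev/null
}

# nonzero_in_range IMG OFFSET LENGTH: count non-zero bytes in a byte range.
nonzero_in_range() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null |
        tr -d '\000' | wc -c | tr -d ' '
}

# marker_present IMG: prints yes if MARKER can still be read from the image.
marker_present() {
    if LC_ALL=C grep -q -F -- "$MARKER" "$1"; then echo yes; else echo no; fi
}

demo() {
    img=$(mktemp) || return 1
    make_image "$img" 2048
    echo "table bytes set before delete: $(nonzero_in_range "$img" 446 64)"
    delete_partition_table "$img"
    echo "table bytes set after delete:  $(nonzero_in_range "$img" 446 64)"
    echo "marker still readable:         $(marker_present "$img")"
    rm -f "$img"
}
demo
```

Everything outside those 64 bytes, including the boot signature and every data sector, is byte-for-byte unchanged after the delete.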
First you need to realize that only by changing the contents of EVERY BYTE on
a disk to a random, zero, or some other value, can you be assured that none
of your data can be read again *.
When you change all the bytes on a disk to a ZERO byte, it's commonly called
'zero-filling', 'zeroing-out' or 'initializing' a drive;
it should not be called a low-level format
(though we've seen that term being used incorrectly, to describe this initialization
process).
How Long will this take?
This procedure may take anywhere from only about 10 minutes for a small drive on a computer with a fast UDMA/UATA EIDE interface to 10 or more hours(!) for a very large drive on a computer with an old 33 MHz IDE bus! The exact length of time depends upon the rate at which data can be written to the drive and the size (capacity) of the drive. So, a fully implemented UDMA or 'Ultra' ATA interface of 66 or 100 MHz (using 80-wire cables) will complete the process in much less time than an old slow machine that doesn't have UDMA capability (if it has only 40-wire drive cables, it can't do UDMA). Generally, you're looking at 20+ minutes to about 1.7 hours for most drives in use today (40GB to 200GB).
EXAMPLES: Years ago now, we noted a computer with a 1.5 GHz CPU correctly employing UATA 100 (a 100 MHz interface), took only 34 minutes to completely wipe a 60 GB drive. On the other hand, a 40 GB drive took all night (8+ hours?) to zero-out on a computer with an old 40-wire 33MHz interface! These old boxes are rarely used now.
So what programs can be used to do this?! The best type of
program (and often FREE) for what's called a SINGLE PASS ZERO-OUT is
the same one some drive manufacturers ask you to run before allowing you to
return a drive under warranty! For example, Western Digital®'s new
DLG DIAG (included with their Data Lifeguard Tools packages or available
separately) will easily zero-fill every byte on a WD drive; just run
dlgdiag.exe and choose Write Zeros to the drive. We've also used
a similar program (Maxtor®) to zero-out their drives. You must obtain this
type of program from the manufacturer of your particular drive, since they're
almost always limited to working only on their own drives!
However, many of these diagnostic programs will still give you some valuable info about
other manufacturers' drives: For example, there's a nice DOS utility that
will identify the Model, S/N and drive capacity of any HDD
it finds on your system. It's from Hitachi (Global Storage Technologies) and
it's called: "Drive Fitness Test (DFT)" (http://www.hgst.com/hdd/support/download.htm).
It's made for IBM® and Hitachi drives, so will zero-out
bytes from its Utilities menu for those drives only! If
you know how to make a floppy disk from just an image file (such
as with WinImage or by using the Linux 'dd' program), all you need is the
1440 KiB dft_v407.img image file. Otherwise, get the Windows floppy disk creator
version (dft32_v407.exe) that makes its own boot/DFT floppy disk for you.
There's a nice collection
of links to many Drive Manufacturing sites with some type of drive utility program
here:
http://tacktech.com/display.cfm?ttid=287.
If your drive has a capacity under about 8.4 GB, you can use a program I compiled and tested on my own 6.4 GB drive: WIPE8.zip. It does not have the ability to easily test the bytes on your drive though; manufacturers' programs use special software functions their drives respond to directly, whereas WIPE8 (and other simple wiping tools) only use INT 13 calls to software routines in the BIOS code.
However, I've recently found a FREE program with open source code at the
SourceForge site called Darik's Boot and Nuke (dban)
which is a self-contained 1440 KiB boot disk that will wipe any
drive! It has many options too; the simplest way to use it is to boot
up with the disk, press the ENTER key at the "Boot: prompt"
and then use its Interactive Menu. But you must exercise
caution with this disk: It's easy to set it up to automatically
wipe every drive on your computer! This is the same exact program
that's now bundled with Eraser, since that program was never designed
to do drive wiping. At the bottom of the dban web page, you'll find links
to a list of "Similar Products" (all commercial). DBAN also creates
and saves an interesting logfile of its operations at the end of a run.
Caution: Misuse of the term low-level format can even be found on the web pages of major HDD manufacturers! Due to the misconception by consumers (probably because of faulty media stories) that erasing a drive can only be accomplished with a "low-level format" utility, many HDD manufacturers have finally started to use that term to describe zero-fill utilities instead; but it's still incorrect usage! (Some techs/HDD manufacturers are also using the mixed term: low-level zero-fill which is more accurate).
To Low-Level Format (LLF) a drive, really means to set up the physical locations of its tracks and sectors on the platter itself! And embed that data in the control structures of the drive! Because of the complexity of a modern drive's internal structures (which includes zoned-bit recording and even servo data on the disk itself), a true LLF can only be done at the factory! Very old (less than 30 MiB in most cases) MFM drives did have LLF programs that consumers could occasionally use; thus the reason for the idea that they might still be useful.
The only site I've found which gives a comprehensive view and correct definitions for all formatting terms is: Low-Level Format, Zero-Fill and Diagnostic Utilities; or this page specifically about misuse of the term: Low-level Formatting. One of the few HDD manufacturer pages that gently tries to guide the consumer in the right direction can be found at Seagate's site here. A confusing letter from one HDD manufacturer dated JAN 2000 is found here; first it refers to a tiny drive utility as a "low-level format tool" (incorrectly), but then it proceeds to state why you can not perform a low-level format on the HDD!
NOTE: If you use Linux or have access to a Linux boot disk with the "DD" program on it, it's fairly easy to execute a command that will 'zero-out' a drive.
Here's an example
of how one would zero-out a 1440 KiB floppy diskette in
the first floppy drive:
where the 'bs' tells it to
use 512-bytes per sector and write zero bytes to 2,880 sequential sectors on
the diskette in drive 'fd0'. Anyone who's skilled in the use of Linux scripts
could easily create a program for the unattended overwriting of a drive many
times with different values; and maybe even throw in a random number generator
as the 'if' (input file) device for good measure. [ If you're interested
in learning more about Linux, see my Intro.
to Linux Console Commands using 'tomsrtbt' Boot Disk here. ]
NOTE:
This has already been accomplished!!! See my comments on the DBAN
program above; it uses a Linux kernel inside a RAM drive to carry out
its drive-wiping tasks!
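The zero-fill described above, written out as an added example (not the author's original command line or DBAN's code): the dd call uses the parameters the text names (zero bytes, 512-byte sectors, 2,880 sectors) and then reads the range back to confirm that no non-zero byte remains. A constructed image file stands in for the diskette in /dev/fd0, and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# On a real diskette the target would be /dev/fd0 with 2880 sectors;
# here a constructed image file stands in for it.

# make_sample IMG SECTORS: constructed stand-in "disk" full of non-zero data.
make_sample() {
    dd if=/dev/zero bs=512 count="$2" 2>/dev/null | tr '\000' 'S' > "$1"
}

# zero_fill TARGET SECTORS: one pass of zero bytes in 512-byte sectors.
# conv=notrunc keeps a regular file at its size; it is harmless on a device.
zero_fill() {
    dd if=/dev/zero of="$1" bs=512 count="$2" conv=notrunc 2>/dev/null || return 1
    sync    # flush cached writes to the medium
}

# nonzero_bytes TARGET SECTORS: read the range back, count non-zero bytes.
nonzero_bytes() {
    dd if="$1" bs=512 count="$2" 2>/dev/null | tr -d '\000' | wc -c | tr -d ' '
}

# wipe_and_verify TARGET SECTORS: refuse a missing target, zero-fill it,
# then confirm that the whole range reads back and that it is all zeros.
wipe_and_verify() {
    [ -e "$1" ] || { echo "no such target: $1" >&2; return 2; }
    zero_fill "$1" "$2" || { echo "write failed on $1" >&2; return 1; }
    got=$(dd if="$1" bs=512 count="$2" 2>/dev/null | wc -c | tr -d ' ')
    [ "$got" -eq $(( $2 * 512 )) ] || { echo "short read: $got bytes" >&2; return 1; }
    left=$(nonzero_bytes "$1" "$2")
    [ "$left" -eq 0 ] || { echo "$left non-zero bytes remain" >&2; return 1; }
}

demo() {
    img=$(mktemp) || return 1
    make_sample "$img" 2880
    echo "non-zero bytes before: $(nonzero_bytes "$img" 2880)"
    zero_fill "$img" 2879            # deliberately stop one sector short
    echo "after a short pass:    $(nonzero_bytes "$img" 2880)"
    wipe_and_verify "$img" 2880 && echo "verified: all 2880 sectors are zero"
    rm -f "$img"
}
demo
```

The read-back count is what catches a pass that stopped early: one missed sector shows up as 512 non-zero bytes.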
There are at least two
other reasons (apart from security) for initializing (zero-filling) a drive:
1) When you first obtain a hard disk, you may wish to test every
byte on the drive using a zero-out and test
program from the drive's manufacturer. Most OEM drives (non-boxed; often a short
store warranty only) do not undergo the same testing as fully-warranted products.
2) Whenever you decide to "start all over again" and reformat
a drive, it's a very good idea to make sure there are no left over partition
data structures (EBRs) just in case you need to run a data recovery program
at some time in the future. If you've never had any Extended
Partitions on the drive, you can forget about this. Problems for data recovery
occur only when there are EBR sectors and Boot Records
that were never deleted (zeroed-out) before a new Extended partition
(with one or more logical drives) was created. Then if you try
to get your data back after accidentally deleting a partition or the MBR,
you (or a recovery program) might have a difficult time deciding which EBR
sectors were used last! By
'zeroing-out' a disk that has had many Extended partitions created on it, you
ensure data recovery programs will see ONLY the correct size of the partitions
you are about to create.
The Starman.
_______________________
* Data
Recovery experts seem to have a different opinion than those working in, let's
call it theoretical research, of what constitutes an 'adequate overwriting'
of a hard disk to keep any previous data from ever being recovered. If you have
the time and money to purchase and use a guaranteed secure wiping program, go
ahead and do so; especially if you plan on reselling MANY lots of HDDs that
have valuable data on them. However, for most individuals, I
don't see any reason to use more than a single-pass overwrite as explained on
this page.
If you want to read about the details regarding Data Erasure and Security, you
could start with the old and "oft quoted" reference to Peter
Gutmann's paper*.
This is a somewhat technical paper, but it also appears to have been too
theoretical even at the time it was written, and is now (2006) very
'out-of-date' concerning any viable threat to your security! For example, the
TPI (tracks per inch) value that he called "state of the art" for
a disk's track density is at least 10 (even more!) times LESS than what is actually
being used today. For a recent review of Gutmann's paper, see: Can
Intelligence Agencies Read Overwritten Data? by Daniel Feenberg. For those
who wish to truly understand just how very complex modern hard disk drives are
(including how magnetic data stored on their platters is thoroughly encoded
by drive electronics), you should study (it may take you quite
some time to work through it) Charles Sobey's white paper: Recovering
Unrecoverable Data (Note: this title concerns data that's at risk because
a drive has physical damage; not data that was purposely
overwritten!). Its purpose is to describe the procedures and
limitations of good Data Recovery labs.
[*Secure
Deletion of Data from Magnetic and Solid-State Memory - Read at least sections
1 thru 3 and conclusion.] NOTE: Prof. Gutmann added an
Epilogue to his original paper (some time later) in which he commented
that people treated his research more as a kind of voodoo incantation
to banish evil spirits than the result of a technical analysis of drive encoding
techniques. ( Please read
his comments in full here. I think he probably shakes his head a bit every
time he sees the phrase 'the Gutmann method,' since most people never applied
his work correctly. ) In a reply to an e-mail we sent Prof. Gutmann about advances
in hard disk technology, he stated:
Not much has changed except that the older, easier-to-read formats are mostly dead and everyone is now using Extended PRML which is even harder to recover data from than PRML, as well as using smaller dimensions and assorted exotic new technologies, so the problem is slowly fixing itself.
[ February 01, 2002; quoted with Prof. Gutmann's permission. ]
We take this to mean even Prof. Gutmann reluctantly
stated the obvious about modern high density hard disks: You really don't need
to worry about anyone trying to use electron microscopy to find data from hard
disks you discard today! However, if you're the kind of person
who cherishes their paranoia(!), you can still find programs on the Net
such as:
Sami Tolvanen's Eraser which
overwrites files up to 35 full passes! Maybe if you especially hate a particular
file this could give you some sort of satisfaction too? But, in order to
completely overwrite a whole drive (Sami's program will not 'clean out'
your Virtual Memory Swap Files!), you need to use the "dban" diskette
that now comes with it! Eraser is mainly for eliminating certain files;
not for 'wiping' the whole disk. Since traces of what's been in a file (if not
the whole file) can often be found in download caches, SWAP files and other
cache locations as well, you need to make sure you know what you're doing; especially
if you're trying to erase an encrypted message full of company secrets! For
example: Did the 'plain text' of the message get left anywhere else on the drive?
Note: Perhaps you should encrypt all of your sensitive data on a disk
drive first, then 'wipe' the drive afterwards! Sounds like a good method to
me.
Personally, I'm not at all concerned about anything I 'zero-out' on a hard disk
ever being seen by someone else again. If you think that any local law enforcement
or government agency is going to attempt to find data on a drive with ALL zeros
by taking a very long time and spending more money than they can really afford
with no assurance whatsoever of finding anything(!), then you're living in a
dream world that's already beyond all the fictional elements in
TV shows like CSI
and other such scientific forensic evidence dramas. It's much easier
for criminals, terrorists and government agencies to obtain data about you using
many other means!
I remember one TV drama where a tech told a D.A.
that he couldn't find anything incriminating on a guy's HDD because he used
a scrubber to clean out all of his cache files, etc. Then the tech
added something like: If you gave me $50,000.00 to hire a lab with
an electron microscope and skilled technicians, maybe I could come up with a
few more words here or there in 6 months time. [We used to
say here: "that's a fairly real attitude of most organizations
that deal with evidence on HDDs," but now (2006) we think even that
statement has become fiction!] Do YOU as an average home user think you
need to take even more precautions than enemy spies? Do YOU really
need to worry about the CIA or a foreign government being interested enough
in YOUR hard drive to expend all the necessary resources in an ATTEMPT to find
only a tiny (if even that!) amount of its contents!? Get
real.
Floppy disks, though, are something that
ALL the experts agree on:
The data tracks are so wide and the drives so 'forgiving' that an overwritten
floppy could possibly be recovered using only a sophisticated software
program to adjust the placement of the heads and hunt for alternate data on
either side of the last overwrite. It takes so much TIME to adequately 'wipe'
a floppy (with MANY passes), that the easiest way to dispose of one with a number
of 'bad sectors' is to just crack it open and shred into tiny pieces
the flexible disk media that's inside ( it looks similar to the material used
for audio tape)!
Last Update: June 22, 2006.