Jump to content

Recommended Wiping tool/method for hdd


 Share

Recommended Posts

I'm looking for a fast (and efficient) method to wipe some hdd from within windows (8.1). I'm aware that it isn't the best option as i could use DBAN that would do a good job.

I tried the windows method :

- deleting partitions and mbr

- recreating a partition

- create a bitlocker volume and choose a full disk encryption

- let windows encrypt the full disk

- delete the partition

- check if something is recoverable and most files were recoverable.

So obviously MS bitlocker didn't do what it should have. So if someone know a reliable and fast method to do the job with preferably only windows tools, i would greatly appreciate.

Of course i did a search (google and also here) and found out that there are third party tools that could do the job but i would like to avoid those.

Edited by allen2
Link to comment
Share on other sites


Well, with all due respect :) *somehow* *something* wasn't done "properly" in your case.

And DBAN is not in itself the "best" solution.

The "right way" to wipe a disk is to use the (internal) ATA Secure Erase provisions (I am assuming these drives are either P-ATA or S-ATA).

Under Windows NT family of OS it is a bit more complicated, a hdparm:

https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
 

port may work, (or it may not depending on the driver used) see:
http://reboot.pro/topic/13601-software-to-wipe-a-systemdrive-from-windows/

But it makes really little sense to wipe a disk from such an OS, usually a boot disk of some kind is used, see also:
http://reboot.pro/topic/16812-best-disk-eraser-for-use-in-win7pe/

http://www.rmprepusb.com/tutorials/erase-your-hard-disk
 

You can try using Victoria (for Windows) , it should run fine in 8.x :unsure: and since it bypasses the internal OS driver can initiate a Secure Erase, but in any case - just like you did - you should check that it worked, some disk drives have Secure Erase poorly implemented.

Personally - short of Secure Erase - I would use a "plain" dd (or dsfo/dsfi).

jaclaz


 

Link to comment
Share on other sites

Thanks for your answer.

I suppose that the quick format before launching bitlocker encryption is the reason why it "failed" to properly erase the data but then why bitlocker is taking such a long time (took more than 6h for 3TB) ?

As i wanted to use a native tool i tried what was the nearest : sysinternals sdelete and it is still running.

I didn't want to reboot my computer (i don't have a test computer anymore) to wipe my drives (not the system ones) and the ATA secure erase need reboot as i understood.

I was looking for a native MS tool that would do the job. Perhaps format (without /q) will be enough but it will leave the at least the MBR. Also i supposed wrongly that security improved (as bitlocker was available natively) and that MS would have provided a proper way to wipe a hard drive. Also i supposed that if such tool existed it would be faster than other not native tools except ATA secure erase.

The reboot.pro thread is interesting but a litlle old and that why i had discarded it when i googled hdd wiping. But it seems nothing changed in the last 5 years.

Link to comment
Share on other sites

Yes, a format (without the /q) on OS later than Vista is more than enough as it will  00 out all sectors within the partition extents. :)

What remains outside is:
1) MBR and "hidden sectors" before the partition
2) spare/excess sectors after the partition
3) HPA (if any)

Unless you wear 24/7 a tinfoil hat :w00t: it is as secure as needed, the larger extension that Secure Erase covers is not *needed*in the real world, the advantage is that it is usually much faster than using the OS to wipe/format, particularly on large disks and with relatively slow bus this makes a noticeable difference.

jaclaz


 

Link to comment
Share on other sites

The Sdelete finished and failed to properly clean the drive and i think the reason is because that the files that i can still see/recover are outside the partition.

So i dropped the format method and i'm currently using dban from a vm within windows using passthrough access to the hard drive (not to the partition/volume). It should take 7h for the same 3TB drive.

Just to let you know, the dban method with a VM was successfull.

Edited by allen2
update
Link to comment
Share on other sites

Well if they (the files) were outside the target this also explains why bitlocker didn't work.

The target of bitlocker or sdelete (and also of format) is the volume (or partition if it is primary) i.e. the thing that gets a drive letter in windows.

The disk drive (whole thing or \\.\PhysicalDrive) contains partitions that contain volumes (\\.\LogicalDrive) to which filesystems are applied.

The volume is what gets a drive letter.

If you want to use the sdelete (or format) methods the areas to wipe need to be within the target, i.e. you first need to make a partition as big as you can then you run the tools, anything within the extents of the partition will be wiped or overwritten, anything outside it won't.

 7 hours for a 3Tb disk was not bad however, it mans that the disk bus (and overall the PC) is fastish.

jaclaz
 

Link to comment
Share on other sites

My elements of answer:

  • Writing 3TB even once takes time. At favourable 100MB/s, the absolute minimum is 8h. Anything shorter would not have overwritten the disk.
  • This is the time needed by the Ata command, which is the best choice because you know what it does. Accessible by the manufacturer's software, often a bootable Cd whose burnable image can be downloaded from the manufacturer's website.
  • Overwriting everything once is not a safe erase, depending on who might read your disks using what methods. "Safe" tends to imply half a dozen of overwrites - 8h each.
  • Files on SSD and Flash media are impossible to safely erase by the overwriting tools, because of their wear levelling algorithm. You must fill the medium with garbage - and do something for the folders.
Link to comment
Share on other sites

On 12/25/2016 at 10:55 PM, pointertovoid said:
  • Overwriting everything once is not a safe erase, depending on who might read your disks using what methods. "Safe" tends to imply half a dozen of overwrites - 8h each.

Please do not contribute to this unfounded myth, if something is overwritten once it stays overwritten and NOTHING can find what was there before.

Though no one ever recovered anything meaningful when at least the theory was valid, nowadays, in times of perpendicular recording, not even the theory stands. 

Making more than a single overwriting pass is only a good way to stress the device, even the Author of the most famous (and BTW most misinterpreted) paper on the subject has added some "Epilogues" (still written somewhat - I have to believe intentionally - ambiguously) :
https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Nowadays on hard disks nothing more that a single 00 pass is needed.

jaclaz


 

  • Upvote 1
Link to comment
Share on other sites

Thanks for the link to the paper!

I read quite the opposite conclusions in it. The paper states that the "Epilogue" section(s) are updated. There, I read:

  • "You never need to perform all 35 passes" [because you can target the specific writing method, so you can reduce the passes]. "For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do". [My emphasis]
  • In the Further Epilogue [my rewording]: other people didn't succeed reading data overwritten once. That's because they used the wrong technique.
  • In the Recommendations: "to delete individual files under Windows I use Eraser" [which is a multi-pass eraser], "To erase entire drives I use DBAN" [again a multi-pass eraser]

So unless I missed something, perpendicular recording didn't change the picture, and the author still recommends multipass erasure.

Link to comment
Share on other sites

12 hours ago, pointertovoid said:

So unless I missed something, perpendicular recording didn't change the picture, and the author still recommends multipass erasure.

Perpendicular recording completely changes the rules of the game.

Anyway from the paper (which was and is a theoretical paper and not - as half of the world read it a factual report):

Quote


Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don't see how MFM would even get a usable image, and then the use of EPRML will mean that even if you could magically transfer some sort of image into a file, the ability to decode that to recover the original data would be quite challenging.

Please consider additionally how in the 20 (twenty) years since the paper was published noone ever documented having successfully retrieved any meaningful info from a disk that has been wiped with a single pass of 00's.

Of course this may be the result of a conspiracy by three or more letter government agencies, but - as I said before - with older drives at least the theory was sound, with modern drives even the theory is invalid.

jaclaz

 

Link to comment
Share on other sites

Your quote is about using MFM, not about using any method. It stands that the author still recommends multi-pass erasure software.

"No attack published" isn't the perfect argument. In 1975 the chief of an embassy's encrypted transmissions invited me in his department and told me about knowing what someone types on the keyboard or reads on the screen through the unwanted radiations. The public heard about "Tempest" in 1995 more or less, and it had been operational meanwhile, since some people used it during their military service. So, yes, things exist that the public isn't aware of, even over decades.

Link to comment
Share on other sites

Well, the paper theorized 20 years ago that data recovery through MFM and/or STM was possible (and does not suggest in any way that other methods exists).

AGAIN that paper is ONLY theoretical, no documented experiments ever managed to retrieve any meaningful data with any means from any disk, if not - maybe - a single experiment that allegedly managed to recover some partial data at an excruciating slow rate from an extremely old and low density disk, JFYI:

http://www.forensicfocus.com/Forums/viewtopic/p=6581471/
 

BUT, let's put it in another way.

CERTAINLY a very restricted number of people with infinite time and infinite budget can do that and much more than that.

If you are paranoid, the ONLY way to make sure that noone is ever capable of reading your precious data is to destroy physically the media, break it in several pieces and mail these to random addresses (in China or elsewhere), JFYI:

http://www.forensicfocus.com/Forums/viewtopic/t=9682/
 

BUT, conversely those same people have no issues whatsoever in reading your mind WHILE you are writing or reading the data, so even destroying the media would be untimely.

We have some solutions for these problems also, still JFYI:
http://reboot.pro/topic/13177-an-improved-electromagnetical-shielding-device/ 
 

For all normal people one single 00 pass is enough, please :) DO NOT recommend to other people to stress their devices without any need, or accept the fact that every time you will post your "advice", if I see it, I will reply stating how it represents a baseless assumption that carries no connection whatsoever with reality, at least from the reality as perceived from all the published works on the matter.

jaclaz

Link to comment
Share on other sites

7 hours ago, jaclaz said:

For all normal people one single 00 pass is enough, please :) DO NOT recommend to other people to stress their devices without any need, or accept the fact that every time you will post your "advice", if I see it, I will reply stating how it represents a baseless assumption that carries no connection whatsoever with reality, at least from the reality as perceived from all the published works on the matter.

+1. BTW, the Great Zero Challenge has finished without anyone even claiming to be able to actually recovering any single-pass zeroed-out data, some seven years ago.

Link to comment
Share on other sites

47 minutes ago, dencorso said:

+1. BTW, the Great Zero Challenge has finished without anyone even claiming to be able to actually recovering any single-pass zeroed-out data, some seven years ago.

Yep :) but - on the other hand - you should take into account that in these long seven years new techniques may have been developed .... :whistle: and think about the big money these data recovery companies can make by keeping their abilities secret and selling the technology to noone ;).

There is simply no way to convince a believer, at the most we can try and cite what is documented, but of course the fact that something is not documented and is not reproducible doesn't mean that it doesn't exist or rather that it may exist.

Absence of evidence ...

https://en.wikipedia.org/wiki/Argument_from_ignorance#Absence_of_evidence
 

Now, for NO apparent reason, an excerpt from pressing the "Reionize Electrons" button here:

http://tinyurl.com/lgme3zu

Spoiler
Quote

Have you found your circuit?

Throughout history, humans have been interacting with the dreamscape via ultra-sentient particles. Reality has always been bursting with warriors whose souls are engulfed in rejuvenation. Humankind has nothing to lose.

Our conversations with other dreamers have led to a refining of ultra-ever-present consciousness. Who are we? Where on the great circuit will we be guided? We are in the midst of an enlightened redefining of awareness that will enable us to access the totality itself.


 

jaclaz


 


 


 

  • Upvote 1
Link to comment
Share on other sites

A single overwrite with zeroes is obviously enough against most attacks.

On the other hand, "someone" (which means a secret service or a defence agency) questioned me few years ago over several channels, one of them linked with the French secret services, exactly about how to make disposed magnetic hard disk impossible to read, so at least the interrogation is very real if not the possibility.

Also, people should tackle this potential risk depending on who the attacker can be, rather than depending on their own identity or activity. In 2017 you can't reasonably claim that secret services work against terrorists. This is not paranoia, it's thinking honestly within real life.

Since overwriting a disk several times is no significant stress - only a big time consumption - I do recommend a safe erase to all people supposing a read attempt by a secret service, just like Peter Gutmann still does in the misquoted paper.

----------

Mind reading machines have been around for at least 30 years, about as long as the imaging radars they probably use to map the brain's activity in real time from a very limited distance. But since one can protect himself against these machines with a tinfoil hat, it's still useful to make disks unreadable, indeed.

The study by MIT student is a bunch of nonsense produced by people too little skilled on electromagnetism. They even took argument of the propagation of a magnetic field at 200kHz to infer what should happen to an electromagnetic field at few GHz, the probable band of mind-reading devices. Nor is an attenuation a good argument when the goal is to prevent the acquisition of an image.

Interestingly, you can observe how some people tell "tinfoil hat" as a synonym for "whacko". This is a method to suggest that tinfoil hats don't work or address a wrong concern.

Better take a few plies of space blanket for you hat: it's more comfortable than aluminium foil and it resists corrosion.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.


×
×
  • Create New...