best hard drive format?
Remixx
January 24th, 2010, 05:54 PM
I'm looking to wipe a hard drive and pretty much get it back as close to factory default as possible, what's the best way of going about this?
Cudni
January 24th, 2010, 06:34 PM
dban is good
http://www.dban.org/
Remixx
January 24th, 2010, 06:37 PM
what's the best method to run though, just running 1 pass of zeros doesn't totally wipe it does it?
acuariano
January 24th, 2010, 06:40 PM
it has to be 3 passes, i think there is also a free version of killdisk.
also you have copywipe from terabyte.
then format and reinstall OS
Remixx
January 24th, 2010, 06:53 PM
the free kill disk only lets you do 1 pass, so would i be better off getting dban and running the 3 passes or just using kill disk and running 1 pass?
acuariano
January 24th, 2010, 07:02 PM
gotta be 3 passes, in this case dban or copywipe
remember to backup your important files first.
i think there is also heidi eraseweb..
Remixx
January 24th, 2010, 07:09 PM
im just gonna run dban 3 pass, so after this is run, the hard drive is pretty much factory default again?
Remixx
January 24th, 2010, 07:15 PM
sorry if these are stupid questions lol but i never did this before and wanna make sure im doing the right one, im loaded into DBAN right now and i see a few options under method, do i wanna choose the "DoD Short" method which says security level: medium (3 passes)?
Cudni
January 24th, 2010, 07:15 PM
1 is plenty for everything else use hammer
wtsinnc
January 24th, 2010, 07:24 PM
I've used lots of HDD wipe utilities and DBAN is my favorite, but if you are looking for something relatively fast and simple, the Maxtor HDD wipe utility is pretty good.
Just offers zero-fill, but it can be run from a cd and I use it that way whenever I want to wipe a drive quickly.
I'm told it can also be run from a USB flash drive but I haven't tried that.
Here's a download link:
http://hddguru.com/content/en/software/2006.04.13-HDD-Wipe-Tool/
Remixx
January 24th, 2010, 07:39 PM
I'm in dban right now on the pc i wanna format, and i have it set for
Method: DoD Short
Verify: Last Pass
Rounds: 1
does that all look right? and running this like this will totally wipe the drive like it's brand new?
wtsinnc
January 24th, 2010, 08:55 PM
Personally, I prefer a full pass with random characters; three passes, actually.
DBAN's Pseudo-Random Number Generator method (PRNG) with verify is what I would choose.
It takes more time than DOD short, but is more thorough.
Searching_ _ _
January 24th, 2010, 11:27 PM
Linux Live CD and hdparm using the secure erase feature.
http://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
It is equivalent to physical destruction, fixes bad sectors, re-allocated sectors (DBAN doesn't), wipes the HPA if present (DBAN doesn't), will wipe a standard HDD of 300GB in 88 minutes. :) DBAN 13+ hours. :(
Drive must be in primary slot, not usb.
chronomatic
January 25th, 2010, 10:13 AM
-{ Quote: "Linux Live CD and hdparm using the secure erase feature.
http://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
It is equivalent to physical destruction, fixes bad sectors, re-allocated sectors (DBAN doesn't), wipes the HPA if present (DBAN doesn't), will wipe a standard HDD of 300GB in 88 minutes. :) DBAN 13+ hours. :(
Drive must be in primary slot, not usb." }-
Yeah I agree with this ^^
Dban is nothing but a Linux liveCD, so you can do the same thing with any Linux LiveCD if you know the commands. I believe DBan just uses the "dd" command for wiping.
I think you should use the secure erase function built into all modern HD's for faster wiping. You can do that with any Linux LiveCD using the "hdparm" command as outlined in the link Searching posted above.
acuariano
January 25th, 2010, 11:42 AM
at the end of the page posted by Searching there is a link as an alternative method, and is for HDDErase
does it work the same?..in your opinion.
caspian
January 25th, 2010, 09:07 PM
Why not just use something like Eraser or R-Wipe?
caspian
January 25th, 2010, 09:09 PM
-{ Quote: "what's the best method to run though, just running 1 pass of zeros doesn't totally wipe it does it?" }-
I thought there was a general consensus here that there was no evidence that anything could be recovered after just one pass.
mesa0k01
January 27th, 2010, 03:23 AM
-{ Quote: "1 is plenty for everything else use hammer" }-
One is plenty. Using a hammer won't help. Spin stand microscopy in addition to other forensic techniques can pull data off even highly damaged platters.
Searching_ _ _
January 28th, 2010, 04:53 AM
-{ Quote: "Why not just use something like Eraser or R-Wipe?" }-
Wiping programs vary in their ability to accomplish a complete 100% erasing of data on a HDD.
Using Linux livecd and hdparm and the hot replugging method works well for a BIOS frozen situation.
@acuariano
HDDErase accesses the secure erase function also. HDDErase is the child of the creators of the secure erase standard.
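
As an added illustration (not part of the thread, and not code from hdparm or CMRR): a read-only pre-check that parses the Security section of `hdparm -I` output to tell whether a drive will accept ATA Secure Erase, including the BIOS-frozen state mentioned above. The function names and the sample output are constructed for this example; nothing here issues an erase.

```shell
#!/bin/sh
# Read-only pre-check for ATA Secure Erase.
# Parses `hdparm -I` text on stdin; it never sends an erase command.

# Print one state: unsupported | frozen | locked | password-set | ready
se_precheck() {
  awk '
    /^Security:/       { insec = 1; next }   # start of the Security section
    insec && /^[^ \t]/ { insec = 0 }         # next unindented heading ends it
    insec {
      # Flag lines read "<flag>" or "not <flag>" after the indentation.
      neg = ($1 == "not"); key = neg ? $2 : $1
      if (key == "supported" || key == "enabled" || key == "locked" || key == "frozen")
        flag[key] = neg ? "no" : "yes"
    }
    END {
      if (flag["supported"] != "yes")    print "unsupported"
      else if (flag["frozen"] == "yes")  print "frozen"
      else if (flag["locked"] == "yes")  print "locked"
      else if (flag["enabled"] == "yes") print "password-set"
      else                               print "ready"
    }'
}

# Print the drive's own estimate, in minutes, for a normal SECURITY ERASE UNIT.
se_erase_minutes() {
  awk '/for SECURITY ERASE UNIT/ {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^[0-9]+min$/) { print $i + 0; exit }
       }'
}

# Map a state to the next step discussed in the thread.
se_advice() {
  case "$1" in
    unsupported)  echo "no Security section: attach the drive directly (not via USB) and re-check" ;;
    frozen)       echo "frozen by the BIOS: hot-replug the drive, then re-check" ;;
    locked)       echo "locked: unlock with the existing password first" ;;
    password-set) echo "a security password is already set: use it for the erase" ;;
    ready)        echo "drive will accept a security password and Secure Erase" ;;
  esac
}

# Constructed sample of `hdparm -I` output (real output indents with tabs;
# the parser accepts tabs or spaces). Frozen drive, 88-minute estimate.
sample_frozen() { cat <<'EOF'
ATA device, with non-removable media
        Model Number:       EXAMPLE HDD 300G (constructed)
Security: 
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        88min for SECURITY ERASE UNIT. 88min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
EOF
}

# Same constructed drive after the frozen state has been cleared.
sample_ready() {
  sample_frozen | sed 's/^[[:space:]]*frozen[[:space:]]*$/        not     frozen/'
}

# With a device argument, check the real drive; otherwise show the samples.
if [ -n "$1" ]; then
  info=$(hdparm -I "$1") || exit 1
  state=$(printf '%s\n' "$info" | se_precheck)
  echo "$1: $state ($(se_advice "$state"))"
  echo "estimated erase time: $(printf '%s\n' "$info" | se_erase_minutes) min"
else
  for s in sample_frozen sample_ready; do
    state=$($s | se_precheck)
    echo "$s: $state ($(se_advice "$state"))"
  done
fi
```

Run it with a device path (as root, from the live CD) to check a real drive, or with no argument to see the two constructed cases.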
guest
January 29th, 2010, 12:01 AM
It is the first time I hear about the ATA Secure Erase command...
So, basically, the only things it could give you that a normal disk wiping utility doesn't are the destruction of bad sectors as well as the destruction of a HPA (if present, but it can be done with other things, not only the ATA command)
So... If you run a normal software (I normally use the Acronis true image cd that can be used as a boot cd... there is a disk wiping utility on it) to wipe your drive... Only with a single pass write of zeros, you are now with the same result as that secure erase command, with the exception of the HPA and bad sectors...
I get it for the HPA... but the bad sectors?... I mean... They are already bad, so harder to read... They are 512 bytes each... and they are not all from the same area...
So, I mean... random 512 bytes chunks from your disk... you won't be able to find really helpful info in there... unless you are REALLY unlucky and it happened to be the sector used to store your credit card number or something... But even there...
And you sure won't recover any document, picture or anything else...
But I may be missing something there...
Searching_ _ _
January 29th, 2010, 01:38 AM
-{ Quote: "It is the first time I hear about the ATA Secure Erase command..." }-
It is a hardware based wiping utility making it more secure than a software based utility like DBAN.
-{ Quote: "So, basically, the only things it could give you that a normal disk wiping utility doesn't are the destruction of bad sectors as well as the destruction of a HPA (if present, but it can be done with other things, not only the ATA command)" }-
Criteria I used to sort wiping programs.
1. Length of time to complete a wipe.
2. Does it overwrite the data.
3. Does it overwrite data everywhere that data can be stored on a HDD.
-{ Quote: "Only with a single pass write of zeros, you are now with the same result as that secure erase command, with the exception of the HPA and bad sectors..." }-
Then it's not the same.
"I got the same shoes but different" ???
-{ Quote: "I get it for the HPA... but the bad sectors?... I mean... They are already bad, so harder to read... They are 512 bytes each... and they are not all from the same area..." }-
I think there is malware that can create bad sectors with its data, which is then restored by Windows Checkdisk feature. This was used to survive rollback softwares like Ayrecovery I believe.
guest
January 29th, 2010, 11:19 AM
A bad sector happens when the drive isn't able to read back or write to a sector... Then the sector will be marked as bad in the g-list and a new one from the spare pool will take its place.
Once it's done, it's done...
How could chkdsk read them back and execute malware???
It would mean that chkdsk reads back bad sectors ??? which is like... not a good idea! And more than this, it also means that windows will execute the code found in bad sectors?!???
And how could the virus create bad sectors?...
pinso
January 30th, 2010, 12:34 AM
I tried LLF once in my Seagate 30 GB Disk, i tried KillDisc, MHDD, HDD Wipe tool, and i was not pleased by them. I noticed HDD responded little slowly, after LLF.
My Hard Disc never responded the way it used to. Thankfully for Seagate HDD there was a Seatool Utility for LLF.
Although DBAN, Maxtor utility are good too. Most of all always have a Hiren Boot CD. It has a list of Utility for Writing 0's, performs format, etc etc etc.
So far I've saved two HardDisc with Hiren Boot CD. ;D :thumb:
-{ Quote: "Dont mind my writing ::) " }-
Searching_ _ _
January 30th, 2010, 04:35 AM
-{ Quote: "And how could the virus create bad sectors?..." }-
Here is some info for bad sector generators by malware.
-{ Quote: "Data Hiding Techniques
* NTFS Streams
* Extra Sectors
* Bad Sectors
* Last Sector
* Hidden Partitions
...
Bad Sectors
The original application of this technique saves the original boot sector of a disk to an alternate location, and then marks the sector (the archived boot sector) as BAD. From Section 4.1.2.3, Boot Viruses That Mark Sectors as BAD of Szor's work:
... save the original sector, or additional parts of the virus body, in an unused cluster marked as BAD in the DOS FAT. An example of this kind of virus is the rather dangerous Disk Killer, written in April 1989. [22]
...
Hidden Partition
Modern Enterprise servers allow the administrator to bootstrap the installation of an Operating System using utilities. These utilities are provided by companies such as HP, Compaq and Dell. For Compaq, the program is a bootable CD named the System Configuration Utility (SCU). The configuration utility creates a hidden partition named the System Partition. The System Partition is a special area of the fixed disk which can contain items such as configuration information, diagnostics and other utilities.
The utility partitions create another area where one may hide data. Taking from 3.22, Multipartite Viruses, "Junkie can infect COM files on the hidden partitions that some computer manufacturers use to hide data and extra code..."." }-
Protection Schemes Based on Virus Survival Techniques (http://www.codeproject.com/KB/cpp/VirusProtect.aspx)
acuariano
January 30th, 2010, 07:37 AM
Searching, one question: have you ever tried other programs like wipedrive, killdisk, acronis drive cleanser, bc total wipeout... and what do you think of them
guest
January 31st, 2010, 06:43 PM
Pinso: I think there is a little terminology problem here...
You say you do Low Level Formats on the drives...
Here is a good article on the subject :
http://en.wikipedia.org/wiki/Disk_formatting#Low-level_formatting_.28LLF.29_of_hard_disks
This is low level format... where you write back new servo data for the drive to locate the sectors...
It's just impossible to do on a modern drive!
What most people mean by low level format now is simply writing 0 on all the sectors... It's just an error to call that a low level format...
About the data hiding techniques... you could mark some sectors as bad I guess... as well as do hidden partitions... or change the mbr...
But nothing will survive simple 0s written on every sector....
Maybe the sectors marked as bad! But as written in your article, it was used on a 1989 virus! In that time, the operating system could keep a list of bad sectors...it is just not done anymore! ( edit: yeah, they were marked as bad in the FAT filesystem... not in the hard drive itself... there is no real way to do that... maybe if you take control of the hard drive firmware itself... but... I don't think that's something we will see anytime soon... )
But in any case, if you reinstall the operating system... even if some code is on bad sectors (and I don't think it will happen...)... there is NO WAY it will be executed....
Searching_ _ _
February 1st, 2010, 02:53 AM
-{ Quote: "But nothing will survive simple 0s written on every sector...." }-
Wiping programs, minus secure erase, do not wipe bad sectors.
DBAN does not wipe bad sectors,
Heidi Eraser does not wipe bad sectors,
Copywipe does not wipe bad sectors,
Active @ Killdisk does not wipe bad sectors,
dd does not wipe bad sectors,
shred does not wipe bad sectors.
(@ acuariano I have used all of the above plus more. I am not a fan of anything Acronis.)
Secure Erase does wipe bad sectors.
BCWipe is the only program in addition to Secure Erase that wipes HPA and DCO's (hidden partitions).
-{ Quote: "But in any case, if you reinstall the operating system... even if some code is on bad sectors (and I don't think it will happen...)... there is NO WAY it will be executed...." }-
If you have any links supporting this I will read them.
acuariano
February 1st, 2010, 06:54 AM
Searching, first of all thanks for sharing your knowledge,
so Secure Erase is the same alternative you told us about in another thread,
the one with live cd and using command prompt i think...
---did you read this about bcwipe total wipeout http://www.jetico.com/wiping-bcwipe-total-wipe-out/
•BCWipe Total WipeOut recognizes and can wipe Host Protected Area (HPA) on hard drives.
•BCWipe Total WipeOut can identify the number of sectors hidden by the Device Configuration Overlay (DCO) function (present since ATA-6 standard) and can wipe the DCO hidden sectors.
and what do you think of it?
ex_ployt_ed
February 1st, 2010, 11:46 AM
-{ Quote: "gotta be 3 passes," }-
What do you base that assertion upon?
-{ Quote: "i think there is also heidi eraseweb.." }-
Last I checked, Heidi’s Eraser was for individual files and folders or unused disk space- not for whole-disc wipes. (Though it did come with DBAN for the latter)
-{ Quote: "Drive must be in primary slot, not usb." }-
What are the options for an external USB drive, then?
What about a USB Flash drive?
-{ Quote: "Yeah I agree with this ^^
Dban is nothing but a Linux liveCD, " }-
DBAN uses the Linux kernel, yes.
But contrast a simple utility such as DBAN to even the most minimal so-called 'Linux’ distro that is an actual operating system and it would seem that if the former can properly be called simply ‘Linux’, then the latter cannot. (Hence, ‘GNU/Linux’ or GNU+Linux)
-{ Quote: "I think you should use the secure erase function built into all modern HD's for faster wiping. " }-
Is it all drives manufactured since 2001?
Are there any options for older drives (besides total physical destruction)?
-{ Quote: "Wiping programs, minus secure erase, do not wipe bad sectors." }-
What about the Maxtor utility that was mentioned? (didn't see it in your list)
-{ Quote: " I have used all of the above plus more. I am not a fan of anything Acronis." }-
I was surprised to discover that the (free!) Paragon Backup & Restore appears to be at least as good as Acronis True Image. EASEUS Todo Backup (also free) appears rather impressive, esp. for its much smaller size (around 30-40 MB). Seems its major lack is the ability to make incremental back-ups.
-{ Quote: "BCWipe is the only program in addition to Secure Erase that wipes HPA and DCO's (hidden partitions)." }-
What about bad sectors?
-{ Quote: "Wiping programs vary in their ability to accomplish a complete 100% erasing of data on a HDD." }-
That is my understanding as well; that anything software-based has certain limitations.
I have read that a good software wiping utility such as DBAN can reliably protect against a keyboard attack but not a laboratory attack.
I wonder:
a.) Can any software-based wiping utility be 100% reliable against even a keyboard attack?
and
b.) What are the approximate odds of successful data recovery from a laboratory attack on a drive that had been wiped with such a software utility?
Any sources would be most appreciated.
-{ Quote: "One is plenty." }-
Not that I’m disputing this but would you have a source? (I also read that one pass is at least almost-always sufficient but don’t recall the source now)
-{ Quote: "Using a hammer won't help." }-
Can’t be relied-upon or isn’t foolproof, okay but to say “won’t help” seems an exaggeration- see below.
-{ Quote: "Spin stand microscopy in addition to other forensic techniques can pull data off even highly damaged platters." }-
But how many people have access to such techniques?
Furthermore, wouldn’t the odds of recovering any significant data from a drive that had first been wiped (even by a software utility) and then smashed with a hammer be extremely low?
(Also, if smashing a drive, be sure to take precautions against inhaling particles. Likewise for toxic fumes when burning or otherwise subjecting any media to high heat. And please remember that just about all computer components contain toxic compounds and cannot be safely disposed of in land fills or rubbish incinerators but must be properly recycled. )
Finally, regarding DBAN, please note the following from the DBAN site:
-{ Quote: "Does DBAN conform to my favorite certification or fulfill my local regulatory requirements?
(HIPAA, NIST, Sarbanes-Oxley, PIPEDA?)
We will not issue a statement of conformity for DBAN because it would be construed as a warranty or promise.
If, however, you find a deviation or can suggest some way to improve the conformity of DBAN, then the software will be enhanced appropriately. Contact support or open a bug ticket." }-
guest
February 1st, 2010, 12:22 PM
-{ Quote: "
If you have any links supporting this I will read them." }-
Just think about it...
The sector is marked as bad...
In the case of the 1989 virus that was talked about before, they are bad sectors marked in the FAT file system... if you do a simple format, without even wiping the drive, the sectors won't be marked as bad anymore... and even if the code is still there, unless you ask the system, the code won't be executed.
Now, if but only IF it was possible for a virus to store itself in bad sectors on the drive itself (in the p-list), well, they would be invisible to the system... IMPOSSIBLE to read back... unless you somewhat modify the circuit board on the drive OR you change the drive firmware... but even if you do, you still have to ASK the system to execute this code... it could happen if you are infected back with the same malware... but if you are, it's not because of the bad sectors on the drive...
I have no links, only some computing knowledge and a few hours reading technical documents about hard drive technology.
I could say the same... point me to some links that say that (and explain how) and I will believe it
But, for malware protection (and not data destruction), a SIMPLE format.... without data wiping is enough if you make sure the mbr is erased too...
This way, even if malware is stored on a HPA of the drive, it will never be executed back.
It's not a good job, the malware is still there, but will never be executed and will be invisible to the operating system. I do like to wipe the whole drive by writing zeros everywhere, but even if you don't, the malware won't be executed.
For complete data destruction, yes, it's a good idea to do the ATA Secure Erase command. It's simple and it is even better than everything else.
And for the multiple wiping passes... One is enough...
YES, it could be POSSIBLE to get some data back... With days of work and a million dollars worth of equipment it could be possible... But if you have such private data on the drive, and you think that someone will try to get your data back at all costs, just open the drive, destroy it and put it in the garbage.
Alex
hierophant
February 2nd, 2010, 07:46 AM
This may be a good place to post a sad story, and perchance get some useful suggestions. Some months ago, I started playing with approaches to inexpensive SATA-based mass storage. The players: five 500GB SATAs (three WD, and two Seagate) and five 1TB WD RE3 SATAs.
My first experiment was attaching them to an old LSI SCSI MegaRAID card using cheap SATA-SCSI interface cards. That failed abysmally; although I did manage to create some RAID arrays, I couldn't modify them. After this failure, I checked all of the drives in normal SATA channels, and they seemed fine.
My next experiment was using an inexpensive SATA RAID PCIe4 HBA and two 1-to-5 SATA port multipliers. At first, I could see all the drives, but intermittently, and just as JBOD, with no RAID capability. Then I realized that the HBA hadn't been flashed with the (compatible, supposedly) RAID firmware. And so I did that (unfortunately, perhaps, while the disk array was connected).
After that, all ten drives are stone cold dead. None of them show up on any SATA channel I've tried, even with diagnostic software from WD and Seagate.
I'd appreciate insight into what I've done, and how it might be fixed. I'm too honorable to just return them, because I'm clearly responsible.
Searching_ _ _
February 2nd, 2010, 04:58 PM
-{ Quote: "The sector is marked as bad...
In the case of the 1989 virus that was talked about before, they are bad sectors marked in the FAT file system... if you do a simple format, without even wiping the drive, the sectors won't be marked as bad anymore... and even if the code is still there, unless you ask the system, the code won't be executed.
" }-
Bad sector marking is an internal process of the hard drive.
Bad sector data can be recovered by Chkdsk because S.M.A.R.T. saves the data to a new location.
-{ Quote: "guest is confused because verifying the disk surface with software (for example by using Windows Scandisk) does not report any problems or bad sectors.
S.M.A.R.T. is constantly analysing the disk surface during normal operations. If it finds a problematic area (one or more sectors where the data is hard to read or write), it tries to read the data and copy it to the spare area. The original location is then (internally) marked as bad and all further read/write operations pointing to the original location is then redirected to the spare area." }-
http://www.hdsentinel.com/smart/index.php
-{ Quote: "What are the options for an external USB drive, then?" }-
Remove it from its enclosure and plug it into a primary SATA port or primary IDE port for secure erase to work, according to CMRR.
-{ Quote: "What about the Maxtor utility that was mentioned? (didn't see it in your list) " }-
Covered under the statement "plus more".
The Maxtor wiping program appears to be no more than a block wiping program.
-{ Quote: "few hours reading technical documents about hard drive technology." }-
I would be interested in reading these. Can you supply the names of the documents so that I too can understand?
a SIMPLE format is not enough.
MBR virus trojans use this technique today, surviving in bad sectors.
Also:
-{ Quote: "Chkdsk inspects the physical structure of a disk to make sure that it is healthy. It can repair problems related to bad sectors, lost clusters, cross-linked files, and directory errors.
...
the option "Scan and attempt recovery of bad sectors"
...
Chkdsk [/R] Locates bad sectors and recovers readable information." }-
http://vlaurie.com/computers2/Articles/chkdsk.htm
LockBox
February 2nd, 2010, 06:35 PM
-{ Quote: "
MBR virus trojans use this technique today, surviving in bad sectors." }-
Could you please point me to a whitepaper, a magazine article, anything that shows that the above is possible, in the wild, and is even a realistic scenario?
trismegistos
February 2nd, 2010, 09:50 PM
-{ Quote: "SIMPLE format is not enough. MBR virus trojans use this technique today, surviving in bad sectors." }-
I have tested 3 samples of killdisk MBR virii. A simple rewrite of the partition table and no more MBR virii. I don't even have any lowlevel formatting software at that time only a partition software to delete all partitions then an installation of LINUX. Then I was able to restore back to my clean image as if nothing happened.
guest
February 3rd, 2010, 07:55 PM
So...
Bad sectors marking is internal to the drive, you are right.
BUT, in the case of the virus you talked about before, the sectors are marked as bad in the FAT filesystem
A virus has no way to store itself in a real, internal to the drive, bad sector.
And you seem to forget that in order to do bad things, a virus MUST be executed!
When the drive finds a bad sector, it will change it for a spare one. It is invisible to the system!
I would love to know HOW a virus could be stored in bad sectors AND be executed... Please explain it to me...
caspian
February 4th, 2010, 01:56 PM
-{ Quote: "
Secure Erase does wipe bad sectors.
BCWipe is the only program in addition to Secure Erase that wipes HPA and DCO's (hidden partitions).
." }-
Do these programs wipe bad sectors by default without having to do anything?
caspian
February 4th, 2010, 02:14 PM
I read that Bruce Schneier uses BCwipe. Is that a good enough utility to use?
I have an HP and I do not want to destroy all of the software that comes with it. I assume that dban will do just that.
acuariano
February 4th, 2010, 02:16 PM
i have the same question... bcwipe looks good.. but we need to hear from people who use it.. also how to verify when the job was done properly.
guest
February 4th, 2010, 09:29 PM
Nothing but the ATA Secure Erase command will erase old bad sectors
For the HP programs, there is REALLY NO NEED for dban or anything like it... just reinstall the operating system... that will do it as well as anything else...
The wiping programs are good for one thing: erase private data so that nobody can read it back...
For viruses and computer cleanup, a simple format is enough if you also erase the MBR.
Some traces CAN be left on the disk (like in a HPA), but there is no risks for the code to be executed back.
aigle
February 5th, 2010, 01:51 AM
How can a bad sector be wiped? A bad sector is an area that is physically damaged and no software can restore it, it can only be re-allocated. It's my understanding.
caspian
February 11th, 2010, 08:53 AM
-{ Quote: "
For the HP programs, there is REALLY NO NEED for dban or anything like it... just reinstall the operating system... that will do it as well as anything else...
The wiping programs are good for one thing: erase private data so that nobody can read it back...
For viruses and computer cleanup, a simple format is enough if you also erase the MBR.
Some traces CAN be left on the disk (like in a HPA), but there is no risks for the code to be executed back." }-
So if I run BCwipe or something like that and reformat that should be good enough? That is great! I love the way HP has their reinstallation set up with a built in destructive recovery.
Pleonasm
February 11th, 2010, 09:18 AM
-{ Quote: "But, for malware protection (and not data destruction), a SIMPLE format.... without data wiping is enough if you make sure the MBR is erased too...
This way, even if malware is stored on a HPA of the drive, it will never be executed back." }-
However, note that there exists the potential of malware residing in the BIOS, which would be impervious to a hard disk format or wipe operation (see Researchers demo BIOS attack that survives hard-disk wipe (http://blogs.zdnet.com/security/?p=2962&tag=col1;post-3828)).
caspian
February 11th, 2010, 05:05 PM
What is a BIOS?
-{ Quote: "“You can remove the hard drive, trash it, and even reinstall the operating system,” Sacco said. “This will still reinstall the rootkit.”" }-
So it is not on the hard drive?
Pleonasm
February 12th, 2010, 08:54 AM
-{ Quote: "What is a BIOS?" }-
Please see: BIOS (http://en.wikipedia.org/wiki/BIOS).
-{ Quote: "So it is not on the hard drive?" }-
Correct. This class of malware has the potential to reinstall itself from the BIOS onto any new (or newly formatted/wiped) hard disk drive.
acuariano
February 12th, 2010, 09:57 AM
and is there any solution for it?..like reflashing bios..? hope.
guest
February 12th, 2010, 01:05 PM
-{ Quote: "So if I run BCwipe or something like that and reformat that should be good enough? That is great! I love the way HP has their reinstallation set up with a built in destructive recovery." }-
You don't even need to care about BCwipe. Just use a windows dvd and reinstall the system. Everything will be gone! BCWipe, DBAN and everything like this is only good to wipe the drive in the case you want to give it to someone else that might attempt to get some private information back!
guest
February 12th, 2010, 01:10 PM
For the BIOS virus, this is possible, yes.
However, in most cases, I guess they would be using a HPA or something similar because there is not enough place in the bios to store a complete virus code.
If there is enough place, well it can be possible.
But it is really hard to do and honestly, I have never heard of such a virus yet. Of all the computers with viruses I have seen (and I see more than one everyday), I never saw or heard about a case of bios virus.
So the risks are close to zero.
Alex
ex_ployt_ed
February 15th, 2010, 02:01 AM
subject-line is not a complaint against this forum but rather an expression of general frustration at the difficulty in finding what one would think should be pretty basic information
(I had asked what the options were for an external USB drive.)
-{ Quote: " Remove it from its enclosure and plug it into a primary SATA port or primary IDE port for secure erase to work, according to CMRR." }-
Thanks.
I would still like to know about flash drives:
-How secure is simply wiping free space on them?
- Are there any other options for flash media?
-{ Quote: "The Maxtor wiping program appears to be no more than a block wiping program.
" }-
I figured that was most likely the case but wanted to make certain.
-{ Quote: "I have an HP and I do not want to destroy all of the software that comes with it. I assume that dban will do just that." }-
Any complete disk wipe will; if you want to preserve data on a drive, the only wipe you can do is of free (unused) space only
-{ Quote: "So if I run BCwipe or something like that and reformat that should be good enough?" }-
It's not clear just what you want to do. Whenever you reformat, you will have to reinstall everything. If you're prepared to do that anyway, then why would you be concerned about wiping all of the data beyond recovery?
In any event, you should always make regular images of your system, as restoring from an image is much easier and quicker than reinstalling an OS and all of your programs from scratch, updating all of them, setting all of your preferences...
Acronis True Image has been the most popular imaging program for several years now, a claim previously held by Norton Ghost.
But you might want to try one of the two free* alternatives I mentioned earlier in this thread:
Paragon Backup & Recovery (http://www.paragon-software.com/home/db-express/) (which some actually find better than Acronis TI) and EASEUS Todo Backup (http://www.todo-backup.com/download/)
(*free-of-charge; not necessarily free in the FSF (http://www.fsf.org/) sense of the word.)
-{ Quote: "and is there any solution for it?..like reflashing bios..?" }-
From the blog entry linked above in this thread (http://blogs.zdnet.com/security/?p=2962&tag=col1;post-3828):
-{ Quote: "infecting the BIOS with persistent code that will survive reboots and reflashing attempts." }-
........
Regarding BC Wipe:
1.) I had a look at the site and did not see any third-party certifications or endorsements.
2.) How would it be possible for BC Wipe to get around the limitations that all other software utilities apparently have? Is it not, after all, a software utility?
3.) Looks like one has to be running Windows in order to create the bootable BCWipe disk that uses the Linux kernel.
Okay, I suppose the average GNU/Linux user wouldn't have too much of a problem activating the ATA Secure Erase mechanism via hdparm commands (as referenced earlier in this thread) but the BIOS lock can be a real problem...
_________
Finally, I still would welcome any information on the following questions that I had raised earlier.
1.) Can any software-based wiping utility be 100% reliable against even a keyboard attack? (much less, a laboratory attack)
2.) What are the approximate odds of successful data recovery from a laboratory attack on a drive that had been properly wiped by a software utility?
caspian
February 15th, 2010, 10:02 AM
-{ Quote: "You don't even need to care about BCWipe. Just use a Windows DVD and reinstall the system. Everything will be gone! BCWipe, DBAN and everything like this is only good to wipe the drive in the case you want to give it to someone else that might attempt to get some private information back!" }-
Thanks for explaining that. Much appreciated.
caspian
February 15th, 2010, 10:03 AM
-{ Quote: "Please see: BIOS (http://en.wikipedia.org/wiki/BIOS).
Correct. This class of malware has the potential to reinstall itself from the BIOS onto any new (or newly formatted/wiped) hard disk drive." }-
Thanks for that.
caspian
February 15th, 2010, 10:12 AM
-{ Quote: "It's not clear just what you want to do. Whenever you reformat, you will have to reinstall everything. If you're prepared to do that anyway, then why would you be concerned about wiping all of the data beyond recovery?" }-
I had read somewhere that even a reformat does not get rid of personal information on a hard drive.....that it could still be recovered. But I guess that was incorrect.
-{ Quote: "
In any event, you should always make regular images of your system, as restoring from an image is much easier and quicker than reinstalling an OS and all of your programs from scratch, updating all of them, setting all of your preferences...
Acronis True Image has been the most popular imaging program for several years now, a claim previously held by Norton Ghost.
But you might want to try one of the two free* alternatives I mentioned earlier in this thread:
Paragon Backup & Recovery (http://www.paragon-software.com/home/db-express/) (which some actually find better than Acronis TI) and EASEUS Todo Backup (http://www.todo-backup.com/download/)
(*free-of-charge; not necessarily free in the FSF (http://www.fsf.org/) sense of the word.)
From the blog entry linked above in this thread (http://blogs.zdnet.com/security/?p=2962&tag=col1;post-3828):
." }-
I will look into that. That sounds pretty amazing. Thanks.
Pleonasm
February 15th, 2010, 10:39 AM
-{ Quote: "What are the approximate odds of successful data recovery from a laboratory attack on a drive that had been properly wiped by a software utility?" }-
About two years ago, I asked this same question of a technical support representative of Ontrack (http://www.ontrackdatarecovery.com/index.aspx), a leading data recovery provider, and was told that if the data was actually overwritten, then their company had no mechanism to recover it.
Pleonasm
February 15th, 2010, 10:43 AM
-{ Quote: "I had read somewhere that even a reformat does not get rid of personal information on a hard drive" }-
Correct -- a basic format operation does not overwrite the contents of the majority of disk clusters, and thus does not actually destroy the information contained in those clusters.
Pleonasm
February 15th, 2010, 10:49 AM
-{ Quote: "Acronis True Image has been the most popular imaging program for several years now" }-
How do you know this to be true?
P.S.: Interested readers may wish to also look at ShadowProtect Desktop (http://www.storagecraft.com/shadow_protect_desktop.php), which is the PC Magazine Editor’s Choice (see here (http://www.pcmag.com/article2/0,2817,2254465,00.asp)).
hierophant
February 15th, 2010, 12:18 PM
I've been using ShadowProtect for several months, and love it. One can mount drive images as virtual drives -- read-only or read/write. For example, one could remove malware from a copy of an image before restoring. Hardware-independent restore, even to VMs, is also supposedly doable. I haven't done that yet.
caspian
February 15th, 2010, 02:28 PM
Would there be any problems, that you know of, in using ShadowProtect with Returnil installed?
Pleonasm
February 15th, 2010, 02:38 PM
-{ Quote: "Would there be any problems, that you know of, in using ShadowProtect with Returnil installed?" }-
I do not use Returnil, so I can’t say for sure -- but, I do use VMware Workstation 7 and have noticed no conflicts with ShadowProtect Desktop. You might want to post your question on the ShadowProtect forum (http://forum.storagecraft.com/Community/forums).
ex_ployt_ed
February 17th, 2010, 10:08 PM
...should not be done to a drive with data on it that you want to keep.
-{ Quote: "I had read somewhere that even a reformat does not get rid of personal information on a hard drive.....that it could still be recovered." }-
That is correct.
-{ Quote: "But I guess that was incorrect." }-
We're obviously misunderstanding each other.
Data can, in fact, usually be recovered from a drive that has merely been reformatted (as opposed to 'wiped' or, more properly stated, overwritten.)
I never meant to imply otherwise.
But if someone has a drive with data they want to preserve on it, they would not reformat that drive (intentionally, at least) without first making sure that said data had been properly backed-up. (that is, transferred to other media)
Otherwise, what would be the point of reformatting, only to have to go to the trouble of trying to recover data afterward (with no guarantee of complete success)?
That is where you had me lost; you had written of being interested in wiping and reformatting while at the same time stating that you wanted to keep certain data on the drive (i.e., programs that came with your computer).
0peratorX
February 17th, 2010, 10:18 PM
Actually, a drive that has been formatted without re-writing can have data recovered after one pass. Some people (NSA) may be able to recover after as many as three passes (on NTFS at least).
Unless the drive has been written to in a ~random fashion...
I like this utility:
Roadkil's Disk Wipe (http://roadkil.net/program.php?ProgramID=14)
This utility can be used in UBCD4Win (and may be included in the standard distro, but I didn't check.)
HTH
LockBox
February 17th, 2010, 10:38 PM
0peratorX: Have you ever heard of a file recovery after a single wipe? Have you ever seen - or even heard of (in the real world) - an electron microscope actually being used for the purposes of retrieving data from a hard drive?
I rest my case. If the NSA is after you, it's not the "On paper, it looks-like-it-might-work-for-data-recovery" electron microscope that's going to get you.
0peratorX
February 17th, 2010, 10:48 PM
-{ Quote: "0peratorX: Have you ever heard of a file recovery after a single wipe? Have you ever seen - or even heard of (in the real world) - an electron microscope actually being used for the purposes of retrieving data from a hard drive?
I rest my case. If the NSA is after you, it's not the "On paper, it looks-like-it-might-work-for-data-recovery" electron microscope that's going to get you." }-
I have done recovery after a single wipe. :)
And, I was actually thinking of the method with an oscilloscope / microscope and using gamma function deltas to find the original file system configuration before wiping (well beyond the scope of my abilities - pardon the pun ;) )
Also, I do not fear the NSA, for I have nothing that would be of interest to them. Actually, I wish they would visit (so that I could implore them for an apprenticeship!)
LockBox
February 17th, 2010, 11:02 PM
-{ Quote: "I have done recovery after a single wipe. :) " }-
Actually recovered the file and used it? Not just see a name and pull up a seriously corrupted piece of nothing? If so, how did you do it? If you do a little research (which I'm sure you've done), you would know it hasn't ever been documented. Not once. 0peratorX - ever seen this before?
0peratorX
February 17th, 2010, 11:14 PM
-{ Quote: "Actually recovered the file and used it? Not just see a name and pull up a seriously corrupted piece of nothing? If so, how did you do it? If you do a little research (which I'm sure you've done), you would know it hasn't ever been documented. Not once. 0peratorX - ever seen this before?" }-
Are we talking about:
1. random writes
or
2. the Windows standard formatting procedure?
Because if it is #2 (I was referring to this procedure)
I used this:
http://www.diskinternals.com/ntfs-recovery/
So, actually, I didn't do it. Rather, I rebooted the machine that I accidentally reformatted an attached drive to with UBCD4Win, then used their program to recover most of a 120 GB drive.
Now, with other file systems, I am not sure. I know that NTFS lends itself to better recovery because of the way that it stores the information on the drive...
guest
February 18th, 2010, 12:14 PM
I guess that it is getting confused in here...
I will make it simple.
-If you do a simple Windows format and make sure that you also rewrite the MBR (Windows does that when you install it on a drive without any partitions), no virus can resist it and no old data will be seen by the new system.
So, delete the old partitions and install Windows using the Windows DVD and no malware will survive on the disk. The virus code might be on the disk, but unless you want it (and you need some special tools), it will NEVER be executed.
That is for malware. In that case, any data that is not overwritten by the new operating system is still on the drive and CAN be recovered.
-For data destruction, this is not enough. For data destruction, you need to wipe the drive by writing something (like 0) everywhere to overwrite the old data.
Writing zeros in one pass is WAY enough!! YES, the NSA or something COULD get some traces of data... But it is SMALL amounts and unless the NSA wants your data, you are safe. No one can recover the data unless they have really expensive equipment and a LOT of time.
For data destruction, you don't need to do that, but I agree that it is a good way to do it. If you do the simple format, the virus won't infect your system back but the idea that it is still somewhere on the drive might be unpleasant to some people.
-The argument in favor of the built-in ATA Secure Erase that we talked about in the beginning is that it will not only write zeros everywhere but it will delete the HPA/DCO and the old bad sectors that were relocated.
For your private data, you REALLY don't need to do that, unless you manually created an HPA. As for bad sectors, yes, some of your data can be on them, but if some random 512-byte chunks of my drive are not wiped, I'm not really scared even if someone can get them back... And to get them back, you also need more than a normal data recovery software since the bad sectors are hidden by the drive itself and are impossible to see by the operating system or the data recovery tools.
For malware, yes, malware can store itself in an HPA, but even if it is still on there after you wipe the drive, it will NEVER get executed back unless YOU ask for it.
As for malware storing itself in bad sectors, it is IMPOSSIBLE! There was some confusion in this thread because some malware did use some bad sectors to store itself, but it is bad sectors marked in the file system, not in the drive. In that case, everything I said before applies and a simple format would be enough.
Alex
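Added example (not part of any post in this thread): a Python model of the distinction discussed above between a basic format, which rewrites only filesystem metadata, and a one-pass zero fill, followed by a verify scan that lists every non-zero sector. The image layout, function names, and sample data are constructed assumptions; a scan like this sees only what the OS can address, not an HPA/DCO or sectors the drive has remapped.

```python
import os
import tempfile
SECTOR = 512
META_SECTORS = 8  # assumption: the toy "filesystem metadata" occupies the first 8 sectors

def build_image(path, total_sectors, secret, at_sector):
    """Constructed disk image: metadata up front, one data sector holding `secret`."""
    with open(path, "wb") as f:
        f.write(b"\xAA" * SECTOR * META_SECTORS)
        f.write(bytes(SECTOR * (total_sectors - META_SECTORS)))
        f.seek(at_sector * SECTOR)
        f.write(secret)

def quick_format(path):
    """Model of a basic format: only the metadata region is rewritten."""
    with open(path, "r+b") as f:
        f.write(b"\x55" * SECTOR * META_SECTORS)

def zero_fill(path):
    """One pass of zeros over every sector the OS can address."""
    with open(path, "r+b") as f:
        for _ in range(os.path.getsize(path) // SECTOR):
            f.write(bytes(SECTOR))

def nonzero_sectors(path, chunk_sectors=2048):
    """Verify pass: return the LBA of every sector that is not all zeros."""
    hits, lba = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(SECTOR * chunk_sectors):
            for i in range(0, len(chunk), SECTOR):
                if chunk[i:i + SECTOR].strip(b"\x00"):
                    hits.append(lba)
                lba += 1
    return hits

def demo():
    secret = b"constructed sample data: account=12345"
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_image(img, 64, secret, at_sector=40)
        quick_format(img)
        after_format = nonzero_sectors(img)   # metadata sectors plus the old data sector
        with open(img, "rb") as f:
            survived = secret in f.read()     # old data is still readable after the format
        zero_fill(img)
        after_wipe = nonzero_sectors(img)     # empty list means the verify pass is clean
    return after_format, survived, after_wipe

if __name__ == "__main__":
    print(demo())
```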
ex_ployt_ed
February 18th, 2010, 09:12 PM
-{ Quote: " I will look into that. [My suggestions for imaging programs] That sounds pretty amazing. Thanks." }-
Glad you appreciated it. I was actually afraid that it might look as if I was merely trying to promote the programs I mentioned but I actually have no vested interest in doing so; I was just pleasantly surprised when I learned of such alternatives to Acronis True Image; I didn't think anything that was available free of charge could compare.
Another popular imaging program seems to be DriveImage XML ( http://www.runtime.org/dixml.htm ). A step-by-step tutorial with screen shots can be found here: http://lifehacker.com/326086/hot-image-your-pcs-hard-drive-with-driveimage-xml
I personally chose EASEUS Todo Backup because I needed something compatible with Windows 2000 and the under 35 MB download was manageable on dial-up. I found it easy to use and it worked well for me. (Though it took me a while to realize that I had to boot from the special Todo Backup bootable CD in order to restore from an image. It seemed they could have made an instruction as basic as that clearer and easier-to-find than being buried somewhere in the FAQ.)
I had written,
-{ Quote: "Acronis True Image has been the most popular imaging program for several years now" }-
to which Pleonasm replied,
-{ Quote: "How do you know this to be true?" }-
Okay, I admit, I don't know it to be true. It was a general impression I had, based in no small part on having read that claim (or very similar) in at least one place- I think it was one of the major computer magazines. Come to think of it, though, that could have been as much as three years ago now.
I should have made this clear and was remiss in making the factual claim I did without backing it up.
............
Note that imaging functionality, as with so many other basic functions that require separate, third-party programs in Windows, appears built into most GNU/Linux distros.
focus
February 22nd, 2010, 01:17 PM
ex_ployt_ed wrote concerning Acronis True Image being the most popular imaging software:
"Okay, I admit, I don't know it to be true. It was a general impression I had, based in no small part on having read that claim (or very similar) in at least one place- I think it was one of the major computer magazines. Come to think of it, though, that could have been as much as three years ago now.
I should have made this clear and was remiss in making the factual claim I did without backing it up."
If you look at the Wilders "Polls" section, Acronis does seem to be the most popular imaging software. I've used it through 3 versions with product satisfaction.
Also, in regards to the absolute destruction of a disk with information you never want anyone to possibly see, you melt the disk. This is the only approved technique for DOD classified disks, the security guys take the disk apart, remove the platters and 2 people hand carry the platters, in a locked cuffed bag, to an approved melting center, watching the platters every inch of the way into the melter. Kind of like the One Ring :)
Copyright ©2002 - 2012, Wilders Security Forums