How to properly erase/scrub/wipe a hard drive?

Discussion in 'privacy technology' started by KrazyKong, Aug 18, 2010.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Secure Erase is the best by far for speed and thoroughness of wipe.
    You can access with a Linux LiveCD using hdparm.
    It is about 35 minutes per 100gb.

    Enhanced Secure Erase is even faster if your drive supports it.
    Enhanced Secure Erase usually is available in drives that have built in encryption, and will wipe a drive at 100gb/per second.

    While they're breaking your door down, you can initiate an Enhanced Secure Erase and be wiped before they put their hands on the computer. :D

    @ chronomatic

    It's nice to see a faster dd solution than shred and /urandom with openSSL.
    That's pretty impressive.
    dd with OpenSSL, according to your numbers posted, is about the same for speed as Secure Erase.
    36 minutes per 100gb

    Does dd wipe bad sectors, reallocated sectors?
     
    Last edited: Aug 23, 2010
  2. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Thanks for posting the link to this discussion. As commentators in that thread noted, however...

    And...
    And...
    Who knows if an advanced version of a TWIRL machine for integer factorization hasn’t already been built? For these reasons, it seems more prudent to employ hard disk wiping than full disk encryption as a means of data destruction, in my opinion.
     
  3. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    TWIRL and integer factorization only matters for asymmetric encryption algos (like RSA and ElGamal). It has no effect on symmetric algos (like AES) that are used for disk encryption. And Grover's algorithm (for quantum computing) can only cut the keyspace of a symmetric algo in half, which means AES-128 can be turned into AES-64. That's why NIST wanted all candidates to provide 256 bit keys during the AES competition. So, if quantum computers ever become a reality, then AES-256 can only be cut to AES-128, which will still be very uncrackable.
     
  4. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    For TrueCrypt, I believe you are correct, because the product does not support RSA public/private key pairs -- right?

    The key point, however, is some unanticipated breakthrough may someday (tomorrow? a decade hence?) occur and, if it does, then the full disk encryption approach to data destruction will be compromised. That risk may be perceived as miniscule today, but it is a risk that is not applicable to the disk wiping approach whatsoever. Thus, the latter is more prudent than the former, in my opinion.
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    No, and there's no reason for it to. Public keys are only needed when key exchange must take place. With disk encryption, there is obviously no key exchange.


    It's doubtful that such a breakthrough will happen in our lifetimes. Bruce Schneier, who is always very conservative with his estimates, said this about Rijndael (AES):

    Keep in mind most "breaks" of ciphers you hear about do not allow the attacker to read traffic -- they are mostly theoretical breaks that slowly chip away at the cipher's security. If the attacks improve (which they always do), then it is feasible that perhaps one day in the distant future the cryptanalysts can read traffic, but it's extremely doubtful such an attack will occur overnight. If anyone can read Rijndael right now it would be NSA, but I doubt even they can. And if they can, it will certainly be one of their most highly classified secrets.

    I am in agreement with you on the wiping thing -- I think it's the best way to go. You do not save much (if any) time by encrypting the drive and encryption always has that possibility of a future break (even if it's remote).
     
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,027
    Location:
    Hawaii
    You're mistaken about TrueCrypt. When it encrypts an entire device (e.g. a hard drive) it overwrites the entire drive with high-quality random data in a single pass. It's a decent way to wipe a drive if that's the outcome you're after.

    TrueCrypt also has the ability (under certain conditions) to encrypt the existing data within a partition, and I think that's what's throwing you off.
     
  7. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Exactly, but it still has to overwrite. So, my point is, why encrypt? Why not just overwrite and be done with it? There are plenty of ways to overwrite a drive with one random pass.
     
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,027
    Location:
    Hawaii
    Well, it's quick and convenient, especially if you already have TrueCrypt installed and know how to use it. I just did a practice "wipe" of a 5GB partition on an internal drive (I merely encrypted an existing partition without specifying a filesystem) and it took only 53 seconds to completely fill it with random data, for an average speed of about 94 MB/sec. This was done using a dual-core Intel CPU on an internal SATA drive. I'm not sure how that speed would compare with other disk wiping solutions, but it seemed pretty quick to me! TrueCrypt supports multi-core processors, so the speed will vary considerably based on the number of cores, but the hard disk interface and the maximum supported write speed is ultimately the limiting factor.

    I don't normally wipe my drives like this, as I have no need for random output. I prefer to perform a zero-wipe using the hard drive manufacturer's diagnostic tools. But for those who desire random output and don't mind a single pass, TrueCrypt is one of the options.

    PS: The password was "test". This does not represent a security risk because the partition's previously existing data was overwritten, not encrypted.
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    123,212
    Location:
    Texas
    Securely disposing data on hard drives and other storage media

    Article
     
  10. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,327
    Location:
    Here, There and Everywhere
    I was going to say that exact thing earlier and decided it's best to let it go. You're absolutely right though.
     
  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,227
    Location:
    Sydney, Australia
    Thanks for the link ronjor :cool:
    timely advice there.
    If you aren't going to physically destroy the disc: fairly simple method of wiping/hiding/rendering any data unrecoverable except in some future extreme circumstance is:
    1: Encrypt however you like.
    2: Eraser or DBan.
    3. Linux live CD with shred

    There will still be "data" on the disc; but non-recoverable.
    Can happily toss the disc or give to a friend.
    Doubtless the disc will be reformatted b4 use; or even just written over with new data.

    Posted by Lockbox at post #2 in this thread :
    :thumb: :)

    What would be of real concern to me is all the "cloud" data floating about: no control over that what. so. ever.
     
    Last edited: Sep 1, 2010
  12. vuuh

    vuuh Registered Member

    Joined:
    Sep 1, 2010
    Posts:
    2
    DBAN is not able to wipe the HPA (Host Protected Area) which, in your case, is a good thing :)
    I think you can encrypt your computers without touching the HPA since you can decide which partitions you want to encrypt.

    @ LockBox & chronomatic

    I think you are both right. LockBox just suggested the TC way as an alternative. Since the problem KrazyKong had was that the wiping tools he used weren't able to wipe file names, using TC to encrypt the whole drive and then wipe it is a way to solve it. I think it would be faster too but I never did a comparison. By the way, TC has the option to wipe freespace before encrypting a whole disk/partition.
    Another way is obviously to find a program that can wipe not only unallocated space but also slack, MFT and swap like Eraser, BCwipe, CyberScrub Privacy suite, etc.

    Very interesting thread btw :)

    Rob.
     
  13. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,227
    Location:
    Sydney, Australia
    Now were cookin'...
    That particular feature is regarded by some as a 'bug' in DBan.
    It really acts as a safety feature imo.
    Then HPA is an interesting area:
    :D :D

    Ya, HPA +/- DCO are interesting tools.

    Users can "hide" data in the HPA.

    The HPA can be used to register a computer every time it logs onto a network !! :shifty: Security feature of course !! :cautious:

    Rootkits can get to HPA

    HPA:
    https://www.utica.edu/academic/inst...icles/EFE36584-D13F-2962-67BEB146864A2671.pdf
    http://en.academic.ru/dic.nsf/enwiki/3858119
    DCO ( short search ;) )
    http://en.wikipedia.org/wiki/Device_configuration_overlay
    I think pehaps wiping the DCO on a lappie may not be too helpul ??

    I have not done this as not an issue for me but the HPA can be used to burn recovery media and then wiped: dont take my word for it.

    Easy ?? to remove in Windows:
    Active@kill disc and other erasers from bootdisc can wipe the partition as any other paritiion.

    If we refer back to the OP: he just wants to wipe the drive: if there aint enough info in this thread: We're all in trouble :eek:
    :D

    Thanks to all for the considered info here.
    Always good info ferreted out here for the less abled: cest moi. :cool:
     
    Last edited: Sep 2, 2010
  14. KrazyKong

    KrazyKong Registered Member

    Joined:
    Aug 18, 2010
    Posts:
    9
    Wow alot of great information in this thread.

    When I've had the time, I've still been playing around with some programs trying to find one that does it all. It seems far too many scubbers/wipers/deleters simply focus on filling up the drive with one big file using whatever method (Gutman, 1 pass, random etc. etc.) you choose. But the archiles heal is that often the filenames are left. You can gleam quite a lot of information just by having a filename. And knowing a filename, you can then search other drives and computers for it if a person has multiple hard drives etc.

    I might have mentioned this before, but it also muddles things when you delete files in different ways, then reformat the drive. Often the data is still there, but you have to go deeper (Inception anyone lol?) in being able to see what's there.

    Right now I'm finding it easier to actually not run any scrubbers and use Directory Snoop. That way I can them manually see what's leftover, and use it's purge feature to remove the MFT entry.

    The search still continues however for a program that will do it all. I'm having a little difficulty in being able to create a system or method for testing each erasing program. I'd like to just try them all one at a time with a set way of adding files, deleting them, doing the scrub, then running a recovery/undelete tool to see what's leftover, but right now there's almost too many options. So maybe it might be easier to start backwards.

    What are the best recovery tools out there? I have EasyRecovery Pro, Recuva, O&O Unerase6. Are these 3 good enough or some of the best out there? If so, then it will make it easier to forge ahead with my extensive tests. Any and all thoughts/opinions would be most appreciated too. Like repeating the tests for FAT formatted and NTFS formatted drives etc.
     
  15. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    UBCD and UBCD4Win are amazing, filled with tools that can do most of what you want.

    You need to be able to:
    Determine how many partitions are present.
    Determine if there is data present.
    Determine if the drive has been resized.
    Write or create an HPA.
    Create bad sectors.

    A fun project:
    Infect yourself with TDL, build an UBCD4Win, Wipe with Secure Erase, boot from UBCD4Win.
    You get to watch TDL create its file system on an empty drive.
    It doesn't create the FS right away, there's a delay.
     
  16. KrazyKong

    KrazyKong Registered Member

    Joined:
    Aug 18, 2010
    Posts:
    9
    Not to sound too dumb, but are UBCD and UBCD4Win the same program (Ultimate Boot CD) or different??

    TDL??
     
  17. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Yes, in the future, some discovery might occur which allows an adversary to ‘easily’ recover overwritten disk clusters. However, that risk applies equally well to wiping a volume through full disk encryption.

    Thus, full disk encryption as a wipe method suffers from both potential risks -- decryption plus forensic improvements -- while standard disk wiping is only subject to the latter risk. As a consequence, standard disk wiping seems to be the more prudent approach.
     
  18. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Dantz, please explain: why are the disk clusters on the partition “overwritten” but “not encrypted” using TrueCrypt?

    Thanks for the clarification.
     
  19. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    They are two projects by the same author.
    UBCD uses a Linux based OS that boots from read only media.
    UBCD4Win uses BartPE and Your Windows Disc to make a boot off of read only media Windows environment.

    A nasty rootkit that is difficult to find and remove, though nothing survives Secure Erase.

    I am only smart when dumb is a point of reference other than me.
     
  20. vuuh

    vuuh Registered Member

    Joined:
    Sep 1, 2010
    Posts:
    2
    You can try photorec. I've recently used it to recover thousands of photos from a drive after a format and OS reinstall. You can download and run it or you can find it on UBCD. Of the ones you already tested, I like Recuva for its semplicity. Anyway, recovering deleted (not overwritten) files is a very easy task so I suggest you use the tool you like the most. If you want more, you probably have to take a look at forensics tools.
    To be honest, I still don't understand why you are able to recover file names. An easy to use, free, powerfull utility like Eraser can get rid of filenames.


    I think he meant that we are using the layer of encryption provided by TrueCrypt to overwrite the data on the drive. In this scenario the TC job is to scramble the data on the drive with its encryption capabilities.
    Please Dantz, correct me if I'm wrong.

    Thanks.
     
  21. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,027
    Location:
    Hawaii
    Yes, that's basically it. You merely set up new encryption on an entire partition or an entire hard drive. TrueCrypt uses a cryptographically secure algorithm to fill the selected partition or drive from beginning to end with psuedo-random data which completely overwrites the previous contents. It's basically a random wipe, except the user has the option of building a filesystem within the encrypted volume and adding data to it. However, you can also just leave the new volume unformatted and empty, as I did when I used TrueCrypt to quickly "wipe" my partition.

    Of course, other drive-wiping tools that support multi-core processors should be at least equally fast if not faster.

    chronomatic is correct in that creating a completely functional encrypted volume is an unnecessary component of the TrueCrypt drive (or partition) wiping technique. However, TrueCrypt lays down the layer of encryption very quickly and easily, so it's hard to get too worked up about the fact that it's doing a bit more than is actually necessary.

    TrueCrypt also has the ability (under certain conditions) to encrypt pre-existing data, and from reading the various posts in this thread it's obvious that many posters are thinking about TrueCrypt only in those terms. However, this would be a comparatively slow and inefficient way to deal with unwanted data on a drive, and it also introduces unnecessary risk. Data that has been encrypted can potentially be decrypted, wheras data that has been overwritten is gone.

    Incidentally, I would recommend using a hex editor to check a wiped drive for the existence of plaintext or other data fragments that might have survived the wipe. Most data-recovery tools focus on reassembling files, but they will for the most part completely overlook uncategorized or unidentifiable data fragments. A good hex editor can use many different techniques to search for plaintext on a raw drive.
     
  22. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,327
    Location:
    Here, There and Everywhere
    Hi Dantz,

    As Bruce Schneier uses as a rebuttal for your argument.... either a fully encrypted computer is secure -- or it's not. If it's not good enough to consider the data gone - (if you encrypt the drive and destroy the key) - why depend on it to keep your data secure while it's on your desk or wherever?

    In-Place system encryption is extremely simple with TrueCrypt as long as your using NTFS. A fully encrypted system drive with strong encryption and destroyed keys = same as overwriting. Even NIST is finally coming around to this conclusion. Schneier was perplexed why they wouldn't back in '07. FDE is either secure - or it's not. As far as future capabilities are concerned, it is actually more likely to find technology that is light years ahead forensically than for strong encryption to be broken. In other words, that hard drive that you thought you had "wiped" in 2010 may be open for all in 2015. The chances, because of the mathematical elements, that strong encryption will be broken is near zero by that time - or maybe our lifetime.
     
  23. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Please correct me if I am mistaken, but TrueCrypt is not writing pseudo-random data to disk -- it is reading a disk cluster, encrypting the contents of that cluster, and writing the encrypted contents back to the same disk cluster. Thus, the underlying information on the disk is preserved through this process and can be recovered through a decryption operation.

    In contrast, a standard disk wiping procedure does in fact write pseudo-random data to disk. These data are independent of the original contents of each disk cluster, and thus there is no mechanism similiar to 'decryption' that can be used for recovery.

    If true, then it does not bode well for wiping a hard disk drive through full disk encryption, because the single-pass overwrite is more likely to be forensically undone than a multiple-pass standard disk wiping procedure.
     
  24. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,027
    Location:
    Hawaii
    Perhaps this will help...

    TC screenshot.JPG
     
  25. dialxdrop

    dialxdrop Registered Member

    Joined:
    Sep 21, 2010
    Posts:
    35
    Does anyone know if this method works without doing a full disk encryption?

    For example, let's say my hard drive is 1000 gigs, and I would create 2 partitions let's say 500 gigs each and leave 0 free space left. If I were to just encrypt each partition and leave no traces of free data unencrypted, would this be equivalent to me doing an official whole disk encryption?

    The only difference I can see is that this method doesn't encrypt the MBR and first track or a host protected area. But would this compromise my wiping operation?
     
    Last edited: Oct 4, 2010
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.