


-FAQ-
30-08-2004, 05:29 PM
FAQ #48 - Cleaning data off a hard drive so it can't be recovered

Originally written by robsonde


Question:
How can I wipe my hard drive so that no one can recover my data?


Technical stuff first:
The disks of a hard drive are divided into lots of little parts called sectors, each sector holding 512 bytes of data. So that the computer knows which sectors are being used to hold data, there is a reserved and protected part of the disk called the FAT (file allocation table).

When a file is written to the disk, the OS marks off in the FAT each sector used by the file. It also makes a note of the file name and the first sector of that file. When the file is read back, the OS looks up the first sector of the file and then reads in the 512 bytes from the sector along with the address of the next sector for the file, and so on to the end of the file.

When you permanently delete a file (by emptying the recycle bin, allowing the bin to get full so that it overwrites the oldest files, or using a utility that bypasses the recycle bin) the OS does not delete data from every sector because this takes time. Instead it simply marks as free in the FAT every sector used by that file, and then removes the file name from the directory listing. It also makes the file name invisible to normal disk search methods, usually by replacing the first letter. This means that the space is now free to be used by other files, but the actual data is still present on the drive and can be recovered using undelete utilities provided it has not been overwritten by newer files.

Formatting the drive will empty the FAT and directory listing but again, it will not remove the data, and at this point your data can be recovered by reading directly from the sectors and putting the files back together like a puzzle.
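A toy model of the behaviour described above, as an added example that is not part of the original FAQ. `ToyDisk` and its layout (one FAT entry per sector, a dict as the directory listing) are simplifications assumed here rather than a real FAT implementation; the sample file content is constructed.

```python
import os

SECTOR = 512                  # bytes per sector, as in the FAQ
FREE, EOF = None, -1          # FAT entry markers for this toy model (assumed)

class ToyDisk:
    def __init__(self, sectors=16):
        self.data = bytearray(sectors * SECTOR)      # the raw sectors
        self.fat = [FREE] * sectors                  # per sector: next sector, EOF or FREE
        self.directory = {}                          # file name -> first sector

    def write(self, name, payload):
        chunks = [payload[i:i + SECTOR] for i in range(0, len(payload), SECTOR)]
        free = [s for s, v in enumerate(self.fat) if v is FREE][:len(chunks)]
        for n, (sec, chunk) in enumerate(zip(free, chunks)):
            self.data[sec * SECTOR:sec * SECTOR + len(chunk)] = chunk
            self.fat[sec] = free[n + 1] if n + 1 < len(free) else EOF
        self.directory[name] = free[0]

    def delete(self, name):       # "permanent" delete: FAT and name only
        sec = self.directory.pop(name)
        self.directory["?" + name[1:]] = sec         # first letter replaced
        while sec != EOF:
            nxt, self.fat[sec] = self.fat[sec], FREE
            sec = nxt

    def format(self):             # quick format: empty FAT and directory
        self.fat = [FREE] * len(self.fat)
        self.directory = {}

    def wipe_free_space(self):    # overwrite every free sector with random bytes
        for sec, entry in enumerate(self.fat):
            if entry is FREE:
                self.data[sec * SECTOR:(sec + 1) * SECTOR] = os.urandom(SECTOR)

    def raw_scan(self, marker):   # recovery-tool view: ignore the FAT entirely
        return marker in self.data

def demo():
    disk = ToyDisk()
    disk.write("bank.txt", b"ACCOUNT 12-3456 PIN 0000 " * 40)   # constructed sample
    disk.delete("bank.txt")
    after_delete = disk.raw_scan(b"PIN 0000")
    disk.format()
    after_format = disk.raw_scan(b"PIN 0000")
    disk.wipe_free_space()
    after_wipe = disk.raw_scan(b"PIN 0000")
    return after_delete, after_format, after_wipe

if __name__ == "__main__":
    print(demo())
```

The file's contents survive both the delete and the format, and only disappear from the raw sectors once the freed sectors are actually overwritten.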

So back to the question, how to stop people getting the data back?


Answer:
This depends on how much you care and how much cash you have.

1) The first and easiest way is just to reformat the drive. This will be OK if you just want to keep the drive and reuse it for other data. Your original data could still be recovered if a person wanted to, but it will get rid of data that you don't want, clearing the disk for you to reuse.

2) The next level of security is provided by wiping the free space using a program like pgp or drive-crypt. This writes random data to all unused parts of the drive and is a good plan if you are selling the drive. If you do this and then change your mind, then no one can (economically) help you recover your data. Note that some programs don't write random data but instead they only write lots of 0's (zeros) to fill up the drive.

There are several programs that you can use to perform a random wipe:

pgp: www.pgp.com
drive-crypt: www.securstar.de
Partition Magic: www.powerquest.com
Window Washer: www.webroot.com/washer.htm
ERASER: www.prdownloads.sourceforge.net/eraser/eraser53.zip
Steganos: www.steganos.com
KillDisk: www.killdisk.com/features.htm

I don't know how well each of the above programs works, so do your own research. Read the info about them at their web pages and see if it is a random wipe or a 0's fill, because a 0's fill is not quite as good. Search for and read any user reviews to help you decide.

3) If you are a Linux user then a random wipe can be done as follows:

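# /dev/urandom is used as the source: /dev/random can block and return short reads, so fewer bytes than bs x count get written
dd if=/dev/urandom of=/dev/hda bs=1024k count=4096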

The Linux "dd" method requires care. You need to calculate the "count=" value to match the size of the disk (the example writes 4096 blocks of 1024k each), or leave it out: with no "count=xxxx", dd keeps writing until it reaches the end of the disk. The "hda" in the example means "the whole of the first disk on the first IDE interface". That might be your system disk. There is no permission byte for "the whole disk"; it's not part of a file system, it's the whole disk. So make sure you use the correct "/dev/XXX" value, because the idea is to unrecoverably erase a disk. For "complete" erasure, repeat the command a few times. Seven seems to be the US DoD number.

The above Linux magic is thanks to Graham L.

4) Any true random wipe program will take a lot of time to run, so don't trust any program that says it can wipe a disk in under 10 minutes. Just stop for a moment and consider how long it should take to write 40Gb of data to the drive 7 times over!

5) A special note for the paranoid or those who have something to hide - even after random data has been written to the drive it is still possible to recover data using special tools that security consultants, police and government agencies have access to.

6) If this is a problem for you and you really think that the government is out to get you, then you should simply destroy the drive and buy a new one. Exactly how you destroy it is up to you but I read that the US government has a system for destroying computer equipment by cross cut, crush, grind, burn and then spread on the roads as grit in winter.

7) For more info about data recovery and the art of data destruction, have a read here (http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/).

8) As for setting up a system that will destroy the drive at time of boot unless some special start-up procedure is followed, this might have worked in years gone by but in today's world serious investigators won't boot a system until the drive has been copied.
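The whole-disk overwrite that the dd command in item 3 performs, as an added example that is not part of the original FAQ, with the size calculation, the repeated passes and a read-back check made explicit. It runs against a constructed image file standing in for a disk; `wipe`, `contains`, `target_size` and the marker string are names assumed for this illustration.

```python
import os, tempfile

CHUNK = 1024 * 1024           # same block size as bs=1024k

def target_size(path):
    """Size in bytes of a regular file or block device (seek to the end)."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)

def wipe(path, passes=1):
    """Overwrite every byte of `path` with random data, `passes` times."""
    size = target_size(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)                 # last chunk may be short
                left -= f.write(os.urandom(n))       # count what was really written
            os.fsync(f.fileno())                     # force it out of the page cache
    return size

def contains(path, marker):
    """Verification read-back: is `marker` still anywhere on the target?"""
    tail = b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):]        # catch a marker split across reads
    return False

def demo():
    # Constructed stand-in for a disk: a 3 MiB + 700 byte image file, so the
    # size is deliberately not a whole multiple of the block size.
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"\0" * (3 * CHUNK) + b"PIN 0000".ljust(700, b"."))
    try:
        before = contains(img.name, b"PIN 0000")
        written = wipe(img.name, passes=2)
        return before, written, contains(img.name, b"PIN 0000")
    finally:
        os.unlink(img.name)

if __name__ == "__main__":
    print(demo())
```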


REMEMBER: "The computer allows you to make mistakes faster than any other invention, with the possible exception of handguns and tequila." - Mitch Ratcliffe.


Use of any of the programs in this FAQ will wipe ALL your DATA and it will no longer be recoverable by any ECONOMICALLY AVAILABLE means so be very very sure you want (or need) to do this before you start.



Original FAQ available here (http://pressf1.pcworld.co.nz/thread.jsp?forum=1&thread=33127&message=146623&q=recovered#146623).