Solved How to completely wipe a hard drive?

[FreeDomBSD]

I have a UFS drive that is terrifying me. I used this guide: http://www.wonkity.com/~wblock/docs/html/disksetup.html to GPT format it, but it looks like the old MBR partitions still have all the files in them. The crazy thing about that is that it retains the old label and Dolphin sees all the data. This must be some ghost data because I wiped the begining and the end of the drive. The paranormal part of it is that there aren't any slices visible where this data could be housed: just the new GPT slices I've created.

I would like a complete wipe: write 0's to the whole drive or something.

Will this work?
dd if=/dev/zero of=/dev/da0 bs=512 seek=1

 

[Sebulon]

@FreeDomBSD,

dd if=/dev/zero of=/dev/da0 bs=512 [b]count[/b]=1

Would take care of the partitions at the beginning but leave the remainder untouched. This can cause confusion in some cases, which is why I wrote a script that takes care of wiping both beggining and the end of each drive. Perhaps you´d like this:
Fast and easy delete of partition and filesystem data

/Sebulon

 

[wblock@]

I have a UFS drive that is terrifying me. I used this guide: http://www.wonkity.com/~wblock/docs/html/disksetup.html to GPT format it, but it looks like the old MBR partitions still have all the files in them. The crazy thing about that is that it retains the old label and Dolphin sees all the data. This must be some ghost data because I wiped the begining and the end of the drive. The paranormal part of it is that there aren't any slices visible where this data could be housed: just the new GPT slices I've created.

This happens because the old MBR/bsdlabel(8) format only has the MBR at the beginning of the drive. The FreeBSD partitions are defined inside each MBR slice. If those are not erased first, they can reappear.

I would like a complete wipe: write 0's to the whole drive or something.

Will this work?
dd if=/dev/zero of=/dev/da0 bs=512 seek=1

Not exactly. If you want to erase only partition information, use gpart(8). On MBR/bsdlabel(8) disks, destroy the bsdlabel(8) partitions first:

# gpart destroy -F ada0s1
# gpart destroy -F ada0

To completely erase the disk, use dd(1), but give it a large buffer size so it completes within the same year:
dd if=/dev/zero of=/dev/ada0 bs=64k

 

[SirDice]

Something that always trips up people that don't know. Partitioning and formatting doesn't actually touch any of the data that's already on the disk. All it does is adjust a few sectors and puts in a clean table. Even a delete doesn't remove a file, it simply removes the directory entry and marks the blocks as free, it never touches any of the blocks themselves. That's why forensic investigators have a wonderful time restoring what was previously thought removed.

 

[tzoi516]

I usually use DBAN. However, some agencies do have the capability to extract data after the recommended wipes.

 

[FreeDomBSD]

Something that always trips up people that don't know. Partitioning and formatting doesn't actually touch any of the data that's already on the disk. All it does is adjust a few sectors and puts in a clean table. Even a delete doesn't remove a file, it simply removes the directory entry and marks the blocks as free, it never touches any of the blocks themselves. That's why forensic investigators have a wonderful time restoring what was previously thought removed.

I was quite aware of the relationships between partitioning tables and data.

What tripped me out was that I could access data through Dolphin from a MBR that was erased with two methods:

# gpart destroy -F da0
da0 destroyed

and

# dd if=/dev/zero of=/dev/da0 bs=512 count=34
# dd if=/dev/zero of=/dev/da0 bs=512 seek=60030398 (With the correct end-sector calculations for my drive)

After running these commands I've set up the drive with GPT method suggested in the guide. And I thought that it was successfully erased because it did not show up under dev (only the new GPT partitions showed up). So imagine my surprise when the drive automounted and I was able to access all the data.

 

[FreeDomBSD]

@FreeDomBSD,

dd if=/dev/zero of=/dev/da0 bs=512 [b]count[/b]=1

Would take care of the partitions at the beginning but leave the remainder untouched. This can cause confusion in some cases, which is why I wrote a script that takes care of wiping both beginning and the end of each drive. Perhaps you´d like this:
Fast and easy delete of partition and filesystem data

/Sebulon

Hi @Sebulon! I haven't seen you post in my threads for over a year now! And if I was having storage nightmares back then, boy, did they ever get worse! The positive to this is that I'm locked in the deep end of the pool, so to speak, and I'm learning a bunch in the process!

What is the difference between seek= and count= in this instance?
(the man explanation below eludes me)

count=n  Copy only n input blocks.

 seek=n   Seek n blocks from the beginning of the output before copying.
	      On non-tape devices, an lseek(2) operation is used.  Otherwise,
	      existing blocks are read and the data discarded.	If the user
	      does not have read permission for the tape, it is positioned
	      using the tape ioctl(2) function calls.  If the seek operation
	      is past the end of file, space from the current end of file to
	      the specified offset is filled with blocks of NUL bytes.

And I've tried your script on the drive in question: It works well!

 

[FreeDomBSD]

I usually use DBAN. However, some agencies do have the capability to extract data after the recommended wipes.

Thanks for the tip! I have a lot of drives that I'm planning to send to the manufacturer due to sector fails. I'll connect them all to one box and nuke 'em!

 

[Sebulon]

I haven't seen you post in my threads for over a year now!

Well, you know, been busy

And if I was having storage nightmares back then, boy, did they ever get worse! The positive to this is that I'm locked in the deep end of the pool, so to speak, and I'm learning a bunch in the process!

As you say, sometimes that can be a good thing. Just remember backups, backups, backups.

What is the difference between seek= and count= in this instance?

I´ve always had easier to understand things when put in a graphical example, so here goes...

So, say you´ve got a 30 MB HDD (yeah, well, they have been even smaller not that long ago). This is just bs(block size) 1 MiB and count 10 (10 MiB's):
dd if=/dev/zero of=/dev/daX bs=1m count=10

|          ____________________|

And this what happens if you use seek 10 MiB's in from the beginning of the drive before you start writing 1 MiB times 10:
dd if=/dev/zero of=/dev/daX bs=1m count=10 seek=10

|__________          __________|

Makes sense?

/Sebulon

 

[Deleted member 13721]

Safety glasses, a plastic bag, a hex screwdriver and a hammer.

 

[FreeDomBSD]

Thanks Sebulon! Good to know you're keeping busy! I think you had a typo in the command you've used in your explanation, but I understood it anyway.

 

[laufdi]

Safety glasses, a plastic bag, a hex screwdriver and a hammer.

I heard it was a myth that data could be regained after overwriting the drive once with zeros.

 

[Sebulon]

I heard it was a myth that data could be regained after overwriting the drive once with zeros.

The great zero challenge

/Sebulon

 

[youngunix]

I've tested wipe(1) utility on a hard drive and was unable to recover the deleted data. It is proven to be a very effective piece of software. However, it can take hours to wipe an entire drive depending on the size of the hard drive and data stored on it (e.g.:1MB file will take less than a minute to wipe where a 1GB file can take up to an hour), speed of the drive, number of passes, etc...

You can get the wipe(1) utility from security/wipe. The manpage will help you understand the utility and choose the options that fit your needs.

 

[PKern]

wipe(1) worked great.

Can now pass along the dumpster-rescued laptop without having to worry about leftover data.