Forgot your password?
typodupeerror
Hardware

How To Really And Fully Wipe A Hard Drive? 108

Posted by timothy
from the say-what-do-you-have-on-there-anyhow? dept.
root_dev_X ventures: "Admittedly, this is a random question, but here goes - Does anyone out there know of any ways to totally erase the data on a drive? Some friends of mine got into a discussion about this not too long ago; one of them told me they had heard from a friend in the military that they hooked up old HDDs to modified stun-guns and zapped them in order to totally erase them - apparently this method scrambled the magnetic field of the disk, leaving the data irrecoverable. Does this work? Are there any other methods for "data-destruction" (keeping the platter intact, that is)?" A nice "obliberate data to the point of senselessness" tool would be nice -- or is keeping the platter intact a senseless question if you want true security?
This discussion has been archived. No new comments can be posted.

How To Really And Fully Wipe A Hard Drive?

Comments Filter:
  • by babbage (61057) <cdevers AT cis DOT usouthal DOT edu> on Wednesday February 21, 2001 @01:05PM (#413718) Homepage Journal
    ...and ineffective.

    Playing off ideas from Bruce Schneier's writings, there are three different people you want to protect yourself against here: casual snooopers, experienced hackers, and dedicated experts.

    The casual snooper is someone like, say, my mom, who is baffled by Windows Explorer. You strategy will handle people like this very well, for the most part. If however you're trying to "really" wipe out the hard drive though, that's not enough.

    The next person is the moderately adept hacker, who probably has the smarts but doesn't necessarily have the tools to get everything. This kind of person might be able to, for example, mount your hard drive on a Linux system and use various filesystem tools to retreive the contents of the disc. This is easier to do than you might think (anecdote: on my last computer, I went through various partitioning schemes to make room for Win95, BeOS, and Linux. I was surprised to find that one of my reinstalls brought me back to an earlier state of the disc, because the "new" partitioning was one I had used before, and the data was now accessible again. What I thought I had thrown away forever was once again accessible). A quick format might or might not fend off this level of cracker, but don't get your hopes up. A more thorough defense here would be to rewrite the whole drive at least once, if not a handful of times, with something like 1010101010101010101 etc.

    The third level of cracker is someone with both the expertise and the tools needed to get whatever they want from your drive. Apparently, the magnetic field on the disc stores an imprint of the last dozen or so writes, thus the above 101010101 strategy only masks the contents of the disc, but it does not remove them. Slightly more clever destruction attacks add more entropy to what you're writing to the disc (add in enough variation to disrupt the magnetic field in various ways: 0000000111111111000000001111111) but even still you're just sweeping over your tracks, not really eliminating them. For this level of attacker, the only sure defence is really to thoroughly destroy the disc -- break it, burn it, scratch it up & cast the remains to the four corners of the world.

    So, the short answer to the original question would be something like: "yes, it's possible to *really* erase a disc, but you have to know who you're trying to hide things from and how far you're willing to go to hide it."



  • A few points that haven't been mentioned yet.

    1) Even if you overwrite the data with a "Military grade" data wipe tool, there exist pieces of hardware that will still be able to recover your data, if they want to enough.

    2) Low-level formating is left for the factory. Modern drives have embedded servo information that you can't recreate without the aid of expensive factory hardware. And that wouldn't help you too much, anyways, given that it won't do a satisfactory job of wiping the disk.

    This is why the manual warns you to not degaus the drive.

    So your best bet is to just destroy the sucker. First wipe the drive using one of the wiping tools mentioned and then have fun.

    I'd suggest you try microwaving it. But don't use your own microwave, because it'll probably end up frying the microwave given enough time. The fireworks are sure to be a crowd pleaser.

    You also might consider playing hard disk platter frisbee. Although, with modern 3.5" drives, it's a lot harder than 5.25" or 8" platters.

    And, once you've had your fun -- make sure that your disk platter frisbee buddies are people you trust -- just thermite the platters. You can find instructions on how to do thermite at any popular anarchist webpage.

    If you leave the drive usable, there is always the possibility of discovery.
  • 4. Put picosats in an unstable orbit and allow them to burn up re-entering the atmosphere.

  • Burning lighter fluid in a metal wastebasket won't do all that much to the data on the platters. There's not very good air circulation, and lighter fluid burns at a low temperature. There should be air holes in the incinerator, at least, and preferably plenty of fuel.

    You need to raise the temperature of the magnetic coating above the Curie temperature [britannica.com] (770 C for iron). But as the platters are probably aluminum, and the melting point of aluminum is around 660 C -- you're probably going to have to settle for melting the platters and stirring them up.

    Be aware that melting aluminum in your wastebasket will damage your wastebasket. And you probably should not do this near your cubicle.

  • If this is a must, brutal (and safe) methods like using high-capacity de-magnetizers, sanding off the platter cannot be used.

    I guess you want to re-use the hard drive after deleting? Then you are stuck with software methods. A stated before you will need MANY truly random overwrites before the disk really is not recoverable. With Linux try (for drive /dev/hdX) something like below and repeat it 50 times. That should do the job.

    dd if=/dev/random of=/dev/hdX

  • Give it to a five-year-old with one of these [iwarp.com], and watch the fun.

    Alternatively, store all of your important data on a Conner CFS1275A [seagate.com]. Probably one of the worst drives ever built. Had no less than five of them die on me in one week. Just wait for the "thunk-thunk-thunk" sound, and you're all set.

  • (Works almost every time I have tried it.) 1. Buy a Western Digital HDD; 2. Wait a short time; 3. Repeat, if necessary.
  • I think the best way to destroy would be to bring it to the Herkimer Diamond Mines (http://www.wpi.edu/~stype/herk2k.html (see pictures)). Just use it as a fulcrum or a chisel and it won't last long. I have seen old leaf springs (tempered steal, VERY hard!) that had been converted into wedges twisted worse than Dale Earnhardt's car.

    Or you could just give it to my friend Liz, she seems to break everything....
  • they're erased with no effort

    Who are? The disks, or the people who are leaving?


    --

  • From Secure Deletion of Data from magnetic and solid state memory. [auckland.ac.nz]

    In conventional terms, when a one is written to disk the media records a one, and when a zero is written the media records a zero. However the actual effect is closer to obtaining a 0.95 when a zero is overwritten with a one, and a 1.05 when a one is overwritten with a one. Normal disk circuitry is set up so that both these values are read as ones, but using specialised circuitry it is possible to work out what previous "layers" contained. The recovery of at least one or two layers of overwritten data isn't too hard to perform by reading the signal from the analog head electronics with a high-quality digital sampling oscilloscope, downloading the sampled waveform to a PC, and analysing it in software to recover the previously recorded signal. What the software does is generate an "ideal" read signal and subtract it from what was actually read, leaving as the difference the remnant of the previous signal. Since the analog circuitry in a commercial hard drive is nowhere near the quality of the circuitry in the oscilloscope used to sample the signal, the ability exists to recover a lot of extra information which isn't exploited by the hard drive electronics (although with newer channel coding techniques such as PRML (explained further on) which require extensive amounts of signal processing, the use of simple tools such as an oscilloscope to directly recover the data is no longer possible).

    So, in conclusion - Sorry, can't be done without modifying the electronics in the drive. That might be a challenge to the drive manufacturers though... how to get your density doubled by purposefully use the overwrite and read both the previous and current data! Kind of the same idea as the two bits per cell technology used by flash memory manufacturers...
  • Heat the magnetic medium. Heat randomly orients the poles.
  • by PapaZit (33585) on Thursday February 22, 2001 @04:27AM (#413729)
    There is at least one military organization that decomissions drives by overwriting them a bunch of times. Then, they cut the drive in half with a saw and take each half to a different facility for disposal (which usually involves melting the drive).

    See Peter Gutmann's Usenix paper on secure deletion of data from magnetic and solid state memory [auckland.ac.nz] for some truly impressive data recovery methods.


    --

  • >if you're not going to damage the surface of the drive, you're going to need to format like crazy, and fill it with junk every time.

    Yup. And even this won't work. Suppose you've got data in marginal sectors on the drive - the data gets mapped to spare tracks, and the marginal sectors are blocked out and remapped by the drive's firmware.

    No amount of repartitioning and reformatting and "overwriting with junk" will overwite the mapped-out sectors, because the OS (and BIOS) never sees the mapped-out sectors.

    Whether this is sufficient depends on who your imagined adversary is.

    If it's Joe Average, who bought your used P166, repartition and don't even bother reformatting.

    If it's Joe Linuxgeek, who bought your used P166, repartition and overwrite with junk.

    If it's Fred the Fed, degauss. This will likely ruin the drive, as there's lots of information embedded between tracks on the platters that the drive heads use to figure out whether they're tracking correctly. This is why you can't "low-level" format (in the sense that you could with old-sk00l MFM drives) an IDE drive.

    If you are Fred the Fed, and just got busted for selling secrets to the Russians... it's too late to use thermite.

    There are reasons why military and intelligence organizations require physical destruction of drives on which classified material has been stored.

  • Well, I can tell you how the Navy at a top-secret comm installation was supposed to do it if the place was in danger of being overrun: pile all sensitive stuff (hard drives, crypto machinery, etc.) in the parking lot, put thermite bricks on top of it, then melt everything into slag. I think it was more for speed than effectiveness. They might not necessarily have the time to do it in a less spectacular fashion.
  • by Tackhead (54550) on Thursday February 22, 2001 @11:18AM (#413732)
    >Several wiping programs are available that will overwrite data multiple times with binary patterns - checkerboards, solid 0's, solid 1's, random patterns, etc.

    You correctly point out that physical destruction of media is the only way to be sure.

    One thing to be aware of when overwriting data with patterns is that what you think you write to disk isn't what you write to disk.

    A string of "00000000" isn't "all magnetic north poles up", and a string of "11111111" isn't "all magnetic north poles down".

    Drive firmware maps these bit streams into encodings that are broken up into patterns of ones and zeroes that the heads can always read - much the same way that your serial port would get very confused if you tried to download a 100K file of "all zeroes" by just holding the ReceiveData line low for 30 seconds with no parity or stop bits.

    The actual encoding method by which the bitstream is encoded into alternating magnetic patterns is probably drive-dependent. As a result, the "ideal" pattern of bytes the controller should write to the drive to create patterns of alternating, or mostly-North, or mostly-South, magnetism, will also be drive-dependent.

    Practical application: The Apple ]['s "disk ][" floppy controller used to have a feature where you could tell the floppy drive to give you the data as seen by the read/write head. By changing the encoding scheme to a less-redundant, but equally-reliable one, you went from 13 sectors per track to 16 sectors per track. Many copy-protection-breaking programs of the day would give you the bytes as seen by the drive head and use this to determine what encoding (or if a custom encoding) was in use.

    In hard drives - MFM and RLL are two encoding schemes. RLL drives were exactly the same hardware inside, but used a different encoding scheme. RLL stood for Run-Length-Limited, where "Run-Length" can be loosely translated into "number of consecutive all-north-poles-in-a-row the drive firmware will tell the head to read/write for any given input bit sequence. As such, the RLL version of a drive typically had 30M of user space, whereas the MFM-encoded drive - same hardware - had 20M of user space.

    Today's drives work on the same mechanism at the head/platter level, it's just buried under many more levels (BIOS, C/H/S remapping, LBA, etc. etc. etc.) of abstraction.

    Others have posted links to this paper [auckland.ac.nz]. I've merely summarized section 3. It's a damn good paper.

    If it's important - whether military or corporate secrets - physically destroy the media and buy a new drive.

  • >Memory is recoverable from DRAM/SRAM for some time. Not trivially, but it takes a long time for the electron density in all of the cells to return to a statistically meaningless state.

    True. An old stunt we used to love doing as kids was to load an image into an Apple ]['s graphics RAM, then power-cycle the machine and go into graphics mode on power-up.

    Most of the time, there was corruption, but the image remained recognizable - the chips retained the ability to return a TTL signal to within spec - even after 5-10 seconds of power-down.

    I have no doubt the data was recoverable (i.e. measure analog voltages) for power-down periods of time much longer than that.

  • # dd if=/dev/zero of=/dev/hd? # dd if=/dev/urandom of=/dev/hd?

    --

  • And I'm not kidding.

    I've done it before, works like a charm.


    ---
  • Here's what I would do:

    $max = size of drive in Kb;

    $drive = location of drive in /dev

    fdisk $drive
    delete all partitions
    dd if=/dev/zero of=$drive bs=1024 count=$max

    That should completely wipe it out.

  • Wouldn't surprise me if the producers of Terminator 3, somehow managed to get one of the Terminators out of that foundry vat though.
  • by Anonymous Coward
    i wouldn't trust this method.

    drives have gotten so dense that it is very difficult to depolarize all the data reliably.

    you would probably need an alternating electromagnet capable of picking up a car to do serious damage... and even then...?
  • by Royster (16042) on Wednesday February 21, 2001 @02:02PM (#413739) Homepage
    ...and ineffective.

    /. needs a new moderation category "didn't get the joke".
  • by SanLouBlues (245548) on Wednesday February 21, 2001 @02:04PM (#413740) Journal
    Put it under that gun that shrinks quarters. Give it to a friend. Say "Hey man I compressed my hard drive" :)
  • http://www.lassp.cornell.edu/sethna/hysteresis/Wha tIsHysteresis.html

    Stick the platters near a source of strong alternating magnetic fields, change the relative 3d orientation of the source a few times, and run the source for a long time. Make sure there's no interposing metal that could reduce the field density at the surface of the platter, or increase field strength to compensate, and then melt the entire drive.
  • When you cannot have ANY data recoverable, you either acid bath the thing into non-existance, or melt it into undifferentiated slag, and break the lump into little bits, and pass it around. Lets assume that doing the standard 'alternating 10-pattern fill' routine is 99.999 percent effective. On a 10 gig drive, that leaves 1 megabyte recoverable. For some applications, that's 1 megabyte too much that can be recovered.
  • Data recovery labs can recover just about all of the information you destroy like that, writing just once isn't enough.. twice probably wouldn't do it either. Couple of dozen times of this and perhaps you've erased most of the stuff you had there.

    Using different patterns for different passes is advisable so that there's no recognizable residue left. Writing just zeros two dozen times probably wouldn't obfuscate the residue enough to stop someone determined with the right equipment. So you need to replace /dev/zero with /dev/random to make the data on your hd unrecovable for say the fbi..

  • No, it's apparently far far far more difficult than that to erase a hard drive.

    There is a paper from a 1996 USENIX Security Symposium that might be of interest. The paper is titled Secure Deletion of Data from Magnetic and Solid-State Memory [sourceforge.net]. It's chock-full of interesting tidbits...

    Included are not only current (as of 1996) techniques for wiping a drive as well as your RAM(!?!?!).

    Now, if that was current in 1996 (for the mainstream at least), what did organizations like the NSA have then. And, better yet, what do they have now?

  • Well, all these methods kind-of touch on various things you need to do to ensure data is irrecoverable.
    Now, we can discard 3/4 of the posts that have something along the lines of "destroy the platters" as you _don't_ want to do that.
    Next, overwriting with random data a few times is good. You will need to overwrite many times, using both sequential and random access patterns. If using just, say, sequential access (a-la format, even a low level one) there will be recoverable traces of your data at the edges of the tracks. The hard drive itself can't recover this data, but experts can.
    Then overwrite the drive multiple times, not with random data, but with a fixed pattern to fully magnetize with the new data, say overwrite it with 0xFF multiple times in a row (sequential and random access) and then with 0x00, again multiple times in sequential and random access patterns)
    Then you will need an implicit knowledge of the particular drive geometry and encoding methods, so you can calculate Worst Case Scenarios for both access patterns and data modulation.
    One poster mentioned the old MFM worst case data pattern of 0xDAC3. This will be differnet with newer drives and encoding schemes.
    Do this a few times and you should be safe
    -- kai

    Verbing Weirds Language.
  • On a 10 gig drive, that leaves 1 megabyte recoverable.
    That 1 megabyte is not consistent. A byte here and a byte there still make no sense...

    Cheers...
    --
    $HOME is where the .*rc is

  • Yeah, I can just imagine it now.. some fellow carrying a server walks out of the room. In doing so, some shoplifting-type sensor picks up this little detail, discharging an arc-welder into a thick coil wrapped around the doorframe.

    The fellow notices a loud "wooosh", kind of a rapid tinkling as wiring squeezes about the doorframe and shifts in its mountings, fine ferrous dust immediately sucks towards the extremeties of the door, instantly forming a fine iron fur. All zippers, key rings, watch springs, and other iron sundries jolt imperceptably. The case of the computer is torn through inches of open space and slammed into the door frame. Anybody within 30 yards with a pacemaker dies instantly. The hard drive jumps as its magnets align to the strong magnetic field.

    Then great capacitor in the arc welder fades, and only the smell of melted insulation and positive ions is left in the air.

    I bet the data would still be intact... if not, easily recovered using advanced techniques. A uniform magnetic field would probably leave the ferrite in a predictable alignment... anything which isn't is part of the old data structure.

    Encryption and writing random data acros the drive would probably work better. Maybe even mounting a coil near the platters then using a garage-door-opener type device to trip a battery inside the case to send crazy fields through the platters.

  • Can you take that chance? Even thirty contiguous bytes can give you a username and password.
  • 3. Overwrite all your data with a good random or pseudorandom stream of data.
    I think creating a stream of plausable-looking data, ie. with a similar bit distribution to the original data, would be better. If you overwrite with random data enough times, the original data may become partially visible therough statistical analysis.
  • Also from Norton; gdisk, part of the Norton/Symantec Ghost suite, supports wiping from 1 to 99 passes.

    Or if you don't mind waiting...reformat your system and put WinME on it -- it'll be completely trashed in about a month or so. :)

    Thus sprach DrQu+xum.
  • Sans Education and Research Organization

    Is it just a coincidence that sans means "in the absence of?"
  • Well, there isn' really a tool necessaryily, but you can try this:

    dd if=/dev/random of=/dev/sda

    You could of course adjust it to repeat the process with a shell script.
  • Some time back, I was sysadmin for a project that generated a number of SECRET classified hard drives. They were perfectly good, large, and totally unusable. The difficulty in preserving the physical integrity was that although disk wipe software existed, it didn't overwrite every block. Remember, for a standard SCSI disk (and IDE too, I believe) there are "hidden" spare blocks (not visible to standard operations) - they are used to replace bad blocks by the drive controller. Any real disk overwrite utility had to overwrite all of those blocks too, which are generally accessible only through manufacturer-specific operations and damaged, so writes didn't work correctly. Then you had to demonstrate to a technically unsophisticated, very skeptical security officer that you really did erase everything. Couple that with the many passes (hours and hours worth) required by overwrite utilities and it translated to more hassle (read labor hours) than the government wanted to spend, just to recover the use of a hard drive - cheaper to physically destroy it. Nothing particularly exotic, just a sledgehammer (but it was so satisfying...).
    Pachooka-san
  • by Anonymous Coward
    The difficulty of erasing data from a hard drive is a very good reason for using encryption to store your data. By simply storing all your data in encrypted form, removal of the key to your encrypted data will erase all of it. For instance you can keep your key on a floppy disk or by remembering your key (although most keylengths you can remember seem to be crackable these days). In the floppy disk case, you simply destroy your floppy and the data on your hard drive is gone forever.

    Look at www.kerneli.org [kerneli.org] for information about how you can encrypt your hard drive on Linux. Other tools exists too.

  • Glad I wasn't the only one thinking of this idea! It sure worked for me. Soon after I got a warranty replacement, I was able to repeat the process EVERY TIME!
  • I've done it before, works like a charm.

    And how did you confirm that the data was fully wiped?
    By doing something more than double-clicking on the C: icon in Windows Explorer, I hope!

    Details, man! Need details!
  • Posted by polar_bear:

    I didn't see this in any other comments...

    Radio stations typically use a hand-held "bulk eraser" that's basically a big magnet to wipe clean tapes and such. We had a used hard drive in the station that I bulk-erased and it certainly seemed to get rid of all the information - and it still worked. Had to reformat it, but it worked.

    You can probably purchase a bulk eraser for around $100 or so.
  • I currently uses BestCrypt [jetico.com] for linux. Its really easy to install. But is not Rubber Hose proof!

    Taken off the http://www.rubberhose.com/ [slashdot.org]

    Rubberhose transparently and deniably encrypts disk data, minimising the effectiveness of warrants, coersive interrogations and other compulsive mechanims, such as U.K RIP legislation. Rubberhose differs from conventional disk encryption systems in that it has an advanced modular architecture, self-test suite, is more secure, portable, utilises information hiding (steganography / deniable cryptography), works with any file system and has source freely available. Currently supported ciphers are DES, 3DES, IDEA, RC5, RC6, Blowfish, Twofish and CAST.

    For thoses that don't know about the software you can read about it here [rubberhose.org].

    PS:I never post to /. This is a first! back to getting the new /. DB built...

  • Hmmm, this sounds alot like the algorithm for how memory works in our brain.

  • Flight recorders used to use a metal wire that would run in an endless loop as its "tape". It was common in the 1970s to be able to read 6 generations of recordings off of them.
  • You don't know what a modern drive will do.

    We got some brand new 1 Gig IDE drives in a few months ago. They look like 10 gig drives but they claim 1. maybe they have 9 gig worth of bad sectors or maybe they have 9 gig worth of sectors that can be remapped.

    When a modern drive is told to put a sector at a specific location, its going to do its own mapping and if its detected an area of the disk is going bad, it will put the new data someplace else leaving the old data there where you can't delete it as a user.

  • Hi,
    The only non-destructive method that works well is a bulk tape eraser. A tape eraser contains a very weighty coil that generates an extremely strong magnetic field.
    When I was in the Navy, that is what we used to erase hard media that contained TS information. The thing had a warning about not wearing a watch, using it near anyone wearing a pacemaker, or using it within 10 feet of any media that you didn't need to erase.
    Laying that puppy on top of a hard drive for half an hour will randomize it _quite_ well. I don't want to make any guarantees about the drive electronics, though. So proceed at your own risk.
    You can probably find one at a place that handle commercial video. Try the Yellow Pages.

    Cheers!
  • My College roomate worked for the Airforce as a computer guy while he was in college. They had a harddrive on a topsecret machine go bad. Before they could send it in to Seagate to get a replacement they took the cover off the drive and sanded the platters with a rotary sander. I am pretty sure all that data was erased.....

  • Granted I'm no expert on hard drives at a purely hardware level, but I don't think this would be that hard to do.

    Start with the usual re-partition and reformat so you have a completely blank drive. Then completely fill up the drive with essentially meaningless crap, white noise. Then reformat again to blank it. All data should be completely gone.

    Something like Eraser [tolvanen.com] should do it I'd think. Granted it's for windows, but I'm sure there'd be a Linux or BSD equivalent somewhere.
  • by ndfa (71139) on Wednesday February 21, 2001 @10:08AM (#413765)
    right click on the drive and choose format, quick format is nice and fast!!!

    ;)
  • Several wiping programs are available that will overwrite data multiple times with binary patterns - checkerboards, solid 0's, solid 1's, random patterns, etc. Even after all of that, it is still possible for an organization with lots of resources such as a data recovery service or a three-letter agency to recover the residual remains of the data, though it would be very difficult.

    The only sure way to eliminate the data entirely is to completely destroy the media. Sandpaper on hard disk platters or CD-Rs (the top side, make sure you sand off the silver and dye layers) works, incinerating also works. Be careful. I saw a case where a suspect tried to destroy a floppy disk with incriminating evidence by cutting it up with scissors. The FBI was able to put the disk back together like a jigsaw puzzle and recover the data. Make sure there is nothing left of the recording surface.

  • There isn't a cut and dry answer in my opinion. It all depends on the data you're trying to destroy. The more undesirable the outcome if the data escapes the greater the lengths you've got to go to obliterate it.

    If you're a newlywed and getting rid of your vast pornography collection a format is probably sufficient. Rewrite over the data with a random pattern if you're paranoid your new wife will use Norton Marriage-Breaker 2K1.

    If you're dealing in contraban, whether the contraban is on the harddrive or the harddrive just contains incriminating evidence, destruction of the device would be your best bet. Remove the platters, stick them in the microwave for a few seconds (mostly just for the fireworks), sand them, sand blast them and melt them.

    Just like cryptography the lengths you should go to depend on the difficulty in going to those lengths, the probability that those lengths can be compromised and the cost if those lengths are compromised.

  • Blancco Ltd. [blancco.com] is a company that sells piece of software that erases your hard drive permanetly. It is based on Septem OverWrite method that they have developed which seems to consist of overwriting the data seven times with random data. They claim that it is impossible to recover the data but the hard disk is still usable. See the Brochure [blancco.com] and decide for yourself if it makes any sense.

    No, I don't work for them, they are just located a few blocks away from where I live.
  • wipedisk - old Norton applet writes 1s and 0s to the disk in alternate patterns. Read more below.

    I can't speak for how it was done other than 1990 - 1993 .. I was enlisted with an MOS (Military Occ. Speciality) of 4063 (programmer) with a secondary MOS of 4066 (small systems specialist). Oddly, I never programmed, and spent all of my time as a PC specialist and LAN guy.

    Norton (pre buyout) had a nice tool called wipedisk. Put this on a bootable floppy, set it in the autoexec.bat to execute and let it go to town. The app wrote 1 and 0 in alternate patterns to every byte on the drive.

    If memory serves, our standards were to write in 1s, then 0s, then 1s again. This was standard practice for all drives that held classified data, including the unix servers (long story behind THAT bit o' weirdness).

  • Others have already suggested it, and even though you're looking for a method that will keep the drive intact and usable, I think the best way is to completely annihilate the drive. With drive prices being as low as they are, it'd probably be cheaper and more secure to do this occasionally than it would be to invest in software to do it, and still not be sure that the data *really* is gone.
  • Like all questions with security, the answer depends on your threat. Ensuring data isn't recoverable by your spouse or parents is very different from ensuring it isn't recoverable by a TLA.

    PARENTS: <code>dd if=/dev/zero of=/dev/hdc</code> will make the disk appear empty to anyone who uses the standard access hardware.

    TABLOID JOURNALISTS: you'll probably want to use one of the multi-pass programs. Civilian data recovery sites might still be able to pull up the data, but multiple writes (properly done) will make it expensive enough to discourage most people. If the material is sufficiently sensitive (e.g., you're protecting medical records of celebrities and the tabloids have been caught dumpster-diving) you might want to proceed to the next step.

    TLA: big vat-o-acid to dissolve the platter. Forge to heat the platter to melting temperature, or at least hot enough to completely scramble all magnetic domains. Heavy duty sanders, again producing enough heat to scramble any magnetic domain that survives the abrasion and magnetic fields in the motor.

    ALL: don't forget that data rarely exists in only one place. It's a waste of time to carefully scrub hard disks, yet toss backup CD-Rs into the trash as-is.
  • by chipuni (156625) on Wednesday February 21, 2001 @10:35AM (#413773) Homepage
    Give it to a five year old. They can destoy anything .
  • None of these are guaranteed to be 100% effective, but they're probably better than doing nothing.

    • Low-Level format the drive. No, that's NOT the same as a typical user-land format. We're talking actual hardware-level. This is usually not done on hard drives, simply because it has a tendancy to mangle them.
    • Place the drive in a variable, high-power magnetic field. Ideally, the magnetic field should be comparable to those used in linear accelerators. You -DON'T- want a constant field, though, unless you want the drive permanently magnetized, rendering it useless.
    • Smash the heads against the buffers, repeatedly, until they're no longer aligned with where they were. Don't go too far, or you'll lose the heads altogether.
  • I went to www.ontrack.com to see if, by chance, they had a FAQ like "Can I erase my data to the point that even you can't recover it ??". Didn't find it, nor did I look very hard, but did find this faq [ontrack.com]
  • by Smitty825 (114634) on Wednesday February 21, 2001 @10:35AM (#413776) Homepage Journal
    Here is a fool-proof method to keep people from even wanting to read your data:

    For the next week, take all of the Trolls posts on Slashdot and store them in random places on your harddrive where the data needs to be destroyed. Anybody who trys to read that data would get so sick of reading "Frist Post", "wh00p", "pron" & "3133t h4x0r" and seeing lots of nasty goatse.cx links that they would immediatly dispose of the hard drive without getting any sensititve material

    I guess that method wouldn't work if you were a troll trying to cover your footsteps, though! :-)
  • it *must* be a slow day at Slashdot.

    format just really seems to make the data go away, but it's still available w/ the right tools - just like deleting a file doesn't really make it 'go away' but removes the first letter of the file name, making the space available to the OS (okay, okay, that was how it is/was under FAT16) I'm sure other file sysetm types are similar.

  • by Wakko Warner (324) on Wednesday February 21, 2001 @11:32AM (#413778) Homepage Journal
    In order to truly erase a drive, for good, you need to wipe it dozens of times. There are data recovery centers that can recover files on drives that have been written to (i believe) 8 or 9 times after a file has been deleted or a disk has been formatted, so if you're not going to damage the surface of the drive, you're going to need to format like crazy, and fill it with junk every time.

    - A.P.

    --
    * CmdrTaco is an idiot.

  • by JediTrainer (314273) on Wednesday February 21, 2001 @03:00PM (#413779)
    All of you who said that no matter what, data can't be erased, gave me an idea.

    Unlimited storage.

    That's right. Every time you need more disk space, simply delete something not used in a while, then overwrite it with a new file. Need that old file back? Great - have the filesystem automagically run a recovery on it. Put it into the kernel, and we've got blackholefs.

    The end result is a bottomless pit of unlimited drive space :) Even more interesting is that the files you use the least may eventually become unrecoverable and forgotten over years, lessening the need to clear out your clutter. Files that you haven't used in a while might take a bit of time to come up, but you usually won't mind the wait. Stuff you use all the time will always be available. So how about it, kernel hackers? And my sig's appropriate this time around, too!

    (and yes, I am joking, but if someone can think of a way to really do this them I'll REALLY be impressed!)
  • Impossible, the platters of a Hard Disk are about the density of Card-board
  • There are two scenarios: with disk reuse and without. Without disk reuse, you simply destroy the magnetic material by raising it well above the curie temperature for a long time. A conventional gas or electric oven (NOT a microwave) will do the job fine, just remember to pierce or open the casing to avoid an explosion! The weakness of this is that the bad guys can still find the dead drive and get suspicious. You could use thermite or other thorough destruction method, but that can leave evidence that's even more suspicious. A domestic oven is a very innocent degausser. If you want to keep the use of the disk (you might have a regime of regular data shredding - weekly, maybe) then you have to accept compromise. Although you won't have to explain the molten pool of metal, your disks will still retain the secure deletion software, so that might need explanation. Also, for technical reasons, there is NO WAY to guarantee complete destruction of all data. You can make it difficult to recover. You can make it so difficult that it isn't worth they're making the effort, but they just might get lucky and recover something important. It's a matter of a trade-off. One method is to use encrypted loopback devices to store the data in the first place. Just change your password (which you NEVER wrote down) and they'll have to break AES to recover it. This is quick and easy, just give the device the new password and store something innocent in it and hand the new password to the baddies. Destroying plain text is difficult, destroying encrypted data is not so bad. Just a thought.
  • by satch89450 (186046) on Wednesday February 21, 2001 @11:46AM (#413782) Homepage

    Lawrance Livermore used to take decommissioned hard drives and Syquest style media in the green area and dump the platters into a vat of acid. Floppy disks went through the three-pass shredders, so you end up with fine magnetic dust.

    The original specification for overwriting disks containing classified but not secret data called for 300 overwrite passes, alternating between all-zeros, all-ones, alternating zero-one, alternating one-zero, and "worst case pattern" (for those old MFM drives, the 16-bit pattern 0xDAC3). You needed to know the exact drive geometry, because you want to do all the tracks on a platter individually, using a back-and-forth sweep so as to get into the guard bands as much as possible.

    (In other words, wipe from cylinder 0-max on head zero, then from cylinder max-0, then go to the next pattern and wipe. Then you go to the next head.)

    Is it worth it? At today's prices, I don't think so.

  • Where I work, we have a tape degausser that is powerful enough to erase all of the credit cards in your wallet and stop your heart pacemaker if you are anywhere near it while it is in operation. It still isn't powerful enough to erase high coercivity media to NSA standards.
  • Know where I can get one of those??
  • There is a little hacker tool called "Burn" [staticusers.net] that has been out for the mac for like 5 years (i know i know, nobody here uses a mac....)

    Burn is a file-deletion utility that does what this poster just described---you can set the pattern (0000, 1111, or maybe 1010101)---and the number of passes it makes. Highly configurable.

    Also has a command to "erase free space" on the hard drive---same options as the file deletion, only it cleans all the os-marked "free space."
    --
  • Several wiping programs are available that will overwrite data multiple times with binary patterns - checkerboards, solid 0's, solid 1's, random patterns, etc. Even after all of that, it is still possible for an organization with lots of resources such as a data recovery service or a three-letter agency to recover the residual remains of the data, though it would be very difficult.

    About a year ago I worked for a company (which shall remain nameless) that tasked me with writing a secure disk wiping algorithm. I did a little homework, and found that the US Department of Defense had a recommended 7-pass algorithm. A little more homework, and I discovered a crypto guru named Peter Gutmann [auckland.ac.nz] who had a 35-pass algorithm. I implemented both of those, and then took it a step further and allowed the user to create a custom wiping algorithm, up to 99 passes (I figured any more than that would probably be overkill). We had a professional cryptographer on staff who assured me that even after 99 passes of overwriting the data on disk with different patterns, the NSA or some other such agency could still recover the data if they wanted to badly enough. I had my doubts, but then I've never ventured into the field of electron microscopy.

    Anyway, the project was killed due to management/marketing cluelessness, so we never actually shipped it, but it sure was educational to implement. I had been under the impression that simply overwriting a file even once with 0's and 1's would be enough to render it unrecoverable, how naive I was.


    --

  • I do not know. Mine is from a 1960s disk drive that was nine feet tall, had two stacks of twelve platters, and used hydraulics to move the heads. It did not have much capacity, but it had a good transfer rate due to reading 12-bit words off all 12 platters in parallel. Support for them got very expensive around 1980 so they probably all vanished around that time, and that was when I got mine.
  • AFAIK standard procedure for local law enforcement/military in Sth Australia is to utterly physically destory the drive (crush it, melt it ...) then BUY a replacement.

    Like some other people have said, it's much cheaper and securely reliable to destoy and replace the HDD, at least that way they can't cause a national security problem by loosing them behind photocopiers (see the Los Alamos incident late last year) ;)
  • You can erase the drive with software. But the reason why you can recover data from a drive erased with software is magnetization creeping.

    The magnetization starts out as a narrow track with a high signal to noise ratio. If the magnetization is not altered it will slowly spread out from the narrow track.

    You might want to think of it as a hill of sand: over time the hill will be worn down and spread out, but it will still be a hill.

    If you have written something a year ago the magnetization will have spread some. If you overwrite the data today then it will be possible to read the one year old data by reading just beside the track. If you overwrite the new data tomorrow it will still be possible to retrieve the 1 year old data, but it will be significantly harder to retrieve the data written yesterday.

    So: while it does help to overwrite data several times, it is still possible to retrieve data that has been on the drive for long.

    If data is only altered once a year, it will be possible to retrieve the individual years. I think IBAS [www.ibas.dk] is capable of recovering up to 6 generations back. As you might expect this is not cheap.

  • Good one! Don't answer the wrong question, answer the right one: "how do i prevent others from reading my data?"

    If everyone remembers, Kevin Mitnik's encrypted hard drive [slashdot.org] was in the possession of the FBI for years, and they couldn't get the data off it.

  • Then it was either Flash or had a battery built into the module.
  • Strikes me that mechanical media may not suffice in high secrecy operations. You'd be better off to run a solid-state drive with no battery. With a relatively innocuous label "accidental" erasure would be guaranteed. Secrecy is always perceptual - preventing physical access or high strength encryption would be much more efficient methodology.
  • I realize that from this story is not so much about security as it is science, but honestly; unless it's a 80gig 15,000 rpm Ultra160 SCSI HD that's $1200 to replace, if you have anything THAT sensative that you MUST destroy the data, just destroy the drive. If it is that big of a deal what is on the drive, a $140 drive is probably not worth the effort. Better yet, if it's that important, just don't do anything that would piss off a 3 letter agency.


    "Everything that can be invented has been invented."

  • We never wanted to spend the time required to overwrite with hundreds of streams of non-algorithmically generated data. In order to do this properly, we'd have to spend literally hours at it.

    So, we'd go down to the chem lab and rub the harddrive with a Vigorous Circular Motion [TM] against the side of the NMR machine (MRI for you politically correct types) that houses the liquid-helium cooled superconducting electromagnet. If you forgot to leave your wallet in another room, you lost all the mag stripes on your library cards etc.

    This worked, but it so thoroughly polarized the heads and platters that they became useless for recording or reading anything ever again. This really pissed off the recyclers we were selling old hard drives to - they wanted to pull the heads out or something, anyway they complained A LOT.

    The chem guys, incidentally, thought this was a ton of fun. They liked showing off their machine, I guess.
    --Charlie
  • Wow, strike the solid state theory, from http://www.cs.auckland.ac.nz/~pgut001/secure_del.h tml.

    Contrary to conventional wisdom, "volatile" semiconductor memory does not entirely lose its contents when power is removed. Both static (SRAM) and dynamic (DRAM) memory retains some information on the data stored in it while power was still applied. SRAM is particularly susceptible to this problem, as storing the same data in it over a long period of time has the effect of altering the preferred power-up state to the state which was stored when power was removed. Older SRAM chips could often "remember" the previously held state for several days.
  • I thought that I should just mention, to all those people recommending software solutions, they don't mean squat to someone willing to have the drive analysed by a professional data-recovery service. Mondern drives are getting harder and harder to erase this way and modern OS's don't help either, both abstract the actual physical data so much that you can't be abusolutely sure about anything.

    Take ext2fs for example, to prevent fragmentation it stores files all over the surface of the disk, if a file grows in a way that would fragment it the entire file is moved to annother location on disk to prevent this fragmentation. That means you now have two copies of the file on disk.

    There are also stupid bugs possible in this software (well, any software has bugs but . . . ). For example a couple of months ago someone on Bugtraq noted that shread (or wipe, I can't remember) truncated the file to 0 bytes before it overwrote it, this had the effect of creating a new file on disk and doing _nothing_ to the existing data, which can be recovered by a simple grep of the raw disk device.

    Even if your wipe software works the hard disk itself abstracts the actual structure of the disk with things like automatic bad block relocation and such, making it impossible to know for certain that your sensitive data doesn't exist in a backup area of the hard drive.

    I guess the important consideration is who are you trying to keep the data from, people who are going to use:

    1. Software: If you expect that your attacker will be limited to accessing the disk using only normal software than dd if=/dev/zero of=/dev/hda would work fine.
    2. Hardware: If someone is going to take apart the drive (business rival, military foe) then nothing short of melting your drive into slag (Blowtorching for Fun and Profit!) will help you, anything less is a waste of time.
  • I've heard the same thing from many of the ex-military i work with, but I also hear they did the same with monitors back in the day. (because classified text might have been burned into the screen)

  • Works for me too. WD suck. Also, I have found that installing Windows 2000 and using it's NTFS filesystem reduces the waiting period significantly.
  • I don't really see how a DOS batch file (which "Hard Drive Killer Pro" is, and a bad one at that) can physically damage the hard disk, let alone really wipe the data out to the point of non-recoverability...?

    If you are a script kiddie, at least do it on Linux.
  • From what I have studied and been told, there is nothing you can do to the data that would make it impossible for a determied foe with bottomless pockets (i.e., NSA, FBI, other evil-three-letter-acronym) to get the data. You must completely de-gauss the hard drive to do it, which is only theoreticly possible. You must destroy the hard drive completely.

    Using an EMP device would be good, but it still might not be enough. However, going in this direction might have some great side effects if it's strong enough. Imagine this: The FBI breaks into your home with the mandatory guns and dogs, then you hit the button for the EMP device. They load all your stuff in their van, turn the ignition and . . . nothing. The EMP fried their van's computer. Ha Ha, suckers!

    Some sort of explosion might do it, but it still might be possible to pick up every little peice of the hard drive and put it back together (unlikely, though). Burning it isn't really enough (there are data-restore compaines that restore burned hard drives all the time). The last two options are going to totaly destroy it anyway, so you might as well make sure the job is totaly done.

    For this, you need something like thermite [thermite.org]. Useing this on your hard drive, it becomes diffcult to even say "this is a hard drive" *g*.


    ------

  • Its really not that hard. All you need is to write an assembly or a low-level C program that gives direct access to individual bits and sectors of the hdd and change all the bits to 0 xor 1. I wrote one a while back and it really didn't take me very long to do so. This is really easy to do in from a boot disk in LINUX.
  • by mojo-raisin (223411) on Wednesday February 21, 2001 @11:52AM (#413802)
    GNU fileutils has a program called 'shred' that writes over a harddrive ~30 times in a way that makes data recovery ~impossible. I have two drives in my Linux box. What I do is mount the one I want to wipe out as ext2. Then

    shred -z /dev/hd[a,b,c or d]

    It takes ~6-8 hours to wipe out a 10GB drive.
  • Well, if you are going the sandpaper route, you might as well drop the platters (or the whole drive) in some nice strong acid, or possible a smelting furnace... that should take of it.

    --
  • The general military standard, as I recall, is to place random 1s and 0s eleven times over the unwanted data. I believe I saw this on a TLC or Discovery program on cyber warfare.

    --
    Spelling by m-w.com [m-w.com].

  • ... is to run the Win95 installer program on it. Guaranteed to erase all data, ext2 partitions, hpfs partions, mbr, everything.

    No special configuration options needed, and in many cases technically counts as overwriting with totally random data. :)

    Dave

  • by rjh (40933) <rjh@sixdemonbag.org> on Wednesday February 21, 2001 @12:12PM (#413806)
    • The naieve way

      Delete your files. This will keep a six-year-old from recovering them. If you're running a UNIX which doesn't have a recycling bin, nor a broken file system which still leaves data lingering intact long after "deletion", then you'll be able to keep a seven-year-old from recovering them.

    • The cryptographic way

      Follow the following procedure:
      1. Overwrite all your data with 0xFF.
      2. Overwrite all your data again with 0x00.
      3. Overwrite all your data with a good random or pseudorandom stream of data.
      4. Repeat this process at least seven times--more if you like.


    • The smart way

      Follow the cryptographic method outlined above. Then get out a sledgehammer and physically destroy the drive. Drop the platter in a metal wastebasket, douse it in lighter fluid and set the thing on fire. Don't stop until the platter is totally destroyed.
    ... All this may sound overly paranoid, but if your data really is that important it's the only way to go. A new hard drive is $250 nowadays; the cost of important secrets getting out is easily a few orders of magnitude higher. Physical destruction of media is the only way to be fairly certain that the data is destroyed.

    Keep in mind that the cryptographic method may fail, and even a bulk degausser isn't guaranteed. They can do amazing things with electron microscopy today.
  • dd if=/dev/urandom of=/dev/(h|s)da

    do that several times... if you're really paranoid you can use /dev/random, but it will take longer (because you'll have to wait for entropy)

  • Use the hard drive killer from Hackology [hackology.org]

    It's software for windows, but this shit is crazy, it will physically damage the drive. If you use something like Blowfish Advanced CS [www.bsn.ch] to wipe the drive of everything and clear the free space with a 30x write, and then use the Hard Drive Killer, and then maybe open the drive and put the pladders in a blender, it'd be damn near impossible for anybody to get anything.

  • In the USAF about 20 years ago, usual process for the drives with the 2' platters was just to sand them until they were dull and then sand them until they were nice and shiny again. Then take a vise and a hammer and bend them in half and then half again. I've still got one on my wall(it is /such/ a pain to unbend those things:)

  • In Cryptonomicon the guys are so paranoid that they have the doorway to the server room setup as a magnetic "trap"... if someone leaves with the disks, they're erased with no effort.
    Good book.
    PGP comes with a disk wipe utility... will wipe the hard drive anywhere from 8 to 256 times.
  • Many years ago, I read about how the military destroys hard disks that have contained highly secret data. (I believe this was in comp.risks or sci.military). The procedure was as follows:
    • overwrite the disk using something like Norton "wipedisk"
    • take the disk under armed guard to a secure facility
    • use thermite to melt the disk into slag. If any slag still looks like a recognizable part of a hard disk, use more thermite.
    • bury the slag.

    Now that's secure.
  • Memory is recoverable from DRAM/SRAM for some time. Not trivially, but it takes a long time for the electron density in all of the cells to return to a statistically meaningless state.

    An excellent example of this was the recent Concorde crash. I recall reading a little blurp about how it used a solid state memory data recorder which had lost power... yet the investigators were still able to extract most of the information from it.

  • The version I heard floating around was a somewhat urban-legendish-sounding story of <some vendor, possibly Norton> trying to sell <some product, possibly "wipedisk"> to <some security-paranoid gov guys, possibly the military, Lawrence Livermore Lab, etc.>. The military (or whatever) guys listened politely to the vendor's pitch, then said "That's nice, but let me show you how we destroy classified data..." and led them over to where they had set up some sort of guillotine thing, put a drive in, and chopped it in half; the message was "we don't need no steenkin' software -- if it's important, we can afford a new drive"; the vendor was suitably chagrined, etc...

    Of course, the guillotine thing wouldn't be nearly as effective as the various other versions already posted (acid bath, thermite, etc.), which for that reason sound much more probable, but it's interesting that someone would have said it that way -- I guess to the less-imaginative, the guillotine makes an easier image (embellish the story with loud noises, pieces of platters and arm assemblies flying around, etc.) To me, the acid bath / thermite sound more impressive, but maybe it takes a little more sophistication to visualize. The embarrasing-the-vendor part seems extraneous, especially as it assumes the vendor would have failed to know better.


    David Gould
  • A "low-level" format on a modern drive probably won't really low-level format it, especially if it uses some sort of servo information track or tracks that the drive's electronics are programmed to not overwrite. The factory can use a much more expensive machine to write sector markers with a much stronger magnetic field than can be generated by the heads that the drive ships with. Running a low-level format program that only uses the drive's own heads and electronics can possibly refresh some sector markers that are starting to fade magnetically but they probably won't write new ones anywhere where the old ones weren't.
  • But then you've got Win95 on it, and the idea is to leave it usable.
  • Crackers used to use a coil of cables wrapped around the harddrive and hooked up to a 120V outlet and a lightswitch. Then if someone came into the house to confiscate the computer and hit the wrong light switch when entering the room, the 120 volts through the coil of cables would generate a massive electo magnetic field that would wipe out all the contents of the drive and be completely unrecoverable. Of course you might have a lot of melted wires on the drive too.
  • Source is here: fileutils-4.0.41 [gnu.org].

    For the theory behind it, see "Secure Deletion of Data from Magnetic and Solid-State Memory" [auckland.ac.nz].

    On-line documentation (if you have the package installed already):

    $ info 'file util' basic shred

Life would be so much easier if we could just look at the source code. -- Dave Olson

Working...