Wiping hard drives and partitions thereof

When I want to get rid of a hard drive, I wipe the whole thing. I generally use a tool called dd or its slightly more robust counterpart dcfldd.  Many arguments have been raised over the best method to use when wiping a drive: Is setting all the bits to 0 good enough?  Should you use random or pseudorandom patterns?  How many passes do you have to make?  After reading Overwriting Hard Drive Data: The Great Wiping Controversy, I decided to stop worrying about all the multi-pass/random issues and just wipe with zeros.

In order to use dd or dcfldd, you’ll need to know the /dev address of the drive, and you’ll need to make sure it’s not mounted.

You can use fdisk to figure out the address of the drive.  Because fdisk can seriously mess up your drives if you don’t know what you’re doing, the system will require you to use it as root.  So for Ubuntu-type systems use

sudo fdisk -l

You can read the information that fdisk returns in order to figure out which drive you want to wipe.

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xd23d125d

Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1       12507   100459526    7  HPFS/NTFS
/dev/sda2   *       17932       19457    12257595    7  HPFS/NTFS
/dev/sda3           12508       17931    43568280    5  Extended
/dev/sda5           12508       17703    41736838+  83  Linux
/dev/sda6           17704       17931     1831378+  82  Linux swap / Solaris

Partition table entries are not in disk order

Disk /dev/sdc: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x854e21a8

Device Boot      Start         End      Blocks   Id  System
/dev/sdc1   *           1       19457   156288321    b  W95 FAT32

Disk /dev/sdd: 4110 MB, 4110230016 bytes
16 heads, 63 sectors/track, 7964 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes
Disk identifier: 0xe9a6ec0b

Device Boot      Start         End      Blocks   Id  System
/dev/sdd1   *           1        7965     4013865    b  W95 FAT32

If you have more than one disk on your system, it can feel like a lot of information to go through, but use the headings to help you figure out which drive you want to wipe.  Note the size of the drive.  You can also use grep to show just the headings (which indicate the size) for each drive:

sudo fdisk -l | grep '^Disk /d'

This returns a much smaller amount of information:

Disk /dev/sda: 160.0 GB, 160041885696 bytes
Disk /dev/sdc: 160.0 GB, 160041885696 bytes
Disk /dev/sdd: 4110 MB, 4110230016 bytes

Note: This is enough information if you mean to wipe an entire drive, but if you want to wipe a specific partition within a drive, you will need to know the partition number, and the full fdisk -l listing above provides that information.  So if I know that I want to wipe my 4GB flash drive, then I’ll use /dev/sdd.  But if I want to wipe one of the partitions on my internal drive (which is set up to dual boot Windows and Linux, hence the many partitions), I’ll need to know the specific partition number that goes on the end of the device name.  In short, /dev/sda represents the entire drive, and /dev/sda1 represents one of the partitions on that drive.

Before you continue, make sure the partition is not mounted.  Use the mount command to see if and where your partition is mounted.  If your device shows up in the results, then use umount to unmount it, like so:

sudo umount /dev/sda1

Now to the actual wiping.  The command line recipe is pretty simple, but keep in mind that it’s really powerful.  You will overwrite every bit on the drive or partition in question.  All that data will be gone.  That’s the point of this exercise.

So here’s the simple little recipe for overwriting every single bit on your /dev/sda1 partition with zeros:

sudo dd if=/dev/zero of=/dev/sda1

It’s that simple. And if you want to wipe the entire drive instead of just the partition:

sudo dd if=/dev/zero of=/dev/sda

Now, if you’re like me, you’d prefer some feedback with your wiping tool, which is why I prefer to use dcfldd over dd.  They essentially do the same thing, but dcfldd gives you information on how many blocks and MB it has overwritten so far.  Using /dev/zero for the input file (that’s what the “if=” means) makes for pretty fast overwriting onto the output file (the “of=” part).  But when you’re overwriting a 1 terabyte hard drive, it can still take a while, so having the feedback is nice.  To use dcfldd, use the same commands as above but replace dd with dcfldd.

Here’s an example of dcfldd’s output while it’s working:

rix@rix-laptop ~ $ sudo dcfldd if=/dev/zero of=/dev/sdd
2048 blocks (64Mb) written.
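
An added example, not part of the original post: bash functions that check whether a target or any of its partitions is mounted or active as swap before wiping, and that read the target back after the zero-fill to confirm every byte is zero. The function names and the sample table are constructed; consulting /proc/mounts and /proc/swaps and the read-back with cmp are additions to the recipe above.

```shell
#!/usr/bin/env bash
# Added example: pre-flight "in use" check and post-wipe verification.
# Function names and the sample table are constructed for illustration.

# Constructed sample in /proc/mounts layout, plus one /proc/swaps-style line.
sample_table() {
    cat <<'EOF'
/dev/sda5 / ext4 rw,relatime 0 0
/dev/sda1 /media/windows fuseblk rw,nosuid,nodev 0 0
/dev/sdd1 /media/usb vfat rw,nosuid,nodev 0 0
/dev/sda6 partition 1831376 0 -2
EOF
}

# in_use DEVICE [FILE...]
# Prints each entry whose source is DEVICE or one of its partitions.
# Returns 0 if anything is in use, 1 if the target is clear.
# Defaults to the live kernel tables when no FILE is given.
in_use() {
    local dev="$1"; shift
    [ $# -gt 0 ] || set -- /proc/mounts /proc/swaps
    awk -v d="$dev" '
        # sda -> sda1, sda5 ...; names ending in a digit (nvme0n1) -> nvme0n1p1
        BEGIN { pat = (d ~ /[0-9]$/) ? "^p[0-9]+$" : "^[0-9]+$" }
        $1 == d || (index($1, d) == 1 && substr($1, length(d) + 1) ~ pat) {
            print $1; found = 1
        }
        END { exit !found }
    ' "$@"
}

# zero_and_verify TARGET
# Zero-fills TARGET over its current length (block device or image file),
# then reads it back against /dev/zero. Returns 0 only if every byte is zero.
zero_and_verify() {
    local target="$1" size
    if [ -b "$target" ]; then
        size=$(blockdev --getsize64 "$target") || return 2
    else
        size=$(( $(wc -c < "$target") ))
    fi
    head -c "$size" /dev/zero | dd of="$target" bs=1M conv=notrunc 2>/dev/null || return 2
    sync
    cmp -s -n "$size" "$target" /dev/zero
}
```

Run in_use with only the device name to consult the live system, and run zero_and_verify as root when the target is a real device. Device-mapper or LVM volumes layered on the target do not appear under its /dev/sdX name, so this check will not see them.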

Wiping individual files and free space

Back when I still used Windows, I used a tool called Eraser to delete individual files and/or free space on a drive.  For those who still work in the Windows world, I highly recommend this freeware tool.

I have looked for something comparable in the Linux world, but haven’t yet tried any of the tools I have found.  I did, however, find some information that I might make use of in the future:

Howto Delete Files Permanently and Securely in Linux lists several tools (shred and a suite of tools called secure-delete) that might fit the bill for file deletions.  Although, the article also makes the claim that

Starting with ext3, Linux filesystems overwrite files with zeros when you delete them, rather than just marking the file as “free space.”

which I don’t believe is true at all.

Another article I found, Secure Erase in Unix, notes a tool called scrub, which can supposedly wipe free space when used with a certain option.

As a general disclaimer: Use this information at your own risk, and don’t blame me if you screw everything up.
