Are We Completely Wiping That Hard Disk?

wrench2

Guest Post by Micah Lahren:
"I’ll just run DBAN on it and that will be good enough."
Is that really good enough? What if the individual or business in question is required by law to complete an erasure protocol up to a certain level of security? In some countries, including the United States, laws requiring secure erasure of data are also accompanied with a punishment if the protocol is not followed, such as fines of $250,000 and 10 years imprisonment.

Is your client’s company disposing of old hardware, or do you have a client with sensitive data who desires complete and total erasure of data? Jackhammers, wrenches, and explosives may be more enjoyable methods of destruction, but what if the user would like to use the old hardware for non-sensitive data in another way, such as an external hard drive for storing personal data of a non-sensitive nature? DBAN it, right?

Why DBAN Isn’t Enough

On the official dban.org website, DBAN is heralded as a “self-contained boot disk designed for consumer use”. The key word in that statement is ‘consumer’. DBAN and similar software intended for wiping hard disks are known as software based overwrites, or ‘clear level processes’, and are vulnerable to recovery without requiring laboratory methods. For instance, if you know what the HPA is (Host Protected Area), you’ll know DBAN doesn’t wipe it. Why should we worry about the HPA?

The HPA can be used by rootkits to hide from Anti-Virus software, manifesting again upon a reinstall of an operating system. The HPA is also used by some vendors to store data relative to the installations of software. One security firm is known to use the HPA to load software that reports back to their servers when the machine is connected to the internet. An employee could use the HPA to store data which would be hidden from many wiping tools, and recover that data later after the drive had been supposedly ‘wiped’ of all data and considered free to use in other applications.

In view of the above currently known uses, including the looming recent threat of cyberwarfare, this alone could present a high security risk for many companies and government entities. Many erasure tools do not touch the HPA or other hidden areas of the drive, which are inaccessible to many wiping tools. How can we effectively eliminate all data on the hard disk without physically destroying it?

Secure Erase

Secure Erase (SE) is a feature built into all ATA drives with 15 GB or greater capacity manufactured after 2001. There is also a Secure Erase command for SCSI drives as well, but you may not find it on all drives, as it is an optional feature. Basically, executing a SE command will virtually shred all electronic data on the hard disk in question. It will completely wipe the HPA and other hidden partitions on disk drives, which means any area of the drive which is available for hiding data will be completely wiped, beyond known forensic recovery.

SE will also wipe sectors that are unused by the drive due to errors. It performs a single pass, and that one single pass is more than enough, as technical testing confirmed that multiple passes were unneeded as far as additional erasing was concerned. This single pass meets U.S. Requirements for secure erasure of data for the regulations concerned, with the exception of highly sensitive data which requires complete physical destruction of the disks. Unless you’ve got top secret government files on your hard disk, SE should fit the bill for most clients.

A Freeware Tool That Implements Secure Erase?

That’s right, it’s completely free. And while the NSA has unfortunately dropped support of this great tool, it’s still available. It also utilizes something called Enhanced Secure Erase technology, which the FAQ for this utility details: Enhanced secure erase writes predetermined data patterns (set by the manufacturer) to all user data areas, including sectors that are no longer in use due to reallocation. It’s called HDDerase, and can be found here: http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

Due credit goes to G. Hughes of UCSD CMRR for this utility. I won’t go into the details of all the technical aspects of the utility, but there’s a data sheet referenced on the web site you can read that goes into deep detail on the methods used.

Basically, HDDerase is a DOS-based utility for ATA hard disks. You can boot it with an antique 3.5 disk, or boot it from a CD. The last time I checked, HDDerase is also available on the Ultimate Boot CD, and is probably on a few other less known boot cd’s along with other tools useful to techs. It can also be booted from a USB flash drive as well. This utility can also bypass the ‘security freeze lock’ which the BIOS sometimes executes when it detects the drive.

Make sure you use version 3.1 or later, as these versions allow you to remove the HPA as well as the DCO on the disk. While this tool cannot be guaranteed to work on absolutely every hard disk in the field, it has worked on every hard disk I’ve had thrown at me for erasure. Scan the readme file provided on the official site before running the utility, just to be sure you cover all your bases. Simply boot it up, follow the prompts, and you’ll have a forensically clean hard disk that is beyond recovery as far as data is concerned, and still have a usuable disk for other applications.

Guest Post by Micah Lahren – Micah covers a wide spectrum of the tech industry, including PC repair, front-end development, WIMAX networking and installation, and more. He currently works with an ISP in Texas that also provides web hosting/design and computer repair, although he’s been tinkering with computers since he was 6 and eventually turned it into a career. He also enjoys traveling and doing volunteer missions in other countries.



Contributor

About the Author

This article was written by a contributor. Please see their details in the post above. If you would like to write for Technibble, check out our Jobs page here.

Comments (23)

  • skdmaster says:

    I was just at a trade show for D&H last week and one of the vendors there was showing off a drive erase device that caught my attention. It is sold under CRU Dataport and the link to it is http://www.wiebetech.com/products/Drive_eRazer_Ultra.php

    Has 12 different ways to erase the drive, the ability to printer 2 types of labels to a Zebra printer that certifies the erase printer, doesn’t tie up a computer to erase the drive, and easy to use. I have one ordered to start playing with it.

  • eikelein says:

    Quote: “One security firm is known to use the HPA to load software that reports back to their servers…”

    This is an anonymous statement like “…everybody knows…”; has little to no value for me. PLEASE either name the culprit(s) and/or link to your source. If it’s true you don’t need to be afraid of their lawyers.

    • Micah says:

      It’s not the only security firm that uses this technology, but the Computrace product line, by Absolute Software, is known to use this technology.

  • Simon Zerafa says:

    Finally someone else gets the message that DBAN is not enough! Or rather it does the task in the wrong way :-)

    Even the HDDErase utility will not work in all cases though. It’s not guaranteed to work on SATA controllers unless the BIOS / UEFI code is up to the job.

    The only reliable solution I have found is the HDD Erase script within the Parted Magic live CD.

    This script uses HDParm in the correct way to actually use Enhanced Secure Erase to completely wipe the drive properly.

    Even the HDparm included with DBAN will not work as it’s an older version with bugs which means it will not work on larger drives correctly.

    Regards

    Simon

  • iisjman07 says:

    I’ve used the secure erase & hdparm before and found that hdparm had much better hardware support.

    I normally just tend to ‘dd if=/dev/zero of=/dev/[hard disk] bs=1M’ and use dd to zero out a drive.

    • Simon Zerafa says:

      Hi,

      It’s not so much that HDPARM is widely compatible but that Linux will support lots of different mass storage controllers fairly easily.

      The same solution could be written for Windows (using Windows PE + Drivers) but no-one appears to have done it.

      HDPARM under Linux is the best way to utilise Enhanced Secure Erase and Parted Magic has the best overall hardware support and ease of use for using HDPARM that I have discovered so far.

      Believe me I have looked; any product out there that is even offering Secure Erase is using HDPARM and many of them (like DBAN) are using old buggy versions which won’t work on larger hard drives.

      Use Parted Magic and donate to the author; it’s free to download.

      Regards

      Simon

  • Jeff Gibbs says:

    I would like to second the vote for the use of Parted Magic. Hdderase is no longer being maintained by its creator though you can still get it. I am a big fan of the secure erase method of data destruction but I usually follow it up with a second block level utility as well when I am wiping Hard drives. Its probably overkill but it soothes my paranoid side….

    The Erazer product mentioned above is supposed to be quite good. Some day IO want to play with one. please let the forum know how well it works for you.

  • Bryan Brower says:

    The link provided in the article (http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml) is dead as of the time I am writing this comment.

    • Cheryl Capps says:

      I too find the link dead at the time of this writing

      • Micah says:

        Perhaps it was temporarily down, the web site was still up when I checked it today, and I double checked with another online service to make sure.

  • Dave says:

    Do any of the hard drive manufacturers tools wipe the HPA area?

  • Warren says:

    We’ve been using Active@ KillDisk for while now. Works a treat.

  • Simche Dovid says:

    http://www.secureerase.org no longer offers the app as freeware but as a free 30-day trial version. Big difference!

  • Neal says:

    Thanks for a well written article and very informative user comments (Parted Magic, etc.)

  • Paul says:

    I would have liked to use Secure Erase utility in many situations to sanitize a hard drive but have found that most motherboard BIOS’s prevent access by something called a freeze lock or something to that effect. A list of motherboards that actually permit SE would be extremely useful.

  • Shane Fowler says:

    I use Peter Gutmann’s method of overwriting 35 times.. It may be a bit excessive for most of us since hard drives are no longer but I am a security freak.

    but lets see anyone get the data back.. If you dont need the hard drive again you could try using thermite to completely melt a hole right through the Hard Drive. Its much more fun than a sledge hammer(much more dangerous and toxic too)

  • Mike Smith says:

    Thanks for the post. It’s good to visit this information on a regular basis.
    Here is how to do it with hdparm and linux as well as some nice additional info on erasing drives.
    @Paul you will find info on un-freezing the drive in the link.
    http://tinyapps.org/docs/wipe_drives_hdparm.html

  • Darryl says:

    I use a drill press and a 1/2″ drillbit…

  • nef says:

    Damn, I’ve been ignorant to this. Everyone always heralds dban as perfection, thanks for showing me the light.