Delete does not equal erase

Delete does not mean erased when it comes to a hard drive or USB stick. While it’s a lot harder than they make it look on CSI and most forensic analysts probably wouldn’t make a second casting call, data that was believed to be deleted can be recovered by people you may not want to have access to it. 

Contrary to popular myth, formatting a drive, or holding down the shift key while deleting, does not make the data unrecoverable.  Businesses and home users should be wiping their computers and external storage units before they dispose of them.  While most government departments require the drives to be crushed, and thermite is much more fun, for most of people and smaller businesses, simply writing zeros to every single sector will do the job.  ( There is an urban myth that you need to wipe the drive seven times, but we’ll “bust that” in a later post).

 

While I don’t advocate using computers for illegal activity and covering your tracks, nearly every household and business in Canada has at least a computer or two. When you drop the computer off to the recycling depot those hard drives still contain your accounting and banking records, pictures of your kids and so forth.  They may aslo contain credit card numbers which is why the PCI council insists on safe destruction of computer equipment within your card holder data environment.

Contrary to popular myth formatting a drive or holding down the shift key while deleting does not make the data unrecoverable. The following steps will indeed make the hard drive data unrecoverable, and may even qualify as “safe destruction” for PCI scoped equipment but check that out with your QSA.

Erase an external hard drive:

DD for Windows is a free tool that is an extension/port  of the UNIX tool  “DD”  that is a fundamental building block in system adminstration and forensics,  and it runs very well on Windows.  As a long time UNIX/Linux user, I prefer to see what is going on at the lowest level if possible. While there may be graphical tools out there that allow you to push a button called “Erase”, when it’s my data, or my customer’s data I want to guarentee it’s all gone.

http://www.chrysocome.net/dd has both the program download and a lot of good instruction on the general use of the tool. Rather relist that content, or one of the many other excellent tutorials on everything you can do with DD,  this is a simple step by step to erase an external drive with free tools — on Windows!

Installation is pretty easy, download, unzip and run it.  John Newbigin’s tool works from a command line so you need to open a Windows command prompt and change to the directory that you unzip the files into.  DD for Windows, is a single executable, just like the UNIX version, you change how it works by passing parameters to the program.

Content listing of DD
Content listing of unziped DD for Windows

Just like it’s UNIX ancestor, there is no “are you sure” button, so the list command is essential to confirm that you are directing zero’s to the correct drive.   Luckily the “dd –list” command will make this fairly painless,  the volume number, guid and the mounting letter are all displayed so you can ensure you are overwriting the correct device.

DD listing drives
Identify the correct drive using DD list

“Trust but verify”, may seems a little rude but downloading software off the Internet without out cross checking a few things is not a good idea.  It’s not as thorough as a full source code review but the “mountvol” utiltity is included with Windows operating systems and offers a good double check that DD is identifying the correct drive.

listing drives by mountvol
confirming the last numbers of the drive GUID

A quick triple check through Explorer gives a good level of comfort that “j:\” really is the drive I want to erase.

Confirming drive content Explorer
Using Windows Explorer to confirm drive contents

DD is simple, there is an input device and an output device; and it moves the content of one to the other. If you get them reversed then you get first hand experience about the lack of “are you sure” buttons.

In this scenario a reversing mistake would mean the data from your drive would be sent to the DD for Windows program’s /dev/zero file, but since this is destruction you can just reinstall the program and try again. When using DD to recover the contents of a disk for forensic investigation, such a mistake could destroy the only evidence you may have. This is just one of the many reasons that forensic data recovery should not be attempted by untrained employees unless assisted by a computer forensic’s professional. 

In this example we use a /dev/zero  as our input file, (if=/dev/zero), and the output is the disk we want to overwrite, (of=\\.\j:). 

DD zeroing a drive
DD pushing zeros onto drive J

For the historians and trivia buffs I do believe “if=”  is short for input file equals/is, making “of” the output file.  This is legacy UNIX at its best, “everything  is a file”.  Think about the drive you are writing to as a big container of zeros and ones that the computer operating system uses to store your files and programs, and you are forcing everything to zero whether it was zero or not. You now have the general concept without the need to sit through a computer science class on file systems.  

Just like DCFLDD, DD for Windows has a progress feature. This may seem trivial but this process will take a LOOONG time, it’s good to have some reassurance that things are progressing as expected. On a 250 gig hard drive, using a modern computer, this will take a bit more than two days to complete.  You can use your computer for everything else you’d normally do, and DD for Windows will just chug along in the background, writing zero after zero to your hard drive, consuming left over data as it goes. 

Proving nothing is left on the hard drive but zeros is a posting for another day, or some Google fun.  More CSI like though, so do check it out.

Delete does not equal erase

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top