27

I'm looking for a quick, simple, and effective way to erase the hard drives of computers that my company will be getting rid of (donation to charity, most likely). Ideally, I would like a single-purpose bootable utility CD that upon booting, finds all attached hard drives and performs an "NSA grade" disk erasure.

Is anyone aware of such a utility (even one not quite as automated as what I've described)?

HopelessN00b
Mike C.
  • 1
    I know you said you wanted to donate. I usually physically destroy the disk. A hammer works pretty good. – Alan Aug 19 '09 at 19:18
  • 5
    Alan, actually in all seriousness, a hammer won't work that well if someone with serious resources wants the data because it might not actually affect the magnetic data that much. – Kyle Brandt Aug 19 '09 at 19:23
  • 3
    Semtex, C4, TNT? – Nick Kavadias Aug 19 '09 at 19:37
  • 9
    Thermite. After it cools, if there is anything recognizable as coming from a drive, thermite it again. Bury the slag in a secure location. – Paul Tomblin Aug 19 '09 at 19:39
  • 4
    Thermite, man. The solution to all your problems (drive data or otherwise). – womble Aug 19 '09 at 19:39
  • 1
    Destroy it. A pneumatic press (if you have access to a good workshop) works well and produces less mess than thermite. – rodjek Aug 19 '09 at 22:44
  • 1
    The man said that he wants to DONATE the disks gentlemen. That being said, there is some kind of machine that eats hard drives like fat girls eat kebab. Only splinters come out. I saw it at a video about Google DCs. – dlyk1988 Sep 08 '13 at 22:24
  • 1
    @dsljanus, My local electronics recycling place has one of those. They disassemble computers dropped off, locking hard drives in secure crates which are then promptly taken to this beast of a shredder. – Brad Sep 08 '13 at 23:28
  • I used to wipe & donate drives but I now have an Ubuntu private cloud (MAAS + OpenStack) and recycle them myself into the nodes (two each) and let MAAS delete the partitions when it releases the node. It works like Amazon EC2 plus S3 if you're unfamiliar with the concept. – Michael Blankenship Sep 10 '15 at 16:08
  • Note - this question is about hard drives, not more modern SSDs. There's a whole mess of separate considerations with wiping SSDs for reuse, and old-fashioned overwriting is hard on SSDs. – Criggie Mar 02 '22 at 02:06

14 Answers

36

DBAN:
dban, Darik's "boot and nuke" bootable CD, will do this. It takes a while, but that is because it really makes sure everything gets erased when you use the longer format options.

Keep in mind 'sure' and 'fast' are opposing forces with something like DBAN. The faster the wipe, the easier it will be to recover the data.

Other Options:
If you have a lot of drives, you might consider looking at 3rd party vendors that provide this service, lots of companies that shred paper will do this service as well (for tapes and hard drives). If this is something you are going to be doing a lot in the future, you might want to buy a degausser. Both the 3rd party vendor and the degausser options will destroy the drives for future use, but you could still donate the rest of the hardware.

Kyle Brandt
  • Beat me by 36 seconds. :( – EBGreen Aug 19 '09 at 18:57
  • 2
    Please note that even after zero-ing out a drive, some forensics can still recover data. However, using DBAN to overwrite with zeros is safe enough. The safest way, of course, is always a hammer and a degausser :) – SilentW Aug 19 '09 at 19:00
  • 3
    I'd trust a belt sander before I trust a degausser... Or an Enron style shredder. – chris Aug 19 '09 at 20:13
  • 8
    @SilentW: That is very probably a myth. While it is *theoretically* possible to recover overwritten data, no one has actually accomplished it in practice. Even if it can be done, it's most likely so hideously complicated / expensive that you don't need to worry unless you're protecting state secrets. See e.g. http://www.nber.org/sys-admin/overwritten-data-guttman.html – sleske Oct 12 '09 at 11:12
  • 5
    BTW, as fun as it is, it's not very nice to configure DBAN as the default PXE boot image on a network :) – MikeyB Oct 14 '09 at 23:20
  • DBAN was certainly a great tool in its day, but time's moved on and the last release is 2.3.0 in June 2015, or 8 years ago as of now. I cynically suspect this is to push users toward their commercial offering "blancco drive eraser". Nowadays you probably want **ShredOS** instead, which can be found at https://github.com/PartialVolume/shredos.x86_64 This also handles SSD much better than DBAN did – Criggie Mar 02 '22 at 02:05
16

    dd if=/dev/zero of=/dev/hda

Seriously, I don't know any way of getting rid of data faster or easier. There's even a challenge for data recovery companies to restore anything that has been erased with dd. Nobody has been able to do it.

Best part: the drive is usable afterwards. I've used DoD spec'd erasing programs that actually didn't work (the system was bootable afterwards). dd, and no boot. Plus dd is faster.

It takes a bit to learn how to use dd, but I've used it for data recovery on failing hard drives (think if=/dev/hda of=/dev/sda) and it has worked wonders. Don't know how it works, and don't care, it's awesome.

Steve Butler
  • 1
    You can pass a second wipe with dd if=/dev/urandom of=/dev/sda – Bart Jan 07 '12 at 13:20
  • @SteveButler Came here to say about dd. I have known about the challenge for years, and it has always seemed like black magic to me. I use it regularly though, with client data, because, magic or no magic, it does work. I have done a little research and it seems that the challenge is legitimate and nobody has won the prize. – dlyk1988 Sep 08 '13 at 22:30
  • @Bart: using /dev/urandom is waaay slower than /dev/zero. Depending on the level of confidentiality required, I'd rather make several passes alternating between /dev/zero and [/dev/one or /dev/zero-one equivalents](http://stackoverflow.com/a/18534993/812102) (with `\377`, then replacing the `\377` by `\001`, etc.). Not as secure as seven passes of /dev/urandom of course, but it should give some hard time to the guy willing to dig into it. – Skippy le Grand Gourou Oct 29 '13 at 18:23
  • Note that the [Great Zero Challenge](http://www.hostjury.com/blog/view/195/the-great-zero-challenge-remains-unaccepted) has long ago expired, thus making claims that nobody has won it could be considered a little bit misleading. – Dave Jarvis Feb 04 '17 at 00:07
  • That is true. But from a practical perspective, a full dd zero is incredibly difficult to recover from. If you can afford to smash drives, that's the fastest/surest, but for the rest of us, there's been no published way of recovery from a full zero to date. see related Skeptics article: http://skeptics.stackexchange.com/questions/13674/is-it-possible-to-recover-data-on-a-zeroed-hard-drive – Steve Butler Feb 06 '17 at 18:10
  • Would this solution work on a Windows machine, via Cygwin/bash? Are there any caveats to bear in mind in such a case? – Hashim Aziz Aug 04 '17 at 04:55
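A zero-fill pass like the `dd if=/dev/zero` one in the answer above only helps if it reached every byte, so a read-back check is worth running afterwards. The script below is an added example, not part of the original answer or its comments; the function names are hypothetical, and the demo works on a constructed scratch image file rather than a real disk.

```shell
#!/usr/bin/env bash
# Added example: zero-fill a target and prove by read-back that the pass
# covered every byte. The demo touches only a scratch image file.

# Size in bytes of a block device or a regular file.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"
    else wc -c < "$1" | tr -d ' '; fi
}

# Write zeros from offset 0. With no byte count, cover the whole target;
# a smaller count simulates a pass that was interrupted part-way.
zero_fill() {
    zf_bytes=${2:-$(target_size "$1")} || return 2
    head -c "$zf_bytes" /dev/zero | dd of="$1" bs=65536 conv=notrunc 2>/dev/null
    sync
}

# Return 0 only if every byte reads back as 0x00 (2 = target unreadable).
verify_zeroed() {
    [ -r "$1" ] || return 2
    # On a real disk, drop cached blocks so the read comes from the device.
    if [ -b "$1" ]; then blockdev --flushbufs "$1" || return 2; fi
    # Delete all NUL bytes; anything left over is surviving data.
    vz_left=$(tr -d '\000' < "$1" | head -c 1 | wc -c | tr -d ' ')
    [ "$vz_left" -eq 0 ]
}

demo() {
    img=$(mktemp) || return 1
    # Constructed stand-in for a disk: 256 KiB of non-zero filler.
    head -c 262144 /dev/zero | tr '\000' 'A' > "$img"
    zero_fill "$img" 131072            # interrupted pass: first half only
    verify_zeroed "$img" && echo "partial pass: clean" || echo "partial pass: data remains"
    zero_fill "$img"                   # full pass
    verify_zeroed "$img" && echo "full pass: clean" || echo "full pass: data remains"
    rm -f "$img"
}
demo
```

The check confirms only what the operating system can address; areas hidden from it are outside the read-back.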
7

If you are decommissioning the drives physically, Bustadrive is a good choice.

[Image (source: pcpro.co.uk)]

Glorfindel
MikeJ
  • 3
    That is simply AWESOME! – Chris Aug 19 '09 at 23:13
  • This looks like it would keep kids and your neighbors from looking over your data but it might not really prevent the Chinese Intelligence agents from recovering your data if they were really interested... – chris Aug 20 '09 at 00:08
  • I am sure that if you are concerned about your data in the hands of foreign intelligence, I am sure a consumer grade crusher isn't going to do it. My guess is that you grind it and slag it. – MikeJ May 03 '10 at 14:34
6

Center for Magnetic Recording Research:

Secure Erase

From the Q & A doc:

Secure erase has been approved by the U.S. National Institute for Standards and Technology (NIST), Computer Security Center. In general data erasure techniques when used alone are approved by NIST for lower security sanitization (less than secret) since the data can be recovered at least in theory.

Pang
pbrooks100
5

Warning: Issuing any of the following commands can result in permanent data loss.

The SUSE blog suggests these commands:

  • shred:

    shred -v -n 1 /dev/sda3
    
  • scrub:

    scrub -p dod -f /dev/sda3
    
  • dd:

    dd if=/dev/urandom of=/dev/sda3
    

See also: https://unix.stackexchange.com/a/136477/26227

Dave Jarvis
4

Seconding dban. "NSA" level wipes take 6-8+ hours to fully write to the drive the required number of times. Simply writing over the entire disk once will make it safe from anyone who lacks specialized and costly tools to manually read the data from the drive.

If a disk uses 0's and 1's to hold data, imagine writing everything to 0 makes those 1's into 0.2's. A special tool can read that 0.2 and recognize it used to be a 1.

Wiping it fully twice (all 0's, then all 1's) is sufficient to make a recovery extremely expensive and require even more time and specialized tools.

SirStan
  • 6
    Seconds are generally supposed to be a comment on the original answer plus an upvote. – EBGreen Aug 19 '09 at 18:57
  • 5
    One pass is enough on modern drives - see http://serverfault.com/questions/959/how-should-i-securely-wipe-data-from-a-hard-drive/1213#1213 and http://blogs.sans.org/computer-forensics/2009/01/15/overwriting-hard-drive-data/ – Hamish Downer Jun 30 '10 at 13:27
  • 2
    One pass is enough for anything in the last 20+ years; not just "modern" drives. – Chris S Oct 14 '14 at 18:03
3

Damn! I need at least 10 rep to post more than 2 links. So I converted the links to code. Anyway, here goes -

Why I wanted to do a "full erase" - malware infection.

I quickly glanced at most of the answers and did ctrl +f HPA, then DCO. I saw that the answers don't mention one crucial aspect - removing data from "secret areas" in your HDD such as HPA (Host Protected Area) and DCO (Device Configuration Overlay).

I am no expert, rather an average user, but I have gained some knowledge on the internet. These areas matter in two cases -

  • If you have malware, especially rootkits and bootkits.
  • If you are a forensic investigator.

Software of any kind (malware) can be hidden in the HPA and DCO areas. If you don't wipe these areas too, and the (sophisticated) malware has infected them, chances are that your infection will return after a "full erase" and reinstall of (Windows) OS. A forensics guy might want to see if a criminal has hidden secret data in these areas.

DBAN does NOT wipe the HPA and DCO -

http://www.dban.org/node/35

DBAN suggests other paid solutions for these purposes, by its partner Blancco -

http://www.dban.org/node/34

Btw, Blancco advertises on DBAN software.

HDDErase by CMRR has an HPA and DCO removal feature, but it's an old project which was not supported/continued after 2007 or so.

http://cmrr.ucsd.edu/people/Hughes/documents/HDDEraseReadMe.txt

BC Wipe Total wipeout is a $50 tool that clearly mentions its ability to wipe DCO and HPA. It's OS independent, I think.

http://www.jetico.com/products/personal-privacy/bcwipe-total-wipeout/

See features.

Hdparm is a free Linux based solution. I am using it right now, in the hopes of wiping my HPA and DCO, as per this tutorial -

https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Companion docs for hdparm tutorial -

http://tinyapps.org/docs/wipe_drives_hdparm.html#n3

manual for hdparm -

http://linux.die.net/man/8/hdparm

BUT, this approach is full of challenges. My system threw up problems in many steps of the above tutorial. To solve all those problems, I had to read more and each step becomes like 5-6 sub-steps. So, it's not as easy as following 10 steps and being done with it. I am seriously considering throwing away my old HDD and getting a new one. I have wasted... no, spent 2 days so far.

Btw, if you want to run Linux (Ubuntu distro) with minimum hassle, then get it free off their website and install it on a USB flash drive (at least 4GB) and boot off that flash drive. Once you see Ubuntu, then open your browser and download the .deb file for hdparm. Open it with Ubuntu Software Center to install it. Now you can invoke hdparm via terminal. I do this method of installation instead, because the sudo apt-get install command fails for me for some strange reason.

To get an idea of how much I have suffered thus far, see my profile or check out the question at -

https://serverfault.com/questions/537336/how-do-i-erase-a-harddrive-100-including-hpa-and-dco-areas

https://security.stackexchange.com/questions/42031/continuation-of-a-question-how-do-i-erase-a-harddrive-100

HTH anyone who is stuck and irritated by this problem.

Deen
  • HDDErase is perfectly serviceable even today. – Michael Hampton Sep 08 '13 at 21:58
  • @MichaelHampton - please tell me why, so that I can confidently use it instead of running around in circles. – Deen Sep 08 '13 at 21:59
  • It just sends the SECURITY ERASE UNIT command to the drive. This only requires that it be able to see the drive, which is trivial. – Michael Hampton Sep 08 '13 at 22:00
  • @MichaelHampton - I am tempted to do it. Hell, I'll do it now. Buut, one person who wrote a wiki for hdparm tool has a concern about it "The freeware DOS tool can also perform a ATA Secure Erase, although controller support is spotty at best. " Don't see the proof for it though. https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase Go to bottom of link. – Deen Sep 08 '13 at 22:08
  • HDDErase fails when I select emm386 method in first screen. Error - emm386 has detected error #pi symbol goes here3 in an application at memory address 0000:008e. To minimize the chance of data loss, emm386 has halted your computer. For more info, consult your (ancient) documentation. I pressed enter to restart my computer, but it is not restarting. HDDErase fails! – Deen Sep 08 '13 at 23:02
  • Does this actually provide a solution to the problem? – Drew Khoury Sep 15 '13 at 01:16
  • @DrewKhoury - I am afraid not. See the tinyapp link which says - "The answer is manufacturer(mf)-specific, and only mf know the exact details. However,the idea is...blah..."low-level format" command.">> Basically, if your HDD mf implementation of secure erase does not erase HPA and DCO, then you can't be sure if those areas are erased when hdparm makes the request. Call your HDD mf or see the HDD data sheets to find out how they implement SECURE ERASE. OR, try bwipe which I think claims to be "nsa/dod standard". Hopefully, the software will live up to its claims. – Deen Sep 15 '13 at 05:50
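The answer above turns on whether a Host Protected Area is hiding sectors from the operating system, because an overwrite through the block device never reaches them. The script below is an added example, not part of the original answer: it reads the output of `hdparm -N` (the tool the answer names) and reports how many sectors are hidden. The function names are hypothetical, the sample output is constructed, and the `max sectors = visible/native` line format is an assumption about what `hdparm -N` prints. It covers the HPA only, not the DCO.

```shell
#!/usr/bin/env bash
# Added example: detect a Host Protected Area from `hdparm -N` output.

# Constructed samples in the "max sectors = visible/native" format that
# `hdparm -N /dev/sdX` is assumed to print; the sector counts are made up.
SAMPLE_HPA_ON='/dev/sdX:
 max sectors   = 976771055/976773168, HPA is enabled'
SAMPLE_HPA_OFF='/dev/sdX:
 max sectors   = 976773168/976773168, HPA is disabled'

# Read `hdparm -N` output on stdin and print the number of hidden sectors.
# The two counts are compared directly instead of trusting the trailing
# status text. Exit 2: no "max sectors" line; exit 3: visible > native.
hpa_hidden_sectors() {
    sed -n 's|^[[:space:]]*max sectors[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)/\([0-9][0-9]*\).*|\1 \2|p' |
    awk 'NR == 1 { found = 1
                   if ($2 < $1) bad = 1
                   else printf "%.0f\n", $2 - $1 }
         END { if (!found) exit 2; if (bad) exit 3 }'
}

# Return 0 only if an overwrite through the block device would reach
# every native sector, i.e. nothing is hidden behind an HPA.
overwrite_covers_whole_disk() {
    oc_hidden=$(hpa_hidden_sectors) || return 2
    [ "$oc_hidden" -eq 0 ]
}

# Demo on the constructed samples. On a real system the input would come
# from: hdparm -N /dev/sdX | hpa_hidden_sectors
for sample in "$SAMPLE_HPA_ON" "$SAMPLE_HPA_OFF"; do
    hidden=$(printf '%s\n' "$sample" | hpa_hidden_sectors)
    if printf '%s\n' "$sample" | overwrite_covers_whole_disk; then
        echo "hidden sectors: $hidden -> overwrite reaches the whole disk"
    else
        echo "hidden sectors: $hidden -> HPA must be removed before wiping"
    fi
done
```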
2

I use thermite. Of course it's a little hard to donate them to charity, but they sure are thoroughly unreadable.

Insyte
2

Thermite is definitely fast, and secure in the data sense. It is not exactly easy to work with.

Your other option is a big magnet, it's fast too. You don't need to get fancy with degaussing, waving a strong magnet can ruin sufficient data, including the error correction bits.

dlamblin
  • 1
    I was being a bit facetious in that it is the safest way to destroy your data *very* quickly, but a power drill is a close second in terms of speed and reliability of destroying the data in an almost as secure way as the big burn. A tool like dban will take hours and a big magnet will likely not really do anything unless you shove it right up against the platters. – chris Aug 20 '09 at 00:12
2

You don't need thermite or nitro, just take the drives apart and take the platters out (and keep the voice coil magnets from the head positioning assembly, they're super-strong rare-earth magnets, very useful), and break them. Just taking the platters off the spindles will make it impossible for almost anyone to read them (I've read different things about whether it's possible for anyone to get the platters re-aligned), and if you break the platters into a few pieces, that should be it. I guess you could still thermite the platters if you're really worried...

Ward - Reinstate Monica
1

dban is the proper tool to use if you are planning on using the drive for some other application or donating it to another party or selling it.

If you want it to be fast and completely unambiguously safe, nothing beats thermite. Somewhat slower but less likely to surprise your neighbors is a drill. Again, you won't be reusing the results anywhere so charity donations are out the window after the drill or thermite...

chris
  • 1
    I keep all laptops laced with thermite just in case: http://www.youtube.com/watch?v=5EVJFg4dxVA . Also, I always, keep extra thermite right next to my extra tinfoil hats :-) – Kyle Brandt Aug 19 '09 at 19:19
1

Oh for [goodness] sake, if you want to erase the data securely use autonuke at the command prompt in DBAN. If you want to physically get rid of the thing just throw it into the [friendly] fireplace, or fill up the sink and submerge it in water. Or get a hammer and bash the little nutter to bits. The easiest solution is, of course, the water. But then again you must consider, how highly do you think of yourself to think anyone's after your petty [friendly] data?

squillman
1

Hammer 'em and forget about donating. A number of charities don't accept computer equipment anymore because they've gotten non-working gear dumped on them. A lot of computer gear is hazardous and shouldn't just be thrown in a dumpster. Charities get saddled with disposal costs, so they just say no to PC gear.

@Kyle Brandt, the idea is to hammer them so the platters inside shatter into tiny bits and dust. That is impossible to read.

user18330
-3

How about just filling the drive with many meaningless huge files?

A batch file --> 1000 Copies of a random .vob DVD file. Sequential filenames.

And then a simple quick format.

  • This doesn't seem very efficient, and unless you can get full coverage of the disk (which would require various file sizes or some math) may leave unerased gaps. – voretaq7 Nov 12 '12 at 06:00