[unisog] Wiping hard drives before computer transfer

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Jan 27 07:07:16 GMT 2003

On Sun, 26 Jan 2003 13:49:04 EST, Ben Compton <Ben.Compton at sw.edu>  said:
> I've had data recovery people tell me that they know of nothing that will
> recover the data (within reason of course).  Have I been fed a line on this
> or have I figured out a good way to take care of my old drives?

This depends on what "within reason" means.

One pass of all-zeros *will* stop any casual recovery of the data by just
popping it into a PC and seeing what you read back.

It however will probably be possible with a bit of hardware and access to
a clean room - I've seen quotes of as low as $5,000 in hardware to do it.
And I've heard of case-modders who have modded disk drives by using a bathroom
as a clean room by running a *cold* shower for 15 mins beforehand to knock
the dust down. This *is* well within the range of "basement tech".

Multiple passes (especially with different bit patterns) make it exponentially
more difficult to recover. Current thinking is that after 3 or 4 passes,
it would probably require the sort of funding usually found only at TLA's
and very determined corporate adversaries.

You probably don't need to worry about TLA's.  However, if you ever scrap
info that's worth more then $5K (think "identity theft" if you let a list of
names/SSNs loose), an attacker might be tempted to buy the hardware, snarf up
several dozen disks, and see if they get lucky.  So you probably want more
than one pass...

Zeroing a 20GB drive with one pass of zeros shouldn't take 4-5 hours.  Get
yourself a Knoppix (http://www.knoppix.net) disk, boot it, and:

dd if=/dev/zero of=/dev/hda bs=1024k

I've done this to a 20G drive in a Dell GX110 in under an hour.

Getting a second pass of all-ones (untested, should work):

dd if=/dev/zero bs=1024k count=20 | tr '\0' '\377' > /tmp/ones
(while [ 1 ]; do dd=/tmp/ones bs=1024k; done) | dd of=/dev/hda bs=1024k

If you want a third pass of random data:

dd if=/dev/urandom of=/tmp/random bs=1024k count=20
(while [ 1 ]; do dd if=/tmp/random bs=1024k; done) | dd of=/dev/hda bs=1024k

You may have to lower the count=20 to what will fit in the ramdisk - it's
2AM and I'm not about to check.. ;)

Don't use /dev/random, that will take *forever*.  And if the cryptographic
difference between urandom and random, or that you're repeating the same 1M
over and over matters, you should be using thermite instead anyhow. ;)

That's probably a bit under 3 hours for a 20G drive, and should stop the
average basement techie. ;)

				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20030127/6d7dae84/attachment-0006.bin

More information about the unisog mailing list