10,000 seconds (2.7 hours) to write 1 terabyte of data, which is about right on relatively new computers.Flash wrote: As I understand it, modern hard disk drives are capable of sustained writing speeds near 100 MB per second. At that speed, it would only take a few hundred seconds to fill a terabyte hard disk drive.
Best way to completely wipe a hard drive?
1. I used a sledgehammer on a HDD, and was astonished at how tough it was.rcrsn51 wrote:It's called a hammer.
Had to prop one end [of the HDD] up on the kerb, and the other down on the road, and thwack it in the middle to attempt to bend it.
It wouldn't crush flat.
2. I think this was after I'd removed the magnets.
They are really FORCEFUL.
If you allow them to attach to something, they are difficult to get off.
I have one stuck to the [metal edging strip under the plaster on the] corner of a wall, as a bumper for the [magnet on the] fridge door to hit.
3. I wish there were an easy way to use magnets to hang stuff on walls.
e.g. My central heating controller.
-
glassparrot
- Posts: 286
- Joined: Sun 01 Jun 2008, 16:07
- Location: Durango, Colorado - USA
- Contact:
I've found it's better to go buy the proper size Torx screwdriver and take the hard disk apart, dismount the platters and then bend, scratch and break them up.Sylvander wrote:I used a sledgehammer on a HDD, and was astonished at how tough it was.
In regards to using dd to wipe disks... yes using /dev/zero as the input in the way you've listed in your first post is COMPLETELY sufficient for cleaning the data off the disk and making it unrecoverable. I always toss in a bs=4096 parameter, because it makes dd run a lot faster... although, as someone else mentioned, you could plug in an even larger power of 2 (eg bs=8192).disallowed wrote:dd if=/dev/zero of=/dev/sda
Wiping a disk takes a long time... so this is a command you can run in a second terminal to make dd cough up the information on how much progress it's made, thus far.
Code: Select all
sudo kill -USR1 $(pgrep ^dd)
Wiping a magnetic disk with one pass of zeroes is NOT sufficient to prevent recovery of the data. I have recovered disks for companies when they have been wiped with just one pass and I don't even have any special disk reading tools.
It takes a minimum of two passes with varying random data to hide edge effect data from even the standard hardware.
SSDs should be clear after deleting the data and leaving the power on for sufficient time to allow garbage collection to clear the cells.
It takes a minimum of two passes with varying random data to hide edge effect data from even the standard hardware.
SSDs should be clear after deleting the data and leaving the power on for sufficient time to allow garbage collection to clear the cells.
"Just think of it as leaving early to avoid the rush" - T Pratchett
Please provide evidence of some sort that you, or anyone for that matter, can recover data from a disk that has completely been overwritten one time.Burn_IT wrote:Wiping a magnetic disk with one pass of zeroes is NOT sufficient to prevent recovery of the data. I have recovered disks for companies when they have been wiped with just one pass and I don't even have any special disk reading tools.
It takes a minimum of two passes with varying random data to hide edge effect data from even the standard hardware.
SSDs should be clear after deleting the data and leaving the power on for sufficient time to allow garbage collection to clear the cells.
You claim is anecdotal, and contradicts all empirical evidence. Furthermore, there is no published research supporting your claim.
I'll say this one more time:
You can read a given spot on a disk 10,000 times and it will return the same value. There is NOTHING software can do to change what the read head will read in that spot. That's WHY disk storage works.
There is no magic "software" that will change how a read head reads.
My claim is based on actual fact.
I (that is me myself, not an imaginary person) was contacted by an analyst who was doing work for the Ministry of Defence. He had a disk in his possession that had been wiped and reformatted and given to him to produce his reports on.
He did his thesis for his PhD and saved it on the disk. He submitted the thesis and because it contained secret research deleted the disk. The report got lost and he contacted me to recover it from the disk for him.
Much to our surprise, not only could I recover his report (which was expected) but the tool I used recovered quite a lot of classified data that was supposedly securely wiped before he got the disk.
As a result disks are no longer reused by the MOD, but are physically crushed.
It is you who do not know what you are talking about.
I (that is me myself, not an imaginary person) was contacted by an analyst who was doing work for the Ministry of Defence. He had a disk in his possession that had been wiped and reformatted and given to him to produce his reports on.
He did his thesis for his PhD and saved it on the disk. He submitted the thesis and because it contained secret research deleted the disk. The report got lost and he contacted me to recover it from the disk for him.
Much to our surprise, not only could I recover his report (which was expected) but the tool I used recovered quite a lot of classified data that was supposedly securely wiped before he got the disk.
As a result disks are no longer reused by the MOD, but are physically crushed.
It is you who do not know what you are talking about.
"Just think of it as leaving early to avoid the rush" - T Pratchett
I can see myself agreeing with Burn_IT here, or at least, I can see the possibility that he's not blowing smoke.
My reference would be an entirely different kind of drive, though. 5.25" floppy drives.
There are two basic kinds, as far as PC-compatible drives are concerned, differentiated by the capacity of the disk once formatted. 360k disks are what the original IBM 5150 Personal Computer used, and the 1200k (1.2meg) "high density" disks --and drives for them-- came somewhat later.
If you have two computers, one with a 360k drive and one with a 1.2meg drive, and you want to swap data between them, you will find your task immensely frustrating. A 360k disk can be easily read by a 1.2meg drive -- but if you then write to that disk with that drive, the 360k drive will have a real time of it reading that new data!
It seems that 360k drives used a bigger area and stronger magnetics to, er, make their mark. A 1.2meg drive is designed for each bit to occupy a physically smaller space on the same disk, and, necessarily, that space will have a weaker field to it.
Erasing a disk, may superficially do the job -- but modern drive magnetics and erase methodologies, as implemented in consumer equipment, are not meant to withstand forensic data recovery techniques. They just aren't.
It's a bit like erasing that 360k disk with a 1.2meg drive -- there's going to be *something* left over, and I can very easily see that something being enough to recover the data in question.
My reference would be an entirely different kind of drive, though. 5.25" floppy drives.
There are two basic kinds, as far as PC-compatible drives are concerned, differentiated by the capacity of the disk once formatted. 360k disks are what the original IBM 5150 Personal Computer used, and the 1200k (1.2meg) "high density" disks --and drives for them-- came somewhat later.
If you have two computers, one with a 360k drive and one with a 1.2meg drive, and you want to swap data between them, you will find your task immensely frustrating. A 360k disk can be easily read by a 1.2meg drive -- but if you then write to that disk with that drive, the 360k drive will have a real time of it reading that new data!
It seems that 360k drives used a bigger area and stronger magnetics to, er, make their mark. A 1.2meg drive is designed for each bit to occupy a physically smaller space on the same disk, and, necessarily, that space will have a weaker field to it.
Erasing a disk, may superficially do the job -- but modern drive magnetics and erase methodologies, as implemented in consumer equipment, are not meant to withstand forensic data recovery techniques. They just aren't.
It's a bit like erasing that 360k disk with a 1.2meg drive -- there's going to be *something* left over, and I can very easily see that something being enough to recover the data in question.
Close!It seems that 360k drives used a bigger area and stronger magnetics to, er, make their mark. A 1.2meg drive is designed for each bit to occupy a physically smaller space on the same disk, and, necessarily, that space will have a weaker field to it.
The heads were bigger on the 360 drives but were actually weaker.
The heads were smaller on the 1.2 drives but the magnetic field was stronger and more concentrated ( because it occupies a smaller area but still needs a similar total field)
The disks were different as well. If you held one of each next to each other you could plainly see they were a different colour since the higher capacity needed a denser material.
I think I may still have some disks upstairs, but I sold my drives (silly) when they were making daft prices on Ebay.
"Just think of it as leaving early to avoid the rush" - T Pratchett
Here's a challenge that will prove it, then:Burn_IT wrote:My claim is based on actual fact.
I (that is me myself, not an imaginary person) was contacted by an analyst who was doing work for the Ministry of Defence. He had a disk in his possession that had been wiped and reformatted and given to him to produce his reports on.
He did his thesis for his PhD and saved it on the disk. He submitted the thesis and because it contained secret research deleted the disk. The report got lost and he contacted me to recover it from the disk for him.
Much to our surprise, not only could I recover his report (which was expected) but the tool I used recovered quite a lot of classified data that was supposedly securely wiped before he got the disk.
As a result disks are no longer reused by the MOD, but are physically crushed.
It is you who do not know what you are talking about.
Someone in the US who wishes to help with an experiment about this, send me a used drive that you don't care about the security of the data, and I will wipe it and return it to you.Take a pic of the label recording the model and serial number so we know there will be no substitution. You will then have Burn_IT give you a link to the software that will recover the data on the disk.
After you run the recovery software, report back with the results. I will be content with whatever the outcome is.
Of course, more simply, Burn_IT could just post a link to this special software and we can all test his assertion for ourselves.
This is science, not religion. In science, assertions must survive peer review. Any other technologist should be able to duplicate his result.starhawk wrote:@jafadmin -- you can't just believe him, can you...?
I have tried half a dozen different applications to try to recover a wiped disk, to no avail. Some were DOJ forensic recovery tools coupled with special forensic hardware specifically built for the task.
-
L18L
- Posts: 3479
- Joined: Sat 19 Jun 2010, 18:56
- Location: www.eussenheim.de/
Disclaimer: I'm not a data recovery expert, so take what I've said with a (large amount) of grain of salt.
I tend to agree with jafadmin in general. A spinning platter harddisk that have been dd-ed using random data (random data, not all zeros or all ones), even once, will be very difficult to recover, if not plain impossible.
Here are my reasons:
---
In *theory* you can recover the overwritten data. A very simplistic model is like this: A "zero" overwritten over a "one" will have different magnetic strength than a "zero" overwriting a previous "zero". Combined with the hysteresis left in the guard area, you can have better than chance in guessing the overwritten bits.
That being said:
-----
- hard drive many manufacturer tries to fit as much bits as possible into the platter. That means, the guard area between tracks is made as small as possible, making it very difficult to extract anything from it (not impossible, but very difficult)
- signals recorded in modern random drives are highly encoded. Data aren't written in single bits anymore, it's written as a group of bits (or even groups of bits) and then encoded for clock recovery, and then encoded for error correction, and further encoded to meet physical requirements of the disk (e.g. no continuous run of "1" bits, no continuous run of "0" bits, no bit flipping 010101 more than 5 times, etc etc, then whatever preamble and trailer signals required for the DSP to start decoding, etc), while obviously still trying to pack as much data as possible. Plus the fact that each disk manufacturer (probably) has their own "secret" sauce. And this is just talking about the raw analog signal, we haven't talked about higher-level functions like bad-block mapping, etc ... your LBA sector "10" isn't always at physical sector "10", etc.
So, I don't think any PC software can recover overwritten bits without access to the raw analog signal from the platter. You will need to tap the read-head data lines to capture the raw analog signal from the drive, and you probably need to tweak the firmware of the disk controller to change the head (mis-)alignment to be able to read from the guard area. And then, a powerful DSP software tailored for the specific manufacturer's decoding algorithm to deduce the overwritten data. We're talking about custom hardware here. But even with that, I still think that it is very tough.
________
That being said, I don't doubt Burn_IT claim. He is a reputable member of the community. I believe him when he said he did it. But he didn't tell the details: the type of the disc being recovered, when this was done, and what was involved to get the job done. I'm also curious of the details, but it's his choice to reveal that or not - I still believe his claim either way.
The question, however, is whether his success in recovering data for one particular disk at one particular time can be carried forward to now and be done for today's modern high-capacity drive chosen at random. Of that, I am doubtful.
_________
Of course all this changes if the disk controller is already backdoor-ed and has a copy of the data somewhere (hidden tracks, etc that you can access using special "magic" commands o the controller). But I'm not considering that possibility here.
Also, the above only applies for spinning-platter hard disk. If you use SSD (or flash drive) then the picture is *completely* different.
__________
EDIT: Also note that there are plenty of ways that disk-wiping can fail. If you write all zeros or all ones or some common patterns (AA or 55), some disk controllers are smart enough not to write anything and just mark the sector correspondingly (but the underlying data is there). So write with a random data is a must.
Another way is OS buffering. An improper disk-wiping program (very common on Windows) may write to OS cache first, and let the OS do the (delayed) writing later. In a certain situation this can lead the disk-wiping program to complete before all the data is flushed to disk. If the disk is connected via USB, you may think that the wiping has been completed, and unplug it (especially if you're in a rush) - and all you've got is partial refresh. Try "dd if=/dev/urandom of=/your/disk" let it run for a while. Since somebody already wrote that to clean 1TB disk takes 7 hours, try taking the disk out after "dd" has run for as long as your patience allows (just unplug it). If the disk is not damaged by the sudden unplug, see how much data you can recover (hint: a lot).
I tend to agree with jafadmin in general. A spinning platter harddisk that have been dd-ed using random data (random data, not all zeros or all ones), even once, will be very difficult to recover, if not plain impossible.
Here are my reasons:
---
In *theory* you can recover the overwritten data. A very simplistic model is like this: A "zero" overwritten over a "one" will have different magnetic strength than a "zero" overwriting a previous "zero". Combined with the hysteresis left in the guard area, you can have better than chance in guessing the overwritten bits.
That being said:
-----
- hard drive many manufacturer tries to fit as much bits as possible into the platter. That means, the guard area between tracks is made as small as possible, making it very difficult to extract anything from it (not impossible, but very difficult)
- signals recorded in modern random drives are highly encoded. Data aren't written in single bits anymore, it's written as a group of bits (or even groups of bits) and then encoded for clock recovery, and then encoded for error correction, and further encoded to meet physical requirements of the disk (e.g. no continuous run of "1" bits, no continuous run of "0" bits, no bit flipping 010101 more than 5 times, etc etc, then whatever preamble and trailer signals required for the DSP to start decoding, etc), while obviously still trying to pack as much data as possible. Plus the fact that each disk manufacturer (probably) has their own "secret" sauce. And this is just talking about the raw analog signal, we haven't talked about higher-level functions like bad-block mapping, etc ... your LBA sector "10" isn't always at physical sector "10", etc.
So, I don't think any PC software can recover overwritten bits without access to the raw analog signal from the platter. You will need to tap the read-head data lines to capture the raw analog signal from the drive, and you probably need to tweak the firmware of the disk controller to change the head (mis-)alignment to be able to read from the guard area. And then, a powerful DSP software tailored for the specific manufacturer's decoding algorithm to deduce the overwritten data. We're talking about custom hardware here. But even with that, I still think that it is very tough.
________
That being said, I don't doubt Burn_IT claim. He is a reputable member of the community. I believe him when he said he did it. But he didn't tell the details: the type of the disc being recovered, when this was done, and what was involved to get the job done. I'm also curious of the details, but it's his choice to reveal that or not - I still believe his claim either way.
The question, however, is whether his success in recovering data for one particular disk at one particular time can be carried forward to now and be done for today's modern high-capacity drive chosen at random. Of that, I am doubtful.
_________
Of course all this changes if the disk controller is already backdoor-ed and has a copy of the data somewhere (hidden tracks, etc that you can access using special "magic" commands o the controller). But I'm not considering that possibility here.
Also, the above only applies for spinning-platter hard disk. If you use SSD (or flash drive) then the picture is *completely* different.
__________
EDIT: Also note that there are plenty of ways that disk-wiping can fail. If you write all zeros or all ones or some common patterns (AA or 55), some disk controllers are smart enough not to write anything and just mark the sector correspondingly (but the underlying data is there). So write with a random data is a must.
Another way is OS buffering. An improper disk-wiping program (very common on Windows) may write to OS cache first, and let the OS do the (delayed) writing later. In a certain situation this can lead the disk-wiping program to complete before all the data is flushed to disk. If the disk is connected via USB, you may think that the wiping has been completed, and unplug it (especially if you're in a rush) - and all you've got is partial refresh. Try "dd if=/dev/urandom of=/your/disk" let it run for a while. Since somebody already wrote that to clean 1TB disk takes 7 hours, try taking the disk out after "dd" has run for as long as your patience allows (just unplug it). If the disk is not damaged by the sudden unplug, see how much data you can recover (hint: a lot).
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]
I don't need to prove anything to you (especially you).
The software was the enterprise version of PC Inspector File Recovery.
The disk was a standard 2.5 laptop drive.
It was a Tuesday evening and the person involved drove from Bristol to Measham specifically for this. He brought his new young wife along for company and she and my wife spent a couple of hours gossiping whilst we worked.
All this occurred probably before most of you young Puppies were born
It is far easier to recover "old" data from a disk that has been overwritten with a static pattern. That is why any proper disk wipe uses many passes of completely random data.
I still cannot tell you what the hidden data was in detail since I am still bound by the official secrets act, but I can say it involved laser weaponry on ships.
The software was the enterprise version of PC Inspector File Recovery.
The disk was a standard 2.5 laptop drive.
It was a Tuesday evening and the person involved drove from Bristol to Measham specifically for this. He brought his new young wife along for company and she and my wife spent a couple of hours gossiping whilst we worked.
All this occurred probably before most of you young Puppies were born
It is far easier to recover "old" data from a disk that has been overwritten with a static pattern. That is why any proper disk wipe uses many passes of completely random data.
I still cannot tell you what the hidden data was in detail since I am still bound by the official secrets act, but I can say it involved laser weaponry on ships.
"Just think of it as leaving early to avoid the rush" - T Pratchett
No, you don't, and I did not ask for proof - I said I completely believe your claim that you did it, regardless of whether or not you choose to reveal the circumstances. May be you confuse me with jafadmin (I'm not).Burn_IT wrote:I don't need to prove anything to you (especially you).
But thanks for explaining the circumstances anyway, and the software involved. No - please don't reveal the hidden data; its irrelevant. We're were discussing the techniques to recover the data, not the data itself.
If you still remember - what was the capacity of that 2.5 disk? Smaller capacity may be easier to recover than larger ones.
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]