How to SAFELY Format Hard Disk That I'm NOT Using?


Recommended Posts

Hot on the heels of my other thread, are there any utilities out there that I can use to safely format a hard drive?

 

I took a look around the net but everywhere I did look just suggested the right-click and format way.  If I choose the "quick format" option, it deletes the data table but not the data correct?  If I un-tick that box, will it zero the drive?

 

Thanks

Link to comment
Share on other sites

My suggestion from the last thread still stands. DBAN can solve that as well. :laugh:

To answer your question, a quick format removes only the headers, meaning that the data is still recoverable. If you zero-out the drive then the data is gone.

  • Like 3
Link to comment
Share on other sites

A quick format or a regular format will leave a lot of data on the drive.  The standard format will only do a bad sector scan after the quick format.  If you want to zero the drive you need a disk wiper.  Or in Linux use the dd command to overwrite the drive.

 

Check this link for an explanation on quick and standard format:

 

http://support.microsoft.com/kb/302686

  • Like 1
Link to comment
Share on other sites

AFAIK: a quick format will only remove the table of contents of a disk. A full format will only change the first byte of every sector to zero. (Correct me if I'm wrong here). If you really want to wipe a disk, use DBAN as others already suggested, it will zero out your entire (selected) disk.

Link to comment
Share on other sites

I ended up using Disk Wipe, which seems to have done the job.

Didn't want to use DBAN this time around, will give that a go with the other one. A portable app too so no installation rubbish :)

Link to comment
Share on other sites

From windows CMD, Format /?, check out /P:Count towards the bottom.

Formats a disk for use with Windows.

FORMAT volume [/FS:file-system] [/V:label] [/Q] [/L] [/A:size] [/C] [/i:state] [

/X] [/P:passes] [/s:state]

FORMAT volume [/V:label] [/Q] [/F:size] [/P:passes]

FORMAT volume [/V:label] [/Q] [/T:tracks /N:sectors] [/P:passes]

FORMAT volume [/V:label] [/Q] [/P:passes]

FORMAT volume [/Q]

volume Specifies the drive letter (followed by a colon),

mount point, or volume name.

/FS:filesystem Specifies the type of the file system (FAT, FAT32, exFAT,

NTFS, UDF).

/V:label Specifies the volume label.

/Q Performs a quick format. Note that this switch overrides /P.

/C NTFS only: Files created on the new volume will be compressed

by default.

/X Forces the volume to dismount first if necessary. All opened

handles to the volume would no longer be valid.

/R:revision UDF only: Forces the format to a specific UDF version

(1.02, 1.50, 2.00, 2.01, 2.50). The default

revision is 2.01.

/D UDF 2.50 only: Metadata will be duplicated.

/L NTFS Only: Use large size file records.

By default, the volume will be formatted with small size file

records.

/A:size Overrides the default allocation unit size. Default settings

are strongly recommended for general use.

NTFS supports 512, 1024, 2048, 4096, 8192, 16K, 32K, 64K.

FAT supports 512, 1024, 2048, 4096, 8192, 16K, 32K, 64K,

(128K, 256K for sector size > 512 bytes).

FAT32 supports 512, 1024, 2048, 4096, 8192, 16K, 32K, 64K,

(128K, 256K for sector size > 512 bytes).

exFAT supports 512, 1024, 2048, 4096, 8192, 16K, 32K, 64K,

128K, 256K, 512K, 1M, 2M, 4M, 8M, 16M, 32M.

Note that the FAT and FAT32 files systems impose the

following restrictions on the number of clusters on a volume:

FAT: Number of clusters <= 65526

FAT32: 65526 < Number of clusters < 4177918

Format will immediately stop processing if it decides that

the above requirements cannot be met using the specified

cluster size.

NTFS compression is not supported for allocation unit sizes

above 4096.

/F:size Specifies the size of the floppy disk to format (1.44)

/T:tracks Specifies the number of tracks per disk side.

/N:sectors Specifies the number of sectors per track.

/P:count Zero every sector on the volume. After that, the volume

will be overwritten "count" times using a different

random number each time. If "count" is zero, no additional

overwrites are made after zeroing every sector. This switch

is ignored when /Q is specified.

/S:state Specifies support for short filenames (enable, disable)

Short names are disabled by default

Link to comment
Share on other sites

If you said securely I'd suggest shred and dd. You want safely so use quick format in windows. It dont really erase anything, just the pointers which can be recreated. To safely & securely do this in ubuntu for example, pull all other drives in the system and boot from CD/DVD/USB. load up terminal and run the commands.

 

To truly securely erase the data run 4 passes of shred on the drive, then follow that with 2 each of dev/zero & dev/full, then quick format it/install a new partition table.. Don't use dev/urandom or dev/random as it just takes too long and isn't really much more beneficial than shred. (2.4MB/s rather than 40MB/s) Nothing a forensics lab has could recover anything at that point. You can also link commands using a double ampersand (&&) so you can leave it go overnight.

 

Key is to do 7 (seven) full passes on mechanical, and at least 1 on flash/SSD to securely erase.

 

shred - http://www.howtoforge.com/how-to-securely-destroy-wipe-data-on-hard-drives-with-shred

dd - http://how-to.wikia.com/wiki/How_to_wipe_a_hard_drive_clean_in_Linux

 

after looking into dban, it seems it does this automatically to any and all connected drives it can find. Seems much more user-friendly but I bet under the hood its doing what I mentioned above.

Link to comment
Share on other sites

My suggestion from the last thread still stands. DBAN can solve that as well. :laugh:

To answer your question, a quick format removes only the headers, meaning that the data is still recoverable. If you zero-out the drive then the data is gone.

but not unrecoverable until after 7 passes. (exception flash/ssd)

Link to comment
Share on other sites

but not unrecoverable until after 7 passes. (exception flash/ssd)

No, when you zero-out the drive it is as good as unrecoverable. Government equipment may be able to get some information, but that is costly and rare, meaning that it is gone.

I know there was once the idea of it being otherwise, but let me give you a situation:

00110100011011110100101011110100101000001010101

Ok, that is on your hard drive. Now let's say that that is a file and we want to put it in the recycle bin. Then the following code takes its place:

00110100011010010100101011110100101000001010101

Let's pretend that you hadn't seen the first lot of code. Would you be able to tell what was once a zero and what was once a one? If you zero-out the drive, you're in the same situation. Whatever the code may have been before, all of the bits are now 0. How can you tell which ones were once a 1?

Link to comment
Share on other sites

If you said securely I'd suggest shred and dd. You want safely so use quick format in windows. It dont really erase anything, just the pointers which can be recreated. To safely & securely do this in ubuntu for example, pull all other drives in the system and boot from CD/DVD/USB. load up terminal and run the commands.

 

To truly securely erase the data run 4 passes of shred on the drive, then follow that with 2 each of dev/zero & dev/full, then quick format it/install a new partition table.. Don't use dev/urandom or dev/random as it just takes too long and isn't really much more beneficial than shred. (2.4MB/s rather than 40MB/s) Nothing a forensics lab has could recover anything at that point. You can also link commands using a double ampersand (&&) so you can leave it go overnight.

 

Key is to do 7 (seven) full passes on mechanical, and at least 1 on flash/SSD to securely erase.

 

shred - http://www.howtoforge.com/how-to-securely-destroy-wipe-data-on-hard-drives-with-shred

dd - http://how-to.wikia.com/wiki/How_to_wipe_a_hard_drive_clean_in_Linux

 

after looking into dban, it seems it does this automatically to any and all connected drives it can find. Seems much more user-friendly but I bet under the hood its doing what I mentioned above.

 

but not unrecoverable until after 7 passes. (exception flash/ssd)

 

No. That is completely unnecessary. One pass on modern hard drives will be sufficient at making any data practically unrecoverable.

 

Elaboration on "practically": if you have fancy expensive equipment it's still possible to recover bits here and there up to ~7 passes (according to the NSA, whose own standard is 7 passes), however, just because you can recover bits doesn't mean that they will give you anything coherent or meaningful. So really for all practical purposes a single zero-out is more than sufficient.

 

The thing that you have to worry about isn't electron microscope scanning, it's bad sectors that an overwrite won't touch. That won't get fixed no matter how many passes you do, the only solution to that is physical destruction.

Link to comment
Share on other sites

"Key is to do 7 (seven) full passes on mechanical, and at least 1 on flash/SSD to securely erase."

Where do you people still get this nonsense? As stated above - One pass of writing Zero's, or 1's for that matter is more than enough.. Also lets keep in mind your not wiping the US Nuclear Arsenal Launch codes!! So even if it was technically possible, which it isn't to recover the data.. Who is going to be doing that on billy's drive -- wtf they going to get your SS number, or bank account -- be easier to just send you a email pretending to your back ask for it ;) They get lots of info that way, why should they spend the time trying to recover something that was wiped clean??

All your doing with 7 passes is wasting your time and electricity. And posting information like you did only keeps the FUD alive.. This has been gone over and over for years here and still is comes back..

Please Read!

http://www.infosecisland.com/blogview/16130-The-Urban-Legend-of-Multipass-Hard-Disk-Overwrite.html

https://www.anti-forensics.com/disk-wiping-one-pass-is-enough/

http://www.howtogeek.com/115573/htg-explains-why-you-only-have-to-wipe-a-disk-once-to-erase-it/

I could post up a dozen other sources -- just too lazy to do so.. Tired of hearing this nonsense get repeated.. Arrrggghhhh!!!

Link to comment
Share on other sites

Yeah DBAN every time or find the HDD manufacture normally they have some software to wipe disk (not as effective as DBAN). Another way is to just keep formatting the HDD I think it's about 7 times in total needed but far better to just use DBAN.

Link to comment
Share on other sites

"Key is to do 7 (seven) full passes on mechanical, and at least 1 on flash/SSD to securely erase."

Where do you people still get this nonsense? As stated above - One pass of writing Zero's, or 1's for that matter is more than enough.. Also lets keep in mind your not wiping the US Nuclear Arsenal Launch codes!! So even if it was technically possible, which it isn't to recover the data.. Who is going to be doing that on billy's drive -- wtf they going to get your SS number, or bank account -- be easier to just send you a email pretending to your back ask for it ;) They get lots of info that way, why should they spend the time trying to recover something that was wiped clean??

All your doing with 7 passes is wasting your time and electricity. And posting information like you did only keeps the FUD alive.. This has been gone over and over for years here and still is comes back..

Please Read!

http://www.infosecisland.com/blogview/16130-The-Urban-Legend-of-Multipass-Hard-Disk-Overwrite.html

https://www.anti-forensics.com/disk-wiping-one-pass-is-enough/

http://www.howtogeek.com/115573/htg-explains-why-you-only-have-to-wipe-a-disk-once-to-erase-it/

I could post up a dozen other sources -- just too lazy to do so.. Tired of hearing this nonsense get repeated.. Arrrggghhhh!!!

 

All those articles state a random value, not writing a known 0 or 1. Writing only 0 or 1 only once you are only changing half of your bits at best.  You can easily see which were toggled on an analysis of the platter using itslef and 'toggle those back' resulting in 100% data recovery. Theres commercial data recovery programs that do just that for a few hundred dollars. Most do prey on recovering an MBR at the beginning sector or whichever random sector the drive wrote the spare to.

 

To elaborate, their tests are not in a true life scenario as they likley took a fresh disk, wrote to it once, overwrote it once, and seen if they could recover the previous layer of data. Let me explain my take on it and you can be the judge on whether im parroting other idiots or actually have a reason to state what I did.

 

The problem is 'bit memory' This occurs when you overwrite a data location more than once. If you add and remove stuff from your computer you build up a bit memory on the platter, each time a tiny bit more wear is in the bit thats used, creating deeper wear mark layers if you will. As I said writing all 0 or all 1 actually checks if its a 0 or 1 and toggles it if needed, speeding up the process but also meaning some of the data isn't touched. SSD has no such (known) memory effect, and is so fast it just writes the value regardless, which is why 1 pass is all thats needed opposed to old mechanical drives.

 

'scrubbing' the drive by writing random bits to it a few times basically will ensure everythings worn evenly on the platter, then writing all 0 and 1 to it a few times ensures everythings been toggled a bit. Overkill? yes. But I would never do only one known pass on a drive and say nothings recoverable. At least do 1 random pass and one known pass, which will basically require everything short of physical platter analysis to recover. If you use your system to commit crimes on humanity or rob banks or whatever it is you shouldn't be doing I would personally do as the NSA and DOD suggests and physically destroy the media.

Link to comment
Share on other sites

"All those articles state a random value"

No they do not.. You clearly did not read the articles

Therefore, a single pass overwrite with any arbitrary value (randomly chosen or not) is sufficient to render the original HDD data effectively irretrievable.

Dude your parroting FUD!!! Please STOP IT!! Sorry but 1 single wipe is more than sufficient to remove the possibility of data recovery.

Unless you can site a source that has recovered data after a wipe -- your just passing on junk.

"Overwriting Hard Drive Data: The Great Wiping Controversy" by Craig Wright, Dave Kleiman and Shyaam Sundhar R.S. as presented at ICISS200 page 243

The purpose of this paper was a categorical settlement to the controversy surrounding the misconceptions involving the belief that data can be recovered following a wipe procedure. This study has demonstrated that correctly wiped data cannot reasonably retrieved even if it of a small size or found only over small parts of the hard drive. Not even with the use of a MFM or other known methods. The belief that a tool can be developed to retrieve gigabytes or terabytes of data of information from a wiped drive is in error.

Although there is a good chance of recovery for any individual bit from a drive, the chance of recovery of any amount of data from a drive using an electron microscope are negligible. Even speculating on the possible recovery of an old drive, there is no likelihood that any data would be recoverable from the drive. The forensic recovery of data using electron microscopy is infeasible. This was true both on old drives and has become more difficult over tine. Further, there is a need for the data to have been written and then wiped on a raw unused drive for there to be any hopy of any level of recovery even at the bit level, which does not reflect real situations. It is unlikely that a recovered drive will have not been used for a period of time and the interaction of defragmentation, file copies and general use that overwrites data areas negates any chance of data recovery. The fallacy that data can be forensically recovered using an electron microscope or related means needs to be put to rest.

Here is follow up article on it

http://computer-forensics.sans.org/blog/2009/01/15/overwriting-hard-drive-data/

They took old used drives in their testing btw

Stop Spreading FUD!! As you stated yourself "Overkill? yes" Then why are you suggesting it.. Here is the thing, can a free tool be downloaded that could recover the data?? Could software be purchased for 1k$, 10k$ that could recover the data? What equipment and or software cost for the "possibility" of this remote possibility? Even if was possible, the cost of such equipment or software makes it a non issues for the recovery of what?? Your p0rn collection? Video of your kids bday party? Your SS# maybe -- do you have a swiss bank account with millions in it?

If you want to sell your drive on ebay, or give it to a buddy for a couple of bucks, wipe it once and your done.. Anything else is just wasting your time and electricity - PERIOD!

  • Like 2
Link to comment
Share on other sites

This topic is now closed to further replies.